JP2003169048A - Data protection system for protecting data through encryption - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a system which suppresses an increase in the amount of encryption data to be distributed to many terminals and encrypts data so that the data can not correctly be decrypted on a specified terminal. <P>SOLUTION: For individual nodes except for those in the bottom layer in a quadrant tree wherein terminals are made to correspond to respective bottom- layer nodes, a plurality of combination patterns as to four nodes in layers which are reached from the nodes and one layer below them are determined, individual keys are determined by the combination patterns, individual keys are determined by the respective nodes in the bottom layers, and each terminal stores and holds all keys determined as to individual nodes on the corresponding path from the bottom layer node to the top layer. The individual nodes on the path from the node corresponding to a specified terminal (terminal 1) to the top layer are defined as ineffective nodes (mark '×' in Fig. 15) and keys determined corresponding to the combination patterns of all nodes except ineffective nodes among four nodes of the layer which is reached from the ineffective nodes other than the bottom layer and one stage below the layer are specified and used to cipher data to be distributed. <P>COPYRIGHT: (C)2003,JPO

Description

Detailed Description of the Invention

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to a data protection system that encrypts and distributes data to a plurality of terminals, and more particularly to a technique for determining a key used for encryption and decryption of data.

[0002]

2. Description of the Related Art In recent years, the development of multimedia related technology,
Background of the Invention With the background of the appearance of large-capacity recording media, systems have emerged in which digital contents such as moving images and audio are generated, stored in large-capacity recording media such as optical disks, and distributed. The digital content recorded on the distributed optical disc or the like is read by a terminal such as a computer or a reproduction device and is subjected to reproduction, copying, or the like.

In such a system, in order to protect the so-called copyright of digital contents,
That is, an encryption technique is used to prevent illegal use such as illegal copying of digital contents. That is, such a system encrypts digital content using a certain encryption key, records it on an optical disk, etc., and distributes it. On the other hand, only the terminal that holds the decryption key corresponding to the encryption key uses the decryption key to decrypt the data read from the optical disc, obtains the original digital content, and reproduces the digital content. It can be carried out.

As a method of encrypting the digital content and recording it on the recording medium, a method of encrypting the digital content itself with an encryption key corresponding to a decryption key held by the terminal and recording the digital content There is a method of encrypting and recording with a certain key, and then encrypting and recording a decryption key corresponding to the key with an encryption key corresponding to the decryption key held by the terminal.

As an example of such a system, for example,
"National Technical Report
Vol. 43, No. 3, pp. 118-122 "(Matsushita Electric Industrial Co., Ltd. Technical Administration Center, issued June 18, 1997)
Discloses a DVD copyright protection system. DVD distributed in this DVD copyright protection system
The DVD playback terminal for playing back the digital content recorded in has a master key determined in advance for each manufacturer of the playback terminal, uses the master key in the decryption process, and finally creates a DVD. It has a function of decoding and reproducing recorded digital contents. In addition, DV
In D, a key group that is encrypted with the master key of each manufacturer and is necessary for decrypting digital contents is recorded.

[0006]

By the way, the decryption key held in the terminal is usually kept secret, but there is a possibility that an unauthorized person may recognize and expose the decryption key by analyzing the terminal or other methods. is there. Once the decryption key stored in a certain terminal is exposed, an unauthorized person may create a terminal or software that decrypts digital contents using this decryption key, and may perform unauthorized copying. As a result, in order to protect the copyright, it becomes impossible to encrypt the digital content with the encryption key corresponding to the exposed decryption key and record it on an optical disc or the like for distribution.

For example, considering a DVD reproducing terminal related to the above-mentioned DVD copyright protection system, one DVD
If the master key is once exposed by illegally analyzing the playback terminal, the digital content encrypted by the master key cannot be distributed thereafter. As a result, after the disclosure, the creator of the DVD will be forced to record the digital content on the DVD and distribute it by performing encryption using a master key different from the one that was exposed. Since many DVD playback terminals manufactured by the same manufacturer as the DVD playback terminal analyzed in Section 1 above hold the same master key, they are recorded on the DVD newly generated and distributed after the exposure. There arises a problem that it is impossible to decrypt and reproduce the existing digital content. That is, if one DVD reproducing terminal is analyzed by an unauthorized person, many DVD reproducing terminals cannot use the newly generated DVD in the future.

In order to solve this problem, a separate decryption key is held for each DVD reproducing terminal, and the digital content or the key necessary for decrypting the digital content is
All encrypted data obtained by encrypting with each encryption key corresponding to the decryption key held by each DVD playback terminal is D
A method of recording in VD can be considered. According to this method
Even if some of the DVD playback terminals are analyzed by an illicit person and some of the decryption keys are exposed, after that, each cipher corresponding to each unexposed decryption key held in the DVD playback terminal group. Since all encrypted data obtained by encrypting digital contents using the encryption key can be recorded on a DVD and distributed, all DVD playback terminals other than the DVD playback terminal holding the exposed decryption key However, it will be possible to use the newly created DVD in the future.

However, this method also requires a large number of DVD playback terminals to be distributed as DVDs.
It has a drawback that the encrypted data to be recorded on the DVD becomes huge. Therefore, the present invention has been made in view of such a problem, and is a data protection system that encrypts data such as a digital content and a key necessary for decrypting an encrypted digital content and distributes the same data to a large number of terminals. Therefore, after suppressing the increase in the amount of encrypted data to be distributed to some extent, if the decryption key held by the specific terminal is exposed by an unauthorized person due to analysis of the specific terminal, etc. To provide a data protection system using an encryption technology that enables a terminal to correctly decrypt data and another terminal to properly decrypt data, and to provide a technology useful for constructing such a data protection system. To aim.

[0010]

In order to achieve the above object, a data protection system according to the present invention comprises three or more terminals, an encryption device and an encryption key identification device, and distributes the data to each terminal. A data protection system for encrypting and protecting data by an encryption device, wherein each terminal stores a decryption key group individually assigned by a predetermined key assignment method, and is output from the encryption device. The encrypted distribution data group is acquired, and the encrypted distribution data is decrypted by using the stored decryption key. The predetermined key allocation method is (a) each terminal has two To belong to at least one terminal set which is a set including the above terminals as elements,
Further, it is a plurality of terminal sets each including the same one or more terminals as elements, and any one terminal set in the plurality of terminal sets is not a subset of each of the other terminal sets in the plurality of terminal sets. Two or more terminal sets are determined so that the plurality of terminal sets in which the relationship is established exist, and (b) a separate decryption key is set for each terminal and each determined terminal set, (c) For each terminal,
This is a method of allocating all the decryption keys defined for the terminal and the decryption keys defined for each of all terminal sets including the terminal, wherein the encryption key identification device identifies the encryption key. And an invalidation terminal identifying unit that identifies one or more terminals as invalidation terminals, and all of the decryption keys assigned to the terminals by the predetermined key assignment method are assigned to the invalidation terminal. When a decryption key other than the decryption key is defined as the valid decryption key, the procedure of selecting the assigned valid decryption key to the largest number of terminals to which the selected valid decryption key has not been assigned Assuming that the process is repeated until there is no terminal to which a valid decryption key is not assigned, the encryption key feature that identifies the encryption key corresponding to each valid decryption key that has been selected as a result. Means for encrypting distribution data by sequentially using all the encryption keys specified by the encryption key specifying device to generate an encrypted distribution data group. It is characterized by having an encryption means for outputting.

Here, the distribution data is data which is supposed to be recorded in a recording medium and distributed, or distributed through a wired or wireless communication path, and finally reach each terminal. Assuming terminal 1, terminal 2, and terminal 3,
In the terminal set determined by the above-mentioned predetermined key allotment method,
Set A of terminal 1 and terminal 2, set B of terminal 1 and terminal 3
There is a pair C of the terminal 2 and the terminal 3, and the decryption key stored and held by the terminal 1 in response to the assignment result by the predetermined key assignment method is the decryption key unique to the terminal 1 and the decryption key A corresponding to the pair A.
The decryption key B corresponding to the set B, and the decryption keys stored and held by the terminal 2 are the decryption key unique to the terminal 2, the decryption key A corresponding to the set A, and the decryption key C corresponding to the set C. The decryption keys stored and held by the terminal 3 are the decryption key unique to the terminal 3, the decryption key B corresponding to the set B, and the decryption key C corresponding to the set C. In this example, when the terminal 2 is illegally analyzed and all the decryption keys stored and held by the terminal 2 are exposed, the terminal 2 is specified as the invalidation terminal, that is, the terminal to be invalidated, When the encryption key is specified by the encryption key specifying means, the encryption key corresponding to the decryption key B is specified.

Therefore, if the data is encrypted by using the encryption key corresponding to the decryption key B and distributed to each terminal, the data cannot be correctly decrypted at the terminal 2 and correctly at the terminals 1 and 3. The data can be decrypted. For the same purpose, data can be encrypted and distributed to each terminal by using an encryption key corresponding to the decryption key unique to the terminal 1 and an encryption key corresponding to the decryption key unique to the terminal 3, respectively. Compared with this method, the method using the encryption key corresponding to the above-mentioned decryption key B has the effect that the number of encryption keys used for encryption is small, and the amount of encrypted data distributed correspondingly is small. Have.

That is, according to the present invention, in a data protection system that encrypts data such as a key necessary for decrypting encrypted digital content and distributes the same data to a plurality of terminals, the encrypted data to be distributed is When the decryption key held by a particular terminal is exposed by an illicit person due to analysis of the particular terminal, etc., while suppressing the increase in volume, the particular terminal cannot correctly decrypt the data and other terminals Then, it becomes possible to correctly decode the data.

Further, the decryption key determination device according to the present invention is for determining a decryption key group to be individually assigned to each of three or more terminals for acquiring and decrypting encrypted data. A decryption key determination device, wherein: (a) each of the terminals further includes the same one or more terminals so that they belong to at least one of the terminal sets, which is a set including two or more terminals as elements. A plurality of terminal sets included in the element, and the plurality of terminals for which a relation that any one of the plurality of terminal sets is not a subset of each of the other terminal sets in the plurality of terminal sets is established. So that a set exists, two or more terminal sets are determined, and (b) a decryption key setting unit that associates a different decryption key for each terminal and each determined terminal set, and for each terminal,
A decryption key group that determines the decryption key associated with the terminal by the decryption key setting unit and all the decryption keys associated with each of all the terminal sets including the terminal as the decryption key group to be assigned to the terminal. And allocating means.

The decryption key determination method according to the present invention is for determining a decryption key group for decryption, which is individually assigned to each of three or more terminals for acquiring and decrypting encrypted data. A decryption key determination method, wherein each of the terminals further includes the same one or more terminals as elements so that the terminals belong to at least one of the terminal sets, which is a set including two or more terminals as elements. There is a plurality of terminal sets in which there is a relationship that any one of the terminal sets in the plurality of terminal sets is not a subset of each of the other terminal sets in the plurality of terminal sets. As described above, a terminal set determining step for determining two or more terminal sets, and a decryption key for associating a separate decryption key for each terminal and each terminal set determined by the terminal set determining step For the responding step and for each of the terminals, the decryption key associated with the terminal in the decryption key associating step and all the decryption keys associated with each of all the terminal sets including the terminal are And a decryption key group assignment step of determining a decryption key group to be assigned to the terminal.

The decoding terminal system according to the present invention is
A decryption terminal system comprising three or more terminals for acquiring and decrypting encrypted data, wherein each of the terminals stores a decryption key group individually assigned by a predetermined key assignment method. A decryption key group storage means, an encrypted data acquisition means for obtaining encrypted data, and a decryption key stored in the decryption key group storage means for the data obtained by the encrypted data acquisition means. And a decrypting means for decrypting using the predetermined key assigning method, wherein (a) each terminal belongs to at least one of a terminal set which is a set including two or more terminals as elements, Further, a plurality of terminal sets each including the same one or more terminals as elements,
There are two or more terminal sets such that there is a relationship that any one of the terminal sets in the plurality of terminal sets is not a subset of each of the other terminal sets in the plurality of terminal sets. Determine the terminal set, (b)
Determining a separate decryption key for each terminal and for each determined terminal set, (c) for each terminal, the decryption key defined for the terminal, and all terminal sets including the terminal Is a method of allocating all the decryption keys defined for each of the above.

Further, the decryption terminal according to the present invention is a decryption terminal for acquiring and decrypting encrypted data, and stores a decryption key group individually assigned by a predetermined key assignment method. Decryption key group storage means, encrypted data acquisition means for acquiring encrypted data, and data obtained by the encrypted data acquisition means using the decryption key stored in the decryption key group storage means. (A) A plurality of terminals, which is a set including two or more terminals as elements, in the case where three or more terminals including this terminal are assumed. A plurality of terminal sets each including this terminal as an element so as to belong to the set, and any one terminal set in the plurality of terminal sets is a subset of each of the other terminal sets in the plurality of terminal sets. Not Seki Determining two or more terminal sets so that there are a plurality of terminal sets for which the relationship is established, and (b) separate decoding is performed for this terminal and for each determined terminal set. Set the key, (c) for this terminal,
The method is characterized in that a decryption key defined corresponding to this terminal and a decryption key defined corresponding to each of all terminal sets including this terminal are allotted.

As a result, for example, when recording the encrypted data on the recording medium to each terminal and distributing the recording medium, it is possible to suppress an increase in the amount of data recorded on the recording medium. So, if the decryption key held by that terminal due to analysis of a particular terminal is exposed by an illicit person, so that the data cannot be correctly decrypted at that particular terminal and the data can be decrypted correctly at other terminals, It becomes possible to implement the encryption.

The encryption key specifying device according to the present invention is
An encryption key specifying device for specifying an encryption key to be used for encrypting data for distribution to three or more terminals, comprising: (a)
A plurality of terminal sets each including the same one or more terminals as elements so that each of the terminals belongs to at least one of the terminal sets that is a set including two or more terminals as elements, Two or more terminal sets are present such that there is a relationship that any one of the terminal sets in the plurality of terminal sets is not a subset of each of the other terminal sets in the plurality of terminal sets. Determining a terminal set, (b) a decryption key group associating unit that associates a separate decryption key for each terminal and each determined terminal set, and for each terminal, the corresponding decryption key setting unit for the corresponding terminal In addition to the attached decryption key, all decryption keys associated with each of all the terminal sets including the relevant terminal are associated with the relevant decryption key setting means, and one or more terminals are specified as invalidation terminals. You And a decryption key other than the decryption key associated with the invalidation terminal out of all the decryption keys associated with the terminal by the invalidation terminal identification means and the decryption key group association means. In this case, the procedure of selecting the valid decryption key that is associated with the largest number of terminals that are not associated with the selected valid decryption key is the same as when there is a terminal that is not associated with the selected valid decryption key. It is characterized by further comprising encryption key specifying means for specifying an encryption key corresponding to each of all the effective decryption keys that have been selected as a result when it is assumed that the process is repeated until no more.

The encryption device according to the present invention is an encryption device for encrypting data for distribution to three or more terminals, and (a) each of the terminals has two or more terminals. A plurality of terminal sets each further including the same one or more terminals as elements so as to belong to at least one of the terminal sets which is a set included in the elements, and any one terminal in the plurality of terminal sets. Two or more terminal sets are determined so that there exists such a plurality of terminal sets that a relationship that a set is not a subset of each of the other terminal sets in the plurality of terminal sets is established. And decryption key setting means for associating different decryption keys for each determined terminal set,
For each terminal, in addition to the decryption key associated with the terminal by the decryption key setting means, all the decryption keys associated with each of all the terminal sets including the terminal are associated with the terminal. Decryption key group associating unit, invalidation terminal identifying unit for identifying one or more terminals as invalidation terminals, and invalidation terminal of all the decryption keys associated with the terminals by the decryption key group associating unit When a decryption key other than the decryption key associated with is defined as the valid decryption key, the valid decryption key associated with the largest number of terminals to which the selected valid decryption key is not associated is selected. Assuming that the procedure described above is repeated until there is no terminal to which the selected valid decryption key is not associated, there is a secret code corresponding to all the valid decryption keys that have been selected. Encryption key specifying means for specifying an encryption key and encryption means for encrypting distribution data by sequentially using all the encryption keys specified by the encryption key specifying means to generate an encrypted distribution data group And an output means for outputting the encrypted distribution data group generated by the encryption means to the outside.

The encryption key specifying method according to the present invention is
What is claimed is: 1. An encryption key specifying method for specifying an encryption key to be used for encrypting data for distribution to three or more terminals, wherein each terminal is a set including two or more terminals as elements. A plurality of terminal sets each including the same one or more terminals as elements so as to belong to at least one of the certain terminal sets, and any one terminal set in the plurality of terminal sets is associated with the plurality of terminal sets. A terminal set determining step of determining two or more terminal sets, such that there is a plurality of terminal sets for which the relationship that they are not subsets of other terminal sets in the terminal set exist; A decryption key associating step of associating a different decryption key for each terminal set determined by the set determining step, and corresponding to each terminal by the decryption key associating step In addition to the generated decryption key, a decryption key group associating step of associating all decryption keys associated with each of all terminal sets including the terminal with the relevant terminal, and disabling one or more terminals And a decryption key other than the decryption key associated with the invalidation terminal among all the decryption keys associated with the terminal in the decryption key group association step as the valid decryption key. In the case where it is determined, the procedure of selecting the valid decryption key associated with the most terminals that are not associated with the selected valid decryption key is the terminal that is not associated with the selected valid decryption key. Is repeated until no longer exists, and an encryption key specifying step for specifying an encryption key corresponding to each of all the effective decryption keys that have been selected as a result is included.

As a result, for example, when recording the encrypted data on the recording medium to each terminal and distributing the recording medium, the number of encryption keys used for encryption can be kept relatively small. Therefore, while suppressing an increase in the amount of data recorded on the recording medium, if a decryption key held by the terminal is exposed by an unauthorized person due to analysis of the specific terminal, etc. Then, the encryption can be performed so that the data cannot be correctly decrypted and the other terminals can correctly decrypt the data.

[0023]

<First Embodiment> A data protection system according to a first embodiment of the present invention will be described below with reference to the drawings. <Overall Configuration> FIG. 1 is a schematic configuration diagram of a data protection system 100 according to the first embodiment of the present invention.

The data protection system 100 includes an encryption device 101 and a plurality of decryption devices (terminals) 1 as shown in FIG.
03a to 103n and a key setting system 104, which is a system for encrypting content consisting of digital data indicating video, audio, etc., recording it on an optical disc 102 such as a DVD-ROM, and distributing it to a plurality of terminals. .

Here, the key setting system 104 includes an encryption key for setting in the encryption device 101, and the decryption device 1.
This is a system for determining a decryption key to be individually set to 03a to 103n. The encryption device 101 holds the encryption key specified by the key setting system 104,
This is a device for encrypting content and recording it on the optical disc 102. It should be noted that it is assumed that a large number of objects having completely the same recorded content will be duplicated on the optical disk 102.

Further, the decryption devices 103a to 103n are a large number of terminals such as 1 billion, and each decryption device holds a decryption key individually determined by the key setting system 104, and the This is a device that reads and decrypts encrypted content (hereinafter referred to as “encrypted content”) and reproduces the content obtained by the decryption.

When the data protection system 100 is used to protect the copyright of contents,
It is assumed that the key setting system 104 and the encryption device 101 are operated by an organization that manages copyright protection, and the decryption device is used by general users. Further, the key setting system 104 is basically used once to determine a decryption key for each decryption device, once to identify an encryption key to be used first, and further to identify a specific encryption key. Whenever it is found that the decryption key stored in the decryption device has been exposed due to illegal analysis of the decryption device, etc., the specific decryption device cannot decrypt the encrypted content recorded on the optical disc. For this purpose, the encryption device 101 is used to specify a new encryption key to be used when a new content is recorded on the optical disc.

Hereinafter, the encryption device 101 and the decryption device 103
The a to 103n and the key setting system 104 will be described in more detail. <Configuration of Encryption Device> FIG. 2 is a functional configuration diagram of the encryption device 101 and the decryption device 103a. As shown in the figure, the encryption device 101 includes a content storage unit 201, a random number generation unit 202, an encryption key group storage unit 203, and a key encryption unit 20.
4, the content encryption unit 205 and the output unit 206.

Here, the content storage unit 201 is a storage device such as a hard disk that stores content consisting of digital data representing video, audio and the like. The random number generation unit 202 has a function of generating a random number that serves as a key used for content encryption (hereinafter, referred to as “content key”). The content key is, for example, 64-bit data composed of random numbers.

The encryption key group storage unit 203 stores one or a plurality of encryption keys specified by the key setting system 104, and the decryption device side specifies a decryption key corresponding to the stored encryption key. It is a storage device such as a memory for storing the key specifying information used for the operation. When the encryption key is newly specified by the operation of the key setting system 104, the encryption key stored in the encryption key group storage unit 203 before the specification is deleted, and the encryption key is newly specified. Only the generated encryption key is stored in the encryption key group storage unit 203. The new encryption key and the key identification information corresponding to the new encryption key may be stored, for example, by being input by the operator, or the key setting system 104.
It may be done by receiving from.

The key encryption unit 204 encrypts the content key obtained from the random number generation unit 202 using each encryption key stored in the encryption key group storage unit 203, and the result is encrypted. It has a function of transmitting each content key (hereinafter, referred to as “encrypted content key”) to the output unit 206. The content encryption unit 205 has a function of encrypting the content stored in the content storage unit 201 using the content key acquired from the random number generation unit 202, and transmitting the encrypted content that is the result to the output unit 206. ..

The output unit 206 includes hardware capable of recording data on an optical disc, acquires key identification information from the encryption key group storage unit 203, and transmits the key identification information from the content encryption unit 205. It has a function of recording the encrypted content thus obtained and the encrypted content key transmitted from the key encryption unit 204 onto the optical disc 102.

By the recording of the encryption device 101, the encrypted content, one or a plurality of encrypted content keys, and the key specifying information are recorded on the optical disc 102. The number of encrypted content keys recorded on the optical disc 102 matches the number of encryption keys specified by the key setting system 104 and stored in the encryption key group storage unit 203.

Such an encryption device 101 is provided with a CPU, a memory and the like as hardware, and has the functions of the random number generation unit 202, the key encryption unit 204, the content encryption unit 205 and the output unit 206 described above. All or part is realized by the control program stored in the memory being executed by the CPU. <Structure of Decryption Device> The decryption device 103a is a terminal for reproducing an optical disc, and as shown in FIG. 2, an acquisition unit 211, a decryption key group storage unit 212, a decryption key selection unit 213, and a key decryption unit 2
14, a content decrypting unit 215, and a reproducing unit 216.

Here, the acquisition unit 211 includes hardware capable of reading data from the optical disc, reads the encrypted content from the optical disc 102 and conveys it to the content decryption unit 215, and reads the encrypted content key from the optical disc 102 to obtain the key. This is sent to the decryption unit 214, the key identification information is read from the optical disc 102, and the decryption key selection unit 21 is read.
3 has the function of transmitting.

The decryption key group storage unit 212 is a storage device such as a non-volatile memory that stores a plurality of decryption keys determined for the decryption device 103a by the key setting system 104. The storage of the decryption key is performed in the manufacturing process of the decryption device, for example. The decryption key selection unit 213, based on the key identification information transmitted from the acquisition unit 211, the decryption key group storage unit 21.
It has a function of determining which decryption key can be used from the decryption key group stored in No. 2 and selecting one decryption key that can be used.

The key decryption unit 214 obtains, through the acquisition unit 211, an encrypted content key that can be decrypted by using the decryption key selected by the decryption key selection unit 213, and acquires the obtained encrypted content key as the decryption key. A content key is generated by decrypting using. The content decryption unit 215 has a function of decrypting the encrypted content transmitted from the acquisition unit 211 using the content key generated by the key decryption unit 214 to generate content and transmitting it to the reproduction unit 216.

The reproducing unit 216 also has a function of reproducing the content transmitted from the content decoding unit 215. The content handled by the data protection system 100 is, for example, MPEG (Moving Picture).
If it is decided that the moving image data is in accordance with the compression method specified by the Expert Group, etc., the reproducing unit 21
6 is, for example, a so-called MPEG decoder,
It is necessary to include a function of expanding the content and outputting a video signal.

Such a decryption device 103a is provided with a CPU, a memory, etc. as hardware, and has the acquisition unit 211, decryption key selection unit 213, key decryption unit 214, and
All or some of the functions of the content decryption unit 215 and the reproduction unit 216 are controlled by the control program stored in the memory.
It is realized by being executed by U.

The plurality of decoding devices 103b to 103n other than the decoding device 103a have the same configuration as the decoding device 103a. However, all or part of the content stored in the decryption key group storage unit 212 differs depending on the decryption device. <Structure of Key Setting System> FIG.
It is a functional block diagram of FIG.

As shown in the figure, the key setting system 104
Has a key information storage unit 301, a key information generation unit 302, a revocation terminal identification unit 303, a key information update unit 304, a decryption key determination unit 305, and an encryption key identification unit 306. Here, the key information storage unit 301 is a storage device such as a hard disk for storing key information described later.

The key information generation unit 302 determines a tree structure so that each of the decryption devices forming the data protection system 100 corresponds to the node of the lowest layer of the hierarchical quadtree tree structure. One or more keys are assigned to each node, and key information indicating keys assigned to each node is generated. The key information is information used to identify the encryption key and the decryption key, and serves as a criterion for determining whether or not each key assigned to each node can be used as the encryption key. Contains invalidation information. The key information and the tree structure of the quadtree will be described later in detail.

The invalidation terminal identification unit 303 is a keyboard,
A terminal that accepts the designation of the decryption device in which the decryption key held by the operator is exposed through an input device such as a pointing device, and the designated decryption device should be invalidated (hereinafter referred to as "invalidation terminal"). ) Has the function to specify. The revocation terminal indicates a decryption device that needs to be encrypted so that the terminal cannot properly decrypt the encrypted content when encrypting the content.

The key information updating unit 304 has a function of updating the revocation information in the key information stored in the key information storage unit 301, based on the revocation terminal specified by the revocation terminal specifying unit 303. . The decryption key determination unit 305 has a function of determining a plurality of decryption keys to be set for each decryption device based on the key information stored in the key information storage unit 301. The decryption key determined for each decryption device is stored in the decryption key group storage unit of the decryption device together with the information indicating the node associated with the decryption key, for example, in the production process of the decryption device, Is stored. Therefore, the key setting system 104, for example,
The determined decryption key and information indicating the correspondence between the decryption key and the node are transmitted to, for example, a manufacturing system for manufacturing the decryption device.

The encryption key specifying unit 306 has a function of specifying one or more encryption keys to be set in the encryption device based on the key information stored in the key information storage unit 301. By showing the correspondence between the specified encryption key and the node, the key specifying information serving as a criterion for determining which decoding key should be used at the time of decoding is output together with the specified encryption key.

This output is, for example, transmission to the encryption device 101 or recording on a portable recording medium. When the encryption key identifying unit 306 records the encryption key in a portable recording medium, the content of the recording medium is stored in the encryption key group storage unit 203 of the encryption device 101 by the operator in operation. Needs to be copied. <Key information> Hereinafter, generated by the key information generation unit 302,
The key information stored in the key information storage unit 301 will be described.

First, the tree structure of the quadtree will be described.
FIG. 4 is a diagram showing a tree structure of a quadtree. In this tree structure, each node (hereinafter, also referred to as “leaf”) configuring the node group 406 in the lowest layer and the decoding device (terminal) are 1
Constructed in a one-to-one correspondence, 4 from one node
It is a tree structure with a branch to one node. Note that, here, a structure having a branch from this one node to n nodes is referred to as an n-ary tree, and a structure having a branch to four nodes is referred to as a quadtree. Further, one node having a branch to the four nodes is referred to as a parent node with respect to the four nodes, the four nodes are referred to as child nodes with respect to the parent node, and the node 405 in the highest layer is routed. Shall be called.

If the number of decoding devices in the data protection system 100 is not a factorial of four, the number of nodes in the lowest layer is the smallest number of factorials of four that is larger than the number of decoding devices. Here, for simplification of description, it is assumed that the number of decoding devices matches the number of nodes in the lowest layer.
The key information generation unit 302 is the top layer 4 of the tree structure shown in FIG.
01 is a level 0, the layer 402 one level lower is level 1, the layer one level lower is increased by one level, and the layer 403 one layer above the lowest layer is level D-1 and the lowest layer. 404 to level D
And each node in each level sequentially determines the relative number in each level from 1. Therefore, the node of relative number 1 in level D corresponds to the decoding device 103a, the node of relative number 2 in level D corresponds to the decoding device 103b, and D of relative number 4 in level D
The power node corresponds to the last decoding device 103n.

FIG. 5 is a diagram showing an example of a tree structure of a quadtree when the number of decoding devices is 64. In the example shown in the figure, since the tree structure of the quadtree is constructed so that there are 64 leaves, the lowest layer is level 3. next,
The invalidation information defined for each node will be described.

The invalidation information about a node is a flag indicating whether or not the node is an invalid node for four child nodes when the node is a parent node, and a flag for a node with a small relative number. The information is combined in order from. The flag takes a value of 1 if it is an invalid node, and takes a value of 0 if it is not an invalid node. Therefore, for example, if the four child nodes are invalid nodes, the invalidation information of the parent node is "0000", and if the four child nodes are invalid nodes, the invalidation information of the parent node is "1111".
Becomes

However, for the leaf, the invalidation information is "111" if the decoding device corresponding to the leaf is the invalidation terminal.
If it is 1 ”and it is not a revocation terminal, it will be“ 0000. ”The revocation node is a leaf corresponding to the revocation terminal, or is traced from the leaf corresponding to the revocation terminal to the upper layer. Therefore, it can be said that an invalid node is a node whose corresponding invalidation information has a value other than "0000".

Here, a node “reached” from a specific node is a node that is assumed to have a chain between nodes having a relationship between a parent node and a child node. A node connected by one or a plurality of chains in either one of the upper layer direction and the lower layer direction. Therefore, in the tree structure, the lower layer node that is reached by passing through one or more chains from the upper layer node toward the lower layer all the way is the node that reaches the upper layer node, and conversely the upper layer node. Is a node that is reached from the node below it. For example, you can reach the root from any leaf,
You can reach either leaf from the root, but not from one leaf to another.

Before the decryption key held by the decryption device is exposed, there is no revocation terminal, so the revocation information for all nodes takes the value "0000". 6 and 7 are diagrams showing examples of route invalidation information. The example of FIG. 6 shows that the invalidation information of the root is “0000” when all the child nodes of the root are not invalid nodes.

In the example of FIG. 7, an invalid node is indicated by an X mark, and when only the child nodes of the root having a relative number of 1 are invalid nodes, the invalidation information of the route is "1000". It has become. Next, the key assigned to each node will be described. The key information generation unit 302 separately assigns a pair of an encryption key and a decryption key corresponding to the encryption key to each node. Note that a leaf is assigned a unique set of keys for each decryption device, and nodes other than the leaf are assigned a plurality of sets of keys as described below.

FIG. 8 is a diagram showing the keys assigned to the nodes of the level 0 and level 1 hierarchies of the quadtree tree structure. In the figure, 0-1K0000, 0-1K00
01 and the like are a collective representation of the encryption key and the corresponding decryption key. In the data protection system 100, it is possible to determine in advance whether the encryption key and the decryption key have different values or the same value. When adopting a method that takes separate values, for example, 0-1K0
The decryption key represented by 000 and the encryption key represented by 0-1K0000 have different values, and when the data protection system 100 adopts a method in which the encryption key and the decryption key have the same value. For example, the encryption key and the decryption key represented by 0-1K0000 have the same value.

Hereinafter, the expression that a decryption key is assigned to each node or the expression that an encryption key is assigned to each node is used, but in reality, the decryption key and the encryption key are different. When adopting the method that takes a value, the decryption key and the corresponding encryption key are assigned to each node, and when adopting the method that the decryption key and the encryption key take the same value, the decryption A key that is both a key and an encryption key is assigned to each node. As a result, the decryption key or the like assigned in the key information is set. The encryption key and the decryption key are
For example, it is 64-bit data.

As shown in FIG. 8, eleven decryption keys are assigned to the nodes other than the leaf. Here, the invalidation information about a certain node can be “0”.
Of the values such as 000 ”and“ 1000 ”, the number of“ 1 ”is n
A value that is less than (n-1) in the case of a tree structure of a branch tree is called an invalidation pattern. Therefore, the invalidation pattern in the quadtree is "0000", "0001", "0010", "00" where the number of "1" is less than 3.
11 "," 0100 "," 0101 "," 011 "
There are 11 types of 0 ”,“ 1000 ”,“ 1001 ”,“ 1010 ”, and“ 1100 ”, and 11 decryption keys for all invalidation patterns are assigned to each node other than the leaf.

Here, the key for the node of the relative number B of the level A and the invalidation pattern of X is expressed as "A-BKX". Therefore, "0-1K
“0000” indicates that the invalidation pattern for the node with the relative number 1 of level 0 is the decryption key or the like corresponding to “0000”. FIG. 9 is a diagram showing the configuration of the key information stored in the key information storage unit 301.

As shown in the figure, the key information 500 is information in which, for each node, the node ID 501 of the node, the invalidation pattern 502, the key 503, and the invalidation information 504 are associated. The node ID 501 is an ID indicating the level indicating the location of the node in the tree structure and the relative number. For example, the node ID of the node having the relative number B of level A is expressed as “AB”.

The invalidation pattern 502 is a value in which the number of "1" s among the possible values of the invalidation information is less than 3 as described above. The key 503 is a decryption key and an encryption key assigned to the node indicated by the corresponding node ID. The invalidation information 504 is invalidation information about the node indicated by the corresponding node ID, and the initial value is “00”.
00 ".

There is no invalidation pattern corresponding to the leaf in the key information, and the key 503 for the leaf is a set of decryption key and encryption key. <Key Assignment Process> Hereinafter, after the key information generation unit 302 in the key setting system 104 stores the key information in the key information storage unit 301, the decryption key determination unit 305 sets the decryption key in each of the decryption devices 103a to 103n. A key assignment process performed to determine a power decryption key, that is, to assign a plurality of decryption keys to each decryption device will be described.

FIG. 10 is a flowchart showing the key assignment process executed by the decryption key determination unit 305. The decryption key determination unit 305 first assigns the decryption device in the decryption device (terminal) to which the relative number 1 of the leaf in the tree structure of the quadtree is associated (step S11), and corresponds to the assignment target terminal. Focusing on the leaf, that is, the node in the lowest layer, one decryption key assigned to the node (target node) is specified (step S12). Note that focusing on a node specifically means, for example, storing the address in the storage area of the information about the node in the key information in a variable for internal processing or the like.

Next, the decryption key determination unit 305 stores in the key information storage unit 301 a node (parent node) one layer higher than the focused node, which indicates that the focused node is valid, that is, is not an invalid node. All the decryption keys corresponding to the invalidation pattern defined in the stored key information are specified, and the parent node is newly set as the target node (step S13).

Following step S13, the decryption key determination unit 3
05 determines whether the current focused node is the root (step S14), and if it is not the root, repeats the processing of step S13 until the current focused node becomes the root. If the current node of interest is the root in step S14, the decryption key determination unit 305 determines all the keys identified in steps S12 and S13 for the allocation target terminal as the decryption keys to be set (step S1).
5) It is determined whether or not the allocation target terminal is the last terminal, that is, whether or not it is the decoding device associated with the leaf having the largest relative number (step S16). If the key allotment process is completed.

If it is determined in step S16 that the allocation target terminal is not the last terminal, the decryption key determination unit 305 determines the leaf next to the current allocation target terminal, that is, the leaf corresponding to the current allocation target terminal. Relative number than 1
The decoding device associated with the larger leaf is newly set as the allocation target terminal (step S17), and the process of step S12 is performed.

By such a key assignment process, a decryption key group to be set for each decryption device is determined, and upon receipt of this, each decryption device holds the determined decryption key group. To be done. FIG. 11 shows a group of decryption keys 905 determined by the key allotment process as being assigned to the decryption device (terminal 1) corresponding to the leaf of relative number 1 in level 3 when there are only 64 decryption devices. FIG.

3-1K in the figure represents a decryption key uniquely assigned to the leaf 904 of relative number 1 in level 3. Assuming that there are only 64 decoding devices, as shown in FIG. Of the decryption keys assigned to the node 903 having the relative number 1 of the level 2 which is the parent node on the 1st layer, the decryption key corresponding to the invalidation pattern indicating that the first child node is not the invalid node, that is, " 0000 "," 0001 "," 001 "
Seven decryption keys 2-1K0000, 2-1K0001, 2 corresponding to seven invalidation patterns of 0 "," 0011 "," 0100 "," 0101 "and" 0110 ".
-1K0010, 2-1K0011, 2-1K010
Of the decryption keys assigned to 0, 2-1K0101 and 2-1K0110, and the node 902 of the relative number 1 of level 1 which is the parent node on the further upper layer,
Seven decryption keys 1-1K0000, 1 corresponding to the invalidation pattern indicating that the first child node is not an invalid node
-1K0001, 1-1K0010, 1-1K001
1, 1-1K0100, 1-1K0101, and 1-1K
0110 and an invalidation pattern indicating that the first child node of the decryption key assigned to the node of relative number 1 of level 0, that is, the parent node on the first layer, that is, the root 901 is not an invalid node. Corresponding seven decryption keys 0-1K0000, 0-1K0001, 0-1
K0010, 0-1K0011, 0-1K0100, 0
A total of 22 decryption keys of -1K0101 and 0-1K0110 are assigned.

Therefore, in this case, the assigned 22 decryption keys are stored in the decryption key group storage unit 212 of the terminal 1.
For example, it is stored in the manufacturing process of the terminal 1. The invalidation pattern corresponding to each node other than the leaf is "1" if the child node of the node is an invalid node and "0" if it is a valid node that is not an invalid node.
Is the information that is linked in ascending order of the relative number in the child node level, and assigning the decryption key to the invalidation pattern can be achieved from all the child nodes indicated as valid nodes in the invalidation pattern. This is equivalent to assigning a decryption key to a terminal set having all terminals corresponding to leaves as elements. Therefore, each terminal is assigned the decryption key unique to that terminal and the decryption key assigned to all the terminal sets including the terminal.

<Specification of Encryption Key> Key Setting System 104
In a state where there is no revocation terminal, that is, a state where no decryption key is exposed, the encryption key identifying unit 306 of the above responds to the encryption key 0-1K0000 assigned to the root, that is, the decryption key 0-1K0000. The encryption key to be set is specified as the encryption key to be set in the encryption key group storage unit 203 of the encryption device 101.

On the other hand, the encryption apparatus 101 receives the specified encryption key and the key specifying information for specifying the decryption key 0-1K0000 assigned to the root of the tree structure from the key setting system 104. By doing
It is stored in the encryption key group storage unit 203. Optical disc 1
When recording content in 02, the encryption device 10
1 is an encryption obtained by encrypting the content key generated from the random number generation unit 202 in the key encryption unit 204 using the encryption key stored in the encryption key group storage unit 203. The content key is associated with the key identification information, recorded on the optical disc 102 by the output unit 102, and the content storage unit 20 is recorded using the content key.
1 stores the content stored in the content encryption unit 2
At 05, the encrypted content obtained by the encryption is recorded on the optical disc 102 by the output unit 102.

The revocation information updating process executed by the key information updating unit 304 in the key setting system 104 will be described below. When the invalidation terminal is identified by the invalidation terminal identification unit 303, the key information update unit 304 determines, among the key information stored in the key information storage unit 301, a tree structure of a quadtree corresponding to the invalidation terminal. After setting the invalidation information for the leaf in “1111” to indicate that the leaf is an invalid node, the invalidation information update process for updating the invalidation information corresponding to each node in the key information is executed. To do.

FIG. 12 is a flowchart showing the revocation information updating process executed by the key information updating unit 304. First, the key information updating unit 304 focuses on the layer one layer above the lowest layer in the tree structure of the quadtree (step S2).
1). That is, if the lowest layer is level D, focus is on the layer of level (D-1).

Subsequently, the key information updating unit 304 sequentially focuses on each node of the layer of interest (layer of interest) in ascending order of relative number, and regards four child nodes of the node of interest (node of interest). The invalidation information about the focused node is updated so as to match the combination pattern of invalid nodes in step S22. For example, in order of the four child nodes of the node of interest having the smallest relative numbers, “invalid node”,
In the case of “not an invalid node”, “not an invalid node”, or “not an invalid node”, the invalidation information for the focused node is “1000”.

After step S22, the key information updating unit 30
4 determines whether the current focused layer is the top layer, that is, the layer of level 0 (step S23), and if it is not the top layer,
Focusing on the layer immediately above the layer of interest (step S24), the process of step S22 is performed. The key information updating unit 304 repeats steps S22 to S24 until the current focused layer becomes the uppermost layer in the determination of step S23, and is invalid if the current focused layer becomes the highest layer in the determination of step S23. The conversion information update processing ends.

As a result, in the tree structure of the quadtree, the invalidation information about all the nodes that can be reached from the leaf corresponding to the invalidation terminal to the upper layer is "000".
It takes a value other than 0 ". Next, the key setting system 1
04, the revocation terminal identification unit 303 identifies the revocation terminal, and the key information update unit 304 updates the revocation information in the key information, and then the encryption key identification unit 306 performs the encryption of the encryption device 101. A key specifying process performed to specify the encryption key group to be set in the key group storage unit 203 will be described.

FIG. 13 is a flow chart showing the key specifying process executed by the encryption key specifying unit 306. First, the encryption key identifying unit 306 focuses on the node at the highest layer in the tree structure of the quadtree, that is, the root (step S
31). Subsequently, the encryption key identifying unit 306 refers to the key information stored in the key information storage unit 301 for the node of interest (the node of interest), and invalidates the node that is in agreement with the invalidation information of the node of interest. It is determined whether or not the pattern exists (step S32), and if the invalidation pattern exists, the encryption key corresponding to the invalidation pattern of the node of interest should be set in the encryption device 101. Only when it is specified as a key (step S33) and it is determined that the layer one layer below the node of interest is not the lowest layer in the tree structure (step S34), if an invalid node exists among the child nodes of the node of interest. All the invalid nodes are set as the target node of interest (step S35).

If it is determined in step S32 that there is no invalidation pattern that matches the invalidation information, the encryption key identification unit 306 determines whether the layer to which the child node of the target node belongs is the lowest layer in the tree structure. It is determined whether or not (step S36), and if the layer to which the child node of the focused node belongs is the lowest layer, the encryption key assigned to a child node of the focused node other than the leaf corresponding to the invalidation terminal. Is specified as the encryption key to be set in the encryption device 101 (step S37).

When it is determined in step S36 that the layer to which the child node of the focused node belongs is not the lowest layer, the encryption key identifying unit 306 determines all the child nodes of the focused node as the focused scheduled node (step S38). After steps S35, S37, S38, or step S
After determining in 34 that the layer one layer below the node of interest is the lowest layer, the encryption key identifying unit 306 determines whether or not there is a node of interest that has not been focused (step S39). If there is a target node of interest that has not yet been focused, one of the unfocused target nodes of interest is newly focused (step S40), and the process returns to the determination process of step S32.

If it is determined in step S39 that there is no target node to be focused, the encryption key identifying unit 306 ends the key identifying process.
As a result, all the encryption keys specified in step S33 or S37 are output from the encryption key specifying unit 306 together with the key specifying information and stored in the encryption key group storage unit 203 of the encryption device 101. Become.

FIG. 14 is a diagram showing an encryption key and the like in the state where there is no invalidation terminal, assuming that there are only 64 decryption devices. In this case, the encryption device 1
The encryption key stored in the encryption key group storage unit 203 of No. 01, which is used to encrypt the content key when recording the content on the optical disc 102, is the encryption key 0-1K0000. , That is, 0-1K00
This is one encryption key corresponding to the decryption key represented by 00.

FIG. 15 is a diagram showing an encryption key and the like when terminal 1 is an invalidation terminal, assuming that there are only 64 decryption devices. If only terminal 1 is a revocation terminal, as a result of the revocation information update processing described above,
Regarding the key information stored in the key information storage unit 301, the revocation information of the node 1103 with the relative number 1 in the layer of level 2 is “1000”, and the invalidation information of the node 1102 with the relative number 1 in the layer of level 1 is The invalidation information is "1000", and the invalidation information of the root 1101 of the level 0 layer is "
It becomes 1000 ".

Given this, the specific processing contents of the above-described key identification processing (see FIG. 13) will be described below based on the example of FIG. First, the encryption key identification unit 306
Pays attention to the highest layer node, that is, the route 1101 (step S31). Then, the encryption key identification unit 306
Regarding the node of interest (node of interest), referring to the key information stored in the key information storage unit 301, the invalidation information “1000” of the node 1101 is the 11 types of invalidation patterns described above. (Step S32), the encryption key 0-1K1000 corresponding to the revocation pattern is specified as the encryption key to be set in the encryption device 101 (step S33), and the first layer of the node of interest is identified. Since the lower layer is the layer of level 1 and is not the lowest layer (step S34), the node 1102 which is an invalid node existing among the child nodes of the focused node is set as the focused node (step S35).

After step S35, the encryption key specifying unit 30
In node 6, since node 1102 exists as a node to be focused, which has not yet been focused (step S39), node 1
102 as a new node of interest (step S40),
It returns to the determination process of step S32. Subsequently, the encryption key identifying unit 306, for the node of interest, the key information storage unit 301
Node 110 by referring to the key information stored in
The invalidation information “1000” of No. 2 matches one of the 11 types of invalidation patterns described above (step S
32), the encryption key 1-1 corresponding to the invalidation pattern
K1000 is specified as the encryption key to be set in the encryption device 101 (step S33), and the layer one layer below the node of interest is the layer of level 2 and not the lowest layer (step S34). The node 1103, which is an invalid node existing in the child nodes of, is set as the focused node (step S35).

After step S35, the encryption key specifying unit 30
In node 6, node 1103 exists as a node to be focused that has not been focused (step S39).
103 as a new node of interest (step S40),
It returns to the determination process of step S32. Subsequently, the encryption key identifying unit 306, for the node of interest, the key information storage unit 301
Node 110 by referring to the key information stored in
Since the invalidation information “1000” of No. 3 matches one of the 11 types of invalidation patterns described above (step S
32), the encryption key 2-1 corresponding to the invalidation pattern
K1000 is specified as the encryption key to be set in the encryption device 101 (step S33), and the layer one layer below the node of interest is the level 3 layer and the lowest layer (step S34), so step S35. Is skipped, and there is no scheduled node to be focused on yet (step S39), the key identification processing is ended.

As a result of the key identification processing, the encryption key group stored in the encryption key group storage unit 203 of the encryption device 101 is used for encrypting the content key when recording the content on the optical disc 102. The encryption key groups to be generated are the encryption keys 0-1K1000 and 1-, respectively.
It becomes 1K1000 and 2-1K1000. The encryption key identification unit 306 has key information 500 (see FIG. 9) corresponding to each of the encryption keys identified by the key identification processing described above.
The key identification information is created and output from the node ID, the invalidation pattern, etc. in the inside, and this key identification information is stored in the encryption key group storage unit 203 of the encryption device 101.
Thus, the contents and the like are recorded on the optical disc 102.

FIG. 16 is a diagram showing an example of key identification information corresponding to the encryption key shown in FIG. In the example of the figure, the key identification information is configured by combining the character string that is the node ID in the key information 500, the character "K", and the character string of the invalidation pattern. Note that the output unit 206 of the encryption device 101, when recording the key identification information shown in FIG. 16 on the optical disc, the encryption key 0-1K10 on the optical disc.
Encrypted content key generated by encryption using 00, encrypted content key generated by encryption using encryption key 1-1K1000, and encryption key 2-1K1
The encrypted content key generated by the encryption using 000 is recorded in such a manner that this order can be identified.

<Decryption of Encrypted Content> FIG. 15 below
From the optical disc 102 on which each encrypted content key generated by encryption using each encryption key shown in FIG. 6, encrypted content, and the key identification information shown in FIG. A specific procedure of decoding and reproducing will be described. The decoding device 103n
The decryption device 103a has the same configuration as that of the decryption device 103a, and only the contents of the decryption key group storage unit 212 are different.
Each unit of 3n will be described using the reference numerals in FIG.

Decryption key selection unit 213 of the decryption device 103n
Reads out the key identification information from the optical disc 102 via the acquisition unit 211, and indicates the correspondence between each decryption key held in the decryption key group storage unit 212 and the node, for example, each decryption in the key information 500. By collating the information, which is the node ID and invalidation pattern corresponding to the key, with the key identification information, the encryption key identified by the key identification information and the same invalidation pattern for the same node are dealt with. A decryption key, that is, a decryption key corresponding to the encryption key is selected, and the decryption key is extracted from the decryption key group storage unit 212 and given to the key decryption unit 214. In response to this, the key decryption unit 214
The encrypted content key encrypted with the encryption key acquired via the acquisition unit 211 is decrypted with the decryption key. By such a procedure, for example, the decoding device 103
n decryption key group storage unit 212, the decryption key 0-1K1000
16 is included, the decryption apparatus 103n determines that the key identification information shown in FIG.
The content key encrypted with the encryption key 0-1K1000 is decrypted with the decryption key 0-1K1000 to obtain the content key.

After obtaining the content key, the decryption device 10
3n uses the content key in the content decryption unit 215 to decrypt the encrypted content acquired via the acquisition unit 211 to obtain the content, and the reproduction unit 21.
At 6, the content is played. If the terminal 1 in FIG. 15 is the decoding device 103a,
The decryption device 103a holds only the 22 decryption keys shown in FIG.
Since no decryption key of 00 or 2-1K1000 is held, it is possible to correctly decrypt each encrypted content key generated by encryption using each encryption key shown in FIG. 15 and recorded on the optical disc 102. Therefore, the encrypted content recorded on the optical disc 102 cannot be correctly decrypted, and the content cannot be reproduced.

<Discussion> In the data protection system 100,
When the number of decoding apparatus was about one billion (≒ 4 ¹⁵ units), the tree structure of the quadtree consisting hierarchy from level 0 to level 15 has to be built. In this case, assuming that one decryption device is the invalidation terminal, in the key identification processing by the encryption key identification unit 306, it exists on the route from the leaf corresponding to the one invalidation terminal to the root. However, the encryption key corresponding to one invalidation pattern for each of all 15 nodes excluding the leaf is specified, and as a result, the encryption key for encrypting the content key is 15 in the encryption device 101. Encryption keys will be used. At this time, the encrypted content, the 15 encrypted content keys, and the key identification information are recorded on the optical disc 102.

[0091] For example, if the decoding device of about 16,000 units in the approximately one billion of the decoding device (≒ 4 ⁷ units) and invalidated terminal was equal to the encrypted content key in the encryption device 101 About 130,107 (4 ⁷
X (15-7) encryption keys will be used. At this time, the encrypted content, about 130,1072 encrypted content keys and key identification information are recorded on the optical disc 102.

One encrypted content key is 64 bits,
That is, if it is 8 bytes (Byte), it is about 130,1072.
The total number of encrypted content keys is about 1 megabyte (MB). Therefore, it can be said that the total data amount of the encrypted content key is a sufficiently small data amount with respect to the capacity of a general optical disc. Hereinafter, the total amount of data of the encrypted content key when encryption is performed using a method other than this embodiment will be examined. (1) All decryption devices are different under the assumption that the encrypted content key is 8 bytes, the number of decryption devices is about 1 billion, and about 16,000 decryption devices are invalidation terminals. One decryption key is held and the content key is encrypted using each encryption key corresponding to the decryption key held by each decryption device other than the invalidation terminal, recorded on the optical disc, and distributed. If this method is adopted, the total number of encrypted content keys to be recorded on the optical disk will be about 999984,000, and the total data amount of the encrypted content will be as large as about 7600 megabytes. Not relevant. (2) Under the same premise, only one decryption key is assigned to each node in the quadtree tree structure in which leaves are associated with each decryption device, and each decryption device is assigned to that decryption device. The decryption key assigned to each of the corresponding leaf and all the nodes that can be reached by tracing from that leaf to the upper layer is held, and traced from one leaf corresponding to the invalidation terminal to the upper layer. A method of encrypting the content key using the encryption key assigned to each node that is not an invalid node among all the child nodes of all reachable nodes (that is, invalid nodes), recording it on the optical disc, and distributing it. If adopted, the level of the lowest layer of the tree structure will be 15, and the total number of encrypted content keys to be recorded on the optical disc will be approximately 393,216.
(4 ⁷ × (15−7) × 3), and the total data amount of the encrypted content is about 3 megabytes, which is considerably larger than that of the data protection system 100 according to the present embodiment. Become. (3) Under the same premise, only one decryption key is assigned to each node in the tree structure of a binary tree in which each decryption device is associated with a leaf, and each decryption device is assigned to that decryption device. The decryption key assigned to each of the corresponding leaf and all the nodes that can be reached by tracing from that leaf to the upper layer is held, and traced from one leaf corresponding to the invalidation terminal to the upper layer. A method of encrypting the content key using the encryption key assigned to each node that is not an invalid node among all the child nodes of all reachable nodes (that is, invalid nodes), recording it on the optical disc, and distributing it. if adopted, the total number of the encrypted content key to be recorded level of the lowest layer 30 next optical disk in the tree structure is about 262 144 pieces (2 ¹⁴ × (30- 4) number), and the total data size of the encrypted content becomes about 2 megabytes than with the data protection system 100 of the present embodiment,
The amount of data is considerably large. <Second Embodiment> Hereinafter, a data protection system according to a second embodiment of the present invention (hereinafter, referred to as "second data protection system").
Say. ) Will be described with reference to the drawings.

The second data protection system is different from the data protection system 100 in that it uses a plurality of tree structures for determining a decryption key and an encryption key.
The second data protection system basically has the same components as those of the data protection system 100 described in the first embodiment (see FIGS.
(See FIG. 3). Therefore, the components of the second data protection system will also be described here using the reference numerals shown in FIGS. Note that, here, the second data protection system will be described focusing on the points different from the data protection system 100, and the description of the same points will be omitted.

The key information generating section 302, the key information updating section 304, and the decryption key determining section 305 in the second data protection system.
The specific operation content of the encryption key identification unit 306 is different from the corresponding units in the data protection system 100, but the basic processing contents (procedures shown in FIGS. 10, 12, and 13) performed by each unit are , Which is almost the same, in the key information storage unit 301 in the second data protection system, in each node other than the lowest layer, 11 shown in FIG.
Eleven sets of decryption keys and encryption keys are associated with the types of invalidation patterns, and one set of decryption keys and encryption keys is stored in association with each node in the lowest layer.

In the key setting system 104 in the second data protection system, the key information generation unit 302
As shown in FIG. 17, four quadtree tree structures are constructed and
Each of all the leaves in one tree structure is decoded by the decoding device 1.
03a to 103n, respectively. Therefore, there are four routes 1301 to 1304, and each decoding device corresponds to any tree-structured leaf.

FIG. 17 is a diagram showing an example of a tree structure of four quadtrees constructed when the number of decoding devices is 64 in the second data protection system according to the second embodiment.
In this case, since the tree structure of four quadtrees is constructed so that there are 64 leaves, the lowest layer is level 2. For example, by the key assignment process of the decryption key determination unit 305 in the second data protection system (see FIG. 10),
It is assigned to the terminal 1 shown in FIG.
The decryption key group to be held in the above is the decryption key 2-1K assigned to the leaf of the relative number 1 of the level 2,
Of the decryption keys assigned to the level 1 relative node 1 that is the parent node of the leaf, the decryption key corresponding to the invalidation pattern indicating that the first child node is not an invalid node, that is, "0000" , "000
1 ”,“ 0010 ”,“ 0011 ”,“ 0100 ”,“
Seven decryption keys 1-1K0000, 1-1K corresponding to the seven invalidation patterns 0101 "and" 0110 "
0001, 1-1K0010, 1-1K0011, 1-
1K0100, 1-1K0101 and 1-1K0110
And the invalidation pattern indicating that the first child node of the decryption key assigned to the node of relative number 1 of level 0, which is the parent node on the first layer, that is, the root 1301, is not an invalid node. 7 decryption keys 0-1K0000, 0-1K0001, 0-1K00
10, 0-1K0011, 0-1K0100, 0-1K
There are a total of 15 decryption keys 0101 and 0-1K0110.

Also, for example, by the decryption key determination unit 305 in the second data protection system, the terminal 1 shown in FIG.
The decryption key assigned to No. 7 and held in the terminal 17 is the decryption key 2-17K assigned to the leaf of the relative number 17 of the level 2 and the relative number of the level 1 which is the parent node of the leaf. Of the decryption keys assigned to the 5th node, the decryption key corresponding to the invalidation pattern indicating that the first child node is not an invalid node, that is, "0000", "0001", "0010", "00"
11 "," 0100 "," 0101 "and" 0110 "
7 decryption keys 1 corresponding to the 7 invalidation patterns
-5K0000, 1-5K0001, 1-5K001
0, 1-5K0011, 1-5K0100, 1-5K0
101 and 1-5K0110, and one of the decryption keys assigned to the node of the relative number 1 of level 0, which is the parent node on the first layer, that is, the root 1302
Seven decryption keys 0-2K0000, 0-corresponding to the invalidation pattern indicating that the th child node is not an invalid node
2K0001, 0-2K0010, 0-2K0011,
0-2K0100, 0-2K0101 and 0-2K01
There are 15 decryption keys in total.

Further, as shown in FIG. 17, in the state where there is no revocation terminal, it is specified by the encryption key specifying unit 306 in the second data protection system (see FIG. 13) and set in the encryption device 101 to the optical disc 102. The encryption keys used when the content key is encrypted and recorded are the encryption keys 0-1K0000, 0-2K0000, 0-3K.
There are four keys, 0000 and 0-4K0000.

FIG. 18 is a diagram showing an encryption key and the like when the terminal 1 is an invalidation terminal in the second data protection system. If only terminal 1 is a revocation terminal, as a result of revocation information update processing (see FIG. 12), the key information stored in the key information storage unit 301 is the node with the relative number 1 in the level 1 layer. The invalidation information of 1405 is "100".
0, the invalidation information of the root 1401 of the level 0 layer becomes “1000”, and should be set in the encryption device 101 by the key identification processing (see FIG. 13) executed by the encryption key identification unit 306. The encryption key specified as the one is the encryption key 0-1K1000, 1-1K100.
0, 0-2K0000, 0-3K0000 and 0-4K
There are five keys, 0000.

The operations of the encryption device 101 and the decryption devices 103a to 103n in the second data protection system are the same as the operations of the corresponding devices in the data protection system 100 shown in the first embodiment. <Third Embodiment> Hereinafter, a data protection system according to a third embodiment of the present invention (hereinafter, referred to as "third data protection system").
Say. ) Will be described with reference to the drawings.

The third data protection system is the same as that of the first embodiment.
The data protection system 100 is basically the same as the data protection system 100, except that the invalidation patterns having different contents from the invalidation patterns shown in 2 and 2 are used. The third data protection system includes basically the same components (see FIGS. 1 to 3) as the data protection system 100 described in the first embodiment. Therefore, here, the components of the third data protection system will also be described using the reference numerals shown in FIGS. Note that, here, the third data protection system will be described focusing on the points different from the data protection system 100, and description of the same points will be omitted.

In the key information storage unit 301 in the third data protection system, for each node other than the lowest layer, five sets of decryption keys and encryption keys are associated with the invalidation pattern, and each node in the lowest layer is associated with each other. A pair of a decryption key and an encryption key are stored in the table in association with each other. However, in the first and second embodiments, in the case where the number of “1” among the possible values “0000”, “1000”, etc. of the invalidation information for a certain node is a tree structure of n-ary tree. The value that is less than (n-1) is referred to as an invalidation pattern, but the invalidation pattern in the third embodiment is the value of "1" among the possible values of the invalidation information for a certain node. Each value will be referred to as less than two.

Therefore, the invalidation pattern is "000.
There are five types of 0 ”,“ 0001 ”,“ 0010 ”,“ 0100 ”, and“ 1000 ”, and the key information generation unit 302 causes each node other than the leaf to encrypt five sets of all invalidation patterns. A key and a decryption key are associated with each other, and a pair of encryption key and decryption key is associated with the leaf, and key information is generated and stored in the key information storage unit 301.

FIG. 19 is a diagram showing a decryption key assigned to each node in the tree structure of the quadtree used in the third embodiment. As shown in the figure, for example, in the route, 0-1K0000, 0-1K0001, 0-1
Five decryption keys K0010, 0-1K0100, and 0-1K1000 are assigned, and 1-1K0000 and 1-1K000 are assigned to the node of relative number 1 in level 1.
1, 1-1K0010, 1-1K0100 and 1-1K
Five decryption keys of 1000 are assigned.

The operation of the third data protection system will be described below by taking the case where there are only 64 decryption devices as an example. FIG. 20 is a diagram showing a decryption key group 1705 assigned to the decryption device (terminal 1) corresponding to the leaf of relative number 1 in level 3 when it is assumed that there are only 64 decryption devices.

20 by the key allotment process (see FIG. 10) of the decryption key determination unit 305 in the third data protection system.
The decryption key group 1705 assigned to the terminal 1 and finally held in the terminal 1 is the decryption key 3 assigned to the leaf 1704 of the relative number 1 of level 3.
-1K and the decryption key corresponding to the invalidation pattern indicating that the first child node of the decryption keys assigned to the node 1703 having the relative number 1 of level 2 which is the parent node of the leaf is not the invalid node That is, "000
Four decryption keys 2-corresponding to four invalidation patterns 0 "," 0001 "," 0010 "and" 0100 "
The first child node of the decryption keys assigned to 1K0000, 2-1K0001, 2-1K0010, and 2-1K0100 and the node 1702 of the relative number 1 of level 1 which is the parent node on the first layer is invalid. Four decryption keys 1-1K0000, 1-1K0001, 1-1K0 corresponding to the invalidation pattern indicating that the node is not a node
010 and 1-1K0100, and one of the decryption keys assigned to the node of the relative number 1 of level 0, which is the parent node on the further upper layer, that is, the root 1701
Four decryption keys 0-1K0000, 0-corresponding to the invalidation pattern indicating that the th child node is not an invalid node
1K0001, 0-1K0010 and 0-1K0100
And 13 decryption keys in total. Therefore, according to the third data protection system, the number of decryption keys held by each terminal can be smaller than in the data protection system 100 shown in the first embodiment.

The decryption key group assigned to each terminal by the decryption key determination unit 305 is stored in the decryption key group storage unit 212 of each terminal in the manufacturing process of each terminal. Less than,
The encryption key required for recording content or the like on the optical disc 102 in the operation stage of the third data protection system will be described. Assuming that there are only 64 decryption devices, when there is no revocation terminal, they are identified by the key identification processing of the encryption key identification unit 306 in the third data protection system, and the encryption key group of the encryption device 101 is identified. The encryption key stored in the storage unit 203 and used for encrypting the content key when recording the content on the optical disc 102 is the encryption key 0-1K000.
0, that is, one encryption key corresponding to the decryption key 0-1K0000.

FIG. 21 is a diagram showing an encryption key and the like when terminal 1, terminal 2 and terminal 17 are invalidation terminals, assuming that there are only 64 decryption devices. The key information in the key information storage unit 301 is updated by the revocation information updating process of the key information updating unit 304 in the third data protection system (see FIG. 12). The invalidation information update processing is performed by the data protection system 10 described in the first embodiment.
This is exactly the same as the content performed by the 0 key information updating unit 304. As a result, regarding the key information stored in the key information storage unit 301, the relative numbers 1 and 2 of the level 3 layer
The invalidation information for the # 17 and # 17 leaves is "111".
1 ”, and node 18 with relative number 1 in the level 2 layer
The invalidation information of 06 becomes "1100", and the invalidation information of the node 1807 having the relative number 5 in the level 2 layer is "10".
00 ", and node 1 with relative number 1 in the level 1 layer
The invalidation information of 802 is “1000”, and the invalidation information of the node 1803 having the relative number 2 in the level 1 layer is “1”.
000 ", the invalidation information of the root 1801 of the level 0 layer becomes" 1100 ", and the invalidation information of other nodes becomes" 0000 ". The corresponding invalidation information is"
The node of "0000" is a valid node, and the other nodes are invalid nodes.

After the revocation information updating process, the encryption key is specified by the key specifying process (see FIG. 13) of the encryption key specifying unit 306. Hereinafter, specific processing contents of the key identification processing based on the example shown in FIG. 21 will be described with reference to FIG. In this example, the lowest layer is level 3.

First, the encryption key identifying unit 306 focuses on the node at the highest layer, that is, the route 1801 (step S
31). Subsequently, the encryption key identification unit 306 refers to the key information stored in the key information storage unit 301 for the node 1801 of interest, and the invalidation information “1100” of the node 1801 is the above-mentioned information. It is determined whether any one of the five types of invalidation patterns that have been matched (step S
32), since it does not match any of them, it is determined whether the layer one layer below the node 1801 of interest is the lowest layer (step S36), and the node 180 of interest is selected.
Since the layer one layer below 1 is the layer of level 1 and is not the lowest layer, all the child nodes of the node 1801 are set as the target node (step S38).

By this step S38, the node 180
2-1805 are the planned nodes of interest. Subsequently, the encryption key identifying unit 306 determines whether or not there is an unfocused planned node of interest (step S39), and there is an unfocused planned node of interest, and therefore one node 1802 is focused on (step S40). Returning to the determination processing of step S32, it is determined by referring to the key information whether the invalidation information "1000" of the focused node 1802 matches any of the above-mentioned five types of invalidation patterns. (Step S3
2), since it matches, the encryption key 1-1K100 corresponding to the invalidation pattern “1000” for the node 1802
0 is specified as the encryption key to be set in the encryption device 101 (step S33), and the layer one layer below the node 1802 of interest is the level 2 layer and not the lowest layer (step S34). , The node 1806, which is an invalid node among the child nodes of the node 1802, is set as a focused node (step S35).

After step S35, the encryption key specifying unit 30
6 determines whether there is an unfocused planned node of interest (step S39), and since there is an unfocused planned node of interest, pays attention to one of them, the node 1806 (step S40), and returns to the determination process of step S32. . Next, the encryption key identifying unit 306 refers to the key information and determines whether the invalidation information "1100" of the node 1806 matches any of the above-mentioned five types of invalidation patterns (step S3).
2) Since it does not match any of the above, it is determined whether the layer one layer below the node 1806 of interest is the lowest layer (step S36), and the layer one layer below the node 1806 is the level. Since it is the third layer and is the lowest layer, the encryption key 3-corresponding to each of the leaves 1808 and 1809 which are valid nodes among the child nodes of the node 1806.
3K and the encryption key 3-4K are specified as the encryption keys to be set in the encryption device 101 (step S37), it is determined whether there is an unfocused planned node (step S39), and the unfocused planned Node 1 which is one because it exists
Focusing on 803 (step S40), the process returns to the determination process of step S32.

Next, the encryption key specifying unit 306 refers to the key information, which is the invalidation information of the node 1803 "100".
It is determined whether 0 "matches any of the above-mentioned five types of invalidation patterns (step S32), and since it matches, the invalidation pattern" 1000 "for the node 1803.
The encryption key 1-2K1000 corresponding to
Specified as an encryption key to be set to 1 (step S3
3), the layer one layer below the node 1803 of interest is the layer of level 2 and is not the lowest layer (step S3).
4), of the child nodes of the node 1803, the node 1807, which is an invalid node, is set as the target scheduled node (step S35).

Subsequently, the encryption key identifying unit 306 determines whether or not there is an unscheduled planned node of interest (step S39),
Since there is an unfocused attention schedule, attention is paid to one of them, the node 1807 (step S40), and step S32
Returning to the determination processing of No. 1, it is determined whether the invalidation information “1000” of the focused node 1807 matches any of the above-mentioned five types of invalidation patterns by referring to the key information (step S32), so the node 18
The encryption key 2-5K1000 corresponding to the invalidation pattern "1000" for 07 is specified as the encryption key to be set in the encryption device 101 (step S33), and the layer one layer below the node 1807 of interest is specified. Is the layer of level 3 and is the lowest layer (step S34), the step S
The process of step 35 is skipped, and it is determined whether there is an unfocused planned node of interest (step S39). Since there is an unfocused planned node of interest, one node 1804 is focused on (step S40), and step S32. Return to the determination process of.

Next, the encryption key specifying unit 306 refers to the key information, and the invalidation information "0000" of the node 1804 of interest matches any one of the above-mentioned five types of invalidation patterns. It is determined (step S32),
Since they match, the encryption key 1-3K0000 corresponding to the invalidation pattern “0000” of the node 1804 is specified as the encryption key to be set in the encryption device 101 (step S33), and the node 1804 of interest 1
Since the layer below the layer is the layer of level 2 and is not the lowest layer (step S34), an invalid node among the child nodes of the node 1804 is to be set as the focused node (step S35). However, since all the child nodes of the node 1804 are valid nodes, a node to be focused on cannot be newly set.

Then, the encryption key identifying unit 306 determines whether or not there is an unscheduled planned node of interest (step S39),
Focusing on the node 1805, which is an unscheduled planned node (step S40), the process returns to the determination process of step S32, the key information is referred to, and the invalidation information “0000” of the focused node 1805 is It is determined whether any of the above-mentioned five types of invalidation patterns matches (step S32), and since they match, the encryption key 1-4K corresponding to the invalidation pattern "0000" for the node 1805.
0000 is specified as the encryption key to be set in the encryption device 101 (step S33), and the node 18 of interest is selected.
Since the layer one layer below 05 is the layer of level 2 and is not the lowest layer (step S34), an invalid node among the child nodes of the node 1805 is to be set as the focused node (step S35). However, since all the child nodes of the node 1805 are valid nodes, a node to be focused on cannot be newly set.

Then, the encryption key identifying unit 306 determines whether or not there is an unscheduled planned node of interest (step S39),
Since there is no unscheduled node of interest yet, the key identification processing ends. As a result of such key identification processing, the encryption keys identified as those to be set in the encryption device 101 are the encryption keys 1-1K1000 and 1-2K100.
0, 1-3K0000, 1-4K0000, 2-5K1
000, 3-3K, and 3-4K.

The seven encryption keys are later stored in the encryption key group storage unit 203 of the encryption device 101 and used by the key encryption unit 204 to encrypt the content key. Also, each encrypted content key generated by encryption using each encryption key is used by the output unit 206 to specify the decryption key corresponding to each encryption key and the key identification information and the encryption. It is recorded on the optical disc 102 together with the encoded content.

As a result of assigning the decryption key to each terminal by the decryption key determination unit 305, any decryption key corresponding to the seven encryption keys is the terminal 1, the terminal 2, or the terminal 7.
In addition, any one or more of the decryption keys corresponding to the seven encryption keys are held in other terminals. Therefore, after the content is recorded on the optical disc 102 by the encryption process using the seven encryption keys, it is recorded on the optical disc 102 using the decryption keys exposed from the terminals 1, 2, and 7. The decrypting process of the content cannot be performed normally, and the decrypting process of the content recorded on the optical disc 102 can be performed normally by other terminals. <Fourth Embodiment> Hereinafter, a data protection system according to a fourth embodiment of the present invention (hereinafter, referred to as “fourth data protection system”).
Say. ) Will be described with reference to the drawings.

In the data protection system 100 shown in the first embodiment, the optical disc 102 for the encryption device 101 to record the encrypted content and distribute it to each of the decryption devices 103a to 103n is a DVD-ROM or the like. However, the fourth data protection system is the optical disc 10
This is an embodiment on the premise of only a recordable medium in the case where the item 2 is divided into a so-called pre-recorded medium such as a DVD-ROM and a so-called recordable medium such as a DVD-RAM.

That is, the fourth data protection system records certain information on the optical disc 102 which is a recordable medium on the system side, and the user encrypts arbitrary contents on the optical disc 102 by the terminal. It is a system in which the optical disc 102 can be distributed and recorded and the user can decrypt and use the content recorded on the optical disc 102 at the same or another terminal. Note that, here, the fourth data protection system will be described focusing on the points different from the data protection system 100, and description of the same points will be omitted.

FIG. 22 is a schematic block diagram of a fourth data protection system according to the fourth embodiment of the present invention. As shown in the figure, the fourth data protection system includes a key identification information recording device 1501 and a plurality of user data encryption devices (terminals) 1.
502a to 1502n, a plurality of decoding devices (terminals) 103
a to 103n and a key setting system 104. For example, the key setting system 104 and the key identification information recording device 15
01 is operated by an organization that manages copyright protection, and each terminal is assumed to be used by general users.

The decryption devices 103a to 103n are the same as those shown in the first embodiment, and all or some of the user data encryption devices 1502a to 1502n are all or some of the decryption devices 103a to 103n. It may be implemented in the same terminal as. Further, the key setting system 104 in the fourth data protection system is basically the same as that shown in the first embodiment, but there are some function additions. That is, the key setting system 104 in the fourth data protection system presupposes the construction of a quad-tree tree structure in which each terminal is associated with a leaf in advance, and the key assignment processing shown in FIG. At this time, when the allocation target terminal is a decryption device, a decryption key group is allocated, and when the allocation target terminal is a user data encryption device, an encryption key group corresponding to the decryption key group is allocated. And The key setting system 104 generates and outputs information indicating the correspondence between the key assigned to each terminal and the node in the tree structure.

In the fourth embodiment, for the sake of convenience, it is assumed that the user data encryption devices 1502a to 1502n are installed in the same terminals as the decryption devices 103a to 103n, respectively, and the corresponding encryption key and The decryption key will be described as having the same value. Therefore, the key setting system includes a key group that is a decryption key group and an encryption key group that are assigned to each terminal in advance by the key setting system 104, and information indicating the correspondence between each key and the node in the tree structure. It is acquired from 104 and held.

Further, the key setting system 104 in the fourth data protection system further includes one or a plurality of keys specified as a result of the revocation information updating process (see FIG. 12) and the key specifying process (see FIG. 13) in the operation stage. It has a function of outputting the key identification information (see FIG. 16) indicating the encryption key to the key identification information recording device 1501. For example, when there is no revocation terminal, the key identification information is "0-1K000.
Only "0".

The key specifying information recording device 1501 includes hardware capable of recording data on the optical disk, and stores the key specifying information input from the key setting system 104 in the optical disk 1.
02 is a device having a recording function. Further, each of the user data encryption devices 1502a to 1502n
It has functions corresponding to the respective functions of the encryption device 101 (see FIG. 2) shown in the first embodiment. However, the user can freely store digital content in the content storage unit 201, and the content of the encryption key group storage unit 203 is the encryption stored in the terminal obtained from the key setting system 104 described above. The key group and the information indicating the correspondence between each encryption key and the node in the tree structure, and the encryption key used by the key encryption unit 204 to encrypt the content key acquired from the random number generation unit 202 will be described later. It is selected as a result of the encryption key selection process, and the output unit 206 records the encrypted content and the encrypted content key on the optical disc 102 without recording the key identification information on the optical disc 102.

Also, the user data encryption device 1502a
Each of 1502n to 1502n further has a function of reading the key identification information recorded by the key identification information recording device 1501 from the optical disc 102 and performing an encryption key selection process of selecting an encryption key used for encryption of the content key. In this encryption key selection processing, the information indicating the correspondence between each encryption key in the encryption key group storage unit 203 and the node is compared with the key identification information, and if there is the content indicating the same node, both This is a process of selecting an encryption key corresponding to a node and transmitting it to the key encryption unit 204. The decryption device 10 shown in the first embodiment
This is the same process as the process of selecting the decryption key in the decryption key selection unit 213 in 3a.

That is, the user data encryption device 1502a
˜1502n, in the case of recording the content on the optical disc 102 by encrypting the content with the content key,
The optical disk 102 is a device having a function of encrypting a content key using an encryption key according to key identification information recorded in advance and recording the content key on the optical disk 102. Therefore, according to the fourth data protection system, in a large number of terminals other than the terminals in which the decryption key or the like has been exposed due to unauthorized analysis, the decryption key cannot be correctly decrypted and is exposed. The content can be encrypted and recorded on the optical disc 102 so that it can be correctly decrypted and used by many terminals having no decryption key. <Supplement> The data protection system according to the present invention has been described above based on the first to fourth embodiments, but it goes without saying that the present invention is not limited to these embodiments. That is, (1) Although the contents shown in the first to fourth embodiments are video, audio, etc., the contents are not limited to these, and even if they are programs and other data, And a video or the like may be combined. (2) Although the decoding device shown in the first to fourth embodiments is provided with the reproducing unit 216 that reproduces the decrypted content, instead of having the function of outputting the decrypted content to the outside of the device. Good. (3) In Embodiments 1 to 3, the encrypted content or the like is recorded on the optical disc 102 and distributed to each decryption device. However, as an embodiment of distributing the encrypted content or the like to each decryption device, a recording medium is used. In addition to the distribution by, the distribution may be performed via a wireless or wired transmission path.

In the case of adopting the form of distributing the encrypted content etc., the output unit 206 of the encryption apparatus 101 is used.
Shall have hardware having a communication function,
It is necessary to transmit the encrypted content, the encrypted content key, and the key identification information to each decryption device (terminal), and the acquisition unit 211 of the decryption device 103a and the like includes hardware having a communication function. It is necessary to receive and acquire the encrypted content, the encrypted content key, and the key identification information. As a distribution method, for example, the encryption device 101 may be recorded on a recording medium in a server connected to the Internet, and the decryption device 103a or the like may receive the content of the recording medium via the Internet.

The recording medium in the case of adopting the mode of recording and distributing the encrypted content or the like on the recording medium is not limited to the optical disc, but may be an IC card, a flexible disc, a magnetic tape, a ROM or the like. Good. (4) The method of defining the invalidation pattern corresponding to each node in the key information shown in the first embodiment is merely an example, and each node other than the root does not have the invalidation pattern of “0000”, for example. , Each node other than leaf is "0111", "1101", "1011", "
Since the invalidation pattern "1110" is provided, the contents of the key allotment process (see FIG. 10) and the key identification process (see FIG. 13) may be slightly changed accordingly.

In the first embodiment and the like, the invalidation pattern and the like are defined on the assumption that the quadtree tree structure is constructed. A tree structure including at least a part, that is, a tree structure in which one node in at least one layer is a parent node of three or more child nodes, may be a ternary tree or a quintile tree. Alternatively, a tree structure in which a ternary tree or a quadtree is different in each layer may be used.

In the first embodiment, the invalidation pattern for each node in the tree structure of the quadtree is 3 when the number of "1" is 3.
However, in the third embodiment, it is 4
The invalidation pattern for each node of the tree structure of the branch tree is limited to those in which the number of "1" is less than 2. For example, the invalidation pattern for each node of the tree structure of the 5-branch tree is "1". May be limited to less than 2, less than 3, or less than 4. (5) Decoding devices 103a to 103 shown in the first to fourth embodiments
03n related to decryption and user data encryption devices 1502a to 1502n described in the fourth embodiment.
It is desirable that each unit related to the encryption in (1) is configured so that the method and data used for decryption or encryption are protected by a so-called tamper resistant technique. (6) In the first embodiment and the like, the key setting system outputs the decryption key when determining the decryption key to be assigned to each terminal, and the information indicating the node in the tree structure corresponding to the decryption key. Although it has been decided that the decryption devices 103a to 103n hold the decryption key group and the information indicating the node corresponding to each decryption key, the decryption device does not necessarily need to retain the information indicating the node corresponding to the decryption key. . When the information indicating the node corresponding to the decryption key is not stored, the decryption device attempts to decrypt the encrypted content key recorded on the optical disc by sequentially using each decryption key held by itself. The key may be decrypted. In this case, the content key should have a rule such that the first 8 bits are 0, or
The authenticity of the decrypted content key should be confirmed using a general digital signature, and the decryption device uses the content key to decrypt the content only when the decrypted content key is legitimate. It may be decrypted. (7) In the first embodiment, the content key, the decryption key, and the encryption key are 64-bits. However, the data size of the key is not limited to 64-bits, and other bits may be used. Good. Note that, in FIG. 16, the key specifying information includes a character string that is a combination of the character string that is the node ID, the character "K", and the character string of the invalidation pattern, but the format of the key specifying information is It is not limited to this. (8) In Embodiments 1 to 4, the content key used for content encryption is the target of encryption using the encryption key represented by 0-1K0000 or the like, but the target of encryption is: The data is not limited to the content key, and may be any data requiring confidentiality. (9) Key setting system 104 shown in the first to fourth embodiments
A computer program for causing a computer or a device having a program execution function to execute the revocation information updating process, the key allotment process, or the key identification process (the procedure shown in FIG. 10, FIG. 12, or FIG. 13) in the recording medium. It can also be recorded or distributed and distributed via various communication channels. Such recording media include IC cards, optical disks, flexible disks, ROMs and the like. Distribution,
The distributed computer program is provided for use by being installed in a computer or the like, and the computer or the like executes the computer program to execute the revocation information updating process, the key allotment process, or the key as shown in the first to fourth embodiments. Perform specific processing.

[0133]

As is apparent from the above description,
The data protection system according to the present invention includes three or more terminals,
A data protection system, comprising an encryption device and an encryption key specifying device, for encrypting and distributing data for distribution to each terminal by the encryption device, wherein each terminal is individually allocated by a predetermined key allocation method. Stored in the decryption key group,
The encrypted distribution data group output from the encryption device is acquired, and the encrypted distribution data is decrypted using the stored decryption key.
(a) A plurality of terminal sets each including the same one or more terminals as elements so that each of the terminals belongs to at least one of the terminal sets which is a set including two or more terminals as elements. Therefore, there is such a plurality of terminal sets that the relationship that any one of the plurality of terminal sets is not a subset of each of the other terminal sets in the plurality of terminal sets is present. Determining one or more terminal sets, (b) defining a separate decryption key for each terminal and for each determined terminal set, (c) for each terminal, corresponding to that terminal A method of allocating all of a decryption key and a decryption key defined corresponding to each of all terminal sets including the terminal, wherein the encryption key identifying device is a device that identifies the encryption key, and Disable to identify one or more devices as disabled devices In the case where the terminal identification means and the decryption keys other than the decryption key assigned to the invalidation terminal among all the decryption keys assigned to the terminal by the predetermined key assignment method are defined as the valid decryption keys, the selected valid decryption When it is assumed that the procedure of selecting a valid decryption key assigned to the most terminals to which no key is assigned is repeated until there is no terminal to which a selected valid decryption key is not assigned, As a result, a device having an encryption key specifying means for specifying an encryption key corresponding to each valid decryption key that has been selected, wherein the encryption device is specified by the encryption key specifying device. It is characterized by having an encryption means for encrypting the distribution data by sequentially using all the encryption keys, and generating and outputting the encrypted distribution data group.

Here, the distribution data is data which is supposed to be recorded in a recording medium and distributed, or distributed through a wired or wireless communication path, and finally reach each terminal. Assuming terminal 1, terminal 2, and terminal 3,
In the terminal set determined by the above-mentioned predetermined key allotment method,
Set A of terminal 1 and terminal 2, set B of terminal 1 and terminal 3
There is a pair C of the terminal 2 and the terminal 3, and the decryption key stored and held by the terminal 1 in response to the assignment result by the predetermined key assignment method is the decryption key unique to the terminal 1 and the decryption key A corresponding to the pair A.
The decryption key B corresponding to the set B, and the decryption keys stored and held by the terminal 2 are the decryption key unique to the terminal 2, the decryption key A corresponding to the set A, and the decryption key C corresponding to the set C. The decryption keys stored and held by the terminal 3 are the decryption key unique to the terminal 3, the decryption key B corresponding to the set B, and the decryption key C corresponding to the set C. In this example, when the terminal 2 is illegally analyzed and all the decryption keys stored and held by the terminal 2 are exposed, the terminal 2 is specified as the invalidation terminal, that is, the terminal to be invalidated, When the encryption key is specified by the encryption key specifying means, the encryption key corresponding to the decryption key B is specified.

Therefore, if the data is encrypted by using the encryption key corresponding to the decryption key B and distributed to each terminal, the data cannot be correctly decrypted at the terminal 2 and correctly at the terminals 1 and 3. The data can be decrypted. For the same purpose, data can be encrypted and distributed to each terminal by using an encryption key corresponding to the decryption key unique to the terminal 1 and an encryption key corresponding to the decryption key unique to the terminal 3, respectively. Compared with this method, the method using the encryption key corresponding to the above-mentioned decryption key B has the effect that the number of encryption keys used for encryption is small, and the amount of encrypted data distributed correspondingly is small. Have.

That is, according to the present invention, in a data protection system for encrypting data such as a key necessary for decrypting encrypted digital contents and distributing the same data to a plurality of terminals, the encrypted data to be distributed is When the decryption key held by a particular terminal is exposed by an illicit person due to analysis of the particular terminal, etc., while suppressing the increase in volume, the particular terminal cannot correctly decrypt the data and other terminals Then, it becomes possible to correctly decode the data.

The predetermined key allotment method further includes a plurality of terminal sets such that there exists a terminal set that completely includes the plurality of terminal sets and each of the terminal sets includes the same one or more terminal sets. Then, there is a plurality of terminal sets such that there is a relationship that any one of the plurality of terminal sets is not a subset of each of the other terminal sets in the plurality of terminal sets. It is good also as being the method of performing the said determination.

For example, when the decryption key AB is associated with the terminal set AB including the terminal set A and the terminal set B, and the decryption key BC is associated with the terminal set BC including the terminal set B and the terminal set C. As for the data protection system, in this data protection system, at least a decryption key AB is assigned to and stored in and stored in a terminal that belongs to the terminal set A but not to the terminal set B or the terminal set C, but the decryption key BC is Not stored and stored, and terminal set B or terminal set C
At least the decryption key BC is assigned to the terminal belonging to. Therefore, even after a terminal that belongs to the terminal set A but does not belong to the terminal set B or the terminal set C is illegally analyzed, the data is encrypted using at least the encryption key corresponding to the decryption key BC. By distributing to each terminal, the terminal group included in the terminal set BC, that is, the terminal group included in the terminal set B and the terminal group included in the terminal set C can correctly decrypt the data by using the decryption key BC. This makes it possible to encrypt data so that many terminals can be properly decrypted using a small number of encryption keys.

Further, the above-mentioned predetermined key allotment method is further configured such that each terminal set includes three or more terminals as elements, and that a terminal set including three or more terminal sets exists.
It may be a method of performing the determination of the terminal set. As a result, when the same encrypted data is distributed to each terminal, encryption can be performed using a key that is common to three or more terminals. The amount can be reduced.

Further, the data protection system is the lowest in the case of assuming a tree structure of N-branch trees (N is a natural number of 3 or more) of a plurality of layers in which each terminal is associated with a separate node of the lowest layer. For each node other than the layer, a plurality of combination patterns that include a combination of two or more of the N nodes of the one-stage lower layer that is reached from the node (parent node) and include all N combinations are determined and determined. A separate decryption key is defined for each combination pattern, and each of the defined decryption keys is stored in association with the node (parent node). Further, a separate decryption key is associated with each node in the lowest layer. A stored key storage device and a device for executing the predetermined key allocation method to determine a decryption key group to be allocated to each terminal, and for each terminal, a node in the lowest layer corresponding to the terminal. To top For each node that is not the lowest layer located on the route to the node, the decryption key stored in the key storage device in association with the node is located one layer below the node on the route. A decryption key corresponding to all the combination patterns related to a combination including a node, and a decryption key stored in the key storage device in association with the terminal as the decryption key to be assigned to the terminal. A determining device, wherein each terminal set corresponds to each of the combination patterns in a one-to-one relationship, and all terminals corresponding to nodes in the lowest layer reached from all nodes combined in the corresponding combination pattern are elements. And the encryption key specifying means corresponds to one of the revocation terminals when the tree structure is assumed. All nodes that reach the nodes of the upper layer are defined as invalid nodes, first the uppermost layer node is set as the processing target node, and the encryption key specifying process is repeated until there is no unprocessed processing target node, and the encryption The activation key identification processing is performed for one unprocessed processing target node (a) 1 of the processing target node
When the combination pattern related to the combination including all the nodes other than the invalid node exists in the lower layer of the stage,
The encryption key corresponding to the decryption key stored in the key storage device corresponding to the combination pattern is specified, and (b)
If the combination pattern relating to the combination including all the nodes other than the invalid nodes does not exist in the one-stage lower layer of the processing target node, if the one-stage lower layer is the lowest layer, the one-stage lower layer An encryption key corresponding to the decryption key stored in the key storage device corresponding to all nodes other than the invalid node is specified, and if the one-step lower layer is not the lowest layer, the one-step lower layer All nodes other than invalid nodes are newly set as process target nodes, and (c)
If an invalid node exists in the layer one step lower than the process target node, all invalid nodes may be newly set as the process target node unless the one step layer is the lowest layer.

As described above, the information such as the decryption key is associated with each node in the tree structure, and the decryption key to be assigned to each terminal is determined based on the information and the position of each node in the tree structure. By the method of specifying the encryption key used for encryption of
That is, while suppressing the increase in the amount of encrypted data to be distributed, if a decryption key held by a particular terminal is exposed by an illicit person due to analysis of the particular terminal, etc. It is possible to realize a system that achieves the purpose of not being able to correctly decode data and allowing other terminals to correctly decode data.

Further, the determination of the plurality of combination patterns by the key storage device for each node except the lowest layer when the tree structure is assumed is determined by the one-stage lower layer which is reached from the node (parent node). Of the N nodes, the combination pattern is defined so as to correspond to all combinations formed by combining two or more nodes, and the key storage device defines a separate decryption key for each combination pattern thus determined. The decryption keys thus determined may be stored in association with the node (parent node).

As a result, in the method of specifying the encryption key used for encrypting the data for distribution to each terminal by using the tree structure of the n-ary tree, the number of specified encryption keys is kept small. Therefore, as a result, the data amount of the encrypted distribution data distributed to each terminal can be kept relatively small. Further, the key storage device determines the plurality of combination patterns for each node except the lowest layer in the case of assuming the tree structure, and N of one lower layer that is reached from the node (parent node) is determined. Out of N nodes
This is done by defining combination patterns so as to correspond to all the combinations and all of the (N-1) combinations, and the key storage device defines a separate decryption key for each of the determined combination patterns. Each defined decryption key may be stored in association with the node (parent node).

As a result, in the method of specifying the encryption key used for encrypting the data for distribution to each terminal by using the tree structure of the n-ary tree, the number of decryption keys assigned to each terminal is compared. As a result, the data amount of the decryption key group stored and held by each terminal can be kept relatively small. Further, the encryption means, for each of all the encryption keys specified by the encryption key specifying device, the encrypted distribution data generated by encryption using the encryption key, and the key storage device. The decryption key corresponding to the encryption key and the encryption key node identification information for specifying the location in the tree structure of the node associated with the encryption key are output in association with each other, and each terminal outputs a predetermined key. Each decryption key individually assigned by the assigning method is stored in association with the decryption key node identification information for identifying the location in the tree structure of the node associated with the decryption key by the key storage device. Therefore, the encrypted distribution data group and the encryption key node identification information group output from the encryption device are acquired and matched with the decryption key node identification information stored in the terminal. The encrypted delivery data corresponding to the encryption key node identification information, may be decrypted using a decryption key corresponding to the decryption key node identification information relating to the match.

As a result, each terminal obtains the encrypted distribution data group in which the distribution data is encrypted by using one or more encryption keys, respectively, and then acquires the encryption key node identification information group. By referring to it, it becomes possible to easily specify which of the decryption keys held by the own terminal should be used for decryption, and by trial and error, the decryption keys held by the own terminal are sequentially used for decryption. Compared to the case where it is performed, the time required for correct decoding is shortened.

Further, the encryption key specifying device has an encryption key storage means for storing an encryption key corresponding to each decryption key stored in the key storage device, and the corresponding decryption key The encryption key and the encryption key may be different from each other. As a result, even if the decryption key is exposed due to unauthorized analysis of a certain terminal, etc., the encryption key for encrypting the data so that it can be decrypted correctly by multiple terminals will be illegally known and misused. It becomes possible to prevent the occurrence of such a situation.

The output by the encryption means is
Recording the generated encrypted distribution data group in a data recording medium, wherein each of the terminals transmits the encrypted distribution data group from the data recording medium in which the encrypted distribution data group is recorded by the encryption device. Read the group and get it,
The encrypted distribution data may be decrypted. As a result, data is encrypted and recorded on an optical disk such as a DVD-ROM or other recording medium, so that, for example, a recording medium having the same content as that recording medium can be mass-produced and distributed to a large number of people for a fee or for free. Then, the person who receives the distributed recording medium can set the recording medium in the terminal and use the data recorded in the recording medium through the terminal.

The encryption means includes a content storage section that stores content data that is a digital work, a random number data generation section that generates the distribution data that is a random number, and the random number data generation section. A content encryption unit that encrypts the content data by using the generated distribution data as a key to generate encrypted content data, and the encryption unit is specified by the encryption key specifying device. The encrypted distribution data group is generated by encrypting the distribution data generated by the random number data generation unit by sequentially using all the encryption keys, and the encrypted distribution data group, The encrypted content data generated by the content encryption unit is recorded on the data recording medium, and each terminal encrypts the data from the data recording medium. Content data and reads and acquires encrypted distribution data group, decrypts the encrypted distribution data, by using the distribution data for a decoding result, it is also possible to decrypt the encrypted content data.

As a result, the key required to decrypt the encrypted digital content such as video and audio is encrypted, and the encrypted digital content and the data including the encrypted key are recorded in the recording medium. , A recording medium having the same content as the recording medium is distributed to a large number of people, and a person who receives the distributed recording medium can set the recording medium in a terminal and play digital contents through the terminal. Like

The data protection system further includes an encryption key identification information recording device for recording the encryption key identification information for identifying the encryption key identified by the encryption key identification device on a data recording medium. Each of the terminals includes a random number data generation unit that generates the distribution data that is a random number, a content storage unit that stores content data that is a digital work, and an encryption key identification from the data recording medium. An encryption key selection unit that reads information and selects an encryption key identified by the encryption key identification information from the encryption key group corresponding to the decryption key group stored in the terminal, The encryption means encrypts the distribution data generated by the random number data generation unit by sequentially using all the encryption keys selected by the encryption key selection unit for encrypted distribution. A data group and records it in the data recording medium, wherein each terminal is further stored in the content storage section using the distribution data generated by the random number data generation section as a key. Content encryption unit that encrypts the content data stored therein to generate the encrypted content data and records the encrypted content data in the data recording medium; and each terminal, from the data recording medium to the encrypted content data and The encrypted distribution data group may be read and acquired, the encrypted distribution data may be decrypted, and the encrypted content data may be decrypted using the decryption result distribution data.

As a result, in a system in which a user of a terminal can record and distribute digital contents such as video and audio on a recording medium such as a DVD-RAM, the terminal can be analyzed by analyzing the specific terminal. If the decryption key held by is exposed by an unauthorized person, it will be possible to encrypt digital contents so that the data cannot be decrypted correctly on that particular terminal and on other terminals. .

The output from the encryption means is
Transmitting the generated encrypted distribution data group to each terminal, each terminal receiving and acquiring the encrypted distribution data group transmitted by the encryption device, and transmitting the encrypted distribution data group. The data may be decrypted. As a result, the distribution data is encrypted and transmitted to each terminal, so that each terminal can easily use the distribution data by receiving it.

The decryption key determination device according to the present invention is for determining a decryption key group to be individually assigned to each of three or more terminals for acquiring and decrypting encrypted data. A decryption key determination device, wherein: (a) each of the terminals further includes the same one or more terminals so that they belong to at least one of the terminal sets, which is a set including two or more terminals as elements. A plurality of terminal sets included in the elements, and the plurality of terminals for which a relation that any one terminal set in the plurality of terminal sets is not a subset of each of the other terminal sets in the plurality of terminal sets is established. So that a set exists, two or more terminal sets are determined, and (b) a decryption key setting unit that associates a different decryption key for each terminal and each determined terminal set, and for each terminal,
A decryption key group that determines the decryption key associated with the terminal by the decryption key setting means and all the decryption keys associated with each of all the terminal sets including the terminal as the decryption key group to be assigned to the terminal. It may be provided with an allocation means.

Further, the decryption key determination method according to the present invention is for determining a decryption key group to be individually assigned to each of three or more terminals for acquiring and decrypting encrypted data. A decryption key determination method, wherein each of the terminals further includes the same one or more terminals as elements so that the terminals belong to at least one of the terminal sets, which is a set including two or more terminals as elements. There is a plurality of terminal sets in which there is a relationship that any one of the terminal sets in the plurality of terminal sets is not a subset of each of the other terminal sets in the plurality of terminal sets. As described above, a terminal set determining step for determining two or more terminal sets, and a decryption key for associating a separate decryption key for each terminal and each terminal set determined by the terminal set determining step For the responding step and for each of the terminals, the decryption key associated with the terminal in the decryption key associating step and all the decryption keys associated with each of all the terminal sets including the terminal are And a decryption key group assignment step of determining a decryption key group to be assigned to the terminal.

Also, the decoding terminal system according to the present invention is
A decryption terminal system comprising three or more terminals for acquiring and decrypting encrypted data, wherein each of the terminals stores a decryption key group individually assigned by a predetermined key assignment method. A decryption key group storage means, an encrypted data acquisition means for obtaining encrypted data, and a decryption key stored in the decryption key group storage means for the data obtained by the encrypted data acquisition means. And a decrypting means for decrypting using the predetermined key assigning method, wherein (a) each terminal belongs to at least one of a terminal set which is a set including two or more terminals as elements, Further, a plurality of terminal sets each including the same one or more terminals as elements,
There are two or more terminal sets such that there is a relationship that any one of the terminal sets in the plurality of terminal sets is not a subset of each of the other terminal sets in the plurality of terminal sets. Determine the terminal set, (b)
Determining a separate decryption key for each terminal and for each determined terminal set, (c) for each terminal, the decryption key defined for the terminal, and all terminal sets including the terminal Is a method of allocating all the decryption keys defined for each of the above.

The decryption terminal according to the present invention is a decryption terminal for acquiring and decrypting encrypted data, and stores a decryption key group individually assigned by a predetermined key assignment method. Decryption key group storage means, encrypted data acquisition means for acquiring encrypted data, and data obtained by the encrypted data acquisition means using the decryption key stored in the decryption key group storage means. And a predetermined key allotment method. (A) When three or more terminals including this terminal are assumed, this terminal is a plurality of terminals that are a set including two or more terminals as elements. A plurality of terminal sets each including this terminal as an element so as to belong to a set, and any one terminal set in the plurality of terminal sets is a subset of each of the other terminal sets in the plurality of terminal sets. Not Seki Determining two or more terminal sets so that there are a plurality of terminal sets for which the relationship is established, and (b) separate decoding is performed for this terminal and for each determined terminal set. Set the key, (c) for this terminal,
The method is characterized in that a decryption key defined corresponding to this terminal and a decryption key defined corresponding to each of all terminal sets including this terminal are allotted.

As a result, for example, when recording the encrypted data on the recording medium to each terminal and distributing the recording medium, the increase in the amount of data recorded on the recording medium is suppressed. So, if the decryption key held by that terminal due to analysis of a particular terminal is exposed by an illicit person, so that the data cannot be correctly decrypted at that particular terminal and the data can be decrypted correctly at other terminals, It becomes possible to implement the encryption.

Further, the encrypted data acquisition means may read the encrypted data from the data recording medium and acquire it. As a result, it becomes possible to record the encrypted data in the data recording medium and distribute the recording medium to the user of each terminal so that the user of each terminal can use the data.

Also, the data recording medium has encryption key specifying information for specifying an encryption key recorded therein,
The terminal further reads random number data generating means for generating key data which is a random number, content storing means which stores content data which is a digital work, and encryption key specifying information from the data recording medium, Encryption key selection means for selecting an encryption key specified by the encryption key specifying information from the encryption key group corresponding to the decryption key group stored in the decryption key group storage means, and the encryption key selection An encryption key data group is generated by sequentially encrypting the key data generated by the random number data generation means by sequentially using all the encryption keys selected by the means, and the encryption key data group is converted into the data. Content stored in the content storage unit using a key data encryption unit to be recorded on a recording medium and the key data generated by the random number data generation unit as a key Content encryption means for generating encrypted content data by encrypting the data, and recording the encrypted content data in the data recording medium, wherein the encrypted data acquisition means stores in the data recording medium. The recorded encrypted key data and encrypted content data are acquired, and the decryption means stores the encrypted key data acquired by the encrypted data acquisition means in the decryption key group storage means. Key data is generated by decrypting using a decryption key, and the terminal further uses the key data generated by the decryption unit as the encrypted content data acquired by the encrypted data acquisition unit. A content decryption means for decrypting by using the content may be provided.

As a result, the user of each terminal can encrypt digital contents such as video and audio and record them in the recording medium. Further, the encrypted data may be transmitted from an external transmission device, and the encrypted data acquisition means may acquire the encrypted data by receiving the encrypted data.

As a result, the transmitted data such as digital contents can be easily used by each terminal upon reception. Further, the encryption key identifying device according to the present invention is an encryption key identifying device that identifies an encryption key to be used for encrypting distribution data to three or more terminals. A plurality of terminal sets each including the same one or more terminals as elements so that the terminal belongs to at least one of the terminal sets which is a set including two or more terminals as elements, Two or more terminal sets such that there is a relationship in which any one of the terminal sets in the above is not a subset of each of the other terminal sets in the plurality of terminal sets. And (b) a decryption key group associating unit that associates different decryption keys for each terminal and each determined terminal set, and for each terminal, is associated with the terminal by the decryption key setting unit. In addition to the decryption key Decryption key setting means for associating all the decryption keys associated with each of all the terminal sets including the terminals with the relevant terminal, invalidation terminal identification means for identifying one or more terminals as invalidation terminals, and the decryption Of all the decryption keys associated with the terminal by the key group associating means, when the decryption key other than the decryption key associated with the invalidation terminal is defined as the valid decryption key, the selected valid decryption key is When it is assumed that the procedure of selecting valid decryption keys associated with the most terminals that are not associated is repeated until there is no terminal that is not associated with the selected valid decryption keys, As a result, an encryption key specifying unit that specifies an encryption key corresponding to each valid decryption key that has been selected as a result is provided.

The encryption device according to the present invention is an encryption device for encrypting distribution data to each of three or more terminals, and (a) each terminal includes two or more terminals. A plurality of terminal sets each further including the same one or more terminals as elements so as to belong to at least one of the terminal sets which are sets included in the elements, and any one terminal in the plurality of terminal sets. Two or more terminal sets are determined so that there exists such a plurality of terminal sets that a relationship that a set is not a subset of each of the other terminal sets in the plurality of terminal sets is established. And decryption key setting means for associating different decryption keys for each determined terminal set,
For each terminal, in addition to the decryption key associated with the terminal by the decryption key setting means, all the decryption keys associated with each of all the terminal sets including the terminal are associated with the terminal. Decryption key group associating unit, invalidation terminal identifying unit for identifying one or more terminals as invalidation terminals, and invalidation terminal of all the decryption keys associated with the terminals by the decryption key group associating unit When a decryption key other than the decryption key associated with is defined as the valid decryption key, the valid decryption key associated with the largest number of terminals to which the selected valid decryption key is not associated is selected. Assuming that the procedure described above is repeated until there is no terminal to which the selected valid decryption key is not associated, there is a secret code corresponding to all the valid decryption keys that have been selected. Encryption key specifying means for specifying an encryption key and encryption means for encrypting distribution data by sequentially using all the encryption keys specified by the encryption key specifying means to generate an encrypted distribution data group And an output means for outputting the encrypted distribution data group generated by the encryption means to the outside.

The encryption key specifying method according to the present invention is
What is claimed is: 1. An encryption key specifying method for specifying an encryption key to be used for encrypting data for distribution to three or more terminals, wherein each terminal is a set including two or more terminals as elements. A plurality of terminal sets each including the same one or more terminals as elements so as to belong to at least one of the certain terminal sets, and any one terminal set in the plurality of terminal sets is associated with the plurality of terminal sets. A terminal set determining step of determining two or more terminal sets, such that there is a plurality of terminal sets for which the relationship that they are not subsets of other terminal sets in the terminal set exist; A decryption key associating step of associating a different decryption key for each terminal set determined by the set determining step, and corresponding to each terminal by the decryption key associating step In addition to the generated decryption key, a decryption key group associating step of associating all decryption keys associated with each of all terminal sets including the terminal with the relevant terminal, and disabling one or more terminals And a decryption key other than the decryption key associated with the invalidation terminal among all the decryption keys associated with the terminal in the decryption key group association step as the valid decryption key. In the case where it is determined, the procedure of selecting the valid decryption key associated with the most terminals that are not associated with the selected valid decryption key is the terminal that is not associated with the selected valid decryption key. Is repeated until no longer exists, and an encryption key specifying step for specifying an encryption key corresponding to each of all the effective decryption keys that have been selected as a result is included.

As a result, for example, when recording the encrypted data on the recording medium to each terminal and distributing the recording medium, the number of encryption keys used for encryption can be kept relatively small. Therefore, while suppressing an increase in the amount of data recorded on the recording medium, if a decryption key held by the terminal is exposed by an unauthorized person due to analysis of the specific terminal, etc. Then, the encryption can be performed so that the data cannot be correctly decrypted and the other terminals can correctly decrypt the data.

[Brief description of drawings]

FIG. 1 is a schematic configuration diagram of a data protection system 100 according to a first embodiment of the present invention.

FIG. 2 is a functional configuration diagram of an encryption device 101 and a decryption device 103a.

FIG. 3 is a functional configuration diagram of a key setting system 104.

FIG. 4 is a diagram showing a tree structure of a quadtree.

FIG. 5 is a diagram illustrating an example of a tree structure of a quadtree when the number of decoding devices is 64.

FIG. 6 is a diagram showing an example of route invalidation information.

FIG. 7 is a diagram illustrating an example of route invalidation information.

FIG. 8 is a diagram showing keys assigned corresponding to nodes in the level 0 and level 1 hierarchies of a quadtree tree structure.

9 is a diagram showing a configuration of key information stored in a key information storage unit 301. FIG.

FIG. 10 is a flowchart showing a key assignment process executed by the decryption key determination unit 305.

FIG. 11 shows a decryption key group 905 to be assigned to the decryption device (terminal 1) corresponding to the leaf of relative number 1 of level 3 and the decryption key group 905 determined by the key assignment process, assuming that there are only 64 decryption devices. FIG.

FIG. 12 is a flowchart showing revocation information updating processing executed by the key information updating unit 304.

FIG. 13 is a flowchart showing a key identifying process executed by the encryption key identifying unit 306.

FIG. 14 is a diagram showing an encryption key and the like in a state where there is no invalidation terminal, assuming that there are only 64 decryption devices.

FIG. 15 is a diagram showing an encryption key and the like when terminal 1 is an invalidation terminal, assuming that there are only 64 decryption devices.

16 is a diagram showing an example of key identification information corresponding to the encryption key shown in FIG.

FIG. 17 is a diagram that is constructed when the number of decryption devices is 64 in the second data protection system according to the second embodiment.
It is a figure which shows the example of a tree structure of four quadtrees.

FIG. 18 is a diagram showing an encryption key and the like when the terminal 1 is a revocation terminal in the second data protection system.

FIG. 19 is a diagram showing a decryption key assigned to each node in the quadtree tree structure used in the third embodiment.

FIG. 20 is a diagram showing a decryption key group 1705 assigned to the decryption device (terminal 1) corresponding to the leaf of relative number 1 in level 3 when it is assumed that there are only 64 decryption devices.

FIG. 21 is a diagram showing an encryption key and the like when terminal 1, terminal 2, and terminal 17 are invalidation terminals, assuming that there are only 64 decryption devices.

FIG. 22 is a schematic configuration diagram of a fourth data protection system according to the fourth embodiment of the present invention.

[Explanation of symbols]

100 data protection system 101 encryption device 102 optical disc 103a-103n Decoding device 104 key setting system 201 Content storage unit 202 random number generator 203 encryption key group storage unit 204 key encryption unit 205 Content encryption unit 206 Output section 211 Acquisition unit 212 Decryption Key Group Storage Unit 213 Decryption Key Selection Unit 214 key decryption unit 215 Content Decoding Unit 216 Playback section 301 Key information storage 302 Key information generation unit 303 Invalidation terminal identification unit 304 Key information update unit 305 Decryption key determination unit 306 Encryption key specifying unit 1501 Key identification information recording device 1502a to 1502n User data encryption device

   ─────────────────────────────────────────────────── ─── Continued front page    (72) Inventor Natsume Matsuzaki             1006 Kadoma, Kadoma-shi, Osaka Matsushita Electric             Sangyo Co., Ltd. (72) Inventor Makoto Tatebayashi             1006 Kadoma, Kadoma-shi, Osaka Matsushita Electric             Sangyo Co., Ltd. F-term (reference) 5C053 FA13 FA24 GB40                 5D044 BC02 CC04 DE50 EF05 FG18                       GK12 GK17 GK20                 5J104 AA12 AA16 EA04 MA05 NA02                       NA27

Claims (41)

[Claims] 1. A data protection system comprising three or more terminals, an encryption device, and an encryption key identification device, wherein the data for distribution to each terminal is encrypted and protected by the encryption device. Stores a decryption key group individually assigned by a predetermined key assigning method, acquires the encrypted distribution data group output from the encryption device, and stores the encrypted distribution data. The predetermined key allotment method is: (a) each terminal belongs to at least one of a terminal set that is a set including two or more terminals. Further, it is a plurality of terminal sets each including the same one or more terminals as elements, and any one terminal set in the plurality of terminal sets is not a subset of the other terminal sets in the plurality of terminal sets. When the relationship Of the plurality of terminal sets exist, two or more terminal sets are determined, (b) a separate decryption key is defined for each terminal and for each determined terminal set, (c) A method of allocating, to each terminal, a decryption key defined corresponding to the terminal and a decryption key defined corresponding to each of all terminal sets including the terminal, wherein the encryption key specifying device is A device for identifying an encryption key, and invalidating terminal identifying means for identifying one or more terminals as invalidation terminals, and invalidation among all the decryption keys assigned to the terminals by the predetermined key assignment method. When a decryption key other than the decryption key assigned to the encrypted terminal is set as the valid decryption key, the assigned valid decryption key is selected for the most terminals to which the selected valid decryption key is not assigned. Follow the procedure to restore the selected An apparatus having an encryption key specifying means for specifying an encryption key corresponding to each of all valid decryption keys that is selected as a result of assuming that the process is repeated until there is no terminal to which a key is not assigned. The encryption device encrypts the distribution data by sequentially using all the encryption keys specified by the encryption key specifying device, and generates and outputs an encrypted distribution data group. A data protection system comprising: 2. The predetermined key allotment method is further configured such that there exists a terminal set that completely includes the plurality of terminal sets.
And a plurality of terminal sets each including the same one or more terminal sets, wherein any one terminal set in the plurality of terminal sets is not a subset of each of the other terminal sets in the plurality of terminal sets. The data protection system according to claim 1, wherein the data protection system is a method of performing the determination of the terminal set such that the plurality of terminal sets for which the relationship is established exist. 3. The predetermined key allotment method further comprises: a terminal set such that each terminal set includes three or more terminals as elements, and a terminal set including three or more terminal sets exists. 3. The data protection system according to claim 2, wherein the data protection system is a method of making the determination of. 4. The data protection system is the lowest in the case where a tree structure of N-branch trees (N is a natural number of 3 or more) of a plurality of layers in which each terminal is associated with a node in the lowest layer is provided. For each node other than the layer, a plurality of combination patterns that include a combination of two or more of the N nodes of the one-stage lower layer that is reached from the node (parent node) and include all N combinations are determined and determined. A separate decryption key is defined for each combination pattern, and each of the defined decryption keys is stored in association with the node (parent node). Further, a separate decryption key is associated with each node in the lowest layer. A stored key storage device and a device that executes the predetermined key allocation method and determines a decryption key group to be allocated to each terminal, and for each terminal, a node in the lowest layer corresponding to the terminal. From the top layer For each node that is not the lowest layer located on the route to the node, it is located on the route in the layer one step lower than the node among the decryption keys stored in the key storage device in association with the node. Decryption key determination that determines the decryption keys corresponding to all the combination patterns related to the combination including the node and the decryption key stored in the key storage device in association with the terminal as the ones to be assigned to the terminal A device, each terminal set corresponds to each combination pattern one-to-one, and all terminals corresponding to nodes of the lowest layer to reach from all nodes combined in the corresponding combination pattern as elements. The encryption key identifying means is the lowest corresponding to any revocation terminal when the tree structure is assumed. All nodes that reach the layer nodes are defined as invalid nodes, the top layer node is set as the processing target node, and the encryption key specifying process is repeated until there is no unprocessed processing target node. The key identification processing is performed for one unprocessed processing target node (a) in the case where there is the combination pattern related to the combination including all nodes other than the invalid node in the layer one level lower than the processing target node, An encryption key corresponding to the decryption key stored in the key storage device is specified corresponding to the combination pattern, and (b) includes all nodes other than the invalid node in the layer one level lower than the processing target node. When the combination pattern related to the combination does not exist, if the one-stage lower layer is the lowest layer, all nodes other than invalid nodes in the one-stage lower layer Correspondingly, the encryption key corresponding to the decryption key stored in the key storage device is specified, and if the one-stage lower layer is not the lowest layer, all nodes other than the invalid nodes in the one-stage lower layer are identified. (C) If there is an invalid node in the layer one level lower than the node to be processed, all invalid nodes are newly set as the node to be processed unless the one-stage layer is the lowest layer. The data protection system according to claim 3, wherein 5. The key storage device determines the plurality of combination patterns for each node except the lowest layer when the tree structure is assumed, and the one-stage lower layer is reached from the node (parent node). Of N nodes of
This is done by defining a combination pattern so as to correspond to each of all combinations of two or more combinations. The key storage device determines a separate decryption key for each of the determined combination patterns and assigns each of the determined decryption keys. The data protection system according to claim 4, wherein the data protection system stores the data in association with the node (parent node). 6. The key storage device determines the plurality of combination patterns for each node except for the lowest layer in the case of assuming the tree structure, and the one lower layer reached from the node (parent node). Of N nodes of
This is done by defining combination patterns so as to correspond to all N combinations and all (N-1) combinations, and the key storage device defines a separate decryption key for each of the determined combination patterns. The data protection system according to claim 4, wherein each of the determined decryption keys is stored in association with the node (parent node). 7. The encryption means, for each of all the encryption keys specified by the encryption key specifying device,
The encrypted distribution data generated by encryption using the encryption key and the location in the tree structure of the node associated with the decryption key corresponding to the encryption key by the key storage device are specified. And outputs the encrypted key node identification information in association with each other. Each terminal associates each decryption key individually assigned by a predetermined key assignment method with the decryption key by the key storage device. Stored in association with the decryption key node identification information for identifying the location of the node in the tree structure, and the encrypted distribution data group and the encryption key node identification information group output from the encryption device. And the encrypted distribution data corresponding to the encryption key node identification information that matches the decryption key node identification information stored in the terminal, and the decryption key node identification information related to the match. The data protection system according to claim 4, wherein decryption is performed using a corresponding decryption key. 8. The encryption key specifying device has encryption key storage means for storing an encryption key corresponding to each decryption key stored in the key storage device, and the corresponding decryption key The data protection system according to claim 4, wherein the encryption key and the encryption key are different from each other. 9. The output by the encryption means is to record the generated encrypted distribution data group in a data recording medium, wherein each of the terminals uses the encryption device to generate an encrypted distribution data group. 2. The data protection system according to claim 1, wherein the encrypted distribution data group is read and acquired from the data recording medium in which is recorded, and the encrypted distribution data is decrypted. 10. The encryption means includes a content storage unit that stores content data that is a digital work, a random number data generation unit that generates the distribution data that is a random number, and a random number data generation unit. A content encryption unit that encrypts the content data using the generated distribution data as a key to generate encrypted content data, and the encryption unit is specified by the encryption key specifying device. The encrypted distribution data group is generated by encrypting the distribution data generated by the random number data generation unit by sequentially using all the encryption keys, and the encrypted distribution data group, The encrypted content data generated by the content encryption unit is recorded in the data recording medium, and each terminal encrypts the data from the data recording medium. Content data and an encrypted distribution data group are read and acquired, the encrypted distribution data is decrypted, and the encrypted content data is decrypted using the decryption result distribution data. Item 9. The data protection system according to Item 9. 11. The encryption key identification information recording device for recording encryption key identification information for identifying an encryption key identified by the encryption key identification device on a data recording medium. Each of the terminals includes a random number data generation unit that generates the distribution data that is a random number, a content storage unit that stores content data that is a digital work, and an encryption key identification from the data recording medium. Read the information,
An encryption key selecting unit that selects an encryption key identified by the encryption key identification information from the encryption key group corresponding to the decryption key group stored in the terminal, and the encryption unit is , An encrypted distribution data group is generated by sequentially encrypting the distribution data generated by the random number data generation unit by sequentially using all the encryption keys selected by the encryption key selection unit, The content data is recorded on a data recording medium, and each terminal further encrypts the content data stored in the content storage unit by using the distribution data generated by the random number data generation unit as a key, and encrypts the content data. A content encryption unit that generates encrypted content data and records the encrypted content data in the data recording medium; and each terminal, from the data recording medium. Data and an encrypted distribution data group are read and acquired, the encrypted distribution data is decrypted, and the encrypted content data is decrypted using the decryption result distribution data. Item 9. The data protection system according to Item 9. 12. The output by the encryption means is to transmit the generated encrypted distribution data group to each of the terminals, and each terminal transmits the encrypted distribution transmitted by the encryption device. The data protection system according to claim 1, wherein the data protection system receives and acquires the data group for decryption, and decrypts the encrypted distribution data. 13. A decryption key determination device for determining a decryption key group to be individually assigned to each of three or more terminals for acquiring and decrypting encrypted data, comprising: ) Such that each of the terminals belongs to at least one of the terminal sets which is a set including two or more terminals as elements, and further, a plurality of terminal sets each including the same one or more terminals as elements , Two or more such that there is a plurality of terminal sets for which a relation that any one of the plurality of terminal sets is not a subset of each of the other terminal sets in the plurality of terminal sets is present. And (b) a decryption key setting means for associating a separate decryption key for each terminal and each determined terminal set; and for each terminal, by associating the decryption key setting means with the relevant terminal. Was And a decryption key group assigning unit that determines all decryption keys associated with each of all terminal sets including the terminal as a decryption key group to be assigned to the terminal. apparatus. 14. The decryption key setting means further includes a terminal set that completely includes the plurality of terminal sets.
And a plurality of terminal sets each including the same one or more terminal sets, wherein any one terminal set in the plurality of terminal sets is not a subset of each of the other terminal sets in the plurality of terminal sets. 14. The decryption key determination device according to claim 13, wherein the determination of the terminal set is performed so that the plurality of terminal sets for which the relationship is established exist. 15. The decryption key setting means further includes a terminal set such that each terminal set includes three or more terminals as elements and a terminal set including three or more terminal sets exists. 15. The decryption key determination device according to claim 14, wherein the determination is performed. 16. The decryption key setting means assumes a tree structure of N-branch trees (N is a natural number of 3 or more) of a plurality of layers in which each terminal is associated with a node of a different lowest layer. For each node except the lower layer, a plurality of combination patterns including N or more combinations of two or more of the N nodes of the one-stage lower layer reached from the node (parent node) are determined, A separate decryption key is determined for each determined combination pattern, and each determined decryption key is stored in association with the relevant node (parent node). Further, a separate decryption key is associated with each node in the lowest layer. Storing the decryption key group assigning means, for each terminal, for each node that is not the lowest layer located on the path from the lowest layer node corresponding to the terminal to the highest layer node, Corresponding to the node Of the decryption keys stored by the decryption key key setting means, the decryption keys corresponding to all the combination patterns related to the combination including the node located on the route in the one-stage lower layer of the node, The decryption key stored by the decryption key setting means in association with the terminal is determined as one to be assigned to the terminal, and each terminal set corresponds to and corresponds to each combination pattern one-to-one. The decryption key determination device according to claim 15, wherein the decryption key determination device corresponds to a set including all terminals corresponding to nodes in the lowest layer reached from all nodes combined in the combination pattern as elements. 17. The decryption key setting means determines the plurality of combination patterns for each node except for the lowest layer in the case of assuming the tree structure by one step lower than the node (parent node). This is done by defining combination patterns so as to correspond to all combinations formed by combining two or more of the N nodes in the layer, and the decryption key setting means separates decryption keys for each of the determined combination patterns. 17. The decryption key determination device according to claim 16, wherein each of the determined decryption keys is stored in association with the node (parent node). 18. The decryption key setting means determines the plurality of combination patterns for each node except for the lowest layer in the case of assuming the tree structure by one step lower than the node (parent node). Among the N nodes of the layer, the combination patterns are determined so as to correspond to all the N combinations and all the (N-1) combinations, and the decryption key setting means sets the determined combinations. 17. The decryption key determination device according to claim 16, wherein a separate decryption key is determined for each pattern, and each determined decryption key is stored in association with the node (parent node). 19. A decryption key determination method for determining a decryption key group for decryption, which is individually assigned to each of three or more terminals for acquiring and decrypting encrypted data. The terminal belongs to at least one of the terminal sets, which is a set including two or more terminals as elements, and is a plurality of terminal sets each including the same one or more terminals as elements. Two or more terminal sets such that there exists a plurality of terminal sets for which a relation is established in which any one terminal set in the other terminal set is not a subset of each of the other terminal sets in the plurality of terminal sets. A terminal set determining step for determining, a decryption key associating step for associating different decryption keys for each terminal and each terminal set determined by the terminal set determining step, and each terminal Against it, the decryption key corresponding with all decryption key associated with each of all the terminals set including the decryption key and the terminal associated with the terminal in step,
A decryption key group allocating step of determining a decryption key group to be assigned to the terminal, the decryption key determining method. 20. To cause a computer to execute a decryption key determination process for determining a decryption key group to be individually assigned to each of three or more terminals for acquiring and decrypting encrypted data. In the above computer program, the decryption key determination process is performed such that each terminal belongs to at least one of a terminal set which is a set including two or more terminals as elements, and further, the same one or more terminals are A plurality of terminal sets each of which is included in the element, and the plurality of terminal sets in the plurality of terminal sets are not subsets of the other terminal sets in the plurality of terminal sets. A terminal set determining step of determining two or more terminal sets so that the terminal set exists, and a terminal set determined for each terminal and in the terminal set determining step. A decryption key associating step of associating a separate decryption key for each, and a decryption key associated with the terminal by the decryption key associating step for each terminal, and each of all terminal sets including the terminal All the decryption keys associated with
And a decryption key group assigning step for determining a decryption key group to be assigned to the terminal. 21. To cause a computer to execute a decryption key determination process for determining a decryption key group to be individually assigned to each of three or more terminals for acquiring and decrypting encrypted data. In the recording medium having the computer program recorded therein, the decryption key determination processing is performed such that each of the terminals belongs to at least one of the terminal sets which is a set including two or more terminals as elements. A relationship is established in which a plurality of terminal sets each including one or more terminals are elements, and any one terminal set in the plurality of terminal sets is not a subset of each of the other terminal sets in the plurality of terminal sets. However, the terminal set determining step of determining two or more terminal sets and the terminal set determining step and the terminal set determining step such that the plurality of terminal sets exist. A decryption key associating step of associating a different decryption key for each of the determined terminal sets, and a decryption key associated with the terminal by the decryption key associating step for each terminal, and all including the terminal All decryption keys associated with each of the terminal sets of
A decryption key group assigning step of determining a decryption key group to be assigned to the terminal, the recording medium. 22. A decryption terminal system comprising three or more terminals for acquiring and decrypting encrypted data, wherein each of the terminals is decrypted individually by a predetermined key allotment method. A decryption key group storage unit that stores a key group, an encrypted data acquisition unit that acquires encrypted data, and the data acquired by the encrypted data acquisition unit,
And a decryption unit that decrypts using the decryption key stored in the decryption key group storage unit, wherein the predetermined key allocation method is: (a) each terminal is a set including two or more terminals as elements. Further, it belongs to at least one of the terminal sets, and is a plurality of terminal sets each including the same one or more terminals as elements, and any one terminal set in the plurality of terminal sets is associated with the plurality of terminal sets. Two or more terminal sets are determined so that there are a plurality of terminal sets that satisfy the relationship that they are not subsets of each other terminal set in the terminal set, and (b) each terminal and the determined terminal set. Establish a separate decryption key corresponding to each, (c) For each terminal, determine the decryption key defined for the terminal, and for each of all terminal sets including the terminal That all the decryption keys are assigned Decoding terminal system according to claim. 23. The decryption terminal system according to claim 22, wherein the encrypted data acquisition means reads out the encrypted data from a data recording medium and acquires the encrypted data. 24. The data recording medium stores encryption key identification information for identifying an encryption key, and the terminal further comprises random number data generation means for generating key data which is a random number, A content storage unit that stores content data that is a digital work, and reads the encryption key specifying information from the data recording medium,
An encryption key selecting unit for selecting an encryption key specified by the encryption key specifying information from the encryption key group corresponding to the decryption key group stored in the decryption key group storage unit; The encryption key data group is generated by encrypting the key data generated by the random number data generation means by sequentially using all the encryption keys selected by the selection means, and the encryption key data group is Key data encryption means for recording on a data recording medium, and encrypted content data by encrypting the content data stored in the content storage unit using the key data generated by the random number data generating means as a key And a content encryption unit for recording the encrypted content data on the data recording medium, wherein the encrypted data acquisition unit is The encrypted key data and the encrypted content data recorded on the medium are acquired, and the decryption unit stores the encrypted key data acquired by the encrypted data acquisition unit in the decryption key group storage unit. Key data is generated by decrypting the encrypted content data obtained by the encrypted data obtaining means, and the key data is produced by decrypting the encrypted content data obtained by the decrypting means. 24. The decryption terminal system according to claim 23, further comprising content decryption means for decrypting using data. 25. The encrypted data is transmitted from an external transmission device, and the encrypted data acquisition means acquires the encrypted data by receiving the encrypted data. The decoding terminal system according to claim 22. 26. An encryption key specifying device for specifying an encryption key to be used for encrypting distribution data to three or more terminals, wherein: (a) each terminal has two or more terminals. A plurality of terminal sets each of which includes the same one or more terminals as elements, and which one of the plurality of terminal sets is included in at least one of the plurality of terminal sets. Two or more terminal sets are determined so that there exists such a plurality of terminal sets that a relationship is established that the terminal set is not a subset of each of the other terminal sets in the plurality of terminal sets. (B) Terminals And a decryption key group associating unit that associates different decryption keys for each determined terminal set, and for each of the terminals, in addition to the decryption key associated with the terminal by the decryption key setting unit, All edges including terminals By the decryption key setting means for associating all the decryption keys associated with each of the sets with the relevant terminal, the invalidation terminal identification means for identifying one or more terminals as invalidation terminals, and the decryption key group association means. Of all the decryption keys associated with a terminal, when a decryption key other than the decryption key associated with a revoked terminal is defined as a valid decryption key, the selected valid decryption key is the most unassociated one. Assuming that the procedure of selecting valid decryption keys that are associated with many terminals is repeated until there are no terminals that are not associated with the selected valid decryption keys, the result is that they have been selected. And an encryption key specifying means for specifying an encryption key corresponding to each valid decryption key. 27. The decryption key setting means is further a plurality of terminal sets each including the same one or more terminal sets such that there exists a terminal set that completely includes the plurality of terminal sets. Then, there is a plurality of terminal sets such that there is a relationship that any one of the plurality of terminal sets is not a subset of each of the other terminal sets in the plurality of terminal sets. 27. The encryption key specifying device according to claim 26, wherein the determination is made. 28. The decryption key setting means further includes a terminal set such that each terminal set includes three or more terminals as elements and a terminal set including three or more terminal sets exists. 28. The encryption key specifying device according to claim 27, wherein the determination is made. 29. The decryption key setting means assumes a tree structure of N-branch trees (N is a natural number of 3 or more) of a plurality of layers in which each terminal is associated with a separate node of the lowest layer. For each node except the lower layer, a plurality of combination patterns including N or more combinations of two or more of the N nodes of the one-stage lower layer reached from the node (parent node) are determined, A separate decryption key is determined for each determined combination pattern, and each determined decryption key is stored in association with the relevant node (parent node). Further, a separate decryption key is associated with each node in the lowest layer. The decryption key group associating means stores, for each terminal, for each node that is not the lowest layer located on the path from the lowest layer node corresponding to the terminal to the highest layer node. , To the node Of the decryption keys stored by the decryption key setting means in association with each other, the decryption keys corresponding to all the combination patterns related to the combination including the node located on the route in the one-stage lower layer of the node, The decryption key stored by the decryption key setting means in association with the terminal is associated with the terminal, and each terminal set has a one-to-one correspondence with each of the combination patterns, and is combined in a corresponding combination pattern. Corresponds to a set having all terminals corresponding to the nodes in the lowest layer that are reached from all the nodes, and the encryption key specifying means, when assuming the tree structure, invalidates any of them. All nodes that reach the lowest layer node corresponding to the terminal are defined as invalid nodes, and the highest layer node is set as the process target node, and the unprocessed process target node The encryption key identification process is repeated until there is no longer any, and the encryption key identification process is performed for one unprocessed node to be processed (a) When the combination pattern relating to the combination including the node exists, the encryption key corresponding to the decryption key stored by the decryption key setting means corresponding to the combination pattern is specified, and (b) the process If the combination pattern relating to the combination including all the nodes other than the invalid nodes is not present in the one-stage lower layer of the target node, and if the one-stage lower layer is the lowest layer, the invalid node in the one-stage lower layer Other than the node, the encryption key corresponding to the decryption key stored by the decryption key setting means is specified, and if the one lower layer is not the lowest layer, All nodes other than invalid nodes in the one-stage lower layer are newly set as process target nodes, and (c) if an invalid node exists in the one-stage lower layer of the process target node, unless the one-stage layer is the lowest layer. 29. The encryption key specifying device according to claim 28, which is a process of newly setting all invalid nodes as process target nodes. 30. The determination of the plurality of combination patterns by the decryption key setting means for each node except for the lowest layer when the tree structure is assumed is one step lower than the node (parent node). Among the N nodes of the layer, the combination pattern is determined so as to correspond to all combinations formed by combining two or more, and the decryption key setting means is provided for each node (parent node).
As the invalidation pattern information obtained by connecting all of the combination patterns determined with respect to the node (parent node), the values indicating whether or not each of the N nodes reaching from the node is a combination target according to a predetermined node order. The decryption key is stored in association with the node (parent node), and a separate decryption key is defined for each invalidation pattern information, and each decryption key thus defined is associated with the node (parent node) and the invalidation pattern information. The encryption key specifying means, when the tree structure is assumed, defines all the nodes that reach the node of the lowest layer corresponding to any invalidation terminal as an invalid node, and determines the lowest layer. For each node other than, after specifying invalidation information indicating whether or not each of the N nodes of the one-stage lower layer reaching from the node is an invalid node, The encryption key identification process is performed, and in the encryption key identification process, for one unprocessed processing target node, (a) invalidation pattern information that matches the invalidation information specified for the processing target node exists. In this case, the encryption key corresponding to the decryption key stored by the decryption key setting means corresponding to the invalidation pattern information is specified, and (b) the invalidation information specified for the processing target node is specified. If there is no invalidation pattern information that matches
If the one-stage lower layer is the lowest layer, an encryption key corresponding to the decryption key stored by the decryption key setting means is specified for all nodes other than invalid nodes in the one-stage lower layer. If the one-stage lower layer is not the lowest layer, all nodes other than the invalid nodes in the one-stage lower layer are newly set as processing target nodes, and (c) invalid nodes in the one-stage lower layer of the processing target node 30. The encryption key specifying device according to claim 29, wherein, if it exists, the process is a process in which all invalid nodes are newly set as process target nodes unless the one-step layer is the lowest layer. 31. The determination of the plurality of combination patterns by the decryption key setting means for each node except for the lowest layer when the tree structure is assumed is one step lower than the node (parent node). Among the N nodes of the layer, the combination patterns are determined so as to correspond to all the N combinations and all the (N-1) combinations, and the decryption key setting means sets the determined combinations. 30. The encryption key specifying device according to claim 29, wherein a separate decryption key is determined for each pattern, and each determined decryption key is stored in association with the node (parent node). 32. An encryption device for encrypting data for distribution to three or more terminals, comprising: (a) a terminal set which is a set including two or more terminals as elements. At least one terminal set is a plurality of terminal sets each including the same one or more terminals as elements, and any one terminal set in the plurality of terminal sets is the other terminal set in the plurality of terminal sets. The two or more terminal sets are determined so that there exists such a plurality of terminal sets that the relationship that each of them is not a subset of each terminal set of (2) is determined separately for each terminal and each determined terminal set. A decryption key setting means for associating a decryption key with each of the terminals, and for each terminal, in addition to the decryption key associated with the terminal by the decryption key setting means, associated with each of all terminal sets including the terminal. All decrypted keys A decryption key group associating unit associated with the terminal, an invalidation terminal identifying unit for identifying one or more terminals as invalidation terminals, and all decryption keys associated with the terminals by the decryption key group associating unit. If a decryption key other than the decryption key associated with the revoked terminal is set as the valid decryption key, the valid decryption key selected is not associated with the most valid terminals. Assuming that the procedure of selecting a decryption key is repeated until there is no terminal to which the selected valid decryption key is not associated, respond to each valid decryption key that has been selected as a result. An encryption key specifying unit that specifies an encryption key, and encrypts distribution data by sequentially using all the encryption keys specified by the encryption key specifying unit, and an encrypted distribution data group Encryption means generated, the encryption apparatus and an outputting means for outputting the encrypted distribution data group generated by the encryption unit to the outside. 33. The output means outputs key identification information for identifying each encryption key identified by the encryption key identification means to the outside together with the encrypted distribution data group. The encryption device according to claim 32. 34. The encryption device further includes a content storage unit that stores content data that is a digital work, a random number data generation unit that generates the distribution data that is a random number, and the random number data generation unit. The content data is encrypted by using the distribution data generated by
A content encryption unit for generating encrypted content data, wherein the output unit outputs the encrypted content data generated by the content encryption unit to the outside together with the encrypted distribution data group. Claim 3
2. The encryption device according to 2. 35. The output by the output means is to record the encrypted distribution data group in a data recording medium. 33. The encryption device according to claim 32, wherein: 36. The encryption device according to claim 32, wherein the output by the output means is to transmit the encrypted distribution data group to each of the terminals. 37. An encryption key specifying method for specifying an encryption key to be used for encrypting distribution data to three or more terminals, wherein each terminal has two or more terminals. A plurality of terminal sets, each of which includes the same one or more terminals as elements, so as to belong to at least one of the terminal sets which is a set including the elements, and which one of the plurality of terminal sets is included. A terminal set determining step of determining two or more terminal sets, such that the plurality of terminal sets exist such that a set is not a subset of other terminal sets in the plurality of terminal sets. A decryption key associating step of associating a different decryption key for each terminal and each terminal set determined by the terminal set determining step; and a decryption key associating step for each terminal. In addition to the decryption key associated with the terminal, all the decryption keys associated with each of all the terminal sets including the terminal are associated with the decryption key group associated with the terminal, and one or more A revocation terminal identifying step of identifying the terminal as a revocation terminal, and a decryption key other than the decryption key associated with the revocation terminal among all the decryption keys associated with the terminal in the decryption key group associating step When the is defined as the valid decryption key, the procedure of selecting the valid decryption key that is associated with the largest number of terminals to which the selected valid decryption key is not associated Repeated until there are no unattached terminals, and as a result, the encryption key identification step of identifying the encryption key corresponding to each of the selected valid decryption keys is included. Encryption key specifying method comprising and. 38. A computer program for causing a computer to execute a specifying process for specifying an encryption key to be used for encrypting data for distribution to three or more terminals, wherein the specifying process includes: Each of the terminals belongs to at least one of the terminal sets which is a set including two or more terminals as elements, and further, a plurality of terminal sets each including the same one or more terminals as elements, There are two or more terminal sets such that there is a relationship that any one of the terminal sets in the plurality of terminal sets is not a subset of each of the other terminal sets in the plurality of terminal sets. A terminal set determining step for determining a terminal set, and a decryption key association for associating a separate decryption key for each terminal and each terminal set determined by the terminal set determining step Step, for each terminal, in addition to the decryption key associated with the terminal in the decryption key associating step, all the decryption keys associated with each of all terminal sets including the terminal, A decryption key group associating step associated with the terminal, an invalidation terminal identifying step of identifying one or more terminals as invalidation terminals, and a decryption key group association step of all the decryption keys associated with the terminals by the decryption key group associating step. If a decryption key other than the decryption key associated with the revoked terminal is defined as the valid decryption key, the valid decryption associated with the most terminals that are not associated with the selected valid decryption key The procedure of selecting keys is repeated until there is no terminal to which the selected valid decryption key is not associated, and as a result, all valid decryption keys that have been selected have been selected. A computer program comprising an encryption key specifying step for specifying an encryption key corresponding to each. 39. A recording medium recording a computer program for causing a computer to execute a specific process for specifying an encryption key to be used for encrypting distribution data to three or more terminals. The specific processing is performed such that each of the terminals belongs to at least one of a terminal set that is a set including two or more terminals as elements, and further, a plurality of terminals each including the same one or more terminals as elements. A plurality of terminal sets in which there is a relationship that any one of the terminal sets in the plurality of terminal sets is not a subset of other terminal sets in the plurality of terminal sets. , A terminal set determining step of determining two or more terminal sets, and a separate decryption key for each terminal and each terminal set determined by the terminal set determining step And a decryption key associating step for each terminal, in addition to the decryption key associated with the terminal in the decryption key associating step, associated with each of all terminal sets including the terminal. The decryption key group association step of associating all the decryption keys with the terminal, the invalidation terminal identification step of identifying one or more terminals as invalidation terminals, and the decryption key group association step are associated with the terminals. When the decryption key other than the decryption key associated with the revoked terminal is defined as the valid decryption key among all the decryption keys, it is associated with the largest number of terminals to which the selected valid decryption key is not associated. The procedure of selecting a valid decryption key that has been selected is repeated until there is no terminal that is not associated with the selected valid decryption key, and as a result, it is already selected. An encryption key specifying step for specifying an encryption key corresponding to each of all valid decryption keys. 40. A computer having recorded therein a plurality of encrypted distribution data obtained by encrypting distribution data to three or more terminals using each of a plurality of encryption keys specified by a specifying process. A readable recording medium, wherein the specific processing is performed such that each terminal belongs to at least one of a terminal set which is a set including two or more terminals as elements, A plurality of terminal sets each including a terminal as an element, and any one of the terminal sets in the plurality of terminal sets is not a subset of each of the other terminal sets in the plurality of terminal sets. A terminal set determining step of determining two or more terminal sets so that a plurality of terminal sets exist, and each terminal set and each terminal set determined by the terminal set determining step. A decryption key associating step of associating separate decryption keys, and for each terminal, in addition to the decryption key associated with the terminal by the decryption key associating step, each of all terminal sets including the terminal A decryption key group associating all the decryption keys associated with the terminal with the terminal, an invalidation terminal identifying step of identifying one or more terminals as invalidation terminals, and a terminal by the decryption key group association step. Among all the decryption keys associated with, when the decryption key other than the decryption key associated with the revoked terminal is defined as the valid decryption key, the most selected valid decryption key is not associated. Repeat the procedure of selecting the valid decryption key that is associated with the selected terminal until there is no terminal that does not have the selected valid decryption key associated with it. A recording medium characterized by including an encryption key specifying step of specifying an encryption key corresponding to each of all the effective decryption keys that have been selected. 41. A decryption terminal for obtaining and decrypting encrypted data, the decryption key group storing means storing a decryption key group individually assigned by a predetermined key assignment method, and Encrypted data acquisition means for acquiring the encrypted data, and the data acquired by the encrypted data acquisition means,
The decryption means for decrypting using the decryption key stored in the decryption key group storage means, and the predetermined key allotment method are: (a) When this terminal is assumed to be three or more terminals including this terminal, To belong to a plurality of terminal sets, which is a set including two or more terminals as elements, and which is a plurality of terminal sets each including this terminal as an element, and which one terminal set in the plurality of terminal sets Also determines two or more terminal sets so that there exists such a plurality of terminal sets that the relationship that it is not a subset of each of the other terminal sets in the plurality of terminal sets exists, and (b) this terminal A separate decryption key is defined for each corresponding and determined terminal set. (C) For this terminal, a decryption key defined for this terminal,
And a method of allocating all the decryption keys defined corresponding to each of all terminal sets including this terminal.