JP2005123678A - Information processing apparatus, information recording medium and information processing method, and computer program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To construct an encrypted text providing structure that is built up by adopting a combination of an n-multi linear map and a hierarchical tree configuration and can attain efficient processing. <P>SOLUTION: In the hierarchical tree configuration configured to interconnect a root acting like an apex node and leaves being lowermost nodes, an information processing apparatus whose decryption of an encrypted text is permitted is selected among a plurality of information processing apparatuses corresponding to the leaves. In the production processing for the encrypted text decryptable on the basis of only a stored key of the selected encrypted text decryption permitting apparatus, an encryption key is produced by adopting the n-multi linear map (wherein: n is an integer of 2 or over) and a decryptable encrypted text on the basis of only the stored key of the selected encrypted text decryption permitting apparatus is produced and provided. Through the configuration above, the computing volume for reception and decryption processing of the encrypted text can be reduced and the efficient processing can be realized. <P>COPYRIGHT: (C)2005,JPO&NCIPI

Description

  The present invention relates to an information processing apparatus, an information recording medium, an information processing method, and a computer program. More specifically, by constructing a ciphertext distribution configuration that combines a multi-linear map with a hierarchical tree structure, efficient ciphertext transmission / reception and analysis are possible, and the generation of ciphertext can be reduced. The present invention relates to an information processing apparatus, an information recording medium, an information processing method, and a computer program that realize a reduction in calculation amount in an information processing apparatus such as a user device and a receiver that receive and decrypt ciphertext.

  Recently, various software data (hereinafter referred to as content) such as audio data such as music, image data such as movies, game programs, various application programs, etc. are transmitted via a network such as the Internet or It is distributed through information recording media (media) such as CD (Compact Disc), DVD (Digital Versatile Disk), MD (Mini Disk). These distributed contents are played back and used in playback devices such as PCs (Personal Computers), CD players, DVD players, and MD players owned by users, or various information processing devices such as game machines.

  Many contents, such as music data and image data, generally have distribution rights or the like held by the creator or seller. Therefore, when distributing these contents, it is common to adopt a configuration that restricts the use of the contents, that is, permits the use of the contents only to authorized users and prevents unauthorized copying or the like. It is the target.

  In particular, in recent years, recording devices and storage media for digitally recording information are becoming widespread. According to such a digital recording apparatus and storage medium, for example, recording and reproduction can be repeated without degrading images and sound, distribution of illegally copied content via the Internet, recording of CD-R, etc. There is a problem of unauthorized copying of media.

  As one method for preventing such unauthorized use of content, there is a system that provides an encrypted key for decrypting content or encrypted content. For example, an encrypted data providing configuration to which a hierarchical tree structure, which is an aspect of the broadcast encryption method, is applied, by appropriately changing the setting of the ciphertext included in the provided encrypted data. This is a system that provides ciphertext that can be decrypted only by a selected authorized user or authorized device.

  A process for providing encrypted data such as an encryption key to which a hierarchical tree structure is applied will be described with reference to the drawings.

  The hierarchical tree structure shown in FIG. 1 uses a binary tree, the lowest layer of which is called a leaf, and a portion including a vertex, each branching portion, and a leaf is called a node. The vertex is called a root or a root node. In the binary tree hierarchical tree structure shown in FIG. 1, the leaves are 8 to 15, the nodes are 1 to 15, and the root is 1.

  Information processing devices such as a playback device and a receiver as content use devices are assigned to the leaves 8 to 15 in the binary tree hierarchical tree structure one by one.

  One node key is assigned to each node (including leaves) 1 to 15 of the tree. Node keys assigned to the leaves 8 to 15 may be called leaf keys.

  Each information processing apparatus corresponding to a leaf is given a node key assigned to a node on the path from the corresponding leaf to the root. In the configuration of FIG. 1, there are eight information processing devices assigned to the leaves 8 to 15, and node keys are assigned to the nodes 1 to 15, respectively. Four node keys assigned to the nodes 1, 2, 4 and 8 are given. The information processing apparatus 102 corresponding to the leaf 12 is given four node keys assigned to the nodes 1, 3, 6, and 12. The nuclear information processing apparatus securely stores these node keys.

  A method of transmitting information that can be acquired only by the selected information processing apparatus using the setting accompanying the node key distribution process will be described with reference to FIG. For example, encrypted data of content such as specific music and image data is broadcasted, or stored in a recording medium such as a DVD and distributed in a state where anyone can obtain it, and a key for decrypting the encrypted content ( A configuration is realized in which the content key: Kc) can be acquired only by a specific user, that is, a user having a regular content usage right or an information processing apparatus.

  It is assumed that the information processing apparatus assigned to the leaf 14 shown in FIG. 2 is excluded (revoked) as an unauthorized device, and other information processing apparatuses are legitimate information processing apparatuses. In this case, the information processing device assigned to the leaf 14 cannot acquire the content key Kc, but other information processing devices generate a ciphertext that can acquire the content key Kc and record the ciphertext via the network or Store and distribute on media.

  In this case, among the node keys other than the node key (represented by x in FIG. 2) of the information processing device to be revoked (excluded), the key shared by as many information processing devices as possible, that is, the one located above the tree It is only necessary to encrypt the content key and transmit it using

In the example shown in FIG. 2, a set of ciphertexts in which the content key Kc is encrypted is generated and provided using the node keys of the nodes 2, 6, and 15. That is,
E (NK ₂ , Kc), E (NK ₆ , Kc), E (NK ₁₅ , Kc)
Is generated and stored in a network distribution or recording medium. E (A, B) means data obtained by encrypting data B with the key A. NK _n means the n-th node key shown in the figure. Therefore, the above formula is
The encrypted data E (NK ₂ , Kc) obtained by encrypting the content key Kc with the node key NK ₂ , the encrypted data E (NK ₆ , Kc) obtained by encrypting the content key Kc with the node key NK ₆ , and the content key Kc This means that it is a set of three ciphertexts including encrypted data E (NK ₁₅ , Kc) encrypted with the node key NK ₁₅ .

If the above three ciphertexts are created and transmitted to all information processing devices using, for example, a broadcast channel, any information processing device that is not a revoke target (information processing device corresponding to leaves 8 to 13 and 15 shown in FIG. 2) Such a ciphertext can be decrypted with the node key that it has, and the content key Kc can be obtained. However, the information processing apparatus corresponding to the revoked leaf 14 does not have any of the three node keys NK ₂ , NK ₆ , and NK ₁₅ applied to the above three ciphertexts. Even if the sentence is received, the decryption process cannot be performed and the content key Kc cannot be obtained.

In the processing described above, three ciphertexts E (NK ₂ , Kc), E (NK ₆ , Kc), and E (NK ₁₅ , Kc) are provided to each information processing apparatus. Each information processing apparatus that has not been revoked checks which ciphertext can be decrypted by itself, selects the ciphertext that can be decrypted, and performs decryption processing. In the above example, three ciphertexts are set. However, in practice, the number of information processing apparatuses is enormous, and the number of ciphertexts provided to the information processing apparatuses is also large. Therefore, the processing of repeatedly executing the decryption process sequentially from the beginning of the ciphertext increases the burden.

  For this reason, a configuration has been proposed in which, when ciphertext is provided, a key designation code capable of knowing the ciphertext to be selected by each information processing apparatus is provided to each information processing apparatus together with the ciphertext. Details of this configuration are described in Patent Document 1, for example.

  A configuration in which the key designation code is provided to each information processing apparatus together with the ciphertext will be described with reference to FIG. As shown in FIG. 3, the node key used for encryption is represented using a tree structure, and the structure is encoded to create a key designation code, which is broadcasted together with a ciphertext block. The information processing device receives the key designation code and analyzes the received key designation code to know which ciphertext should be decrypted using which node key and can efficiently perform decryption processing. It becomes.

The key designation code will be described. FIG. 3 shows three ciphertexts as an information processing device corresponding to the leaf 14, as in FIG. 2.
E (NK ₂ , Kc), E (NK ₆ , Kc), E (NK ₁₅ , Kc)
The example in the case of transmitting is shown.

  First, in FIG. 3, the subtree indicated by the thick line is a tree in which all nodes 121, 122, and 123 to which the node key used for encryption is assigned are leaves, and the root 120 of the original tree structure is the root. This is called a key designation tree.

  In order to indicate the structure of the key designation tree with data, information indicating whether or not branches are left and right is set from each node.

  Each node is expressed using one of 2-bit information (key designation information) [00] [01] [10] [11]. That is, if the first (left side) bit of the key designation information attached to a certain node is [1], it indicates that there is a branch left from that node (the left side child node exists in the key designation tree), [0] indicates that there is no branch left from that node (the left child node does not exist). Similarly, the last (right side) of the key designation information represents the right branch information.

  That is, if the key designation information bit of a certain node is [11], it indicates that a branch has come out from both sides of the node. If [01], the branch is only on the left side. Indicates that the [00] indicates that no branch has come out, and that the node is a leaf of the key designation tree.

That is, in each node, whether or not there is a branch of the key designation tree on the left and right is indicated by 2-bit information.
If both left and right branches: [11]
When there is a branch only on the left: [10]
When there is a branch only on the right: [01]
When there are no branches on the left and right: [00]
Set the key designation information bit.

The key designation code is set by arranging the key designation information bits in order from the upper layer of the key designation tree and from the left in the same layer. In the case of the configuration shown in FIG. 1, 2, 3, 6, 7 and 15, so that data in which the key designation information bits of each of these nodes are arranged in order, that is,
[110011000100]
Is set as the key designation code.

  The information processing apparatus as the user device that has received the ciphertext block composed of a plurality of ciphertexts and the above key designation code reconstructs the key designation tree based on the key designation code, and uses the node key stored in the own apparatus. It becomes possible to select a ciphertext that can be decrypted, obtain a content key by combining the selected ciphertext, decrypt the content encrypted with the obtained content key, and use the content.

  In this way, using a broadcast channel, a content key, etc. can be securely sent to a recipient of a ciphertext arbitrarily selected by a transmitter (sender) as a ciphertext provider, that is, a group of receivers (receivers). The secret information transmission method is generally called a revocation scheme or a broadcast encryption scheme.

As a main item to evaluate the efficiency of each scheme that realizes revocation schemes and broadcast encryption,
(1) Number of keys (size) that information devices such as user devices and receivers that receive and process ciphertext must securely store
(2) Number of broadcast messages (size),
(3) There are three evaluation items for the amount of calculation required by information processing devices such as user devices and receivers that receive and process ciphertexts.

  A method of reducing all of the above three evaluation items, or a method of reducing at least one or two of the above items is considered to be a better method. In the system, there is a problem that one of the evaluation items becomes large depending on the total number N of receivers or the number r of excluded receivers (revoke receivers) other than the ciphertext decryption allowable receiver.

  Among the methods known so far, in the method described in Non-Patent Document 1, it is assumed that there is a cryptographic n-multilinear map that satisfies the Diffie-Hellman inversion assumption. Basically, a broadcast encryption method has been proposed in which the evaluation items (1) and (2) are both constants. The details of the multi-linear map (n-multilinear map) will be described in [Best Mode for Carrying Out the Invention] of this specification.

However, in this method, the amount of calculation required by the receiver (3) in the evaluation items is proportional to N which is the total number of recipients. For this reason, the development of a method for reducing the amount of calculation is an issue.
JP 2001-352322 A D. Boneh and A.M. Silverberg's paper "Applications of Multiformal Forms to Cryptography" (This paper was published in http://eprint.iacr.org/2002/080/ as a technical report of a website managed by the International Association for Cryptographic Research. And is listed on the website managed by Prof. Boneh, one of the authors, as http://crypto.stanford.edu/~dabo./papers/mlearear.pdf)

  The present invention has been made in view of such circumstances, and there is a multi-linear map that satisfies Diffie-Hellman inversion assumption or generalized Diffie-Hellman assumption described in detail in the following examples. Based on the premise that the ciphertext is distributed, a ciphertext distribution configuration that combines a multi-linear map with a hierarchical tree structure enables efficient ciphertext transmission / reception and analysis, and reduces the amount of ciphertext that is generated. This realizes a reduction in calculation amount in an information processing apparatus such as a user device or a receiver that receives and decrypts ciphertext.

  The reason why the calculation amount is large in the configuration to which the method described in the above paper (Non-Patent Document 1) is applied is that the required multi-linear map is an N linear map (N is the total number of receivers). It is an object of the present invention to provide an information processing apparatus, an information recording medium, an information processing method, and a computer program that can greatly reduce the use of a hierarchical tree structure.

The first aspect of the present invention is:
An information processing apparatus that executes ciphertext generation processing,
In a hierarchical tree configuration having a configuration in which a root as a vertex node and a leaf that is the lowest node are connected, an information processing device that allows decryption of ciphertext is selected from a plurality of information processing devices corresponding to the leaf, and is selected. A cipher processing unit that executes a process for generating a ciphertext that can be decrypted based only on the storage key of the ciphertext decryption-permitted device.
The cryptographic processing unit
Generate an encryption key by applying an n multi-linear map (where n is an integer equal to or greater than 2), and generate a ciphertext that can be decrypted based on only the storage key of the ciphertext decryption permitted device using the generated encryption key An information processing apparatus is characterized by being configured to execute processing.

  Furthermore, in an embodiment of the information processing apparatus of the present invention, each of the plurality of information processing apparatuses corresponding to the leaf has a node key corresponding to a node on a path from the root to the own leaf, and the cryptographic process The unit is configured to execute a process for generating a ciphertext that can be decrypted only in a storage node key of the ciphertext decryption-permitted device.

Furthermore, in one embodiment of the information processing apparatus of the present invention, the encryption processing unit defines the following definition as a key generated by applying the n multi-linear map:
Ks = (Φ ₁ , ... Φ _n ) ^α ∈ G ₂
Is a configuration for generating a session key Ks based on
However, _{G 2} is, Diffie-Hellman inversion assumption satisfying n multilinear map _e: a group defines a _G ^{1 n} → _{G 2,}
α is α∈ [1, p−1], where p is the order of G ₁ ,
Φ _j is a value determined by the following process,
(1) Prepare a counter j and set j = 1.
(2) A counter i is prepared, and i is incremented by 1 from 1 to 2N−1 while performing the following processing.
(2a) If i∈K, set Φ _j = g _i , increase j by 1 and move to the next processing of i.
(3) If j ≦ n, repeat the following process while j ≦ n.
(3a) Set Φ _j = g and increase j by 1.
Where N is the total number of information processing devices corresponding to the leafs that are the lowest nodes in the hierarchical tree structure,
n is the specified number n of the n multi-linear map and is an integer greater than or equal to 2,
K is a subtree root set that is set by selecting only the ciphertext decryption permitted device in the hierarchical tree configuration,
g _i is the public value of node i and satisfies g _i ∈G ₁ ,
g is the generator of G ₁
It is characterized by being.

に基づくセッションキーＫｓを生成する構成である、
ただし、Ｇ_２は、ｇｅｎｅｒａｌｉｚｅｄ Ｄｉｆｆｉｅ−Ｈｅｌｌｍａｎ ａｓｓｕｍｐｔｉｏｎを満たすｎマルチリニアマップｅ：Ｇ_１ ^ｎ→Ｇ_２を定義する群であり、
ｇは、群Ｇ_１の生成元であり、
ｘ_ｉは、階層木構成における各構成ノードｉに設定されるノードキーであり、ｈ_ｉ＝ｇ^ｘｉが公開値として設定される、
ことを特徴とする。 Furthermore, in one embodiment of the information processing apparatus of the present invention, the encryption processing unit defines the following definition as a key generated by applying the n multi-linear map:

Is a configuration for generating a session key Ks based on
However, _{G 2} is, generalized Diffie-Hellman satisfy assumption n multilinear map _e: a group defines a _G ^{1 n} → _{G 2,}
g is the generator of group G ₁ and
x _i is a node key set for each configuration node i in the hierarchical tree configuration, and h _i = g ^xi is set as a public value.
It is characterized by that.

として設定し、
ｇｅｎｅｒａｌｉｚｅｄ Ｄｉｆｆｉｅ−Ｈｅｌｌｍａｎ ａｓｓｕｍｐｔｉｏｎを満たすｎマルチリニアマップを用いる場合、

として設定する構成、
ただし、
Ｎは階層木構成の最下位ノードであるリーフに対応する情報処理装置の総数、
ｒは、前記暗号文復号許容機器以外のリボーク（排除）機器数、

は、ｒｌｏｇ（Ｎ／ｒ）以下の最大の整数、
であることを特徴とする。 Furthermore, in an embodiment of the information processing apparatus of the present invention, the information processing apparatus uses a specified number n of n multi-linear maps to be applied to the encryption key generation process,
When using an n multi-linear map that satisfies Diffie-Hellman inversion assumption,

Set as
When using an n multi-linear map that satisfies the generalized Diffie-Hellman assumption,

Configuration to set as
However,
N is the total number of information processing devices corresponding to the leaves that are the lowest nodes in the hierarchical tree structure;
r is the number of revocation (exclusion) devices other than the ciphertext decryption permitted device,

Is the largest integer less than or equal to rlog (N / r),
It is characterized by being.

  Furthermore, in one embodiment of the information processing apparatus of the present invention, the information processing apparatus can handle a predetermined number n of n multi-linear maps applied to the encryption key generation process to any r satisfying r ≦ N. The number n, that is, the configuration is set as an integer value corresponding to the maximum value of rlog (N / r).

  Furthermore, in an embodiment of the information processing apparatus of the present invention, the information processing apparatus sets the maximum number n of n multi-linear maps to be applied to the encryption key generation process for the maximum number of revocation (exclusion) devices r. The value R is set, and is configured to be set as an integer value corresponding to the value n of rlog (N / r) when r = R, which is a number n that can correspond to an arbitrary number r ≦ R. And

Furthermore, the second aspect of the present invention provides
In a hierarchical tree configuration having a configuration in which a root as a vertex node and a leaf that is the lowest node are connected, an information processing apparatus set corresponding to the leaf,
A storage unit storing a node key corresponding to a node on a path from the root to the self-leaf;
An encryption processing unit that performs decryption processing of ciphertext, and performs encryption key calculation processing generated by applying an n multi-linear map (where n is an integer of 2 or more) that is an encryption processing key for ciphertext, An encryption processing unit that executes by applying the node key and executes decryption processing of ciphertext based on the generated encryption key;
There is an information processing apparatus characterized by having.

Furthermore, in one embodiment of the information processing apparatus of the present invention, the encryption processing unit is defined as follows:
Ks = (Φ ₁ , ... Φ _n ) ^α ∈ G ₂
A process for decrypting ciphertext encrypted by a session key Ks based on
As the process for calculating the session key Ks, the following processes 1 to 4, that is,
1. Prepare counter j and set j = 1.
2. A counter i is prepared and i is incremented by 1 from 1 to 2N-1 while performing the following processing.
(A) If i∈K, check whether i and I match.
i. If i = I, set Φ _j = s _i , increase j by 1 and move on to the next i.
ii. If i ≠ I, set Φ _j = g _i , increase j by 1 and move on to the next i processing.
3. If j ≦ n, repeat the following process while j ≦ n.
(A) Set Φ _j = g and increase j by 1.
4). Find Ks = (φ ₁ ,..., Φ _n ),
However,
G ₂ is a group that defines an n multi-linear map e: G ₁ ⁿ → G ₂ that satisfies the Diffie-Hellman inversion assumption.
α is α∈ [1, p−1], where p is the order of G ₁ ,
N is the total number of information processing devices corresponding to the leaves that are the lowest nodes in the hierarchical tree structure;
n is a specified number n of n multi-linear maps and is an integer of 2 or more,
K is a subtree root set that is set by selecting only ciphertext decryption permitted devices in the hierarchical tree configuration;
s _i is the node key of node i,
g _i is the public value of node i,
g is the generator of G ₁
I is a node included in the subtree root set K,
It is the structure which performs the calculation of the session key Ks by performing the said processes 1-4.

に基づくセッションキーＫｓによって暗号化された暗号文の復号処理を実行する構成であり、
セッションキーＫｓの算出処理として、下記処理１〜４、すなわち、
１．カウンタｊ，ｌを用意し、ｊ＝１，ｌ＝２Ｎとセットする、
２．カウンタｉを用意し、以下の処理を行いながらｉを１から２Ｎ−１まで１ずつ増加させる、
（ａ）もしｉ∈Ｋかつｉ≠ＩならばΦ_ｊ＝ｈ_ｉとセットし、ｊを１増やして次のｉの処理に移る、
３．もしｊ≦ｎならばｊ≦ｎの間、下記の処理を繰り返す。
（ａ）Φ_ｊ＝ｈ_ｌとセットし、ｌを１増やし、ｊを１増やす、
４．セッションキーＫｓを、

により算出する、
ただし、
Ｇ_２は、ｇｅｎｅｒａｌｉｚｅｄ Ｄｉｆｆｉｅ−Ｈｅｌｌｍａｎ ａｓｓｕｍｐｔｉｏｎを満たすｎマルチリニアマップｅ：Ｇ_１ ^ｎ→Ｇ_２を定義する群であり、
Ｎは階層木構成の最下位ノードであるリーフに対応する情報処理装置の総数、
ｎは、ｎマルチリニアマップの規定数ｎであり２以上の整数、
Ｋは、前記階層木構成において、暗号文復号許容機器のみを選択して設定される部分木ルート集合、
ｘ_ｉは、階層木構成における各構成ノードｉに設定されるノードキーであり、ｈ_ｉ＝ｇ^ｘｉが公開値、
Ｉは、部分木ルート集合Ｋに含まれるノード、
ｇは、群Ｇ_１の生成元、
上記処理１〜４を実行してセッションキーＫｓの算出を実行する構成であることを特徴とする。 Furthermore, in one embodiment of the information processing apparatus of the present invention, the encryption processing unit is defined as follows:

A process for decrypting ciphertext encrypted by a session key Ks based on
As the process for calculating the session key Ks, the following processes 1 to 4, that is
1. Prepare counters j and l, and set j = 1 and l = 2N.
2. A counter i is prepared and i is incremented by 1 from 1 to 2N-1 while performing the following processing.
(A) If i∈K and i ≠ I, set Φ _j = h _i , increase j by 1 and move on to the next processing of i.
3. If j ≦ n, the following processing is repeated while j ≦ n.
(A) Set Φ _j = h _l , increase 1 by 1 and increase j by 1.
4). Session key Ks

Calculated by
However,
G ₂ is a group that defines an n multi-linear map e: G ₁ ⁿ → G ₂ that satisfies a generalized Diffie-Hellman assumption.
N is the total number of information processing devices corresponding to the leaves that are the lowest nodes in the hierarchical tree structure;
n is the specified number n of the n multi-linear map and is an integer greater than or equal to 2,
K is a subtree root set that is set by selecting only ciphertext decryption permitted devices in the hierarchical tree configuration;
x _i is a node key set for each configuration node i in the hierarchical tree configuration, and h _i = g ^xi is a public value,
I is a node included in the subtree root set K,
g is the generator of group G ₁ ,
It is the structure which performs the calculation of the session key Ks by performing the said processes 1-4.

Furthermore, the third aspect of the present invention provides
An information recording medium storing ciphertext,
In a hierarchical tree configuration having a configuration in which a root as a vertex node and a leaf that is the lowest node are connected, an information processing device that allows decryption of ciphertext is selected from a plurality of information processing devices corresponding to the leaf, and is selected. Store the ciphertext that can be decrypted based only on the storage key of the ciphertext decryption permitted device,
The ciphertext is
It is an information recording medium characterized in that it is a ciphertext encrypted with an encryption key generated by applying an n multi-linear map (where n is an integer of 2 or more).

Furthermore, in one embodiment of the information recording medium of the present invention, the ciphertext is a key generated by applying the n multi-linear map, that is, the following definition:
Ks = (Φ ₁ , ... Φ _n ) ^α ∈ G ₂
Ciphertext encrypted with a session key Ks based on
However, _{G 2} is, Diffie-Hellman inversion assumption satisfying n multilinear map _e: a group defines a _G ^{1 n} → _{G 2,}
α is α∈ [1, p−1], where p is the order of G ₁ ,
Φ _j is a value determined by the following process,
(1) Prepare a counter j and set j = 1.
(2) A counter i is prepared, and i is incremented by 1 from 1 to 2N−1 while performing the following processing.
(2a) If i∈K, set Φ _j = g _i , increase j by 1 and move to the next processing of i.
(3) If j ≦ n, repeat the following process while j ≦ n.
(3a) Set Φ _j = g and increase j by 1.
Where N is the total number of information processing devices corresponding to the leafs that are the lowest nodes in the hierarchical tree structure,
n is the specified number n of the n multi-linear map and is an integer greater than or equal to 2,
K is a subtree root set that is set by selecting only the ciphertext decryption permitted device in the hierarchical tree configuration,
g _i is the public value of node i,
g is the generator of G ₁
It is characterized by being.

に基づくセッションキーＫｓによって暗号化された暗号文、
ただし、Ｇ_２は、ｇｅｎｅｒａｌｉｚｅｄ Ｄｉｆｆｉｅ−Ｈｅｌｌｍａｎ ａｓｓｕｍｐｔｉｏｎを満たすｎマルチリニアマップｅ：Ｇ_１ ^ｎ→Ｇ_２を定義する群であり、
ｇは、群Ｇ_１の生成元であり、
ｘ_ｉは、階層木構成における各構成ノードｉに設定されるノードキーであり、ｈ_ｉ＝ｇ^ｘｉが公開値として設定される、
であることを特徴とする。 Furthermore, in one embodiment of the information recording medium of the present invention, the ciphertext is a key generated by applying the n multi-linear map, that is, the following definition:

Ciphertext encrypted with a session key Ks based on
However, _{G 2} is, generalized Diffie-Hellman satisfy assumption n multilinear map _e: a group defines a _G ^{1 n} → _{G 2,}
g is the generator of group G ₁ and
x _i is a node key set for each configuration node i in the hierarchical tree configuration, and h _i = g ^xi is set as a public value.
It is characterized by being.

Furthermore, the fourth aspect of the present invention provides
An information processing method for executing ciphertext generation processing,
In a hierarchical tree configuration having a configuration in which a root as a vertex node and a leaf that is the lowest node are connected, an information processing device that allows decryption of ciphertext is selected from a plurality of information processing devices corresponding to the leaf, and is selected. An encryption processing step for executing a process for generating a decryptable ciphertext based only on the storage key of the ciphertext decryption-permitted device,
The cryptographic processing step includes
a key generation step of generating an encryption key by applying an n multilinear map (where n is an integer of 2 or more);
And a ciphertext generation step of executing a ciphertext generation process that can be decrypted based on only the storage key of the ciphertext decryption permitted device using the generated encryption key.

  Furthermore, in an embodiment of the information processing method of the present invention, each of the plurality of information processing devices corresponding to the leaf has a node key corresponding to a node on a path from the root to the leaf, and the cryptographic processing The step is characterized in that a process of generating a ciphertext that can be decrypted only in a storage node key of the ciphertext decryption-permitted device is executed.

Furthermore, in an embodiment of the information processing method of the present invention, the key generation step includes the following definitions as keys generated by applying the n multi-linear map:
Ks = (Φ ₁ , ... Φ _n ) ^α ∈ G ₂
Generating a session key Ks based on:
However, _{G 2} is, Diffie-Hellman inversion assumption satisfying n multilinear map _e: a group defines a _G ^{1 n} → _{G 2,}
α is α∈ [1, p−1], where p is the order of G ₁ ,
Φ _j is a value determined by the following process,
(1) Prepare a counter j and set j = 1.
(2) A counter i is prepared, and i is incremented by 1 from 1 to 2N−1 while performing the following processing.
(2a) If i∈K, set Φ _j = g _i , increase j by 1 and move to the next processing of i.
(3) If j ≦ n, repeat the following process while j ≦ n.
(3a) Set Φ _j = g and increase j by 1.
Where N is the total number of information processing devices corresponding to the leafs that are the lowest nodes in the hierarchical tree structure,
n is the specified number n of the n multi-linear map and is an integer greater than or equal to 2,
K is a subtree root set that is set by selecting only the ciphertext decryption permitted device in the hierarchical tree configuration,
g _i is the public value of node i,
g is the generator of G ₁
It is characterized by being.

に基づくセッションキーＫｓを生成するステップである、
ただし、Ｇ_２は、ｇｅｎｅｒａｌｉｚｅｄ Ｄｉｆｆｉｅ−Ｈｅｌｌｍａｎ ａｓｓｕｍｐｔｉｏｎを満たすｎマルチリニアマップｅ：Ｇ_１ ^ｎ→Ｇ_２を定義する群であり、
ｇは、群Ｇ_１の生成元であり、
ｘ_ｉは、階層木構成における各構成ノードｉに設定されるノードキーであり、ｈ_ｉ＝ｇ^ｘｉが公開値として設定される、
ことを特徴とする。 Furthermore, in an embodiment of the information processing method of the present invention, the key generation step includes the following definitions as keys generated by applying the n multi-linear map:

Generating a session key Ks based on:
However, _{G 2} is, generalized Diffie-Hellman satisfy assumption n multilinear map _e: a group defines a _G ^{1 n} → _{G 2,}
g is the generator of group G ₁ and
x _i is a node key set for each configuration node i in the hierarchical tree configuration, and h _i = g ^xi is set as a public value.
It is characterized by that.

として設定し、
ｇｅｎｅｒａｌｉｚｅｄ Ｄｉｆｆｉｅ−Ｈｅｌｌｍａｎ ａｓｓｕｍｐｔｉｏｎを満たすｎマルチリニアマップを用いる場合、

として設定する構成、
ただし、
Ｎは階層木構成の最下位ノードであるリーフに対応する情報処理装置の総数、
ｒは、前記暗号文復号許容機器以外のリボーク（排除）機器数、

は、ｒｌｏｇ（Ｎ／ｒ）以下の最大の整数、
を有することを特徴とする。 Furthermore, in one embodiment of the information processing method of the present invention, the information processing method further includes a specified number n of n multi-linear maps to be applied to the encryption key generation process.
When using an n multi-linear map that satisfies Diffie-Hellman inversion assumption,

Set as
When using an n multi-linear map that satisfies the generalized Diffie-Hellman assumption,

Configuration to set as
However,
N is the total number of information processing devices corresponding to the leaves that are the lowest nodes in the hierarchical tree structure;
r is the number of revocation (exclusion) devices other than the ciphertext decryption permitted device,

Is the largest integer less than or equal to rlog (N / r),
It is characterized by having.

  Furthermore, in an embodiment of the information processing method of the present invention, in the information processing method, the specified number n of n multi-linear maps applied to the encryption key generation process can correspond to any r of r ≦ N. It is set as an integer value corresponding to the maximum value of the number n, that is, rlog (N / r).

  Furthermore, in one embodiment of the information processing method of the present invention, in the information processing method, the prescribed number n of n multi-linear maps applied to the encryption key generation processing is set to the maximum for the number r of revoke (exclusion) devices. The value R is set, and is set to a number n that can correspond to an arbitrary number r ≦ R, that is, an integer value corresponding to the value of rlog (N / r) when r = R.

Furthermore, the fifth aspect of the present invention provides
An information processing method for executing decryption processing of ciphertext,
An encryption key calculation process generated by applying an n multi-linear map (where n is an integer equal to or greater than 2) is performed on the path from the root as a vertex node in the hierarchical tree structure to the corresponding leaf of the own device. A key calculation step executed by applying a node key set in the node; and
A ciphertext decryption step for performing ciphertext decryption processing based on the cipher key calculated in the key calculation step;
There is an information processing method characterized by comprising:

Furthermore, in one embodiment of the information processing method of the present invention, the key calculation step has the following definition:
Ks = (Φ ₁ , ... Φ _n ) ^α ∈ G ₂
As the process for calculating the session key Ks based on the following processes 1-4,
1. Prepare counter j and set j = 1.
2. A counter i is prepared and i is incremented by 1 from 1 to 2N-1 while performing the following processing.
(A) If i∈K, check whether i and I match.
i. If i = I, set Φ _j = s _i , increase j by 1 and move on to the next i.
ii. If i ≠ I, set Φ _j = g _i , increase j by 1 and move on to the next i processing.
3. If j ≦ n, repeat the following process while j ≦ n.
(A) Set Φ _j = g and increase j by 1.
4). Find Ks = (φ ₁ ,..., Φ _n ),
However,
G ₂ is a group that defines an n multi-linear map e: G ₁ ⁿ → G ₂ that satisfies the Diffie-Hellman inversion assumption.
α is α∈ [1, p−1], where p is the order of G ₁ ,
N is the total number of information processing devices corresponding to the leaves that are the lowest nodes in the hierarchical tree structure;
n is a specified number n of n multi-linear maps and is an integer of 2 or more,
K is a subtree root set that is set by selecting only ciphertext decryption permitted devices in the hierarchical tree configuration;
s _i is the secret key of node i,
g _i is the public key of node i,
g is the generator of G ₁
I is a node included in the subtree root set K,
It is a step of executing the above-described processes 1 to 4 and calculating a session key Ks.

に基づくセッションキーＫｓの算出処理として、下記処理１〜４、すなわち、
１．カウンタｊ，ｌを用意し、ｊ＝１，ｌ＝２Ｎとセットする、
２．カウンタｉを用意し、以下の処理を行いながらｉを１から２Ｎ−１まで１ずつ増加させる、
（ａ）もしｉ∈Ｋかつｉ≠ＩならばΦ_ｊ＝ｈ_ｉとセットし、ｊを１増やして次のｉの処理に移る、
３．もしｊ≦ｎならば、ｊ≦ｎの間、下記の処理を繰り返す。
（ａ）Φ_ｊ＝ｈ_ｌとセットし、ｌを１増やし、ｊを１増やす、
４．上記セッションキーＫｓを算出する、
ただし、
Ｇ_２は、ｇｅｎｅｒａｌｉｚｅｄ Ｄｉｆｆｉｅ−Ｈｅｌｌｍａｎ ａｓｓｕｍｐｔｉｏｎを満たすｎマルチリニアマップｅ：Ｇ_１ ^ｎ→Ｇ_２を定義する群であり、
Ｎは階層木構成の最下位ノードであるリーフに対応する情報処理装置の総数、
ｎは、ｎマルチリニアマップの規定数ｎであり２以上の整数、
Ｋは、前記階層木構成において、暗号文復号許容機器のみを選択して設定される部分木ルート集合、
ｘ_ｉは、階層木構成における各構成ノードｉに設定されるノードキーであり、ｈ_ｉ＝ｇ^ｘｉが公開値、
Ｉは、部分木ルート集合Ｋに含まれるノード、
ｇは、群Ｇ_１の生成元、
上記処理１〜４を実行してセッションキーＫｓの算出を実行するステップであることを特徴とする。 Furthermore, in one embodiment of the information processing method of the present invention, the key calculation step has the following definition:

As the process for calculating the session key Ks based on the following processes 1-4,
1. Prepare counters j and l, and set j = 1 and l = 2N.
2. A counter i is prepared and i is incremented by 1 from 1 to 2N-1 while performing the following processing.
(A) If i∈K and i ≠ I, set Φ _j = h _i , increase j by 1 and move on to the next processing of i.
3. If j ≦ n, the following processing is repeated while j ≦ n.
(A) Set Φ _j = h _l , increase 1 by 1 and increase j by 1.
4). Calculating the session key Ks;
However,
G ₂ is a group that defines an n multi-linear map e: G ₁ ⁿ → G ₂ that satisfies a generalized Diffie-Hellman assumption.
N is the total number of information processing devices corresponding to the leaves that are the lowest nodes in the hierarchical tree structure;
n is the specified number n of the n multi-linear map and is an integer greater than or equal to 2,
K is a subtree root set that is set by selecting only ciphertext decryption permitted devices in the hierarchical tree configuration;
x _i is a node key set for each configuration node i in the hierarchical tree configuration, and h _i = g ^xi is a public value,
I is a node included in the subtree root set K,
g is the generator of group G ₁ ,
It is a step of executing the above-described processes 1 to 4 and calculating a session key Ks.

Furthermore, the sixth aspect of the present invention provides
A computer program for executing ciphertext generation processing;
In a hierarchical tree configuration having a configuration in which a root as a vertex node and a leaf that is the lowest node are connected, an information processing device that allows decryption of ciphertext is selected from a plurality of information processing devices corresponding to the leaf, and is selected. An encryption processing step for executing a process for generating a decryptable ciphertext based only on the storage key of the ciphertext decryption-permitted device,
The cryptographic processing step includes
a key generation step of generating an encryption key by applying an n multilinear map (where n is an integer of 2 or more);
And a ciphertext generation step for executing a ciphertext generation process that can be decrypted based on only the storage key of the ciphertext decryption permitted device using the generated encryption key.

Furthermore, the seventh aspect of the present invention provides
A computer program for performing decryption processing of ciphertext,
An encryption key calculation process generated by applying an n multi-linear map (where n is an integer equal to or greater than 2) is performed on the path from the root as a vertex node in the hierarchical tree structure to the corresponding leaf of the own device. A key calculation step executed by applying a node key set in the node; and
A ciphertext decryption step for performing ciphertext decryption processing based on the cipher key calculated in the key calculation step;
There is a computer program characterized by comprising:

  The computer program of the present invention is, for example, a storage medium or communication medium provided in a computer-readable format to a computer system capable of executing various program codes, such as a CD, FD, or MO. It is a computer program that can be provided by a recording medium or a communication medium such as a network. By providing such a program in a computer-readable format, processing corresponding to the program is realized on the computer system.

  Other objects, features, and advantages of the present invention will become apparent from a more detailed description based on embodiments of the present invention described later and the accompanying drawings. In this specification, the system is a logical set configuration of a plurality of devices, and is not limited to one in which the devices of each configuration are in the same casing.

  According to the configuration of the present invention, in a hierarchical tree configuration having a configuration in which a root as a vertex node and a leaf that is the lowest node are connected, information that allows decryption of ciphertext from a plurality of information processing devices corresponding to the leaf In a ciphertext generation process that can be decrypted based on only the storage key of the selected ciphertext decryption permitted device by selecting a processing device, an encryption key is applied by applying an n multi-linear map (where n is an integer of 2 or more) Can be generated as a single ciphertext that can be decrypted based only on the storage key of the ciphertext decryption permitting device, and as a receiver for receiving ciphertext and performing decryption processing. The amount of calculation in the user device is reduced, and efficient processing is realized.

  According to the configuration of the present invention, a hierarchical tree configuration is constructed by constructing a ciphertext distribution configuration in which a hierarchical tree structure is combined with a multi-linear map that satisfies Diffie-Hellman inversion assumption or generalized Diffie-Hellman assumption. It is possible to reduce the necessary number of ciphertexts that can be decrypted based only on the storage key of the ciphertext decryption-permitted device selected from a plurality of information processing devices corresponding to the middle leaf. Even when factors such as an increase in devices occur, an efficient ciphertext generation and provision configuration without increasing the number of necessary ciphertexts is realized.

  The details of the information processing apparatus, information recording medium, information processing method, and computer program of the present invention will be described below with reference to the drawings.

  In the first embodiment, on the assumption that there is a multi-linear map that satisfies Diffie-Hellman inversion assumption, each receiver can combine a key distribution technique using a multi-linear map with a hierarchical tree structure. This is a configuration example that can reduce the amount of calculation required.

  First, based on the non-patent document “D. Boneh and A. Silverberg” “Applications of Multilinear Forms to Cryptography” described in the background section above, a cryptographic n-multilinear map is used. Will be described.

（３）もしｇ∈Ｇ_１がＧ_１の生成元であるならば、ｅ（ｇ，・・・ｇ）はＧ_２の生成元である。 The n multi-linear map e: G ₁ ⁿ → G ₂ satisfies the following conditions (1), (2), and (3).
(1) G ₁ and G ₂ are groups having the same prime order.
(2) The following conditions are satisfied.

(3) If gεG ₁ is a generator of G ₁ , e (g,... G) is a generator of G ₂ .

And the cryptographic n-multilinear map (n-multilinear map) is
(1) computation of the group on _{G 1} and _{G 2} can be performed efficiently.
(2) The n multi-linear map e can be calculated efficiently.
(3) there is no efficient algorithm to solve the discrete logarithm problem on G _1.
It is an n multi-linear map that satisfies the following three conditions.

  To date, it is considered that for n = 2, a cryptographic n multi-linear map can be constructed using a technique called Tate paring or Weil paring.

In the description of this embodiment, a specific ciphertext distribution configuration will be described in the order of the following modes (a) and (b).
(A) Assuming that there is a cryptographic n-multilinear map for an arbitrary number n (n> 1), a broadcast encryption scheme using such a map n-multilinear map e (b) n = Broadcast encryption method using a cryptographic 2 multi-linear map

  In this embodiment, the sender who executes the ciphertext distribution process defines a hierarchical tree in which the number of leaves is N, as shown in FIG. And associate a receiver (or user) with each node. Each leaf has a different key. These detailed configurations will be described later.

  Based on this hierarchical tree structure, a specific selected leaf is set as a ciphertext decryption-allowed leaf, and other leaves are set as revoke (exclusion) leaves as leaves that cannot be decrypted. That is, the ciphertext provider generates and transmits a ciphertext that can be decrypted only in the ciphertext decryption allowable leaf.

  The ciphertext is provided through communication via a network or an information recording medium such as a CD or DVD. This ciphertext can be acquired by all leaf-compatible receivers (users). However, the provided ciphertext cannot be decrypted by using the key stored in the revoked device, and the key stored in the device other than the revoked device, that is, the device corresponding to the ciphertext decryption allowable leaf is used. Can only decrypt.

  The present invention is a processing configuration in which a broadcast encryption scheme using an n-multilinear map is applied to a ciphertext providing configuration to which such a hierarchical tree structure is applied.

  (A) Broadcast encryption scheme using an arbitrary number n (n> 1) of n multi-linear maps e

  First, a broadcast encryption scheme using an arbitrary number n (n> 1) of n multi-linear maps e will be described.

The broadcast encryption method described in this embodiment is
(1) Setup,
(2) Encryption and transmission,
(3) reception and decoding,
It is divided into three phases. The setup phase is performed only once at system startup. The encryption, transmission, reception, and decryption phases are repeated each time information is transmitted.

The entities that make up the broadcast encryption scheme are:
(A) a sender (transmitter) as an information processing device that performs ciphertext generation and provision processing;
(B) Receiver or receiver (user) such as a user device as an information processing apparatus for receiving and decrypting ciphertext
(C) A management center that manages the broadcast encryption system.

  Let N be the total number of information processing devices or users that receive and decrypt ciphertext. A management center for managing the system is also provided. The (1) setup process is executed by the sender or the management center.

  For simplicity, the total number of information processing apparatuses or users that receive ciphertext: N is a power of 2. If actual N is not a power of 2, the smallest number of powers of 2 larger than N may be used as N.

(1) Setup Hereinafter, an entity or information processing apparatus that performs ciphertext generation and provision processing will be described as a sender or a transmitter, and an entity or information processing apparatus that receives a ciphertext will be described as a receiver or a receiver. The setup process is executed by the sender or the system administrator. In the following description, it is assumed that the setup process is performed by the sender.

  As shown in FIG. 4, the sender defines a binary tree having N leaves as the number of recipients as a hierarchical tree, and assigns a number to each node i. That is, the root (vertex node) of the hierarchical tree is set to 1, and thereafter, the node number 2 as a node identifier is assigned to each node from the upper node and from the left node within the same level node with breadth priority (breadth first order). , 3, 4,.

  Leaf numbers as leaf identifiers from N to 2N−1 are assigned to leaves (leaves) that are nodes at the lowest layer of the binary tree.

  The receiver assigns each leaf one by one. FIG. 4 shows the definition of the binary tree with the number of recipients N = 16 and the assignment of receivers. Leaf numbers from N = 16 to 2N−1 = 31 are assigned to the leaves.

  Referring to FIG. 5, an information processing device such as a transmission device that generates and provides ciphertext, and an information processing device such as a reception device that receives ciphertext and executes processing for selecting and decrypting the ciphertext (hierarchical tree) A configuration example of a device set in the leaf of the structure will be described. In this system, when ciphertext and key designation code are stored and provided on a recording medium such as a disc, the transmitting device is constituted by a disc writing device or disc manufacturing device, and the receiver is constituted by an information processing device such as a disc reproducing device. Is done.

  As illustrated in FIG. 5, the information processing apparatus as an example includes a controller 301, an arithmetic unit 302, an input / output interface 303, a secure storage unit 304, a main storage unit 305, and a large capacity storage unit 306.

  The controller 301 is configured by a CPU having a function as a control unit that executes data processing according to a computer program, for example. The arithmetic unit 302 provides a dedicated arithmetic function for generating cryptographic keys, random numbers, and cryptographic processing, for example. The input / output interface 303 is an interface corresponding to data input from an input unit such as a keyboard and a mouse, data output to an external output device, and data transmission / reception processing via a network.

  The secure storage unit 304 is a storage unit that stores data that should be held safely or secretly, such as a node key as an encryption key and various IDs. The main storage unit 305 is a memory area used for, for example, a data processing program executed by the controller 301, other temporary storage processing parameters, a work area for program execution, and the like. The secure storage unit 304 and the main storage unit 305 are memories configured by, for example, RAM, ROM, and the like. The large-capacity storage unit 306 is a storage unit that can record and read large-capacity data such as hard disks, CDs, DVDs, and MDs, and records encrypted content and the like.

  In the following description, for ease of understanding, an information processing device that provides ciphertext is referred to as a transmitter, and an information processing device that receives ciphertext (associated with a leaf) is referred to as a receiver. explain. However, the provision of ciphertext to the user can be provided via a network or stored in an information recording medium as described above, and the data transmission / reception configuration is not necessarily provided on the ciphertext providing side and the receiving side. Not a required configuration.

  As described in the background section, the applicant assigns a node key to each node of the tree shown in FIG. 4, for example, in Japanese Patent Application Laid-Open No. 2001-352322, which has been filed earlier, and each receiver is assigned by himself / herself. In addition, a broadcast encryption system configured to hold a node key of a node on a path from a leaf to a root is disclosed.

In this method, the number of keys held by each receiver is logN + 1, and the upper limit of the number of ciphertexts to be broadcast is rlog (N / r). The calculation amount required for each receiver is one decryption process. That is, each receiver selects one ciphertext that can be decrypted by the node key of its own device (receiver) from a plurality of ciphertexts provided from the transmitter, and performs a decryption process on the selected ciphertext. .
However,
N: Total number of users (receivers) r: Number of receivers that are not selected (revoked) as information recipients.

Specifically, for example, when the binary tree configuration having the configuration of FIG. 6 is used, that is, when the revocation (exclusion) device is one information processing device corresponding to the leaf 14,
Total number of receivers N = 8 (No. 8 to No. 15)
Number of revoke receivers r = 1 (No. 14)
And
The number of keys that each receiver has is logN + 1 = log8 + 1 = 4
The upper limit of the number of ciphertexts to be broadcast is rlog (N / r) = 3
It becomes.

That is, when the revoke device is one information processing device corresponding to the leaf 14, the following three ciphertexts (rlog (N / r) = 3):
E (NK ₂ , Kc), E (NK ₆ , Kc), E (NK ₁₅ , Kc)
It is necessary to send

  In the present invention, by applying an n multilinear map in which n = rlog (N / r) is used in the above-described conventional method, which requires transmission of a maximum of rlog (N / r) ciphertexts, Only by deriving one key and transmitting one ciphertext encrypted with the key, it is possible to provide a ciphertext that can be decrypted only by a ciphertext decryption acceptable receiver excluding the revoke device.

  A sender as a system administrator or ciphertext provider defines an n multi-linear map that satisfies Diffie-Hellman inversion assumption and publishes it to the receiver.

Here, satisfying Diffie-Hellman inversion assumption means that when g and g ^b ∈G ₁ are given,
e (g,... g) ^{1 / b} ∈ G ₂
Say that it is difficult to calculate. Incidentally, g is a generator of the group _{G 1.}

However, n is determined by one of the following methods.
(I) A required number n of n multilinear maps required is determined from all combinations of the total number of receivers N and the number of revoke receivers r.
(II) An upper limit R of the number r of revoke receivers is determined by the system, and a prescribed number n of necessary n multi-linear maps is determined therefrom.

として設定できる。
ただし、
Ｎは階層木構成の最下位ノードであるリーフに対応する情報処理装置の総数、
ｒは、前記暗号文復号許容機器以外のリボーク（排除）機器数、

は、ｒｌｏｇ（Ｎ／ｒ）以下の最大の整数である The formula for calculating the prescribed number n of the n multi-linear map applied to the encryption key generation process is:
When using an n multi-linear map satisfying Diffie-Hellman inversion assumption, for example,

Can be set as
However,
N is the total number of information processing devices corresponding to the leaves that are the lowest nodes in the hierarchical tree structure;
r is the number of revocation (exclusion) devices other than the ciphertext decryption permitted device,

Is the largest integer less than or equal to rlog (N / r)

  Now, assuming that the total number of receivers N = 16, the value of the maximum required cryptographic fraction rlog (N / r) in the conventional method for each value from the number of revoke receivers r = 1 to r = 15 is as shown in the table below. become.

  As described above, in this method, it is only necessary to transmit rlog (N / r) ciphertexts at the worst for each number of revoke receivers r. It is sufficient to transmit a maximum of 8 ciphertexts, and the maximum number of ciphertexts = 8.

  In the present invention, instead of broadcasting a plurality of ciphertexts, one ciphertext based on a key created using an n-multilinear map is transmitted.

There are the above-mentioned (I) and (II) as the method of determining the prescribed number n of the n multi-linear map necessary for the ciphertext transmission system.
When the method (I) is applied, n = 8 so that any number of revoke receivers r less than the total number N of receivers can be handled.

  When the above method (II) is applied, an upper limit R of the number r of revoke receivers corresponding to the system is determined in advance. For example, in this system, when revoking of up to two receivers is performed, that is, R = 2, rlog (N / r) = 6 when r = 2 from the above table, so that n = 6 is determined. .

Next, for each node i (where i = 1, 2,..., 2N−1)
Public value g _i ∈G ₁
Determine.

g _i may each select a random element in G ₁ , or may be determined by another method from the previously determined multi-linear map. Each g _i will be published along with the correspondence between the nodes. Also, define a random value α∈ [1, p−1], and for each i,
Private key s _i = g _i ^α
Calculate

Where p is the order of the group G _i. Further, the secret key s _i of the node on the path from the leaf to which the receiver u _m is assigned to the root is secretly given to the receiver u _m (where m = 1,..., N). The receiver securely stores the private key s _i . The sender to publish select the generator g of the group G _i.

In the example shown in FIG. Nineteen receivers u ₄ are given secret keys s ₁ , s ₂ , s ₄ , s ₉ and s ₁₉ .

(2) Encryption and transmission The sender is a set of receivers for decoding information in the communication among the N receivers in total number of receivers, that is, an information decryption allowable receiver set S⊆ {1,. , N}. Next, all the branches from the leaf to the root that are not included in the information decoding allowable receiver set S, that is, assigned to the receiver to be revoked, nodes, and branches that contact the nodes are removed. Then, one or more separated subtrees remain, but the set of roots of each subtree is set as K.

In FIG. 7, the partial tree in the case of revoking the _three receivers u ₃ , u ₁₁ , u ₁₂ with the setting of FIG. 4 is indicated by a thick line. As shown in the figure, the set of roots of the subtree is K = {5, 7, 9, 12, 16}. In the configuration shown in FIG. 7, the subtree has five elements, that is, subtrees 131, 132, 133, 134, and 135, each of which is a set of receivers S = {16, 18 that allows decoding of information in communication. -19, 20-23, 24-25, 28-30} are subtrees configured as leaves.

  Here, when the method (I) is adopted in the above method of determining n, for any value of the number of revoke devices r, and when the method (II) is adopted, r ≦ R where r ≦ R. That is, for any number of revoke receivers r less than or equal to the maximum number of revoke receivers R, the number of elements of the root tree set K, that is, | K | | K | is the number of elements of the subtree root set K. In the configuration of FIG. 7, | K |, that is, the number of elements of the subtree root set K = {5, 7, 9, 12, 16} is 5.

Then, the session key Ks in the communication is represented as Ks = (Φ ₁ ,..., Φ _n ) ^α ∈ G ₂
Calculate as However, Φ _j is determined as follows.
(1) Prepare a counter j and set j = 1.
(2) A counter i is prepared and i is incremented by 1 from 1 to 2N−1 while performing the following processing.
(2a) If i∈K, set Φ _j = g _i , increase j by 1, and proceed to the next processing of i.
(3) If j ≦ n, the following processing is repeated while j ≦ n.
(3a) Set Φ _j = g and increase j by one.

The above processing uses g _i for i included in the subtree root set K as input of the n multilinear map e, and uses g (dummy) for the other n− | K | inputs. Finally the output of the n multi-linear map (on G ²⁾ is to multiply alpha. | K | is the number of elements of the subtree root set K.

In the setting of FIG. 7, when n = 8, the session key Ks is
_{Ks = (g 5, g 7} , g 9, g 12, g 16, g, g, g) α
It becomes.

  The sender encrypts the information to be transmitted using the session key Ks and uses the broadcast channel together with information (for example, a list of node numbers) representing the node set K used to create the session key Ks. Send to receiver. The information representing the subtree root set K may be represented using tag information such as the key designation code described in the background art section. Furthermore, the information encryption may use the session key Ks as it is, or may use a value obtained by inputting the session key Ks into a hash function such as SHA-1 or MD5 and converting it to a desired size. .

  For example, in the case of a broadcast application, after transmitting information indicating the information decryption allowable receiver set S in the communication, the broadcast content may be transmitted after being encrypted with the session key Ks. The content encrypted and the content encrypted with the session key Ks may be transmitted after transmitting the information and the ciphertext obtained by encrypting the content key Kc using the session key Ks. In the case of an application for a recording medium such as a CD, the information broadcast in the broadcast application may be recorded on a disk and distributed.

(3) Reception and Decoding The receiver u _m is included in a set of receivers that receive information transmitted from the broadcast channel and decode the information in the communication, that is, an information decoding allowable receiver set S. Find out if.

This can be performed by checking whether or not a node having a secret key (a node on a path from the leaf to which the node is assigned) is included in the subtree root set K. If it is not included in the information decoding permission receiver set S, the communication is not able to be decoded, and the process is terminated. If oneself is included in the information decryption allowable receiver set S, the session key Ks is obtained by the following process, and the transmitted information is decrypted using this. If the receiver u _m is included in the information decoding allowable receiver set S, only one of the nodes included in the subtree root set K is one of the nodes where u _m holds the secret key. Become. Let this node be I.

1. A counter j is prepared and j = 1 is set.
2. A counter i is prepared, and i is incremented by 1 from 1 to 2N−1 while performing the following processing.
(A) If iεK, check whether i and I match.
i. If i = I, Φ _j = s _i is set, j is incremented by 1, and the process proceeds to the next i.
ii. If i ≠ I, Φ _j = g _i is set, j is incremented by 1, and the process proceeds to the next i.
3. If j ≦ n, the following processing is repeated while j ≦ n.
(A) Set Φ _j = g and increase j by one.
4). Ks = (φ ₁ ,..., Φ _n ) is obtained.

For example, in the setting of FIG. 7, the receiver u ₄ has the secret key s ₉ = g ₉ ^α of the node 9.
_{Ks = (g 5, g 7} , s 9, g 12, g 16, g, g, g)
To obtain the session key Ks.

  With the above configuration, a broadcast encryption method can be configured using n multi-linear maps.

  The ciphertext broadcast by the method of this embodiment is one, and the number of keys securely held by each receiver is logN + 1. Further, n can be determined with rlog (N / r) as an upper limit. The amount of function execution depends on the number of input elements. In the method proposed in the above paper, since the number of input elements is n = N, the amount of calculation required for this mapping is expected to increase. However, in the present invention, the amount of calculation is reduced by reducing the number of input elements. doing.

  Under the premise that there is a multi-linear map satisfying the above-described processing example, that is, Diffie-Hellman inversion assumption, each reception is performed by combining a hierarchical tree structure with a key distribution technique using the multi-linear map. In a configuration example that can reduce the amount of calculation required by the machine, a ciphertext is generated and a processing sequence that is executed in an information processing device that provides the ciphertext, and a leaf compatible that receives the ciphertext and performs decryption processing For example, a processing sequence in an information processing apparatus such as a receiver will be described with reference to a flowchart.

  First, a processing sequence executed in an information processing apparatus that generates and provides a ciphertext will be described with reference to FIG.

  In step S101, the information processing apparatus on the ciphertext transmission side first selects a set S⊆ {1,..., N} of receivers to decrypt information in the communication among the N receivers.

  In step S102, a set K of subtree routes determined based on a set S of receivers that decode information excluding the revoke device is determined. For example, in the configuration of FIG. 7, the set of roots of the subtree is K = {5, 7, 9, 12, 16}.

In step S103, a session key Ks is set. The session key Ks is represented as Ks = (Φ ₁ ,..., Φ _n ) ^α ∈ G ₂
Calculate as

A specific calculation example of the session key Ks is shown in FIG. The process shown in FIG. 9 is as described above.
Ks = (Φ ₁ ,..., Φ _n ) ^α ∈ G ₂
Calculate as However, Φ _j is determined as follows.
(1) Prepare a counter j and set j = 1.
(2) A counter i is prepared and i is incremented by 1 from 1 to 2N−1 while performing the following processing.
(2a) If i∈K, set Φ _j = g _i , increase j by 1, and proceed to the next processing of i.
(3) If j ≦ n, the following processing is repeated while j ≦ n.
(3a) Set Φ _j = g and increase j by one.

The above processing uses g _i for i included in K as the input of map e, uses g for the other n− | K | inputs, and finally outputs the map (on G ² )) To the power of α.

In step S104,
The content key Kc is encrypted with the session key Ks, and the encrypted content key Enc (Ks, Kc)
Is calculated.

In step S105,
a. Information indicating the root set K of the subtree (for example, a list of node numbers)
b. Encrypted content key Enc (Ks, Kc)
c. Encrypted content Enc (Kc, Con)
Is transmitted via a communication path. Or it writes in an information recording medium and provides.

An example of information stored in the information recording medium is shown in FIG. The information recording medium 400 is an information recording medium such as a CD or a DVD. here,
Information indicating the root set K of the subtree (for example, a list of node numbers) 401
Encrypted content key Enc (Ks, Kc) 402
Encrypted content Enc (Kc, Con) 403
Store and serve.

  Any information processing apparatus as user equipment corresponding to a leaf having a hierarchical tree structure can receive such information via a broadcast communication path or an information recording medium. However, only a device included in the set S of receivers that decrypts information in the communication holds the session key Ks applied to the ciphertext Enc (Ks, Kc) 402 as its own possessed key. Since the session key Ks applied to the ciphertext Enc (Ks, Kc) 402 is not held, only the device included in the receiver set S decrypts the ciphertext Enc (Ks, Kc) 402 and obtains the content key Kc. Based on the acquired content key Kc, the encrypted content Enc (Kc, Con) 403 can be decrypted to acquire the content (Con).

Referring to FIG.
a. Information indicating the root set K of the subtree (for example, a list of node numbers)
b. Encrypted content key Enc (Ks, Kc)
c. Encrypted content Enc (Kc, Con)
A processing procedure in the information processing apparatus as the user equipment that has received the information items a to c will be described.

  First, in step S201, information (for example, a list of node numbers) indicating the root set K of the subtree is read.

  In step S202, it is determined whether or not its own device is included in a set of receivers that decode information in the communication, that is, an information decoding allowable receiver set S. This can be executed by checking whether or not a node having a secret key (a node on the path from the leaf to which the node is assigned) is included in the root set K of the subtree. If it is not included in the information decoding allowable receiver set S, the communication cannot be decoded and the process is terminated.

  If it is included in the information decoding permission receiver set S, the process proceeds to step S203, and the session key Ks is derived.

A specific calculation example of the session key Ks is shown in FIG. The process shown in FIG. 12 is the following process as described above.
1. A counter j is prepared and j = 1 is set.
2. A counter i is prepared, and i is incremented by 1 from 1 to 2N−1 while performing the following processing.
(A) If iεK, check whether i and I match.
i. If i = I, Φ _j = s _i is set, j is incremented by 1, and the process proceeds to the next i.
ii. If i ≠ I, Φ _j = g _i is set, j is incremented by 1, and the process proceeds to the next i.
3. If j ≦ n, the following processing is repeated while j ≦ n.
(A) Set Φ _j = g and increase j by one.
4). Ks = (φ ₁ ,..., Φ _n ) is obtained.

  In step S204, the ciphertext Enc (Ks, Kc) is decrypted by applying the session key Ks to acquire the content key Kc, and the encrypted content Enc (Kc, Con) is decrypted based on the acquired content key Kc. To acquire the content (Con).

  (B) Broadcast encryption method using a cryptographic two-multilinear map with n = 2

  In the above-described embodiment, it is assumed that there is a cryptographic n-multilinear map for an arbitrary n (n> 1). Hereinafter, n = 2 that has already been demonstrated. A specific example of the cryptographic n multi-linear map, that is, the two multi-linear map will be described. For the cryptographic n multi-linear map with n = 2, see D.C. Boneh and M.M. Franklin's paper "Identity-Based Encryption from the Weil Paring" .Published as .pdf)

  As described above, the present applicant assigns a node key to each node of the tree shown in FIG. 4 in Japanese Patent Laid-Open No. 2001-352322, and each receiver has a path from a leaf (leaf) to which it is assigned to the root. A broadcast encryption method configured to hold the node key of the upper node is disclosed.

In the conventional method, the number of keys held by each receiver is log N + 1, and the upper limit of the number of ciphertexts to be broadcast is r log (N / r). The amount of calculation required for each receiver is one decryption process.
However,
Where N is the total number of users (receivers) r is the number of receivers that are not selected (revoked) as information recipients.

とすることができる。 In such a ciphertext distribution system having a hierarchical tree structure, a maximum of nlog (N / r) ciphertexts are generated according to the number of revoked devices r. Ciphertext number of

It can be.

For the broadcast encryption method described below, as in the example of processing using any n described above,
(1) Setup,
(2) Encryption and transmission,
(3) reception and decoding,
These will be described in the following three phases. The setup phase is performed only once at system startup. The encryption, transmission, reception, and decryption phases are repeated each time information is transmitted.

  As an entity constituting the broadcast encryption system, a sender (transmitter) as an information processing device that performs ciphertext generation and provision processing, a user device as an information processing device that performs ciphertext reception and decryption processing, and the like And N is the total number of information processing apparatuses or users who receive and decrypt ciphertexts. A management center for managing the system is also provided. The (1) setup process is executed by the sender or the management center.

  For simplicity, the total number of information processing apparatuses or users that receive ciphertext: N is a power of 2. If actual N is not a power of 2, the smallest number of powers of 2 larger than N may be used as N.

(1) Setup Hereinafter, an entity or information processing apparatus that performs ciphertext generation and provision processing will be described as a sender or transmitter, and an entity or information processing apparatus that receives ciphertext will be described as a receiver or receiver. The setup process is executed by the sender or the system administrator. In the following description, it is assumed that the setup process is performed by the sender.

  The sender defines a 2-multilinear map that satisfies Diffie-Hellman inversion assumption and publishes it to the receiver.

Here, satisfying Diffie-Hellman inversion assumption means that when g and g ^b ∈G ₁ are given,
e (g,... g) ^{1 / b} ∈ G ₂
Say that it is difficult to calculate. Incidentally, g is a generator of the group _{G 1.}

For each node i (where i = 1, 2,..., 2N−1)
Public value g _i ∈G ₁
Determine.

g _i may each select a random element in G ₁ , or may be determined by another method from the previously determined multi-linear map. Each g _i will be published along with the correspondence between the nodes. Also, define a random value α∈ [1, p−1], and for each i,
Private key s _i = g _i ^α
Calculate

Where p is the order of the group G _i. Further, the secret key s _i of the node on the path from the leaf to which u _m is allocated to the root is secretly given to the receiver u _m (where m = 1,..., N). The receiver securely stores the private key s _i . The sender to publish select the generator g of the group G _i.

In the example shown in FIG. 4, the receiver u ₄ is given secret keys s ₁ , s ₂ , s ₄ , s ₉ , s ₁₉ .

(2) Encryption and transmission The sender selects a set S⊆ {1,..., N} of receivers to decrypt information in the communication among N receivers. Next, all branches from the leaf to the root that are not included in the information decoding allowable receiver set S, that is, assigned to the receiver to be revoked, nodes, and branches that contact the nodes are removed. Then, one or more separated subtrees remain, but the set of roots of each subtree is set as K.

個のサブグループＳＧ_ｋに分割する。
ただし、

である。 Next, the elements of the subtree root set K are arranged in order of the number i, two by two,

Divide into subgroups SG _k .
However,

It is.

は、｜Ｋ｜／２以上である最小の整数を表す。 In addition,
| K | indicates the number of elements of the subtree root set K,

Represents the smallest integer greater than or equal to | K | / 2.

に部分木のルートの集合Ｋの要素が１つしか入らない場合には、ノード番号２Ｎのダミーノードの存在を仮定し、このダミーノードがこのサブグループのもう１つの要素となる。 However, the last subgroup

If there is only one element of the root set K in the subtree, it is assumed that there is a dummy node with node number 2N, and this dummy node is another element of this subgroup.

As in the above example, assume the binary tree configuration shown in FIG. 4, that is, the binary tree configuration in which each receiver is assigned to each leaf and the number of recipients is N = 16. As shown in FIG. 4, processing when the three receivers u ₃ , u ₁₁ , and u ₁₂ are revoked with the setting shown in FIG. 4 will be described.

As shown in FIG. 7, the set of roots of the subtree is K = {5, 7, 9, 12, 16}. In this case, the subgroup is
SG ₁ = {5,7}
SG ₂ = {9,12}
SG ₃ = {16, 32}
It becomes.

Then, the sub-group key _{K SGk} for the sub-group SG _k in its communication,
K _SGk = e (Φ _j1 , Φ _j2 ) ^α ∈ G ₂
Determine as
Φ _j1 and Φ _j2 are public keys g _j1 and g _j2 corresponding to nodes j ₁ and j ₂ (assuming j ₁ <j ₂ ) that are elements of the subgroup SG _k .
However, _{j 2} is not an element of K. That is, if it is a dummy node,
Let Φ _j2 = g.

In the above example, each subgroup key K _SGk is set as _follows .
K _SG1 = e (g ₅ , g ₇ ) ^α
K _SG2 = e (g ₉ , g ₁₂ ) ^α
K _SG3 = e (g ₁₆ , g) ^α
It is.

  Next, the entire session key Ks in the communication is determined randomly. The session key Ks is a key for encrypting the contents of communication (for example, content such as a movie). For example, when the 128-bit version of the American standard AES is used for the encryption algorithm, the session key Ks is 128 bits.

を、暗号文
ＣＴ_ｋ＝Ｅ（Ｈ（Ｋ_ＳＧｋ），Ｋｓ）として設定する。
ただし、Ｅ（Ａ，Ｂ）は鍵Ａを用いた平文Ｂの暗号化を示す。 Next, ciphertext obtained by encrypting the session key Ks using each subgroup key

_Is set as ciphertext CT _k = E (H (K _SGk ), Ks).
Here, E (A, B) indicates encryption of plaintext B using the key A.

As an encryption algorithm, for example, a 128-bit version of AES of American standard is used. Function H, any element of G _2, a condensation promises hash function to the key length of the encryption algorithm (e.g. 128bit) to be used. The encryption algorithm E and the hash function H are predetermined by the system (may be determined by the sender) and are made public.

とを、ともに同報通信路で受信機に送信する。 The sender encrypts information to be transmitted by using the session key K _s , information (for example, a list of node numbers) representing the root tree set K, and the above ciphertext,

Are transmitted to the receiver via a broadcast channel.

を送信し、その後に放送コンテンツをセッションキーＫｓで暗号化して送信してもよい。 For example, in the case of a broadcast application, after sending information representing a set K of subtree roots,

After that, the broadcast content may be encrypted with the session key Ks and transmitted.

と、セッションキーＫｓで暗号化したコンテンツキーＫｃを送信した後に、コンテンツキーＫｃで暗号化されたコンテンツを送信してもよい。ＣＤなどの記録メディアのアプリケーションの場合には、放送アプリケーションにおいて放送していた情報をディスクに記録して配布すればよい。 Alternatively, information representing a set S of receivers for decrypting information in communication and ciphertext

Then, after transmitting the content key Kc encrypted with the session key Ks, the content encrypted with the content key Kc may be transmitted. In the case of an application for a recording medium such as a CD, the information broadcast in the broadcast application may be recorded on a disk and distributed.

(3) Reception and decoding The receiver u _m receives information transmitted from the broadcast channel and checks whether it is included in the set S of receivers for decoding information in the communication. This can be done by checking whether K includes a node having a secret key (node on the path from the leaf to which it is assigned to the root).

If it is not included in the information decoding permission receiver set S, the communication is not able to be decoded, and the process is terminated. If it is included in the information decryption allowable receiver set S, it is checked which subgroup ciphertext should be decrypted by itself. This can be obtained by searching for the number of nodes when the elements of the sub-tree root set K are divided into two when the node having the secret key is entered. Then, the receiver u _m obtains the sub group key of the sub group SG _k corresponding to the secret key owned by itself as follows.
K _SGk = e (s _i , Φ _j ) ∈G ₂ (when i <j)
K _SGk = e (Φ _j , s _i ) εG ₂ (when i> j)

Here, s _i is a secret key corresponding to the node i in which the receiver u _m has a secret key among the elements of the subgroup SG _k , and Φ _j is a public key corresponding to the node j that is not i is information _{g i.} However, if j is not an element of the root tree set K, that is, is a dummy node, Φ _j = g.

For example, in the above example, the receiver u _m possesses the secret key s ₉ = g ₉ ^α of the node g.
K _SG2 = e (s ₉ , Φ ₁₂ )
Can be determined subgroup key _{K SG2} subgroup SG ₂ as.

Next, the receiver u _m calculates a hash value H (K _SGk ) from the subgroup key K _SGk obtained above, and uses this to decrypt the ciphertext CTk to obtain a session key Ks, which is used. The information sent is decrypted.

となる。 With the configuration as described above, it is possible to configure a system that can securely distribute a key (session key Ks) to N receivers using two multi-linear maps. In the above configuration, the receiver has only one key (x _i ) that must be securely stored. For example, when the session key Ks is directly used for content encryption, it is broadcast for key distribution. The number of messages

It becomes.

It is known that the maximum value of the number of elements | K | of the subtree root set K is rlog ₂ (N / r), where r is the number of receivers to be revoked.

となり、上記のｎ＝２の場合に比べてこの面での効率がよくなる。 The above has described in detail the method using two multi-linear maps. However, as described above, this method can be directly extended to a method using n multi-linear maps for an arbitrary integer n> 1. As n increases, the number of keys stored by the receiver remains one, whereas the number of broadcast messages is

Therefore, the efficiency in this aspect is improved as compared with the case of n = 2.

に部分木ルート集合Ｋの要素が１つしか入らない場合には、ノード番号２Ｎのダミーノードを利用していたが、変形例としてはそのサブグループにＫの要素が１つしか入らない場合には、そのノードｉの秘密鍵ｓ_ｉを用いて、セッションキーを暗号化してもよい。 (Modification)
In the embodiment described above, the last subgroup

In the case where only one element of the sub-tree root set K is included, the dummy node having the node number 2N is used. However, as a modified example, only one element of K is included in the subgroup. May encrypt the session key using the secret key s _i of the node i.

として設定してもよい。ここで、Ｈ'は、Ｇ_１の任意の要素を、使用する暗号化アルゴリズムの鍵長（たとえば１２８ｂｉｔ）に縮約するハッシュ関数であり、公開されているものとする。 That is, the ciphertext

May be set as Here, H ′ is a hash function that reduces an arbitrary element of G ₁ to the key length (for example, 128 bits) of the encryption algorithm to be used, and is publicly available.

  It is possible to reduce the amount of calculation required for each receiver by combining a hierarchical tree structure with the above-described processing example, that is, key distribution technology using two multi-linear maps satisfying Diffie-Hellman inversion assumption. In the configuration example, see the flowchart for the processing sequence executed in the information processing apparatus that generates and provides the ciphertext and the processing sequence in the information processing apparatus such as a receiver that accepts the ciphertext and performs the decryption processing. To explain.

  First, a processing sequence executed in an information processing apparatus that generates and provides a ciphertext will be described with reference to FIG.

  First, in step S301, the information processing apparatus on the ciphertext transmission side selects a set S⊆ {1,..., N} of receivers to decrypt information in the communication among the N receivers.

  In step S302, a root set K of subtrees determined based on a set S of receivers for decoding information excluding the revoke device is determined. For example, in the configuration of FIG. 7, the set of roots of the subtree is K = {5, 7, 9, 12, 16}.

In step S303, the sub-group key _{K SGk} for the sub-group SG _k,
K _SGk = e (Φ _j1 , Φ _j2 ) ^α ∈ G ₂
Determine as

  In step S304, the entire session key Ks in the communication is randomly determined. The session key Ks is a key for encrypting the contents of communication (for example, content such as a movie). For example, when the 128-bit version of the American standard AES is used for the encryption algorithm, the session key Ks is 128 bits.

Next, in step S305, a ciphertext CT _k = E (H (K _SGk ), Ks) _obtained by encrypting the session key Ks using each subgroup key is derived.

In step S306, the content key Kc is encrypted with the session key Ks, and the encrypted content key Enc (Ks, Kc) is encrypted.
Is calculated.

In step S307,
a. Information indicating the root set K of the subtree (for example, a list of node numbers)
b. _Ciphertext CT _k = E (H (K _SGk ), Ks) _obtained by encrypting session key Ks using each subgroup key
c. Encrypted content key Enc (Ks, Kc)
d. Encrypted content Enc (Kc, Con)
Is transmitted via a communication path. Or it writes in an information recording medium and provides.

An example of information stored in the information recording medium is shown in FIG. The information recording medium 500 is an information recording medium such as a CD or a DVD. here,
Information (for example, a list of node numbers) 501 indicating the root set K of the subtree
_Ciphertext CT _k = E (H (K _SGk ), Ks) 502 _obtained by encrypting session key Ks using each subgroup key
Encrypted content key Enc (Ks, Kc) 503
Encrypted content Enc (Kc, Con) 504
Store and serve.

Any information processing apparatus as user equipment corresponding to a leaf having a hierarchical tree structure can receive such information via a broadcast communication path or an information recording medium. However, only the devices included in the set S of receivers that decrypt the information in the communication can encrypt the ciphertext CT _k = E (H (K _SGk ), Ks with the session key Ks encrypted using the individual subgroup keys. ) The secret key for deriving the sub group key applied to 502 is held as its own key, and the revoke device uses the sub key applied to the ciphertext CT _k = E (H (K _SGk ), Ks) 502. Since the private key for deriving the group key is not held, only the device included in the receiver set S decrypts the ciphertext CT _k = E (H (K _SGk ), Ks) 502 and the session key Ks Furthermore, the encrypted content key Enc (Ks, Kc) is decrypted with the acquired session key Ks to acquire the content key Kc, and the acquired content key Encrypted content Enc (Kc, Con) 504 by decoding the can acquire the content (Con) based on Kc.

Referring to FIG.
a. Information indicating the root set K of the subtree (for example, a list of node numbers)
b. _Ciphertext CT _k = E (H (K _SGk ), Ks) _obtained by encrypting session key Ks using each subgroup key
c. Encrypted content key Enc (Ks, Kc)
d. Encrypted content Enc (Kc, Con)
A processing procedure in the information processing apparatus as the user equipment that has received the information items a to d will be described.

  First, in step S401, information (for example, a list of node numbers) indicating the root set K of the subtree is read.

  In step S402, it is determined whether or not its own device is included in a set of receivers that decode information in the communication, that is, an information decoding allowable receiver set S. This can be executed by checking whether or not a node having a secret key (a node on the path from the leaf to which the node is assigned) is included in the root set K of the subtree. If it is not included in the information decoding allowable receiver set S, the communication cannot be decoded and the process is terminated.

If it is included in the information decryption allowable receiver set S, the process proceeds to step S403, and the subgroup key of the subgroup SGk corresponding to the private key that it owns is _obtained as described above. .
K _SGk = e (s _i , Φ _j ) ∈G ₂ (when i <j)
K _SGk = e (Φ _j , s _i ) εG ₂ (when i> j)

Next, in step S404, a hash value H (K _SGk ) is calculated from the subgroup key K _SGk , and using this, the ciphertext CT _k = E (H (K _SGk ), Ks, which is the encrypted data of the session key. ) To obtain the session key Ks.

  In step S405, the ciphertext Enc (Ks, Kc) is decrypted by applying the session key Ks to obtain the content key Kc. In step S406, the encrypted content Enc (Kc, Con is based on the obtained content key Kc. ) To obtain the content (Con).

  The second embodiment of the present invention will be described below. In the second embodiment, on the assumption that there is a multilinear map satisfying the generalized Diffie-Hellman assumption, each receiver is configured by combining a hierarchical tree structure with a key distribution technique using a multilinear map. This is an embodiment that makes it possible to reduce the amount of calculation required.

Also in the description of the present embodiment, as in the first embodiment, a specific ciphertext distribution configuration will be described in order for each of the following modes (a) and (b).
(A) Assuming that there is a cryptographic n-multilinear map for an arbitrary number n (n> 1), a broadcast encryption scheme using such a map n-multilinear map e (b) n = Broadcast encryption method using a cryptographic 2 multi-linear map

  (A) Broadcast encryption scheme using an arbitrary number n (n> 1) of n multi-linear maps e

  First, a broadcast encryption method using an n multilinear map e in which an arbitrary number n (n> 1) is set will be described.

Hereinafter, the broadcast encryption method in the second embodiment is the same as in the first embodiment.
(1) Setup,
(2) Encryption and transmission,
(3) reception and decoding,
These will be described in the following three phases.

  The setup phase is performed only once at system startup. The encryption, transmission, reception, and decryption phases are repeated each time information is transmitted.

  As an entity constituting the broadcast encryption system, a sender (transmitter) as an information processing device that performs ciphertext generation and provision processing, a user device as an information processing device that performs ciphertext reception and decryption processing, and the like And N is the total number of information processing apparatuses or users who receive and decrypt ciphertexts. A management center for managing the system is also provided. The (1) setup process is executed by the sender or the management center.

  For simplicity, the total number of information processing apparatuses or users that receive ciphertext: N is a power of 2. If actual N is not a power of 2, the smallest number of powers of 2 larger than N may be used as N.

(1) Setup Hereinafter, an entity or information processing apparatus that performs ciphertext generation and provision processing will be described as a sender or a transmitter, and an entity or information processing apparatus that receives a ciphertext will be described as a receiver or a receiver. The setup process is executed by the sender or the system administrator. In the following description, it is assumed that the setup process is performed by the sender.

  As in the first embodiment, the sender defines a binary tree with N leaves and assigns a number to each node i. The receiver assigns each leaf one by one.

  The sender defines an n-multilinear map that satisfies the generalized Diffie-Hellman assumption and publishes it to the receiver. However, n is determined as n = N−1 with respect to the total number N of receivers.

と、
ｎ個の受信機｛１，・・・，ｎ｝のうちの部分集合、情報復号許容受信機集合Ｓ⊂｛１，・・・，ｎ｝に対する

が与えられたときに、

を求めることが困難であることを言う。ここでｇは群Ｇ_１の生成元である。 Here, satisfying the generalized Diffie-Hellman assumption:

When,
a subset of n receivers {1,..., n}, information decoding allowable receiver set S⊂ {1,.

Is given,

Saying that it is difficult to seek. Where g is the generator of the group G _1.

However, n is set to minus 1 obtained by the method of the first embodiment. In Example 1, n was determined by one of the following methods.
(I) Necessary n is determined from all combinations of the total number of receivers N and the number of revoke receivers r.
(II) An upper limit R of the number r of revoke receivers is determined by the system, and necessary n is determined therefrom.

として設定可能である。
ただし、
Ｎは階層木構成の最下位ノードであるリーフに対応する情報処理装置の総数、
ｒは、前記暗号文復号許容機器以外のリボーク（排除）機器数、

は、ｒｌｏｇ（Ｎ／ｒ）以下の最大の整数である。 The formula for calculating the prescribed number n of the n multi-linear map applied to the encryption key generation process is:
When using an n multi-linear map that satisfies the generalized Diffie-Hellman assumption, for example,

Can be set as
However,
N is the total number of information processing devices corresponding to the leaves that are the lowest nodes in the hierarchical tree structure;
r is the number of revocation (exclusion) devices other than the ciphertext decryption permitted device,

Is the largest integer less than or equal to rlog (N / r).

  In the second embodiment, for example, when N = 16 as in the first embodiment, when the method (I) of the first embodiment is used, n = 8, but in the second embodiment, n = 7. . Similarly, when the method (II) is adopted, n = 6 in the first embodiment, but n = 5 in the present embodiment.

を計算する。ここでｐは群Ｇ_１の位数であり、ｇはＧ_１の生成元である。各ｈ_ｉを公開する。 Then, for each i of i = 1, 2,..., 2N + n−1, choose a random value xi∈ [1, p−1],

Calculate Here, p is the order of the group G ₁ and g is the generator of G ₁ . Make each h _i public.

The receiver u _m is given logN + 1 x _j corresponding to each node j on the path from the leaf to which it is assigned to the root. The receiver stores x _j securely.

Now, assume that N = 16 and n = 7 in the setting of FIG. Then, since the 2N + n-1 = 38, the sender _{x 1,} ···, _{x 38} and _{h 1,} ···, to expose the _{h i} are prepared _{h 38.} For example, the receiver u ₄ is provided with x ₁ , x ₂ , x ₄ , x ₉ , x ₁₉ corresponding to the nodes ₁ , ₂ , ₄ , ₉ , ₁₉ .

(2) Encryption and transmission The sender selects a set of receivers that decrypt information in the communication among N receivers, that is, an information decryption allowable receiver set S⊆ {1,..., N}. select. Next, all branches from the leaf to the root that are not included in the information decoding allowable receiver set S, that is, assigned to the receiver to be revoked, nodes, and branches that contact the nodes are removed.

Then, one or more separated subtrees remain, but the set of roots of each subtree is set as K. FIG. 7 shows a subtree when the three receivers u ₃ , u ₁₁ , and u ₁₂ are revoked with the setting shown in FIG.

  As shown in FIG. 7, the subtree root set K = {5, 7, 9, 12, 16}. Here, when (I) is adopted in the method of determining n above, for any value of the number of revoke receivers r, and when (II) is adopted, r ≦ r such that r ≦ R, That is, for any number r of revoke receivers less than the maximum number of revoke receivers R, the number of elements | K | of the root tree set K is at most n + 1. r is the number of receivers that are not selected (revoked) as recipients of information. R is the maximum number of revokes r on the system.

A session key Ks in communication to which a hierarchical tree structure is applied is derived as described below, and information is encrypted using the session key Ks and broadcasted together with information representing K.

Here, it should be noted that when the number of elements | K | = n + 1 of the subtree root set K, the portion of x _2N x _{2N + 1} ... X _{2N + n− | K |}

となる。 When n = 7 in the setting of FIG.

It becomes.

  Further, the information representing K may be represented using tag information such as a key designation code described in the background art section. Furthermore, the information encryption may use the session key Ks as it is, or may use a value obtained by inputting the session key Ks into a hash function such as SHA-1 or MD5 and converting it to a desired size. .

  For example, in the case of a broadcast application, after transmitting information representing the information decryption allowable receiver set S, the broadcast content may be transmitted after being encrypted with the session key Ks. After transmitting the ciphertext obtained by encrypting the content key Kc using the session key Ks, the content encrypted with the session key Ks may be transmitted. In the case of an application for a recording medium such as a CD, the information broadcast in the broadcast application may be recorded on a disk and distributed.

By the way, when the sender derives the session key Ks, another method may be used. That is, i of the number of elements | K | in the subtree root set K with i∈K is picked up, and n + 1− | K | i from 2N to 2N + n− | K | are picked up. Obtains the output of the map e a h _i corresponding to n of the picked-up a total of (n + 1) i as input, respectively, x _i-th power for one remaining for that output i (on G ₂₎ By doing so, Ks equal to the above can be obtained. Note that this Determination is similar to the method described below, the receiver u _m seeks Ks.

(3) Reception and Decoding The receiver u _m is included in a set of receivers that receive information transmitted from the broadcast channel and decode the information in the communication, that is, an information decoding allowable receiver set S. Find out if. This can be done by checking whether K includes a node having a secret key (node on the path from the leaf to which it is assigned to the root). If it is not included in the information decoding permission receiver set S, the communication is not able to be decoded, and the process is terminated. If oneself is included in the information decryption allowable receiver set S, the session key Ks is obtained by the following process, and the transmitted information is decrypted using this. If the receiver u _m is included in the information decryption allowable receiver set S, only one of the nodes included in K is one of the nodes where u _m holds the secret key. Let this node be I.

1. Counters j and l are prepared, and j = 1 and l = 2N are set.
2. A counter i is prepared, and i is incremented by 1 from 1 to 2N−1 while performing the following processing.
(A) If i∈K and i ≠ I, set Φ _j = h _i , increase j by 1, and proceed to the next processing of i.
3. If j ≦ n, the following processing is repeated while j ≦ n.
(A) Set Φ _j = h _l , increase 1 by 1, and increase j by 1.
4). The following session key Ks is obtained.

によりＫｓを求める。 For example, in the setting of FIG. 7, the receiver u ₄ possesses the secret key x ₉ of the node 9.

To obtain Ks.

  With the above configuration, the broadcast encryption method can be configured using the n multi-linear map, as in the first embodiment.

  The ciphertext broadcast by the method of this embodiment is one, and the number of keys securely held by each receiver is logN + 1. Further, n can be determined with rlog (N / r) -1 as the upper limit. The amount of function execution depends on the number of input elements. In the method proposed in the above paper, since the number of input elements is n = N, the amount of calculation required for this mapping is expected to increase. However, in the present invention, the amount of calculation is reduced by reducing the number of input elements. doing.

  Under the premise that there is a multi-linear map that satisfies the above-described processing example, ie, generalized Diffie-Hellman assumption, each reception is performed by combining a key distribution technique using a multi-linear map with a hierarchical tree structure. In a configuration example that can reduce the amount of calculation required by the machine, a ciphertext is generated and a processing sequence that is executed in an information processing device that provides the ciphertext, and a leaf compatible that receives the ciphertext and performs decryption processing For example, the processing sequence in the information processing apparatus such as a receiver is the same as the ciphertext transmitting side sequence described with reference to FIG. 8 in the first embodiment and the ciphertext receiving side sequence described with reference to FIG. Become.

  However, in the second embodiment, the process for calculating the session key Ks in the process on the ciphertext sending side and the process for calculating the session key Ks in the process on the ciphertext receiving side are different.

によって算出する。 That is, the session key Ks in step S103 in FIG. 8 is calculated as shown in FIG. 16, that is, as described above,

Calculated by

  On the other hand, the calculation process of the session key Ks in the process on the ciphertext receiving side, that is, the session key Ks in step S203 in FIG. 11 is performed according to the calculation process shown in FIG. Find the key Ks.

1. Counters j and l are prepared, and j = 1 and l = 2N are set.
2. A counter i is prepared, and i is incremented by 1 from 1 to 2N−1 while performing the following processing.
(A) If i∈K and i ≠ I, set Φ _j = h _i , increase j by 1, and proceed to the next processing of i.
3. If j ≦ n, the following processing is repeated while j ≦ n.
(A) Set Φ _j = h _l , increase 1 by 1, and increase j by 1.
4). The following session key Ks is obtained.

  (B) Broadcast encryption method using a cryptographic two-multilinear map with n = 2

  In the above-described embodiment, it is assumed that there is a cryptographic n-multilinear map for an arbitrary n (n> 1). Hereinafter, n = 2 that has already been demonstrated. A specific example of the cryptographic n multi-linear map, that is, the two multi-linear map will be described. For the cryptographic n multi-linear map with n = 2, see D.C. Boneh and M.M. Franklin's paper "Identity-Based Encryption from the Wel Paring" (this article is available on the website managed by Prof. Boneh, one of the authors: http://crypto.stanford.edu/~dabos/. .Published as .pdf)

In the following, the broadcast encryption method applying the 2 multi-linear map with n = 2 is similar to the above example.
(1) Setup,
(2) Encryption and transmission,
(3) reception and decoding,
These will be described in the following three phases.

  The setup phase is performed only once at system startup. The encryption, transmission, reception, and decryption phases are repeated each time information is transmitted.

  As an entity constituting the broadcast encryption system, a sender (transmitter) as an information processing device that performs ciphertext generation and provision processing, a user device as an information processing device that performs ciphertext reception and decryption processing, and the like And N is the total number of information processing apparatuses or users who receive and decrypt ciphertexts. A management center for managing the system is also provided. The (1) setup process is executed by the sender or the management center.

  For simplicity, the total number of information processing apparatuses or users that receive ciphertext: N is a power of 2. If actual N is not a power of 2, the smallest number of powers of 2 larger than N may be used as N.

(1) Setup Hereinafter, an entity or information processing apparatus that performs ciphertext generation and provision processing will be described as a sender or a transmitter, and an entity or information processing apparatus that receives a ciphertext will be described as a receiver or a receiver. The setup process is executed by the sender or the system administrator. In the following description, it is assumed that the setup process is performed by the sender.

  As in the first embodiment, the sender defines a binary tree with N leaves and assigns a number to each node i. The receiver assigns each leaf one by one.

  The sender defines an n-multilinear map that satisfies the generalized Diffie-Hellman assumption and publishes it to the receiver. However, n = 2.

を計算する。ただし、ｎ＝２であるのでｉ＝１〜２Ｎ＋１である。また、ここでｐは群Ｇ_１の位数であり、ｇはＧ_１の生成元である。各ｈ_ｉを公開する。 Then, for each i of i = 1, 2,..., 2N + n−1, choose a random value xi∈ [1, p−1],

Calculate However, since n = 2, i = 1 to 2N + 1. Here, p is the order of the group G ₁ and g is a generator of G ₁ . Make each h _i public.

Note that x _i and h _i correspond to the node i, but it is assumed that dummy nodes having node numbers 2N and 2N + 1 exist, x _2N and h _2N correspond to the node 2N, and x _{2N + 1} and h _{2N + 1} correspond to the node 2N + 1. I think so.

The receiver u _m is given logN + 1 x _j corresponding to each node j on the path from the leaf to which it is assigned to the root. The receiver stores x _j securely.

Now, in the setting of FIG. 4, N = 16 and n = 2, so 2N + n−1 = 33, so that the sender is x ₁ ,..., X ₃₃ and h _{1 ,.} the prepared to publish the h _i. For example, the receiver u ₄ is provided with x ₁ , x ₂ , x ₄ , x ₉ , x ₁₉ corresponding to the nodes ₁ , ₂ , ₄ , ₉ , ₁₉ .

(2) Encryption and transmission The sender selects a set of receivers to decrypt information in the communication among N receivers, that is, an information decryption allowable receiver set S⊆ {1,..., N}. To do. Next, all branches from the leaf to the root that are not included in the information decoding allowable receiver set S, that is, assigned to the receiver to be revoked, nodes, and branches that contact the nodes are removed. Then, one or more separated subtrees remain, but the set of roots of each subtree is set as K.

個のサブグループＳＧ_ｋに分割する。 Next, three elements of K in the order of the number i,

Divide into subgroups SG _k .

である。 However,

It is.

は、｜Ｋ｜／３以上である最小の整数を表す。 In addition,
| K | indicates the number of elements of the subtree root set K,

Represents the smallest integer greater than or equal to | K | / 3.

にＫの要素が１つしか入らない場合には、ダミー受信機２Ｎと２Ｎ＋１もサブグループの要素であるとし、また、

に、部分木のルートの集合Ｋの要素が２つだけ入る場合には、ダミーの受信機２Ｎもこのサブグループの要素であるとする。 However, the last subgroup

, The dummy receivers 2N and 2N + 1 are also subgroup elements, and

If only two elements of the root tree set K are included, the dummy receiver 2N is also an element of this subgroup.

As in the above example, assume the binary tree configuration shown in FIG. 4, that is, the binary tree configuration in which each receiver is assigned to each leaf and the number of recipients is N = 16. As shown in FIG. 4, processing when the three receivers u ₃ , u ₁₁ , and u ₁₂ are revoked with the setting shown in FIG. 4 will be described.

As shown in FIG. 7, the set of roots of the subtree is K = {5, 7, 9, 12, 16}. In this case, the subgroup is
SG ₁ = {5, 7, 9}
SG ₂ = {12, 16, 32}
It becomes.
However, the node 32 is a dummy node.

として定める。 Then, the sub-group key _{K SGk} for the sub-group SG _k in its communication,

Determine as

In the above example, a subgroup key subgroup SG ₁ and subgroup SG ₂ is shown as follows.

  Next, the entire session key Ks in the communication is determined randomly. The session key Ks is a key for encrypting the contents of communication (for example, content such as a movie). For example, when the 128-bit version of the American standard AES is used for the encryption algorithm, the session key Ks is 128 bits.

を、暗号文
ＣＴ_ｋ＝Ｅ（Ｈ（Ｋ_ＳＧｋ），Ｋｓ）として設定する。
ただし、Ｅ（Ａ，Ｂ）は鍵Ａを用いた平文Ｂの暗号化を示す。 Next, ciphertext obtained by encrypting the session key Ks using each subgroup key

_Is set as ciphertext CT _k = E (H (K _SGk ), Ks).
Here, E (A, B) indicates encryption of plaintext B using the key A.

As an encryption algorithm, for example, a 128-bit version of AES of American standard is used. Function H, any element of G _2, a condensation promises hash function to the key length of the encryption algorithm (e.g. 128bit) to be used. The encryption algorithm E and the hash function H are predetermined by the system (may be determined by the sender) and are made public.

とを、ともに同報通信路で受信機に送信する。 The sender encrypts information to be transmitted by using the session key K _s , information (for example, a list of node numbers) representing the root tree set K, and the above ciphertext,

Are transmitted to the receiver via a broadcast channel.

を送信し、その後に放送コンテンツをセッションキーＫｓで暗号化して送信してもよいし、通信において情報を復号させる受信機の集合、すなわち情報復号許容受信機集合Ｓを表す情報と、暗号文

と、セッションキーＫｓで暗号化したコンテンツキーＫｃを送信した後に、コンテンツキーＫｃで暗号化されたコンテンツを送信してもよい。ＣＤなどの記録メディアのアプリケーションの場合には、放送アプリケーションにおいて放送していた情報をディスクに記録して配布すればよい。 For example, in the case of a broadcast application, after sending information representing a set K of subtree roots,

And then the broadcast content may be transmitted after being encrypted with the session key Ks, or a set of receivers for decrypting information in communication, that is, information indicating an information decryption allowable receiver set S, and ciphertext

Then, after transmitting the content key Kc encrypted with the session key Ks, the content encrypted with the content key Kc may be transmitted. In the case of an application for a recording medium such as a CD, the information broadcast in the broadcast application may be recorded on a disk and distributed.

(3) Reception and Decoding The receiver u _m is included in a set of receivers that receive information transmitted from the broadcast channel and decode the information in the communication, that is, an information decoding allowable receiver set S. Find out if. This can be done by checking whether K includes a node having a secret key (node on the path from the leaf to which it is assigned to the root).

If it is not included in the information decoding permission receiver set S, the communication is not able to be decoded, and the process is terminated. If it is included in the information decryption allowable receiver set S, it is checked which subgroup ciphertext should be decrypted by itself. This can be obtained by searching for the number of nodes having a secret key when the elements of the set K of the root of the subtree are divided into three. Then, the receiver u _m obtains the sub group key of the sub group SG _k corresponding to the secret key owned by itself as follows.

ここで、ｘ_ｉは、サブグループＳＧ_ｋの要素のうち、受信機ｕ_ｍが秘密鍵を持つノードｉに対応する秘密鍵であり、ｈ_ｊ１、ｈ_ｊ２は、ｉではないほうのノードｊ_１，ｊ_２に対応する公開情報ｇ_ｉである。ただし、ｉが、サブグループ

の要素であり、このサブグループに部分木のルートの集合Ｋの要素（実在の要素）が１つしか含まれない場合には、ダミーノード２Ｎおよび２Ｎ＋１に対応する公開情報ｈ_２Ｎ，ｈ_２Ｎ＋１を用い、このサブグループに部分木のルートの集合Ｋの要素（実在の要素）が２つだけ含まれる場合には、ダミーノード２Ｎに対応する公開情報ｈ_２Ｎを用いる。

Here, x _i is a secret key corresponding to the node i in which the receiver u _m has a secret key among the elements of the subgroup SG _k , and h _j1 and h _j2 are the nodes j ₁ that are not i. , it is a public information _{g i} corresponding to the _{j 2.} Where i is a subgroup

And when this subgroup includes only one element (real element) of the root tree set K, the public information h _2N and h _{2N + 1} corresponding to the dummy nodes 2N and 2N + 1 are obtained. If the subgroup includes only two elements (existing elements) of the root tree set K, the public information h _2N corresponding to the dummy node _2N is used.

For example, in the above example, the receiver u ₄ possesses the secret key x ₉ of the node 9, so
K _SG1 = e (h ₅ , h ₇ ) ^{x 9}
Can be determined subgroup key _{K SG1} subgroup SG ₁ as.

Next, the receiver u _m calculates a hash value H (K _SGk ) from the subgroup key K _SGk obtained above, and uses this to decrypt the ciphertext CTk to obtain a session key Ks, which is used. The information sent is decrypted.

となる。 With the configuration as described above, it is possible to configure a system that can securely distribute a key (session key Ks) to N receivers using two multi-linear maps. In the above configuration, the receiver has only one key (x _i ) that must be securely stored. For example, when the session key Ks is directly used for content encryption, it is broadcast for key distribution. The number of messages

It becomes.

It is known that the maximum value of the number of elements | K | of the subtree root set K is rlog ₂ (N / r), where r is the number of receivers to be revoked.

となり、上記のｎ＝２の場合に比べてこの面での効率がよくなる。 The above has described in detail the method using two multi-linear maps. However, as described above, this method can be directly extended to a method using n multi-linear maps for an arbitrary integer n> 1. As n increases, the number of keys stored by the receiver remains one, whereas the number of broadcast messages is

Therefore, the efficiency in this aspect is improved as compared with the case of n = 2.

  By combining a hierarchical tree structure with the above-described processing example, that is, a key distribution technique using two multi-linear maps satisfying the generalized Diffie-Hellman assumption, it is possible to reduce the amount of calculation required for each receiver. In the configuration example, the processing sequence executed in the information processing apparatus that generates and provides the ciphertext, and the processing sequence in the information processing apparatus such as a receiver that accepts the ciphertext and performs the decryption processing, The processing sequence is the same as in FIG. 13 (ciphertext providing side) and FIG. 15 (ciphertext receiving side) described in the first embodiment. However, the subgroup key calculation processing method differs in each process. The sub group key calculation process is as described above.

  The present invention has been described in detail above with reference to specific embodiments. However, it is obvious that those skilled in the art can make modifications and substitutions of the embodiments without departing from the gist of the present invention. In other words, the present invention has been disclosed in the form of exemplification, and should not be interpreted in a limited manner. In order to determine the gist of the present invention, the claims section described at the beginning should be considered.

  The series of processes described in the specification can be executed by hardware, software, or a combined configuration of both. When executing processing by software, the program recording the processing sequence is installed in a memory in a computer incorporated in dedicated hardware and executed, or the program is executed on a general-purpose computer capable of executing various processing. It can be installed and run.

  For example, the program can be recorded in advance on a hard disk or ROM (Read Only Memory) as a recording medium. Alternatively, the program is temporarily or permanently stored on a removable recording medium such as a flexible disk, a CD-ROM (Compact Disc Read Only Memory), an MO (Magneto optical) disk, a DVD (Digital Versatile Disc), a magnetic disk, or a semiconductor memory. It can be stored (recorded). Such a removable recording medium can be provided as so-called package software.

  The program is installed on the computer from the removable recording medium as described above, or is wirelessly transferred from the download site to the computer, or is wired to the computer via a network such as a LAN (Local Area Network) or the Internet. The computer can receive the program transferred in this manner and install it on a recording medium such as a built-in hard disk.

  Note that the various processes described in the specification are not only executed in time series according to the description, but may be executed in parallel or individually according to the processing capability of the apparatus that executes the processes or as necessary. Further, in this specification, the system is a logical set configuration of a plurality of devices, and the devices of each configuration are not limited to being in the same casing.

  As described above, according to the configuration of the present invention, in a hierarchical tree configuration having a configuration in which a root as a vertex node and a leaf that is the lowest node are connected, encryption is performed from a plurality of information processing devices corresponding to the leaf. In the process of generating a ciphertext that can be decrypted based only on the storage key of the selected ciphertext decryption permitted device, selecting an information processing device that permits the decryption of the text, n multi-linear map (where n is an integer of 2 or more) ) To generate a cipher key that can be generated as a single ciphertext that can be decrypted based only on the storage key of the ciphertext decryption-permitted device. The amount of calculation in the user device as a receiver that executes the above is reduced, and efficient processing is realized. Therefore, the present invention can be used in a ciphertext providing configuration to which a hierarchical tree structure is applied. Specifically, it can be applied to an information processing apparatus that executes ciphertext generation, provision, and transmission, an information processing apparatus as a user device that executes decryption and reproduction of ciphertext, and an information recording medium that stores encrypted content. is there.

  According to the configuration of the present invention, a hierarchical tree configuration is constructed by constructing a ciphertext distribution configuration in which a hierarchical tree structure is combined with a multi-linear map that satisfies Diffie-Hellman inversion assumption or generalized Diffie-Hellman assumption. It is possible to reduce the necessary number of ciphertexts that can be decrypted based only on the storage key of the ciphertext decryption-permitted device selected from a plurality of information processing devices corresponding to the middle leaf. Even when factors such as an increase in devices occur, an efficient ciphertext generation and provision configuration without increasing the number of necessary ciphertexts is realized. Therefore, the present invention can be used in a ciphertext providing configuration to which a hierarchical tree structure is applied. Specifically, it can be applied to an information processing apparatus that executes ciphertext generation, provision, and transmission, an information processing apparatus as a user device that executes decryption and reproduction of ciphertext, and an information recording medium that stores encrypted content. is there.

It is a figure explaining a binary tree hierarchical tree structure. It is a figure explaining the method of transmitting the information which only the selected information processing apparatus can acquire in a binary tree hierarchical tree structure. It is a figure explaining the structure which provides a key specification code to each information processing apparatus with a ciphertext. It is a figure which shows the hierarchical tree structural example whose number of the leaves (leaf) which can apply this invention is the number N of recipients. It is a figure which shows the structural example of information processing apparatuses, such as a transmitter which produces | generates and provides a ciphertext, and information processing apparatuses, such as a receiver which receives a ciphertext and acquires information. It is a figure explaining the number of possessed keys of a leaf and the number of provided ciphertexts in a configuration that provides ciphertexts to an information processing device based on a hierarchical tree configuration. It is a figure explaining the subtree structure which excluded the revoke receiver. It is a flowchart explaining the process sequence performed in the information processing apparatus which produces | generates and provides a ciphertext. It is a figure explaining the specific calculation example of the session key Ks performed in the information processing apparatus which produces | generates and provides a ciphertext. It is a figure which shows the example of information recording medium storage of the information produced | generated in the information processing apparatus which produces | generates and provides a ciphertext. It is a flowchart explaining the process sequence performed in the information processing apparatus which receives and decrypts a ciphertext. It is a figure explaining the specific calculation example of the session key Ks performed in the information processing apparatus which receives and decrypts a ciphertext. It is a flowchart explaining the process sequence performed in the information processing apparatus which produces | generates and provides a ciphertext at the time of applying the multi-linear map of n = 2. It is a figure which shows the example of information recording medium storage of the information produced | generated in the information processing apparatus which produces | generates and provides a ciphertext at the time of the multi-linear map of n = 2. It is a flowchart explaining the process sequence performed in the information processing apparatus which receives and decrypts a ciphertext at the time of applying the multi-linear map of n = 2. It is a figure explaining the specific calculation example of the session key Ks performed in the information processing apparatus which produces | generates and provides a ciphertext. It is a figure explaining the specific calculation example of the session key Ks performed in the information processing apparatus which receives and decrypts a ciphertext.

Explanation of symbols

101, 102 Information processing device 120 Root node 121, 122, 123 Node 131, 132, 133, 134, 135 Subtree 301 Controller 302 Arithmetic unit 303 Input / output interface 304 Secure storage unit 305 Main storage unit 306 Mass storage unit 400 Information Recording medium 401 Information indicating root set K of subtree 402 Encrypted content key Enc (Ks, Kc)
403 Encrypted content Enc (Kc, Con)
500 Information recording medium 501 Information indicating root set K of subtree 502 _Ciphertext CT _k = E (H (K _SGk ), Ks)
503 Encrypted content key Enc (Ks, Kc)
504 Encrypted content Enc (Kc, Con)

Claims (25)

An information processing apparatus that executes ciphertext generation processing,
In a hierarchical tree configuration having a configuration in which a root as a vertex node and a leaf that is the lowest node are connected, an information processing device that allows decryption of ciphertext is selected from a plurality of information processing devices corresponding to the leaf, and is selected. A cipher processing unit that executes a process for generating a ciphertext that can be decrypted based only on the storage key of the ciphertext decryption-permitted device.
The cryptographic processing unit
Generate an encryption key by applying an n multi-linear map (where n is an integer equal to or greater than 2), and generate a ciphertext that can be decrypted based on only the storage key of the ciphertext decryption permitted device using the generated encryption key An information processing apparatus having a configuration for executing processing. Each of the plurality of information processing devices corresponding to the leaf has a node key corresponding to a node on a path from the root to the own leaf,
The cryptographic processing unit
The information processing apparatus according to claim 1, wherein a ciphertext generation process that can be decrypted only by a storage node key of the ciphertext decryption permitted apparatus is executed. The cryptographic processing unit
As a key to be generated by applying the n multi-linear map, the following definition:
Ks = (Φ ₁ , ... Φ _n ) ^α ∈ G ₂
Is a configuration for generating a session key Ks based on
However, _{G 2} is, Diffie-Hellman inversion assumption satisfying n multilinear map _e: a group defines a _G ^{1 n} → _{G 2,}
α is α∈ [1, p−1], where p is the order of G ₁ ,
Φ _j is a value determined by the following process,
(1) Prepare a counter j and set j = 1.
(2) A counter i is prepared, and i is incremented by 1 from 1 to 2N−1 while performing the following processing.
(2a) If i∈K, set Φ _j = g _i , increase j by 1 and move to the next processing of i.
(3) If j ≦ n, repeat the following process while j ≦ n.
(3a) Set Φ _j = g and increase j by 1.
Where N is the total number of information processing devices corresponding to the leafs that are the lowest nodes in the hierarchical tree structure,
n is the specified number n of the n multi-linear map and is an integer greater than or equal to 2,
K is a subtree root set that is set by selecting only the ciphertext decryption permitted device in the hierarchical tree configuration,
g _i is the public value of node i and satisfies g _i ∈G ₁ ,
g is the generator of G ₁
The information processing apparatus according to claim 1, wherein: The cryptographic processing unit
As a key to be generated by applying the n multi-linear map, the following definition:

Is a configuration for generating a session key Ks based on
However, _{G 2} is, generalized Diffie-Hellman satisfy assumption n multilinear map _e: a group defines a _G ^{1 n} → _{G 2,}
g is the generator of group G ₁ and
x _i is a node key set for each configuration node i in the hierarchical tree configuration, and h _i = g ^xi is set as a public value.
The information processing apparatus according to claim 1. The information processing apparatus includes:
The specified number n of n multi-linear maps to be applied to the encryption key generation process,
When using an n multi-linear map that satisfies Diffie-Hellman inversion assumption,

Set as
When using an n multi-linear map that satisfies the generalized Diffie-Hellman assumption,

Configuration to set as
However,
N is the total number of information processing devices corresponding to the leaves that are the lowest nodes in the hierarchical tree structure;
r is the number of revocation (exclusion) devices other than the ciphertext decryption permitted device,

Is the largest integer less than or equal to rlog (N / r),
The information processing apparatus according to claim 1, wherein: The information processing apparatus includes:
The specified number n of n multi-linear maps to be applied to the encryption key generation process,
6. The information processing apparatus according to claim 5, wherein the information processing apparatus is configured to be set as an integer value corresponding to a maximum number n of rlog (N / r), which can correspond to any r of r ≦ N. The information processing apparatus includes:
The specified number n of n multi-linear maps to be applied to the encryption key generation process,
The maximum value R is set for the number r of revoke (exclusion) devices, and this corresponds to the number n that can correspond to an arbitrary number r ≦ R, that is, the value of rlog (N / r) when r = R. The information processing apparatus according to claim 5, wherein the information processing apparatus is configured as an integer value. In a hierarchical tree configuration having a configuration in which a root as a vertex node and a leaf that is the lowest node are connected, an information processing apparatus set corresponding to the leaf,
A storage unit storing a node key corresponding to a node on a path from the root to the self-leaf;
An encryption processing unit that performs decryption processing of ciphertext, and performs encryption key calculation processing generated by applying an n multi-linear map (where n is an integer of 2 or more) that is an encryption processing key for ciphertext, An encryption processing unit that executes by applying the node key and executes decryption processing of ciphertext based on the generated encryption key;
An information processing apparatus comprising: The cryptographic processing unit
The following definitions
Ks = (Φ ₁ , ... Φ _n ) ^α ∈ G ₂
A process for decrypting ciphertext encrypted by a session key Ks based on
As the process for calculating the session key Ks, the following processes 1 to 4, that is,
1. Prepare counter j and set j = 1.
2. A counter i is prepared and i is incremented by 1 from 1 to 2N-1 while performing the following processing.
(A) If i∈K, check whether i and I match.
i. If i = I, set Φ _j = s _i , increase j by 1 and move on to the next i.
ii. If i ≠ I, set Φ _j = g _i , increase j by 1 and move on to the next i processing.
3. If j ≦ n, repeat the following process while j ≦ n.
(A) Set Φ _j = g and increase j by 1.
4). Find Ks = (φ ₁ ,..., Φ _n ),
However,
G ₂ is a group that defines an n multi-linear map e: G ₁ ⁿ → G ₂ that satisfies the Diffie-Hellman inversion assumption.
α is α∈ [1, p−1], where p is the order of G ₁ ,
N is the total number of information processing devices corresponding to the leaves that are the lowest nodes in the hierarchical tree structure;
n is the specified number n of the n multi-linear map and is an integer greater than or equal to 2,
K is a subtree root set that is set by selecting only ciphertext decryption permitted devices in the hierarchical tree configuration;
s _i is the secret key of node i,
g _i is the public key of node i,
I is a node included in the subtree root set K,
g is the generator of G ₁
The information processing apparatus according to claim 8, wherein the processes 1 to 4 are executed to calculate a session key Ks. The cryptographic processing unit
The following definitions

A process for decrypting ciphertext encrypted by a session key Ks based on
As the process for calculating the session key Ks, the following processes 1 to 4, that is,
1. Prepare counters j and l, and set j = 1 and l = 2N.
2. A counter i is prepared and i is incremented by 1 from 1 to 2N-1 while performing the following processing.
(A) If i∈K and i ≠ I, set Φ _j = h _i , increase j by 1 and move on to the next processing of i.
3. If j ≦ n, the following processing is repeated while j ≦ n.
(A) Set Φ _j = h _l , increase 1 by 1 and increase j by 1.
4). Session key Ks

Calculated by
However,
G ₂ is a group that defines an n multi-linear map e: G ₁ ⁿ → G ₂ that satisfies a generalized Diffie-Hellman assumption.
N is the total number of information processing devices corresponding to the leaves that are the lowest nodes in the hierarchical tree structure;
n is the specified number n of the n multi-linear map and is an integer greater than or equal to 2,
K is a subtree root set that is set by selecting only ciphertext decryption permitted devices in the hierarchical tree configuration;
x _i is a node key set for each configuration node i in the hierarchical tree configuration, and h _i = g ^xi is a public value,
I is a node included in the subtree root set K,
g is the generator of group G ₁ ,
The information processing apparatus according to claim 8, wherein the processes 1 to 4 are executed to calculate a session key Ks. An information recording medium storing ciphertext,
In a hierarchical tree configuration having a configuration in which a root as a vertex node and a leaf that is the lowest node are connected, an information processing device that allows decryption of ciphertext is selected from a plurality of information processing devices corresponding to the leaf, and is selected. Store the ciphertext that can be decrypted based only on the storage key of the ciphertext decryption permitted device,
The ciphertext is
An information recording medium, which is a ciphertext encrypted with an encryption key generated by applying an n multi-linear map (where n is an integer of 2 or more). The ciphertext is
A key generated by applying the n multi-linear map, that is, the following definition:
Ks = (Φ ₁ , ... Φ _n ) ^α ∈ G ₂
Ciphertext encrypted with a session key Ks based on
However, _{G 2} is, Diffie-Hellman inversion assumption satisfying n multilinear map _e: a group defines a _G ^{1 n} → _{G 2,}
α is α∈ [1, p−1], where p is the order of G ₁ ,
Φ _j is a value determined by the following process,
(1) Prepare a counter j and set j = 1.
(2) A counter i is prepared, and i is incremented by 1 from 1 to 2N−1 while performing the following processing.
(2a) If i∈K, set Φ _j = g _i , increase j by 1 and move to the next processing of i.
(3) If j ≦ n, repeat the following process while j ≦ n.
(3a) Set Φ _j = g and increase j by 1.
Where N is the total number of information processing devices corresponding to the leafs that are the lowest nodes in the hierarchical tree structure,
n is the specified number n of the n multi-linear map and is an integer greater than or equal to 2,
K is a subtree root set that is set by selecting only the ciphertext decryption permitted device in the hierarchical tree configuration,
g _i is the public value of node i and satisfies g _i ∈G ₁ ,
g is the generator of G ₁
The information recording medium according to claim 11, wherein: The ciphertext is
A key generated by applying the n multi-linear map, that is, the following definition:

Ciphertext encrypted with a session key Ks based on
However, _{G 2} is, generalized Diffie-Hellman satisfy assumption n multilinear map _e: a group defines a _G ^{1 n} → _{G 2,}
g is the generator of group G ₁ and
x _i is a node key set for each configuration node i in the hierarchical tree configuration, and h _i = g ^xi is set as a public value.
The information recording medium according to claim 11, wherein: An information processing method for executing ciphertext generation processing,
In a hierarchical tree configuration having a configuration in which a root as a vertex node and a leaf that is the lowest node are connected, an information processing device that allows decryption of ciphertext is selected from a plurality of information processing devices corresponding to the leaf, and is selected. An encryption processing step for executing a process for generating a decryptable ciphertext based only on the storage key of the ciphertext decryption-permitted device,
The cryptographic processing step includes
a key generation step of generating an encryption key by applying an n multilinear map (where n is an integer of 2 or more);
An information processing method comprising: a ciphertext generation step of executing a ciphertext generation process that can be decrypted based only on a stored key of the ciphertext decryption-permitted device using the generated encryption key. Each of the plurality of information processing devices corresponding to the leaf has a node key corresponding to a node on a path from the root to the own leaf,
The cryptographic processing step includes
The information processing method according to claim 14, wherein a ciphertext generation process that can be decrypted only with a storage node key of the ciphertext decryption-permitted device is executed. The key generation step includes:
As a key to be generated by applying the n multi-linear map, the following definition:
Ks = (Φ ₁ , ... Φ _n ) ^α ∈ G ₂
Generating a session key Ks based on:
However, _{G 2} is, Diffie-Hellman inversion assumption satisfying n multilinear map _e: a group defines a _G ^{1 n} → _{G 2,}
α is α∈ [1, p−1], where p is the order of G ₁ ,
Φ _j is a value determined by the following process,
(1) Prepare a counter j and set j = 1.
(2) A counter i is prepared, and i is incremented by 1 from 1 to 2N−1 while performing the following processing.
(2a) If i∈K, set Φ _j = g _i , increase j by 1 and move to the next processing of i.
(3) If j ≦ n, repeat the following process while j ≦ n.
(3a) Set Φ _j = g and increase j by 1.
Where N is the total number of information processing devices corresponding to the leafs that are the lowest nodes in the hierarchical tree structure,
n is the specified number n of the n multi-linear map and is an integer greater than or equal to 2,
K is a subtree root set that is set by selecting only the ciphertext decryption permitted device in the hierarchical tree configuration,
g _i is the public value of node i and satisfies g _i ∈G ₁ ,
g is the generator of G ₁
The information processing method according to claim 14, wherein: The key generation step includes:
As a key to be generated by applying the n multi-linear map, the following definition:

Generating a session key Ks based on:
However, _{G 2} is, generalized Diffie-Hellman satisfy assumption n multilinear map _e: a group defines a _G ^{1 n} → _{G 2,}
g is the generator of group G ₁ and
x _i is a node key set for each configuration node i in the hierarchical tree configuration, and h _i = g ^xi is set as a public value.
The information processing method according to claim 14. The information processing method further includes:
The specified number n of n multi-linear maps to be applied to the encryption key generation process,
When using an n multi-linear map that satisfies Diffie-Hellman inversion assumption,

Set as
When using an n multi-linear map that satisfies the generalized Diffie-Hellman assumption,

Configuration to set as
However,
N is the total number of information processing devices corresponding to the leaves that are the lowest nodes in the hierarchical tree structure;
r is the number of revocation (exclusion) devices other than the ciphertext decryption permitted device,

Is the largest integer less than or equal to rlog (N / r),
The information processing method according to claim 14, further comprising: In the information processing method,
The specified number n of n multi-linear maps to be applied to the encryption key generation process,
19. The information processing method according to claim 18, wherein the number n is set as an integer value corresponding to the maximum value of rlog (N / r), which is a number n that can correspond to any r of r ≦ N. In the information processing method,
The specified number n of n multi-linear maps to be applied to the encryption key generation process,
The maximum value R is set for the number r of revoke (exclusion) devices, and this corresponds to the number n that can correspond to an arbitrary number r ≦ R, that is, the value of rlog (N / r) when r = R. The information processing method according to claim 18, wherein the information processing method is set as an integer value. An information processing method for executing decryption processing of ciphertext,
An encryption key calculation process generated by applying an n multi-linear map (where n is an integer equal to or greater than 2) is performed on the path from the root as a vertex node in the hierarchical tree structure to the corresponding leaf of the own device. A key calculation step executed by applying a node key set in the node; and
A ciphertext decryption step for performing ciphertext decryption processing based on the cipher key calculated in the key calculation step;
An information processing method characterized by comprising: The key calculating step includes
The following definitions
Ks = (Φ ₁ , ... Φ _n ) ^α ∈ G ₂
As the process for calculating the session key Ks based on the following processes 1-4,
1. Prepare counter j and set j = 1.
2. A counter i is prepared and i is incremented by 1 from 1 to 2N-1 while performing the following processing.
(A) If i∈K, check whether i and I match.
i. If i = I, set Φ _j = s _i , increase j by 1 and move on to the next i.
ii. If i ≠ I, set Φ _j = g _i , increase j by 1 and move on to the next i processing.
3. If j ≦ n, repeat the following process while j ≦ n.
(A) Set Φ _j = g and increase j by 1.
4). Find Ks = (φ ₁ ,..., Φ _n ),
However,
G ₂ is a group that defines an n multi-linear map e: G ₁ ⁿ → G ₂ that satisfies the Diffie-Hellman inversion assumption.
α is α∈ [1, p−1], where p is the order of G ₁ ,
N is the total number of information processing devices corresponding to the leaves that are the lowest nodes in the hierarchical tree structure;
n is the specified number n of the n multi-linear map and is an integer greater than or equal to 2,
K is a subtree root set that is set by selecting only ciphertext decryption permitted devices in the hierarchical tree configuration;
s _i is the secret key of node i,
g _i is the public key of node i,
g is the generator of G ₁
I is a node included in the subtree root set K,
22. The information processing method according to claim 21, wherein the information processing method is a step of executing the processes 1 to 4 to calculate a session key Ks. The key calculating step includes
The following definitions

As the process for calculating the session key Ks based on the following processes 1-4,
1. Prepare counters j and l, and set j = 1 and l = 2N.
2. A counter i is prepared and i is incremented by 1 from 1 to 2N-1 while performing the following processing.
(A) If i∈K and i ≠ I, set Φ _j = h _i , increase j by 1 and move on to the next processing of i.
3. If j ≦ n, the following processing is repeated while j ≦ n.
(A) Set Φ _j = h _l , increase 1 by 1 and increase j by 1.
4). Calculating the session key Ks;
However,
G ₂ is a group that defines an n multi-linear map e: G ₁ ⁿ → G ₂ that satisfies a generalized Diffie-Hellman assumption.
N is the total number of information processing devices corresponding to the leaves that are the lowest nodes in the hierarchical tree structure;
n is the specified number n of the n multi-linear map and is an integer greater than or equal to 2,
K is a subtree root set that is set by selecting only ciphertext decryption permitted devices in the hierarchical tree configuration;
x _i is a node key set for each configuration node i in the hierarchical tree configuration, and h _i = g ^xi is a public value,
I is a node included in the subtree root set K,
g is the generator of group G ₁ ,
22. The information processing method according to claim 21, wherein the information processing method is a step of executing the processes 1 to 4 to calculate a session key Ks. A computer program for executing ciphertext generation processing;
In a hierarchical tree configuration having a configuration in which a root as a vertex node and a leaf that is the lowest node are connected, an information processing device that allows decryption of ciphertext is selected from a plurality of information processing devices corresponding to the leaf, and is selected. An encryption processing step for executing a process for generating a decryptable ciphertext based only on the storage key of the ciphertext decryption-permitted device,
The cryptographic processing step includes
a key generation step of generating an encryption key by applying an n multilinear map (where n is an integer of 2 or more);
A computer program comprising: a ciphertext generation step for executing a process for generating a ciphertext that can be decrypted based only on a storage key of the ciphertext decryption permitted device with the generated ciphertext. A computer program for performing decryption processing of ciphertext,
An encryption key calculation process generated by applying an n multi-linear map (where n is an integer equal to or greater than 2) is performed on the path from the root as a vertex node in the hierarchical tree structure to the corresponding leaf of the own device. A key calculation step executed by applying a node key set in the node; and
A ciphertext decryption step for performing ciphertext decryption processing based on the cipher key calculated in the key calculation step;
A computer program characterized by comprising:

Images