JP2007020025A - Information processing device, information processing method, and computer program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a configuration for securely and efficiently using data in common among a specific user group. <P>SOLUTION: In an information distribution configuration to which a hierarchical tree structure is applied, data to be used in common are encrypted by a data key DK. Further a set of encrypted messages which the data key DK is encrypted using a selected node key of the hierarchical tree structure are generated and provided to the users by means of, for example, broadcast. Also edited data of received data can be distributed making the edited data available only to a group S similar to a group S which use the original data in common, by broadcasting data encrypted by the data key DK, the set of encrypted messages included in an original file, and a file which stores a copy of information on the group which use the data in common S. <P>COPYRIGHT: (C)2007,JPO&INPIT

Description

  The present invention relates to an information processing apparatus, an information processing method, and a computer program. Furthermore, in detail, information that makes it possible to securely and efficiently share encrypted data distributed according to a broadcast encryption system using a hierarchical tree structure and redistribute edited data and the like. The present invention relates to a processing device, an information processing method, and a computer program.

  Recently, various software data (hereinafter referred to as content) such as audio data such as music, image data such as movies, game programs, various application programs, etc. are transmitted via a network such as the Internet or It is distributed through information recording media (media) such as CD (Compact Disc), DVD (Digital Versatile Disk), MD (Mini Disk). These distributed contents are reproduced and used in various information processing apparatuses such as PCs (Personal Computers), players, and game machines owned by users.

  Many contents, such as music data and image data, generally have distribution rights or the like held by the creator or seller. Therefore, when distributing these contents, it is common to adopt a configuration that restricts the use of the contents, that is, permits the use of the contents only to authorized users and prevents unauthorized copying or the like. It is the target.

  In particular, in recent years, recording devices and storage media for digitally recording information are becoming widespread. According to such a digital recording apparatus and storage medium, for example, recording and reproduction can be repeated without degrading images and sound, distribution of illegally copied content via the Internet, recording of CD-R, etc. There is a problem of unauthorized copying of media.

  As one method for preventing such unauthorized use of content, a key for decrypting content or encrypted content is encrypted and distributed, and distribution data can be decrypted only by a specific authorized user or authorized device. There is a system. For example, a configuration using a hierarchical tree structure, which is an aspect of the broadcast encryption method, is known.

  For example, a different encryption key is associated with each node that is a branch point of a hierarchical tree such as a binary tree structure and each leaf set at the lowest layer of the hierarchical tree. Encryption that can be decrypted only by specific user devices selected from leaf-compatible user devices by selectively applying encryption keys corresponding to nodes and leaves of the hierarchical tree to generate encrypted information and broadcast it Data can be distributed. For example, Patent Document 1 discloses an encrypted data distribution configuration to which a broadcast encryption scheme to which this hierarchical tree configuration is applied is applied.

The broadcast encryption method to which this hierarchical tree configuration is applied is an effective method when data is transmitted from a specific data distribution center to a plurality of data receiving destinations (user devices). When data received or edited by one user device is transmitted again to another specific user device safely, i.e., while preventing data leakage, the user device attempting to transmit the data initially distributes data. There is a problem that it is necessary to generate encrypted data similar to the encrypted data generated at the center, and it is necessary to generate and transmit encrypted data with a large amount of data to which a plurality of keys are applied. .
JP 2001-352322 A

  The present invention has been made in view of such a situation, and applies a distribution configuration of encrypted data to which a broadcast encryption scheme to which a hierarchical tree structure is applied is applied, so that information can be efficiently and safely transmitted between users. An object of the present invention is to provide an information processing apparatus, an information processing method, and a computer program that can be shared and redistributed edited data and the like.

The first aspect of the present invention is:
An information processing method for executing encrypted data generation processing that can be decrypted only by a specific selected device,
(A) Encrypted data obtained by encrypting data to be shared (Data) with the data key DK,
(B) information of the set S that makes the data sharing device identifiable, and
(C) a ciphertext set generated by encrypting the data key DK by applying a selected node key selected based on the data sharing device based on a hierarchical tree configuration in the broadcast encryption scheme;
A data generation step for generating each of the data (a) to (c);
Outputting each of the data (a) to (c) generated in the data generation step;
There is an information processing method characterized by comprising:

In the information processing method of the present invention, the encrypted data is shared target data (Data), by applying the data key DK encryption function E _D by encrypting encrypted data E _D ( DK, a data), the ciphertext set, the data key DK, is said selected node key (NKn) by applying the encryption function _{E K} by encrypting encrypted data _E K (NKn, DK), The cryptographic function E _D and the cryptographic function E _K are public functions.

  Furthermore, in one embodiment of the information processing method of the present invention, a node key applied to generate a ciphertext set generated by encrypting the data key DK by applying a selected node key selected based on the data sharing device is: In the hierarchical tree configuration, the setting includes a node key set in a node from the data sharing device to a route.

Furthermore, the second aspect of the present invention provides
An information processing method for executing decryption processing of encrypted data,
(A) Encrypted data obtained by encrypting data to be shared (Data) with the data key DK,
(B) information of the set S that makes the data sharing device identifiable, and
(C) a ciphertext set generated by encrypting the data key DK by applying a selected node key selected based on the data sharing device based on a hierarchical tree configuration in the broadcast encryption scheme;
A data input step for inputting each of the data (a) to (c);
(C) a ciphertext selection step of selecting a ciphertext that can be decrypted by a node key held by itself from the ciphertext set;
Decrypting the ciphertext selected in the ciphertext selection step using a node key held by the ciphertext and obtaining a data key DK;
A plaintext data obtaining step of decrypting the encrypted data by applying the obtained data key DK and obtaining plaintext data;
There is an information processing method characterized by comprising:

  Furthermore, in an embodiment of the information processing method of the present invention, the information processing method further includes a data editing step of editing the plaintext data (Data) acquired in the plaintext data acquisition step to generate edit data (Data2). A file generation step for generating a file including copy data of each of the data (b) and (c), and a step for outputting the file generated in the file generation step. It is characterized by having.

  Furthermore, in an embodiment of the information processing method of the present invention, the ciphertext selection step includes: encrypting ciphertext encrypted by a node key set in a node from the corresponding node to the root in the hierarchical tree configuration. It is a step to select.

Furthermore, the third aspect of the present invention provides
An information processing method for executing encrypted data generation processing that can be decrypted only by a specific selected device,
(A) Encrypted data obtained by encrypting data to be shared (Data) with the data key DK,
(B) information of the set S that makes the data sharing device identifiable, and
(C) a ciphertext set generated by encrypting the data key DK by applying a selected node key selected based on the data sharing device based on a hierarchical tree configuration in the broadcast encryption scheme;
A data generation step for generating each of the data (a) to (c);
A data output step of outputting each of the data (a) to (c) generated in the data generation step;
There is an information processing method characterized by comprising:

  Furthermore, in one embodiment of the information processing method of the present invention, in the information processing method, the data generation step further generates (d) a node addition variable (salt) of a descendant node of the node corresponding to the selected node key. The data output step is a step of outputting the data (a) to (d) generated in the data generation step.

  Furthermore, in an embodiment of the information processing method of the present invention, the hierarchical tree can calculate the node-corresponding value of the upper node by an encryption process (forward operation) applying a Rabin cipher based on the node-corresponding value of the lower node. It is a one-way tree having a setting in which the node correspondence value of the lower node can be calculated by the decryption process (reverse operation) to which the Rabin encryption based on the node correspondence value of the upper node is applied.

In the information processing method of the present invention, the encrypted data is shared target data (Data), by applying the data key DK encryption function E _D by encrypting encrypted data E _D ( DK, a data), the ciphertext set, the data key DK, is said selected node key (NKn) by applying the encryption function _{E K} by encrypting encrypted data _E K (NKn, DK), The cryptographic function E _D and the cryptographic function E _K are public functions.

  Furthermore, in an embodiment of the information processing method of the present invention, the information processing method further defines a size | M | of the modulus M and maps a value of an arbitrary size to a random value of the size | M | A mapping function Hc that maps values of H and size | M | to random values of size C, and a step of defining and publicizing these mapping functions.

  Furthermore, in one embodiment of the information processing method of the present invention, a node key applied to generate a ciphertext set generated by encrypting the data key DK by applying a selected node key selected based on the data sharing device is: In the hierarchical tree configuration, the setting includes a node key set in a node from the data sharing device to a route.

Furthermore, the fourth aspect of the present invention provides
An information processing method for executing decryption processing of encrypted data,
(A) Encrypted data obtained by encrypting data to be shared (Data) with the data key DK,
(B) information of the set S that makes the data sharing device identifiable, and
(C) a ciphertext set generated by encrypting the data key DK by applying a selected node key selected based on the data sharing device based on a hierarchical tree configuration in the broadcast encryption scheme;
A data input step for inputting each of the data (a) to (c);
(C) a ciphertext selection step of selecting a ciphertext that can be decrypted by a node key that can be generated based on retained data held by itself from the ciphertext set;
A node key generation step of generating a node key applied to the ciphertext selected in the ciphertext selection step based on retained data held by itself;
Decrypting the ciphertext selected in the ciphertext selection step by applying the node key generated in the node key generation step, and obtaining a data key DK;
A plaintext data obtaining step of decrypting the encrypted data by applying the obtained data key DK and obtaining plaintext data;
There is an information processing method characterized by comprising:

  Furthermore, in one embodiment of the information processing method of the present invention, in the information processing method, the data input step further inputs (d) a node addition variable (salt) of a descendant node of the node corresponding to the selected node key. The node key generation step is a step of generating a node key applied to the selected ciphertext by applying the node addition variable (salt).

  Furthermore, in an embodiment of the information processing method of the present invention, the information processing method further includes a data editing step of editing the plaintext data (Data) acquired in the plaintext data acquisition step to generate edit data (Data2). The file generation step for generating a file including copy data of each of the data (b), (c), and (d) and the file generated in the file generation step are output to the edit data (Data 2). And a step of performing.

  Furthermore, in an embodiment of the information processing method of the present invention, the ciphertext selection step includes: encrypting ciphertext encrypted by a node key set in a node from the corresponding node to the root in the hierarchical tree configuration. It is a step to select.

Furthermore, the fifth aspect of the present invention provides
An information processing apparatus that executes encrypted data generation processing that can be decrypted only by a specific selected device,
(A) Encrypted data obtained by encrypting data to be shared (Data) with the data key DK,
(B) information of the set S that makes the data sharing device identifiable, and
(C) a ciphertext set generated by encrypting the data key DK by applying a selected node key selected based on the data sharing device based on a hierarchical tree configuration in the broadcast encryption scheme;
Data generating means for generating each of the data (a) to (c);
Data output means for outputting each of the data (a) to (c) generated in the data generation means;
There is an information processing apparatus characterized by having.

In the information processing apparatus of the present invention, the encrypted data generated in the data generating means, encrypted by the encryption function E _D share target data (Data), by applying the data key DK Encrypted data E _D (DK, Data), and the ciphertext set includes encrypted data E _K (encrypted by encrypting function E _K by applying the selected node key (NKn) to the data key DK. NKn, DK), and the cryptographic function E _D and the cryptographic function E _K applied by the data generation means are set as public functions.

  Furthermore, in an embodiment of the information processing apparatus of the present invention, the data generation means applies the node key set to the node from the data sharing device to the root as the selection node key in the hierarchical tree configuration. The present invention is characterized in that the DK is encrypted to generate a ciphertext set.

Furthermore, the sixth aspect of the present invention provides
An information processing device that performs decryption processing of encrypted data,
(A) Encrypted data obtained by encrypting data to be shared (Data) with the data key DK,
(B) information of the set S that makes the data sharing device identifiable, and
(C) a ciphertext set generated by encrypting the data key DK by applying a selected node key selected based on the data sharing device based on a hierarchical tree configuration in the broadcast encryption scheme;
Data input means for inputting each of the data (a) to (c);
(C) ciphertext selection means for selecting a ciphertext that can be decrypted by a node key held by itself from the ciphertext set;
A data key acquisition unit that decrypts the ciphertext selected by the ciphertext selection unit by applying a node key held by the ciphertext selection unit, and acquires a data key DK;
Plaintext data acquisition means for decrypting encrypted data by applying the acquired data key DK and acquiring plaintext data;
There is an information processing apparatus characterized by having.

  Furthermore, in an embodiment of the information processing apparatus of the present invention, the information processing apparatus further includes data editing means for editing the plaintext data (Data) acquired by the plaintext data acquisition means and generating edited data (Data2). The file generation means for generating a file including copy data of the data (b) and (c) in addition to the edit data (Data 2), and the data output means for outputting the file generated by the file generation means It is characterized by having.

  Furthermore, in an embodiment of the information processing apparatus according to the present invention, the ciphertext selection unit is configured to generate a ciphertext encrypted by a node key set in a node from the corresponding node to the root in the hierarchical tree configuration. It is the structure to select.

Furthermore, the seventh aspect of the present invention provides
An information processing apparatus that executes encrypted data generation processing that can be decrypted only by a specific selected device,
(A) Encrypted data obtained by encrypting data to be shared (Data) with the data key DK,
(B) information of the set S that makes the data sharing device identifiable, and
(C) a ciphertext set generated by encrypting the data key DK by applying a selected node key selected based on the data sharing device based on a hierarchical tree configuration in the broadcast encryption scheme;
Data generating means for generating each of the data (a) to (c);
Data output means for outputting each of the data (a) to (c) generated in the data generation means;
There is an information processing apparatus characterized by having.

  Furthermore, in one embodiment of the information processing apparatus of the present invention, in the information processing apparatus, the data generation means further generates (d) a node addition variable (salt) of a descendant node of the node corresponding to the selected node key. The data output means outputs the data (a) to (d) generated by the data generation means.

  Furthermore, in one embodiment of the information processing apparatus of the present invention, the hierarchical tree can calculate the node-corresponding value of the upper node by an encryption process (forward operation) applying a Rabin cipher based on the node-corresponding value of the lower node. It is a one-way tree having a setting in which the node correspondence value of the lower node can be calculated by the decryption process (reverse operation) to which the Rabin encryption based on the node correspondence value of the upper node is applied.

In the information processing apparatus of the present invention, the encrypted data generated in the data generating means, encrypted by the encryption function E _D share target data (Data), by applying the data key DK Encrypted data E _D (DK, Data), and the ciphertext set includes encrypted data E _K (encrypted by encrypting function E _K by applying the selected node key (NKn) to the data key DK. NKn, DK), and the cryptographic function E _D and the cryptographic function E _K applied by the data generation means are set as public functions.

  Further, in one embodiment of the information processing apparatus of the present invention, the data generation means further defines a size | M | of the modulus M and maps a value of an arbitrary size to a random value of the size | M | A mapping function Hc that maps values of H and size | M | to random values of size C, and a configuration for determining these mapping functions.

  Furthermore, in an embodiment of the information processing apparatus of the present invention, the data generation means applies the node key set to the node from the data sharing device to the root as the selection node key in the hierarchical tree configuration. The present invention is characterized in that the DK is encrypted to generate a ciphertext set.

Furthermore, the eighth aspect of the present invention provides
An information processing device that performs decryption processing of encrypted data,
(A) Encrypted data obtained by encrypting data to be shared (Data) with the data key DK,
(B) information of the set S that makes the data sharing device identifiable, and
(C) a ciphertext set generated by encrypting the data key DK by applying a selected node key selected based on the data sharing device based on a hierarchical tree configuration in the broadcast encryption scheme;
Data input means for inputting each of the data (a) to (c);
(C) ciphertext selection means for selecting a ciphertext that can be decrypted by a node key that can be generated based on retained data held by itself from the ciphertext set;
Node key generation means for generating a node key applied to the ciphertext selected by the ciphertext selection means based on retained data held by itself;
A data key acquisition unit that decrypts the ciphertext selected by the ciphertext selection unit by applying the node key generated by the node key generation unit and acquires a data key DK;
Plaintext data acquisition means for decrypting encrypted data by applying the acquired data key DK and acquiring plaintext data;
There is an information processing apparatus characterized by having.

  Furthermore, in one embodiment of the information processing apparatus of the present invention, in the information processing apparatus, the data input means further inputs (d) a node additional variable (salt) of a descendant node of the node corresponding to the selected node key. The node key generation unit generates the node key applied to the selected ciphertext by applying the node addition variable (salt).

  Furthermore, in an embodiment of the information processing apparatus of the present invention, the information processing apparatus further includes data editing means for editing the plaintext data (Data) acquired by the plaintext data acquisition means and generating edited data (Data2). The file generation means for generating a file including copy data of each of the data (b), (c) and (d), and the file generated by the file generation means are output to the edit data (Data 2). Data output means.

  Furthermore, in an embodiment of the information processing apparatus according to the present invention, the ciphertext selection unit is configured to generate a ciphertext encrypted by a node key set in a node from the corresponding node to the root in the hierarchical tree configuration. It is the structure to select.

Furthermore, the ninth aspect of the present invention provides
A computer program that causes a computer to execute encrypted data generation processing that can be decrypted only by a specific selected device,
(A) Encrypted data obtained by encrypting data to be shared (Data) with the data key DK,
(B) information of the set S that makes the data sharing device identifiable, and
(C) a ciphertext set generated by encrypting the data key DK by applying a selected node key selected based on the data sharing device based on a hierarchical tree configuration in the broadcast encryption scheme;
A data generation step for generating each of the data (a) to (c);
Outputting each of the data (a) to (c) generated in the data generation step;
There is a computer program characterized by comprising:

Furthermore, the tenth aspect of the present invention provides
A computer program for executing decryption processing of encrypted data on a computer,
(A) Encrypted data obtained by encrypting data to be shared (Data) with the data key DK,
(B) information of the set S that makes the data sharing device identifiable, and
(C) a ciphertext set generated by encrypting the data key DK by applying a selected node key selected based on the data sharing device based on a hierarchical tree configuration in the broadcast encryption scheme;
A data input step for inputting each of the data (a) to (c);
(C) a ciphertext selection step of selecting a ciphertext that can be decrypted by a node key held by itself from the ciphertext set;
Decrypting the ciphertext selected in the ciphertext selection step using a node key held by the ciphertext and obtaining a data key DK;
A plaintext data obtaining step of decrypting the encrypted data by applying the obtained data key DK and obtaining plaintext data;
There is a computer program characterized by comprising:

Furthermore, an eleventh aspect of the present invention is
A computer program that causes a computer to execute encrypted data generation processing that can be decrypted only by a specific selected device,
(A) Encrypted data obtained by encrypting data to be shared (Data) with the data key DK,
(B) information of the set S that makes the data sharing device identifiable, and
(C) a ciphertext set generated by encrypting the data key DK by applying a selected node key selected based on the data sharing device based on a hierarchical tree configuration in the broadcast encryption scheme;
A data generation step for generating each of the data (a) to (c);
Outputting each of the data (a) to (c) generated in the data generation step;
There is a computer program characterized by comprising:

  Furthermore, in one embodiment of the computer program of the present invention, in the computer program, the data generation step further includes: (d) a node addition variable (salt) of a descendant node of the node corresponding to the selected node key. The step of generating and outputting the data is a step of outputting each of the data (a) to (d) generated in the data generation step.

Furthermore, the twelfth aspect of the present invention is
A computer program for executing decryption processing of encrypted data on a computer,
(A) Encrypted data obtained by encrypting data to be shared (Data) with the data key DK,
(B) information of the set S that makes the data sharing device identifiable, and
(C) a ciphertext set generated by encrypting the data key DK by applying a selected node key selected based on the data sharing device based on a hierarchical tree configuration in the broadcast encryption scheme;
A data input step for inputting each of the data (a) to (c);
(C) a ciphertext selection step of selecting a ciphertext that can be decrypted by a node key that can be generated based on retained data held by itself from the ciphertext set;
A node key generation step of generating a node key applied to the ciphertext selected in the ciphertext selection step based on retained data held by itself;
Decrypting the ciphertext selected in the ciphertext selection step by applying the node key generated in the node key generation step, and obtaining a data key DK;
A plaintext data obtaining step of decrypting the encrypted data by applying the obtained data key DK and obtaining plaintext data;
There is a computer program characterized by comprising:

  Furthermore, in an embodiment of the computer program of the present invention, in the computer program, the data input step further inputs (d) a node addition variable (salt) of a descendant node of the node corresponding to the selected node key. The node key generation step is a step of generating a node key applied to the selected ciphertext by applying the node addition variable (salt).

  The computer program of the present invention is, for example, a storage medium or communication medium provided in a computer-readable format to a computer system capable of executing various program codes, such as a CD, FD, or MO. It is a computer program that can be provided by a recording medium or a communication medium such as a network. By providing such a program in a computer-readable format, processing corresponding to the program is realized on the computer system.

  Other objects, features, and advantages of the present invention will become apparent from a more detailed description based on embodiments of the present invention described later and the accompanying drawings. In this specification, the system is a logical set configuration of a plurality of devices, and is not limited to one in which the devices of each configuration are in the same casing.

  According to the configuration of the present invention, in an information distribution configuration to which a hierarchical tree structure that is an aspect of the broadcast encryption method is applied, decoding is possible only in a set of specific selected users (receivers). Data can be generated and provided, and data sharing in a specific set of users can be performed securely and efficiently. Specifically, the ciphertext set is generated by encrypting the data to be shared with the data key DK, and further encrypting the data key DK using the selected node key of the hierarchical tree structure, and for example, by broadcasting to the user provide.

  Furthermore, according to the configuration of the present invention, in the receiver that has received the shared data, the edited data generated by editing the data can be redistributed in a form that can be used only in the shared set S of the original data. Can do. Specifically, a file storing the encrypted data obtained by encrypting the edit data with the data key DK is generated, and the data key DK included in the original file is encrypted using the selected node key of the hierarchical tree configuration. A set similar to the shared set S of the original data is obtained by copying the ciphertext set and the information related to the data shared set S, storing the encrypted data of the edited data in a file storing the data, and broadcasting the file, for example. Editing data can be redistributed in a form that can be used only in S.

  Details of the information processing apparatus, information processing method, and computer program of the present invention will be described below with reference to the drawings.

The description will be made according to the following items.
1. 1. Basic configuration of encrypted data distribution processing using a hierarchical tree structure 2. Configuration of information processing apparatus Shared processing of encrypted data (3.1) Setup (3.2) File generation / distribution (3.3) File usage Processing configuration applying Rabin Tree (4.1) About configuration of Rabin Tree (4.2) Encryption data sharing processing applying Rabin Tree (4.2.1) Setup (4.2.2) File generation・ Distribution (4.2.3) File usage

[1. Basic configuration of encrypted data distribution processing using hierarchical tree structure]
First, a basic configuration of encrypted data distribution processing to which a hierarchical tree structure is applied will be described with reference to the drawings. First, an outline of the Complete Subtree (CS) method known as a broadcast encryption method using an existing hierarchical tree structure will be described.

  The hierarchical tree structure shown in FIG. 1 uses a binary tree structure, the lowermost layer is called a leaf, and the part including the vertex, each branching part, and the leaf is called a node. The vertex is called a root or a root node. In the binary tree hierarchical tree structure shown in FIG. 1, a receiver is assigned to each leaf (u1 to u16 in FIG. 1). FIG. 1 shows an example in which the number of receivers N = 16. Further, each node (node) of the tree is used to represent “a set of receivers assigned to the leaves of the sub-tree having the node as a vertex”. Node i101 in FIG. 1 represents a set of receivers u5 and u6.

  A key (node key) is defined for each component node of the binary tree shown in FIG. Each receiver is given a node key assigned to a node on the path from the leaf to which each receiver is assigned to the root (vertex) of the tree, and the receiver stores these node keys in a secure memory. Hold on. A trusted management center called a Trusted Center (TC) performs tree definition, node key definition, receiver assignment, node key distribution, and the like.

  As shown in FIG. 2, 16 receivers u1 to u16 are assigned to the hierarchical tree, and 31 nodes 31 to 31 exist. The receiver u4 is given five node keys assigned to the nodes 1, 2, 4, 9, and 19. That is, when the total number of receivers is N, each receiver holds logN + 1 node keys.

  With reference to FIG. 3, description will be given of how secret information (for example, a content key for decrypting encrypted content) is transmitted to a non-revoked receiver using this setting. Here, it is assumed that the management center (TC) is a sender of secret information. Now, it is assumed that the receivers u2, u11, u12 are revoked receivers. In other words, the receivers u2, u11, u12 can be excluded (revoked) as unauthorized devices, and information can be safely received only by other receivers, that is, decryption based on ciphertext that is broadcast can be performed. To do.

  When the management center (TC) transmits secret information, the node key assigned to the node on the path from the leaf to which the revoke receiver u2, u11, u12 is assigned to the root of the tree is used as the encryption key. Generate and send a set of ciphertext without using it.

  When the node keys assigned to the leaves or nodes on the path from the leaf (leave) to which the revoked receivers u2, u11, u12 are assigned to the root of the tree are used, these are the keys of the receiver to be revoked. As a result, confidential information can be obtained in the revoke device. Therefore, a ciphertext set is generated and broadcasted without using these keys.

  If nodes and paths on the path from the leaf to which the revoke receiver u2, u11, u12 is assigned to the root of the tree are excluded from the tree, one or more subtrees remain. For example, a partial tree having the node 5 as a vertex or a partial tree having the node 12 as a vertex.

The sender of the secret information encrypts the secret information using the node key assigned to the node closest to the top of each subtree, that is, the nodes 5, 7, 9, 12, and 16 in the example shown in FIG. Send a set of encrypted ciphertexts. For example, if the transmission secret information is a content key Kc applied to decryption of encrypted content, and the node keys assigned to the nodes 5, 7, 9, 12, 16 are NK5, NK7, NK9, NK12, NK16, the secret information The sender of
E (NK5, Kc), E (NK7, Kc), E (NK9, Kc), E (NK12, Kc), E (NK16, Kc)
The ciphertext set is generated and stored in a network distribution or recording medium. E (A, B) means data obtained by encrypting data B with the key A.

  The ciphertext set cannot be decrypted only by the revoke receivers u2, u11, u12, and can be decrypted by other receivers. By generating and transmitting such a ciphertext set, it is possible to transmit secret information efficiently and safely.

  The receiver is encrypted using the node key corresponding to the node on the path from the leaf (leaf) to which the receiver is assigned, that is, the encrypted ciphertext that can be decrypted by the receiver. Secret information can be obtained by decrypting things. In the above example, since the receiver u4 holds the node key of the node 9, the encrypted text E (NK9, Kc) can be decrypted using this. In this way, there is always one ciphertext that can be decrypted by a non-revoked receiver in the received ciphertext set.

[2. Configuration of information processing apparatus]
Next, a configuration example of an information processing apparatus constituting a management center (TC) (transmitter) as a transmission entity of encrypted data and a user (receiver) as a reception entity of encrypted data will be described. FIG. 4 is a block diagram as an example of the information processing apparatus.

  An information processing apparatus 200 illustrated in FIG. 4 includes a controller 201, an arithmetic unit 202, an input / output interface 203, a secure storage unit 204, a main storage unit 205, a network interface 206, and a media interface 207.

  The controller 201 controls the entire processing executed by the information processing apparatus 200. For example, it is configured by a CPU having a function as a control unit that executes data processing according to a computer program. The arithmetic unit 802 functions as, for example, a dedicated arithmetic unit and cryptographic processing unit for generating an encryption key, generating a random number, and performing cryptographic processing.

  The input / output interface 203 is an interface corresponding to data input from input means such as a keyboard and a mouse and data output to an external output device.

  When the information processing apparatus 200 is an information processing apparatus that executes ciphertext generation processing, the secure storage unit 204 stores data that should be held safely or secretly, such as node keys and various IDs that are generated in a setup phase that will be described later, for example. To do. When the information processing apparatus 200 is an information processing apparatus as a receiver, the secure storage unit 204 stores an encryption key such as a node key.

  The main storage unit 205 is a memory area used for, for example, a data processing program executed in the controller 201, other temporary storage processing parameters, a work area for program execution, and the like. The secure storage unit 204 and the main storage unit 205 are memories configured with, for example, a RAM, a ROM, and the like. The network interface 206 is an interface corresponding to data transmission / reception processing via a network. The media interface 207 provides a read / write function for media such as a CD, a DVD, and an MD.

[3. Encryption data sharing process]
Next, a method of sharing a data file between a management center (TC) (transmitter) as a transmission entity of encrypted data and a user (receiver) as a reception entity of encrypted data will be described. The data file sharing sequence is divided into the following three processing phases.
(1) Setup (2) File generation / distribution (3) File usage Hereinafter, specific processes in these three phases will be described in order.

(3.1. Setup)
The setup process is performed only once at system startup. Subsequent information distribution and reception and decoding processes are performed each time information to be transmitted is generated. For example, it is executed whenever an information recording medium such as a DVD storing new content is distributed or when new information is distributed via a network. Note that the setup process may be executed by a management center (TC) independent of the entity that actually executes the ciphertext distribution, or may be executed by the entity that executes the ciphertext distribution. Here, as an example, the setup process will be described as an example in which the management center (TC) executes.

a. Step 1
The management center (TC) defines a tree that is a binary tree and has N leaves. For each node in the tree, k (k = 1, 2,..., 2N−1) and a node-corresponding number are set. However, the root, which is the highest node in the binary tree, is set to 1, and the subsequent numbers are set with breadth priority (breadth first order). That is, node corresponding numbers such as 1 to 31 shown in FIGS. 2 and 3 are set. By this processing, node numbers 1 to 2N−1 are set to the respective nodes in the binary tree. Further, the receiver um (m = 1, 2,..., N) is assigned to each leaf of the tree.

b. Step 2
The management center (TC)
A data encryption function E _D applied to encryption of the distribution data;
And the key encryption function E _K to be applied for encryption of the encryption key,
Determine and publish.
The same function may be applied to the data encryption function E _D and the key encryption function E _K.
Next, the management center (TC) determines a node key NK _i corresponding to each node i defined in step 1. Specifically, a random number C _K bits for each node i occurs, and the random number C _K and node keys NK _i for each node i. Here, _{C K} is the size of a key of the encryption function _{E K.}

c. Step 3
The management center (TC) assigns a receiver to each of the receivers um (m = 1, 2,..., N) set corresponding to the leaves as the end nodes of the tree. The node key NK _i set to the node on the path from the leaf to the root is given. LogN + 1 node keys are given to each of the receivers um (m = 1, 2,..., N) set corresponding to each leaf.

For example, in the configuration shown in FIG. 2, the receiver u4 assigned to the leaf node 19 has logN + 1 = log16 + 1 = 5 node keys as node keys of nodes on the path from the node 19 to the root.
NK ₁₉ , NK ₉ , NK ₄ , NK ₂ , NK ₁ ,
Is given.
The receiver keeps the node correspondence value secret so as not to leak.

  FIG. 5 shows the flow of the setup process described above. Each step of the flow of FIG. 5 will be described. First, in step S101, the management center (TC) defines a binary tree having N leaves. The root, which is the highest node in the binary tree, is set to 1, and the subsequent numbers are set with breadth priority (breadth first order). That is, node correspondence numbers 1 to 31 as shown in FIGS. Further, the receiver um (m = 1, 2,..., N) is assigned to each leaf of the tree.

In step S102, the management center (TC)
A data encryption function E _D applied to encryption of the distribution data;
And the key encryption function E _K to be applied for encryption of the encryption key,
Determine and publish.
Further, a node key NK _i corresponding to each node i in the hierarchical tree is determined.

Next, in step S103, the management center (TC) receives the receiver um (m = 1, 2,..., N) set corresponding to the leaf as the end node of the tree. The node key NK _i set for the node on the path from the leaf to which the receiver is assigned to the root is given. LogN + 1 node keys are given to each of the receivers um (m = 1, 2,..., N) set corresponding to each leaf.

(3.2. File generation and distribution)
Next, file generation and distribution executed for sharing a data file between a management center (TC) (transmitter) as a transmission entity of encrypted data and a user (receiver) as a reception entity of encrypted data. Details of the processing will be described. This process is executed by a management center (TC) as a transmission entity of encrypted data.

First, the management center (TC) defines a set S⊆N of users (receivers) that share information (data).
The management center (TC) generates a random data key DK of C _D bits, and used to encrypt the information (data) to be shared with users Ui∈S. For example, when certain content data is shared, the content is provided after being encrypted by the data key DK.

In this embodiment, the user and the receiver owned by the user are both represented as ui. Here, C _D is the key size of the encryption function E _D for data described above. In this embodiment, the management center (TC) stores encrypted data in a file.

  Next, a user to be excluded that is not included in the set S⊆N of users (receivers) sharing information (data) is set as uj. uj is ujεS \ N. Assuming that the user uj to be excluded is revoked, the application node key is determined. Here, the node key is applied as the encryption key of the above-described data key DK, that is, the data key DK that is a key applied to encryption of shared information (for example, content).

For example, as shown in FIG. 3, 13 receivers excluding three receivers (3 users) u1, u11, u12 from 16 receivers (16 users) u1 to u16. If the user constitutes a set S of users (receivers) sharing information (data), five node keys (NK ₅ , NK ₇ , NK) corresponding to the nodes ₅ , ₇ , 9, 12, 16 _{9, NK} 12, _{NK 16)}
Is applied as the encryption key of the data key DK.

And as encrypted data, data (Data) such as contents encrypted with the data key DK, that is,
(A) Encrypted data: E _D (DK, Data),
In the file that stores
(B) Information designating a set S of users (receivers) sharing information (data) (in this example, user (receiver) numbers = u1, u3-u10, u13-u16)
(C) Ciphertext obtained by encrypting the data key DK with the selected node key (NK ₅ , NK ₇ , NK ₉ , NK ₁₂ , NK ₁₆ ), that is,
_{E K (NK 5, DK)} , E K (NK 7, DK), E K (NK 9, DK), E K (NK 12, DK), E K (NK 16, DK)
Add and store. Such information may be stored in the header of the file.
Ea (X, Y) indicates that the data Y is encrypted by applying the encryption function Ea and applying the key X.

Further, the information specifying the set S of users (receivers) sharing the information (data) is not the above-mentioned user (receiver) number = u1, u3-u10, u13-u16, but the node key used for encryption. Information specifying (NK ₅ , NK ₇ , NK ₉ , NK ₁₂ , NK ₁₆ ) may be replaced. In this case, in the above example, 5, 7, 9, 12, 16 and node key numbers may be listed, or a method using an expression tree is applicable.

The ciphertext obtained by encrypting the data key DK with each node key is stored in ascending order of the node number corresponding to the node key. That is, in the above example,
_{E K (NK 5, DK)} , E K (NK 7, DK), E K (NK 9, DK), E K (NK 12, DK), E K (NK 16, DK)
Store in order.

By using this configuration, in the above example, 13 users (u1, u3 to u10, u13 to u16) and 16 encrypted files among 16 users (u1 to u16 in FIG. 2 and FIG. 3). When trying to share five ciphertexts:
_{E K (NK 5, DK)} , E K (NK 7, DK), E K (NK 9, DK), E K (NK 12, DK), E K (NK 16, DK)
May be stored in a file in which encrypted data of shared data: E _D (DK, Data) is stored.

  When each encrypted data is generated by applying 13 individual keys, it is necessary to generate and distribute 13 encrypted data, but in the above example, only 5 ciphertexts are used. It is possible to generate an encrypted data file that can be shared by different users. As described above, in the configuration of this embodiment, the message size (communication amount) is reduced and efficient file sharing is possible.

  FIG. 6 shows a flow of file generation / distribution. A processing procedure will be described. In step S201, the management center (TC) first determines a receiver (user) that shares the information. That is, a set S of users (receivers) sharing information (data) is determined.

Next, in step S202, generation of encrypted data, that is, data key DK is applied to encrypt data (Data) to be shared, and encrypted data: E _D (DK, Data) is generated.

  Next, in step S203, a node key to be applied to generation of ciphertext, that is, a node key to be applied to generation of a ciphertext set obtained by encrypting the data key DK with the node key is selected. Assuming that an exclusion target user not included in the set S⊆N of users (receivers) sharing information (data) is uj (ujεS \ N), the exclusion target user uj is revoked. Determine the applicable node key. The node key is applied as an encryption key of a data key DK that is a key applied to encryption of shared information (for example, content).

  Next, in step S204, use node key designation information or user designation information as index data for selecting a ciphertext that can be decrypted is generated in a receiver that receives the ciphertext. This is tag information or an expression code indicating which node key has been selected.

In step S205, as encrypted data, data (Data) such as content encrypted with the data key DK, that is,
(A) Encrypted data: E _D (DK, Data),
In the file that stores
(B) Information specifying a set S of users (receivers) sharing information (data) (c) Ciphertext obtained by encrypting the data key DK with the selected node key, that is,
E _K (NK ₅ , DK), etc.
A file storing these is generated and transmitted using a broadcast channel. Alternatively, it is stored in an information recording medium and distributed.

  FIG. 7 is a block diagram illustrating a functional configuration of an information processing apparatus that executes encrypted data generation processing that can be decrypted only by a specific selected device. The setup processing means 310 executes the processing described above with reference to the flow of FIG. 5, sets a node key for each node, and constructs a hierarchical tree structure in which a predetermined node key is assigned to each receiver.

The data generation unit 320 includes an encrypted data generation unit 321, a data sharing set information generation unit 322, and a ciphertext set generation unit 323.
The encrypted data generation means 321
(A) Encrypted data obtained by encrypting data to be shared (Data) with the data key DK,
The data sharing set information generation means 322
(B) Information of the set S that makes it possible to identify the data sharing device,
The ciphertext set generation means 323
(C) a ciphertext set generated by encrypting the data key DK by applying the selected node key selected based on the data sharing device based on the hierarchical tree configuration in the broadcast encryption method;
Each of these data is generated.

The encrypted data generation means 321 generates encrypted data E _D (DK, Data) obtained by encrypting the data to be shared (Data) with the encryption function E _D using the data key DK, and generates a ciphertext set means 323, the data key DK, to generate an encrypted by the encryption function _{E K} by applying selected is determined based on the data sharing device node key (NKn) encrypted data _E K (NKn, DK). That is, the node key set for the node from the data sharing device to the root is applied as the selected node key, and the data key DK is encrypted to generate a ciphertext set. The data output means 330 outputs, for example, the data (a) to (c) generated by the data generation means 320 by broadcast.

(3.3. File usage)
Next, file use processing in the receiver on the user side that has received the information will be described. The above file, ie
(A) Encrypted data: E _D (DK, Data),
(B) Information specifying a set S of users (receivers) sharing information (data) (c) Ciphertext obtained by encrypting the data key DK with the selected node key,
A file containing these data is provided to the receiver by broadcast distribution. Alternatively, it is stored in an information recording medium and provided to the receiver. This file can be received by all receivers, but the receivers other than the set S of users (receivers) sharing information (data), that is, users (receivers) sharing information (data). Since the user to be excluded that is not included in the set S⊆N cannot obtain the node key that is applied to decrypt the ciphertext obtained by encrypting the data key DK with the selected node key, the data key DK Can't get.

  When the transmitted file is received, first, the user (receiver) ui confirms that it is included in the set S. If the set S is directly specified in the file distributed by the management center (TC), it is sufficient to directly check uiεS, and if the information specifying the node key is stored, the leaf to which it is assigned is stored. Or just confirm that its ancestor node is included. If it is not included in the set S, the process ends there.

  The receiver that has confirmed that it is included in the set S of users (receivers) that share information (data) decrypts itself from the set of received ciphertext (the ciphertext obtained by encrypting the data key DK with the selected node key). Identify the ciphertext that can be used and the node key to be used. The node key used for encrypting the ciphertext included in the received ciphertext set includes the node key directly held by itself.

  If the information specifying the node key is stored in the file, it is the node key that the leaf or ancestor node to which it is assigned and what it contains, and the ciphertext in the corresponding order must be decrypted It becomes. When the set S is directly specified, it is determined from which information the node key used by the management center (TC) to create the ciphertext, and based on the information, as described above, the encryption is performed. The node key used and owned by itself is specified, and the corresponding ciphertext is specified. Then, the ciphertext corresponding to the node key is decrypted to derive the data key DK.

For example, a specific processing example in the above example will be described. In the received file,
(A) Encrypted data: E _D (DK, Data),
(B) Information designating a set S of users (receivers) sharing information (data) (in this example, user (receiver) numbers = u1, u3-u10, u13-u16),
(C) Ciphertext obtained by encrypting the data key DK with the selected node key (NK ₅ , NK ₇ , NK ₉ , NK ₁₂ , NK ₁₆ ), that is,
_{E K (NK 5, DK)} , E K (NK 7, DK), E K (NK 9, DK), E K (NK 12, DK), E K (NK 16, DK)
These data are included.

Processing of one user (receiver) u9 included in the set S will be described. User (receiver) u9 includes a node keys _{NK 12} used to encrypt the data key DK, identifies the corresponding ciphertext _{E K (NK 12, DK)} , the ciphertext, using the node key _{NK 12} To obtain the data key DK.
Next, the encrypted data E _D (DK, Data) is decrypted using the obtained data key DK to obtain plain text data (Data).

  The above-described processing example has been described as a processing example in which information is shared in a management center (TC) with a plurality of selected user sets S. For example, a user ui included in the set S has obtained by decoding When editing the data (Data) and wishing to share this edited data with other users or the management center (TC) in the set S, the same processing as that executed by the management center (TC) in the above processing is performed. The user ui executes the editing data again and transmits the editing data, so that the editing data can be shared.

In this case, the user edits the plaintext data and the edit data (Data2) is encrypted with the data key DK, that is,
(A) A file including encrypted data E _D (DK, Data2) is created, and information included in the original file received from the management center (TC) is created in this file, that is,
(B) Information designating a set S of users (receivers) sharing information (data) (for example, user (receiver) numbers = u1, u3-u10, u13-u16),
(C) a ciphertext obtained by encrypting the data key DK with the selected node key;
These data are copied from the original file, additionally stored in a file containing the encrypted data of the edited data, and transmitted using the broadcast channel.

The user and management center (TC) in the set S that has received the file including the edited data decrypts the ciphertext obtained by encrypting the data key DK with the selected node key in the same manner as the user ui performs. It is possible to acquire the data key DK, apply the acquired data key DK, execute decryption processing of the encrypted data E _D (DK, Data2), and obtain plaintext edit data (Data2). Note that the user of the set S or the management center (TC) can edit the edited data again and re-transmit the re-edited data as encrypted data in the same manner.

A file usage sequence will be described with reference to the flowchart shown in FIG. First, in step S301, a file is received. The file contains
(A) Encrypted data: E _D (DK, Data),
(B) Information designating a set S of users (receivers) sharing information (data) (for example, user (receiver) numbers = u1, u3-u10, u13-u16),
(C) a ciphertext obtained by encrypting the data key DK with the selected node key (NK ₅ , NK ₇ , NK ₉ , NK ₁₂ , NK ₁₆ ), for example,
_{E K (NK 5, DK)} , E K (NK 7, DK), E K (NK 9, DK), E K (NK 12, DK), E K (NK 16, DK)
These data are included.

  In step S302, the user (receiver) ui confirms that it is included in the set S. If the set S is directly specified in the file distributed by the management center (TC), it is sufficient to directly check uiεS, and if the information specifying the node key is stored, the leaf to which it is assigned is stored. Or just confirm that its ancestor node is included. If it is not included in the set S, the process ends there.

  In step S303, the receiver that has confirmed that it is included in the set S of users (receivers) that share information (data) sets the received ciphertext (ciphertext obtained by encrypting the data key DK with the selected node key). Specifies the ciphertext that can be decrypted by itself and the node key to be used.

In step S304, the corresponding ciphertext is decrypted with the owned node key to obtain the data key DK. In step S305, the encrypted data E _D (DK, Data) is decrypted using the obtained data key DK to obtain plain text data (Data).

  Next, a processing sequence for generating and retransmitting data (Data 2) by editing the data (Data) obtained by decoding will be described with reference to the flow shown in FIG. In step S321, the data (Data) acquired by the decoding process is edited to generate data (Data2).

In step S322, the data (Data2) is encrypted with the data key DK to generate encrypted data: E _D (DK, Data2), and a file storing the encrypted data is generated. In step S323, the definition information of the set S stored in the original file, that is, the file storing the encrypted data of the data (Data) before editing, and the ciphertext that is the encrypted data of the data key DK by the selected node key The set is acquired from the original file, and these are copied and stored in the edit data storage file.

In step S324, the generated file is transmitted. The generated file contains
(A) Encrypted data: E _D (DK, Data2),
(B) Information designating a set S of users (receivers) sharing information (data) (for example, user (receiver) numbers = u1, u3-u10, u13-u16),
(C) a ciphertext obtained by encrypting the data key DK with the selected node key (NK ₅ , NK ₇ , NK ₉ , NK ₁₂ , NK ₁₆ ), for example,
_{E K (NK 5, DK)} , E K (NK 7, DK), E K (NK 9, DK), E K (NK 12, DK), E K (NK 16, DK)
These data are included.

The user and management center (TC) in the set S that has received the file including the edited data decrypts the ciphertext obtained by encrypting the data key DK with the selected node key in the same manner as the user ui performs. The data key DK is acquired, and the acquired data key DK is applied to execute decryption processing of the encrypted data E _D (DK, Data2) to obtain edit data (Data2).

FIG. 10 is a block diagram illustrating a functional configuration of an information processing apparatus corresponding to a receiver as a user device that executes a process of decrypting encrypted data. The data input means 351 is
(A) Encrypted data obtained by encrypting data to be shared (Data) with the data key DK,
(B) information of the set S that makes the data sharing device identifiable, and
(C) a ciphertext set generated by encrypting the data key DK by applying a selected node key selected based on the data sharing device based on a hierarchical tree configuration in the broadcast encryption scheme;
The data (a) to (c) are input.

  The ciphertext selection means 352 selects a ciphertext that can be decrypted by the node key stored in its own memory 353 from the ciphertext set (c). In the hierarchical tree structure, the ciphertext encrypted by the node key set in the node from the corresponding node to the root is selected. The node key acquisition unit 354 acquires from the memory 353 a node key that is applied to the decryption of the ciphertext selected by the ciphertext selection unit 352.

  The data key acquisition unit 355 applies the node key held in the memory 353, decrypts the ciphertext selected by the ciphertext selection unit 352, and acquires the data key DK. The plaintext data acquisition unit 356 applies the acquired data key DK to decrypt the encrypted data and acquires plaintext data.

  The data editing unit 357 edits the plaintext data (Data) acquired by the plaintext data acquisition unit 356 to generate editing data (Data2), and the file generation unit 358 further adds the above-described ((2) to the editing data (Data2). A file including copy data of each data of b) and (c) is generated. The data output unit 359 outputs the file generated by the file generation unit 358.

  As described above, in the configuration of the present embodiment, data encrypted by the data key DK is distributed using the broadcast encryption technology, and shared by a plurality of users among the node keys arranged in the tree structure. The data key DK is encrypted and distributed using the node key. Efficient encrypted file sharing with reduced message size (communication volume) compared to the configuration that generates and distributes each encrypted data by applying the individual key of each person sharing information. A system is built.

Specifically, as described above, in the tree structure of FIG. 2 and FIG. 3, when information is shared among 13 people u1, u3 to u10, u12 to u16, Although it is necessary to generate and distribute encrypted data, in the above example, ciphertext obtained by encrypting five data keys, that is,
_{E K (NK 5, DK)} , E K (NK 7, DK), E K (NK 9, DK), E K (NK 12, DK), E K (NK 16, DK)
Can be shared among 13 different users. As described above, in the configuration of this embodiment, the message size (communication amount) is reduced and efficient file sharing is possible.

  Further, after editing the data obtained by decrypting and acquiring the user ui included in the information sharing set S, it is also possible to send the encrypted data to share the edited data again in the same user set S. Is encrypted with the data key DK, and the definition information of the set S included in the Salani original file and the ciphertext set that is the encrypted data of the data key DK with the selected node key are copied and stored in the edited data storage file Thus, the sharing of the edited file among the members of the set S can be performed efficiently and safely.

[4. Processing configuration applying Rabin Tree]
(4.1) Configuration of Rabin Tree Next, a processing configuration to which Rabin Tree is applied will be described. Rabin Tree also implements a data distribution configuration using a hierarchical tree. The Rabin Tree has a configuration that realizes reduction of key information to be held by the receiver. First, before the description of the configuration of the Rabin Tree, a system using the RSA encryption as the basis will be described. This method is proposed by Nojima et al. And Ogata et al. In “2004 Cryptography and Information Security Symposium Proceedings, pp.189-194” and “2004 Ciphering and Information Security Symposium Proceedings, pp.195-199”, for example. This is the method.

In this method, as shown in FIG. 11, for example, forward substitution (f) and backward substitution (f ⁻¹ ) of RSA encryption are used. If the RSA cryptography method is M, the public exponent is e, and the secret exponent is d, then the forward permutation (f) and the secret exponent: d are known if you know the law: M and the public exponent: e. Otherwise, backward substitution (f ⁻¹ ) is difficult to execute.

  Details of the RSA cipher can be found in, for example, A.1. J. et al. Menezes, P.M. C. van Oorschot and S.V. A. Introduced by Vanstone, "Handbook of Applied Cryptography," CRC Press, 1996.

In the system using the RSA encryption, only the management center (TC) keeps the secret index: d secret, and the law: M and the public index: e are disclosed to each receiver. The management center (TC)
Secret value: K∈Z ^* _M
An agreement, this is a key NK ₁ of the route. That is,
Let NK ₁ = K. Note that K∈Z ^* _M is the value of K in the group Z ^* _M (that is, the group consisting of elements of the group Z _M = {0, 1,..., M−1} having an inverse element) Means original.

と、そのノードの番号ｌから、下式、

に従って算出する。
上記式において、Ｈは任意のサイズの入力をＺ_Ｍの要素にマッピングする公開関数である。 The key of node l (el) other than the root is the key of its parent node,

From the node number l,

Calculate according to
In the above formula, H is a public function that maps an input of arbitrary size to an element of Z _M.

により親ノードの鍵（ノードキー）、

を導出することができる。 In this way, the child node key can be obtained from the parent node key only by the management center (TC) that knows the secret index: d, but conversely, the receiver that knows the child node key NK _l is Using the published law: M, the public index: e, and the public function: H,

By the key of the parent node (node key),

Can be derived.

  Next, Rabin Tree set as a one-way tree will be described. “Rabin Tree” is not a general term but a term used to describe the present invention. For a complete binary tree with N leaves, number the root as 1 and the subsequent nodes from the top, 2, 3,..., 2N-1 from the left. Configure the Tree.

Similar to the configuration using the RSA cipher described above, the management center (TC) determines and publicizes the product M of two large prime numbers. The management center (TC)
Secret value: Y∈Z ^* _M
And set this as the value NV ₁ corresponding to the vertex (node 1). YεZ ^* _M means that Y is an element of the group Z ^* _M.

を用いてを求める。 A value NV _l corresponding to a node 1 (el) (l = 2, 3,..., 2N−1) other than the vertex is a node corresponding value corresponding to the node number l and a parent node,

Use to find out.

First, tmp _l is defined by the following equation.

Find the smallest non-negative integer salt _l such that the value tmp _l defined by the above equation is the quadratic residue modulo the product M of the two large prime numbers described above. The salt _l is a node addition variable set in correspondence with the node l.

In the above equation, l‖salt _l represents a connection between l and salt _l, and H is a public function that maps an input of an arbitrary size to the size | M | of the product M of the two large prime numbers described above. It is. As an example of such a function, using a SHA-1 hash function as a contraction function that outputs 160 bits for an input of an arbitrary length, | M | −160 bits of 0 and SHA-1 The value of | M | bits obtained by bit-concatenating the output when l is input can be used as H (l). Regarding SHA-1 as a contraction function, for example, A.I. J. et al. Menezes, P.M. C. van Oorschot and S.V. A. Introduced by Vanstone, "Handbook of Applied Cryptography," CRC Press, 1996.

上記両式を満たすかどうかにより判別できる。なお、上記式において、（ａ／ｐ）はルジャンドル（Ｌｅｇｅｎｄｒｅ）記号である。
すなわち、上記両式を満たした場合、またその場合のみ、ＫがＫ∈ＱＲ_Ｍを満たす。 Here, the fact that a certain number K is a quadratic residue modulo M means that
a ² mod M = K
That there is a number a that holds,
K ∈ QR _M
Represent as Whether a number K satisfies K∈QR _M, prime factors p of M, if you know q, following equation,

It can be discriminated by whether or not both the above equations are satisfied. In the above formula, (a / p) is a Legendre symbol.
That is, when met above two equations, also in which case only, K satisfies K∈QR _M.

Furthermore, what knows prime factors p and q of M is
a ² mod M = K
The number a can be obtained. The method is described, for example, on page 114 of Tatsuaki Okamoto, Hiroshi Yamamoto, “Contemporary Cryptography”, and Industrial Books.

vice versa,
When it is K∈QR _M,
a ² mod M = K
It is difficult to obtain a number a that does not know the prime factors p and q of M. In fact, this has proven to be equivalent to factoring M.

As above,
tmp _l ∈ QR _M
If we find the smallest non-negative integer salt _{l such} that
tmp _l ^1/2 modM
It was calculated, any of the four numbers obtained as the solution, the value corresponding to the node l (el), i.e., a node associated value NV _l of the node l (el).

In this way, the node correspondence values NV ₂ and NV ₃ of the child nodes ₂ and ₃ are determined from the route value NV ₁ , and this is repeated to determine the values of all nodes (node correspondence values) up to NV _2N−1. To do.

・・・（数式１）
の関係を満たす。すなわち、あるノードの値であるノード対応値ＮＶ_ｌとノード付加変数ｓａｌｔ_ｌからその親ノードのノード対応値、

を求めることは、関数：Ｈおよび、法：Ｍが公開されているため容易である。 The node-corresponding value NV _l (l = 2, 3,..., 2N−1) of each node l (L) thus determined is expressed by the following equation:

... (Formula 1)
Satisfy the relationship. That is, the node correspondence value NV _l which is the value of a certain node and the node addition variable salt _l from the node correspondence value of its parent node,

Is easy because the function: H and the method: M are disclosed.

An example of an algorithm for constructing a Rabin Tree of a binary tree having N leaves is shown below. The input of this algorithm is
[input]
Number of leaves constituting the binary tree: N
Size of method M: | M |
| M | Bit Output Mapping Function H
And the output of this algorithm is
[output]
Number of 2N−1 | M | bits (corresponding to node values): NV ₁ , NV ₂ ,..., NV _2N−1
2N-2 numbers (node additional variables): salt ₂ , salt ₃ ,..., Salt _2N−1 .

・・・（数式２）
が、Ｍを法とする平方剰余になるような最小の非負整数ｓａｌｔ_ｌを見つける。
ｂ．ｔｍｐ_ｌ ^１／２ｍｏｄＭを求め、４つの解のうちのいずれかを、ノードｌ（エル）のノード対応値ＮＶ_ｌと定める。
４．２Ｎ−１個の｜Ｍ｜ビットの数（ノード対応値）：ＮＶ_１，ＮＶ_２，・・・，ＮＶ_２Ｎ−１と、２Ｎ−２個の数（ノード付加変数）：ｓａｌｔ_２，ｓａｌｔ_３，・・・，ｓａｌｔ_２Ｎ−１
を出力して終了する。 Based on the above [input], the algorithm for obtaining the above [output] is as follows.
1. Determine two large prime numbers of size | M | / 2 and calculate their product M.
2. A value NV ₁ εZ ^* _M as a node corresponding value of the root node is selected at random.
3. The following processes a and b are performed while incrementing 1 from 2 to 2N-1 by using l as a counter.
a. The following formula,

... (Formula 2)
Find the smallest non-negative integer salt _l such that modulo M.
b. tmp _l ^1/2 modM is obtained, and one of the four solutions is determined as the node corresponding value NV _l of the node _l .
4.2 Number of | M | bits (node-corresponding values): NV ₁ , NV ₂ ,..., NV _2N−1 and 2N−2 numbers (node additional variables): salt ₂ , salt ₃ ,..., salt _2N-1
And exit.

The output value NV _l becomes the node-corresponding value of the node 1 (El) of the Rabin Tree. Note that the total number of nodes of the complete binary tree with N leaves is 2N−1, and the node output values of all nodes are output by the above output.

  FIG. 12 shows the flow of the above algorithm. Each step of the flow will be described. In step S401, the number N of leaves constituting the binary tree, the size | M | of the modulus M, and the mapping function H of | M | -bit output are input.

In step S402, two large prime numbers of size | M | / 2 are determined, their product M is calculated, and a value NV ₁ εZ ^* _M as a node-corresponding value of the root node is randomly selected. In step S403, a setting of l = 2 is made as an initial setting of the value: l.

In step S404, the minimum non-negative integer salt _l is found such that tmp _l defined in Equation 2 is a quadratic residue modulo M. This is a node additional variable.
In step S405, tmp _l ^1/2 modM is obtained, and one of the four solutions is determined as the node corresponding value NV _l of the node _l .

In step S406, it is determined whether or not l = 2N-1. If l = 2N-1, the process proceeds to step S407, where l is incremented by 1, and the processes of steps S404 and S405 are executed. Steps S404 and S405 are repeatedly executed until it is determined in step S407 that l = 2N−1. If it is determined that l = 2N−1 in step S407, 2N−1 | M | Number of bits (node-corresponding values): NV ₁ , NV ₂ ,..., NV _2N−1 and 2N−2 numbers (node additional variables): salt ₂ , salt ₃ ,. Output _2N-1 and end.

を求めることは容易だが、その逆は困難なものとなる。 FIG. 13 shows the configuration of the Rabin Tree in which the node correspondence value NV ₁ of each node is determined by the above processing. The tree constituted by the node corresponding value NV _l determined by the above processing is obtained by calculating the node corresponding value of the parent node from the node corresponding value NV _l of the certain node and the node additional variable salt _l ,

Is easy, but the opposite is difficult.

13, the straight arrows shown along the function f, by applying the function f as an input node associated value NV _l lower node indicates that the node corresponding value of the parent node is determined . The function f is a calculation using a forward calculation (two multiplications on modM) F. The node-corresponding value of the parent node of a certain node (child node) is calculated from the node-corresponding values NV _l and salt _l of the child node according to the above-described Equation 1 by applying the published function: H and modulus: M. can do.

In FIG. 13, the straight arrow shown along the function f ⁻¹ indicates that the node correspondence value of the lower node can be obtained by adopting the function f ⁻¹ with the node correspondence value of the upper node as an input. Show. The function f ⁻¹ is a calculation using a backward calculation (½ multiplication on modM) F ⁻¹ . In order to obtain the node correspondence value of the child node from the node correspondence value of the upper node, it is necessary to know the secret information p and q (prime factor of M), and only the management center (TC) can perform.

As described above, the node correspondence value NV can be calculated according to the above-described Equation 1 by applying the published function: H and modulus: M in one direction from the lower to the upper, but the reverse direction is difficult. A one-way tree is generated. A one-way tree constituted by the node correspondence value NV ₁ having such a setting is called a Rabin Tree. This is because the Rabin cipher uses a self multiplication on modM for encryption (forward calculation) and a root (1/2 power) calculation on modM for decryption (reverse calculation).

  That is, the node correspondence value set for the node of the Rabin Tree as a one-way tree has the following setting. That is, the node-corresponding value of the upper node is calculated by the encryption process (forward calculation) based on the node-corresponding value of the lower node, and the decryption process (Applying the Rabin cipher based on the node-corresponding value of the upper node) In this configuration, the node-corresponding value of the lower node is calculated by the reverse calculation. With this configuration, calculation of the node correspondence values from the lower to the higher can be performed according to the above-described Equation 1 by applying the publicly disclosed function: H and modulus: M. The calculation is difficult only with the publicly disclosed function: H and modulus: M, and only the management center (TC) that knows the secret information p, q (the prime factors of M) can be calculated. As for the Rabin cipher, for example, the A. J. et al. Menezes, P.M. C. van Oorschot and S.V. A. By Vanstone, "Handbook of Applied Cryptography," CRC Press, 1996 pp. There is a detailed description in 292-294.

In the Rabin Tree configured as described above, the node key NK _l is determined for each node of the hierarchical tree, and this is a value that can be calculated using the node correspondence value NV _l defined above. That is, the node key NK _l of the node _l is
NK _l = Hc (NV _l )
And The function Hc is a hash function that maps the value of the size | M | to a random value of the size C. For example, when C is 160 bits, there is the above-described SHA-1 as a function that outputs a 160-bit value for an input of an arbitrary size, and when C is 128 bits, a 128-bit value is input for an input of an arbitrary size. MD5 is known as an output function, and these functions can be applied. For MD5, the above A.I. J. et al. Menezes, P.M. C. van Oorschot and S.V. A. A detailed description can be found in Vanstone, "Handbook of Applied Cryptography," CRC Press, 1996.

  Since the node key is used to encrypt information to be transmitted to the receiver, such as a session key, the size C can be determined by the size of the encryption algorithm key used there. For example, when using 128-bit AES (Advanced Encryption Standard FIPS197) as an encryption algorithm, C may be set to 128 bits.

Also, leaf ₁ N leaves of the Rabin Tree, from the left, respectively, leaf _2, · · · ·, leaf _N and numbered (i.e., since the node number of the leftmost leaf ₁ is N, the leaf _i The node number is N-1 + i), and the receiver ui is assigned to leaf _i . The receiver ui is given a value NV _{N-1 + i} corresponding to leaf _i leaves (nodes) and logN node additional variables salt _l of nodes on the path from leaf _i to the root.

When the receiver is allocated as shown in FIG. 14, the receiver u4 allocated to the node 19 that is the leaf has the node correspondence value NV ₁₉ of the node 19 and the node on the path from the node 19 to the route. The node addition variables salt ₁₉ , salt ₉ , salt ₄ , and salt ₂ are given.

With this setting, the receiver u4 has the given node correspondence value: NV ₁₉ and the node additional variables of the nodes on the path from the node 19 to the route: salt ₁₉ , salt ₉ , salt ₄ , salt _2. Can be used to determine the values of all nodes on the path from the node 19 to the root, that is, the node corresponding value NV. Further, the node key NK _l of each node is calculated from the node corresponding value NV _l as described above, that is,
NK _l = Hc (NV _l )
Can be calculated.

In the receiver assignment configuration shown in FIG. 14, the receiver u4 assigned to the node 19 which is a leaf has a node corresponding value NV ₁₉ of the node 19 and a node additional variable of the node on the path from the node 19 to the route. Some salt ₁₉ , salt ₉ , salt ₄ , salt ₂ are given. The calculation of the node correspondence value NV of the higher order node (node number = 1, 2, 4, 9) and the calculation of the node key NK in the receiver u4 are executed according to the following processing procedure.

(A1) calculating from the node associated value _{NV 19} of the node 19 of the node associated value NV ₉ of the upper node 9,
NV ₉ = ((NV ₁₉ ) ² XOR H (19 || salt ₁₉ )) mod M
(A2) calculating the node associated value NV ₄ upper node 4 from the node associated value NV ₉ node 9,
NV ₄ = ((NV ₉ ) ² XOR H (9 || salt ₉ )) mod M
(A3) calculating from the node associated value NV ₄ nodes 4 nodes of the parent node 2 corresponding value NV _2,
NV ₂ = ((NV ₄ ) ² XOR H (4 || salt ₄ )) mod M
(A4) calculating from the node associated value NV _second node 2 of the node associated value NV ₁ of the upper node 1,
NV ₁ = ((NV ₂ ) ² XOR H (2 || salt ₂ )) mod M
By the calculation based on the above formula, the node correspondence value of the upper node is calculated from the node correspondence value of the lower node.

Further, the node key can be calculated from the node correspondence value of each node by the following formula.
(B1) The node key NK ₁₉ of the node ₁₉ is calculated from the node corresponding value NV ₁₉ of the node 19;
NK ₁₉ = Hc (NV ₁₉ )
(B2) The node key NK ₉ of the node ₉ is calculated from the node corresponding value NV ₉ of the node 9;
NK ₉ = Hc (NV ₉ )
(B3) calculating the node key NK ₄ nodes 4 from the node associated value NV ₄ of node 4,
NK ₄ = Hc (NV ₄ )
(B4) The node key NK ₂ of the node ₂ is calculated from the node corresponding value NV ₂ of the node 2;
NK ₂ = Hc (NV ₂ )
(B5) The node key NK ₁ of the node ₁ is calculated from the node corresponding value NV ₁ of the node 1;
NK ₁ = Hc (NV ₁ )

By the way, the receiver u4 needs to keep the node correspondence value NV ₁₉ secret, but it is not necessary to keep each node additional variable salt secret. For this reason, it is good also as a structure where all the receivers hold | maintain all the salt _l .

Here, the size of each node additional variable salt is considered. Since the probability that a number will be a quadratic residue under the modulus M is about ¼, if four values of salt _l are tried, it is expected that there will be an average of one in which tmp _l is a quadratic residue Therefore, the size required to represent the node additional variable salt _l is expected to be 2 bits.

On the other hand, none of the four values may be a quadratic residue. For example, when L values are tried as the node addition variable salt _l , the probability that none of tmp _l is a quadratic residue (a square non-residue) is 3 ^L / 4 ^L. Therefore, when L = 4, 3 ^{4/4 4} ≒ 42.2% of any in the probability tmp _l do not even quadratic residue. However, consider the 8-bit value as a node attached variable salt _l, if tried 256 number, the probability that any tmp _l also not a quadratic residue and ^{3 256/4 256 ≒ 1.0 ×} 10 -32 Even if a large number such as 2 ³⁰ ≈10 ⁹ or 2 ⁴⁰ ≈10 ¹² is considered as the number N of leaves, the tmp _l becomes a square remainder at any node. The probability that a new node addition variable salt _l is not found is small enough to be ignored.

(4.2) Shared processing of encrypted data using Rabin Tree Next, using Rabin Tree, which is a tree structure in which the node corresponding value NV ₁ corresponding to each node 1 of the binary tree is set by the above-described processing. A process for sharing data will be described. Here, a method of sharing a data file between a management center (TC) (transmitter) as a transmission entity of encrypted data and a user (receiver) as a reception entity of encrypted data will be described. The data file sharing sequence is divided into the following three processing phases.
(1) Setup (2) File generation / distribution (3) File usage Hereinafter, specific processes in these three phases will be described in order.

(4.2.1) Setup Setup process is performed only once at system startup. Subsequent information distribution and reception and decoding processes are performed each time information to be transmitted is generated. For example, it is executed whenever an information recording medium such as a DVD storing new content is distributed or when new information is distributed via a network. Note that the setup process may be executed by a management center (TC) independent of the entity that actually executes the ciphertext distribution, or may be executed by the entity that executes the ciphertext distribution. Here, as an example, the setup process will be described as an example in which the management center (TC) executes.

a. Step 1
The management center (TC) defines a tree that is a binary tree and has N leaves. For each node in the tree, k (k = 1, 2,..., 2N−1) and a node-corresponding number are set. However, the root, which is the highest node in the binary tree, is set to 1, and the subsequent numbers are set with breadth priority (breadth first order). That is, node corresponding numbers such as 1 to 31 shown in FIG. 14 are set. By this processing, node numbers 1 to 2N−1 are set to the respective nodes in the binary tree. Further, the receiver um (m = 1, 2,..., N) is assigned to each leaf of the tree.

b. Step 2
The management center (TC)
A data encryption function E _D applied to encryption of the distribution data;
And the key encryption function E _K to be applied for encryption of the encryption key,
Determine and publish.
The same function may be applied to the data encryption function E _D and the key encryption function E _K.

Furthermore, the management center (TC)
A size | M | of the modulus M is determined, and a mapping function H that maps an arbitrary size value to a random value of the size | M | is determined. The mapping function H is disclosed. Further, a function Hc for mapping the value of the size | M | to the random value of the size C is defined and disclosed. Here, C is the size of a key of the encryption function E _K.
Next, using a tree-structured leaf number N, modulus M size | M |, and mapping function H as inputs, a binary with N leaves according to the algorithm described with reference to the flow of FIG. Create a tree Rabin Tree. That is, node correspondence values corresponding to node 1 to node 2N-1, NV ₁ , NV ₂ ,..., NV _2N-1, and 2N−2 numbers corresponding to node 2 to node 2N-1 (node Additional variables): salt ₂ , salt ₃ ,..., Salt _2N−1 are determined.
The management center (TC) calculates the key corresponding to the node 1 created in step 1, that is, the node key NK _l of the node l (L) of the tree from the node corresponding value NV _l , that is,
NK _l = Hc (NV _l )
Set as.

c. Step 3
For the receiver um (m = 1, 2,..., N) set corresponding to the leaf (leaf) as the end node of the tree, the management center (TC) uses the node key based on the following rules: give. As shown in FIG. 14, the receiver is assigned to the leaves of the tree, that is, the node numbers 16 to 31. In the example illustrated in FIG. 14, 16 receivers u1 to u16 assigned to node numbers 16 to 31 are set.

  Note that the path from the leaf to the root to which the receiver um is assigned is represented as a path m [path-m]. A set of nodes on the path m [path-m] is represented as a path node m [PathNodes-m].

In the example of FIG.
PathNodes-1 = {1, 2, 4, 8, 16}
PathNodes-4 = {1, 2, 4, 9, 19}
PathNodes-11 = {1, 3, 6, 13, 26}
It becomes.

  The line connecting the nodes 1, 2, 4, 8, and 16 shown in FIG. 14 is the path 1 [path-1] of the receiver u1, and is configured by PathNodes-1 = {1, 2, 4, 8, 16}. Is done. The path 4 [path-4] of the receiver u4 is a line connecting the nodes 1, 2, 4, 9, 19 shown in FIG. 14, and is configured by PathNodes-4 = {1, 2, 4, 9, 19}. Is done.

The management center (TC) for each receiver um
(A) Node correspondence value NV _{l of} the leaf node (leaf) to which the receiver um is assigned
(B) A salt value corresponding to the path node excluding the route on the path of the receiver um is assigned.

In the configuration shown in FIG. 14, the receiver u4 assigned to the node 19 which is a leaf has a node corresponding value NV ₁₉ of the node 19 and a salt additional variable ₁₉ of the node on the path from the node 19 to the route. , Salt ₉ , salt ₄ , salt ₂ are given.

That is, the receiver ui is given a node corresponding value NV _{N-1 + i} corresponding to leaf _i (node) and log N node additional variables salt _l of nodes on the path from leaf _i to the root.

  The receiver keeps the node correspondence value secret so as not to leak. Note that the node addition variable salt is a value that may be a public value and does not need to be kept secret.

  FIG. 15 shows the flow of the setup process described above. Each step in the flow of FIG. 15 will be described.

  First, in step S501, the management center (TC) defines a binary tree having N leaves. The root, which is the highest node in the binary tree, is set to 1, and the subsequent numbers are set with breadth priority (breadth first order). That is, node correspondence numbers 1 to 31 as shown in FIGS. Further, the receiver um (m = 1, 2,..., N) is assigned to each leaf of the tree.

In step S502, the management center (TC)
A data encryption function E _D applied to encryption of the distribution data;
And the key encryption function E _K to be applied for encryption of the encryption key,
Determine and publish.
Furthermore, the management center (TC)
A size | M | of the modulus M is determined, and a mapping function H that maps an arbitrary size value to a random value of the size | M | is determined. The mapping function H is disclosed. Further, a function Hc for mapping the value of the size | M | to the random value of the size C is defined and disclosed. Further, a binary tree having N leaves according to the algorithm described with reference to the flow of FIG. 12 using the number N of leaves (leaf), the size | M | of the modulus M, and the mapping function H as inputs. Create a Rabin Tree. That is, node correspondence values corresponding to node 1 to node 2N-1, NV ₁ , NV ₂ ,..., NV _2N-1, and 2N−2 numbers corresponding to node 2 to node 2N-1 (node Additional variables): salt ₂ , salt ₃ ,..., Salt _2N−1 are determined. Further, the management center (TC) calculates the key corresponding to the node 1 created in step 1, that is, the node key NK _l of the node l (L) of the tree from the node corresponding value NV _l , that is,
NK _l = Hc (NV _l )
Set as.

Next, in step S503, the management center (TC) receives the receiver um (m = 1, 2,..., N) set corresponding to the leaf (leaf) as the end node of the tree. The data mentioned above, ie
(A) Node correspondence value NV _{l of} the leaf node (leaf) to which the receiver um is assigned
(B) A salt value corresponding to the path node excluding the route on the path of the receiver um is assigned.

Note that the distribution to the receiver regarding the salt value corresponding to the path node excluding the route on the path of the receiver um described above may be executed in the next file generation and distribution process, not at the time of this setup process. .

(4.2.2. File generation / distribution)
Next, file generation and distribution executed for sharing a data file between a management center (TC) (transmitter) as a transmission entity of encrypted data and a user (receiver) as a reception entity of encrypted data. Details of the processing will be described. This process is executed by a management center (TC) as a transmission entity of encrypted data.

First, the management center (TC) defines a set S⊆N of users (receivers) that share information (data).
The management center (TC) generates a random data key DK of C _D bits, and used to encrypt the information (data) to be shared with users Ui∈S. For example, when certain content data is shared, the content is provided after being encrypted by the data key DK.

In this embodiment, the user and the receiver owned by the user are both represented as ui. Here, C _D is the key size of the encryption function E _D for data described above. In this embodiment, the management center (TC) stores encrypted data in a file.

  Next, a user to be excluded that is not included in the set S⊆N of users (receivers) sharing information (data) is set as uj. uj is ujεS \ N. Assuming that the user uj to be excluded is revoked, the application node key is determined. Here, the node key is applied as the encryption key of the above-described data key DK, that is, the data key DK that is a key applied to encryption of shared information (for example, content).

For example, as shown in FIG. 16, 13 users excluding 3 receivers (3 users) u1, u11, u12 from 16 receivers (16 users) u1 to u16 However, if a set S of users (receivers) sharing information (data) is configured, five node keys (NK ₅ , NK ₇ , NK ₉₎ corresponding to the nodes ₅ , ₇ , ₉ , 12, 16 , NK ₁₂ , NK ₁₆ )
Is applied as the encryption key of the data key DK.

And as encrypted data, data (Data) such as contents encrypted with the data key DK, that is,
(A) Encrypted data: E _D (DK, Data),
In the file that stores
(B) Information designating a set S of users (receivers) sharing information (data) (in this example, user (receiver) numbers = u1, u3-u10, u13-u16)
(C) In the ciphertext obtained by encrypting the data key DK with the selected node key (NK ₅ , NK ₇ , NK ₉ , NK ₁₂ , NK ₁₆ ), that is, in the example shown in FIG.
_{E K (NK 5, DK)} , E K (NK 7, DK), E K (NK 9, DK), E K (NK 12, DK), E K (NK 16, DK)
(D) A node addition variable (salt) of a descendant node of the node corresponding to the selected node key. That is, in the example shown in FIG. 16, (salt ₁₀ , salt ₁₁ , salt ₁₄ , salt ₁₅ , salt ₁₈ , salt ₁₉ , salt ₂₀ , salt ₂₁ , salt ₂₂ , salt ₂₃ , salt ₂₄ , salt ₂₈ , salt ₂₅ , salt ₂₅ , salt ₂₅ , salt ₂₅ , salt ₂₅ , salt ₂₅ , salt ₂₅ , salt _{25 29} , salt ₃₀ , salt ₃₁ )
Add and store. Such information may be stored in the header of the file. Ea (X, Y) indicates that the data Y is encrypted by applying the key X and applying the encryption function Ea.

Further, the information specifying the set S of users (receivers) sharing the information (data) is not the above-mentioned user (receiver) number = u1, u3-u10, u13-u16, but the node key used for encryption. Information specifying (NK ₅ , NK ₇ , NK ₉ , NK ₁₂ , NK ₁₆ ) may be replaced. In this case, in the above example, 5, 7, 9, 12, 16 and node key numbers may be listed, or a method using an expression tree is applicable.

The ciphertext obtained by encrypting the data key DK with each node key is stored in ascending order of the node number corresponding to the node key. That is, in the above example,
_{E K (NK 5, DK)} , E K (NK 7, DK), E K (NK 9, DK), E K (NK 12, DK), E K (NK 16, DK)
Store in order.
Similarly, node addition variables (salt) are stored in ascending order of corresponding node numbers.

By using this configuration, in the above example, an attempt is made to share an encrypted file with 13 users (u1, u3 to u10, u13 to u16) among 16 users (u1 to u16 in FIG. 16). If you want to
5 ciphertexts, ie
_{E K (NK 5, DK)} , E K (NK 7, DK), E K (NK 9, DK), E K (NK 12, DK), and _{E K (NK 16, DK)} ,
16 node additional variables (salt), ie
_{(Salt 10, salt 11, salt} 14, salt 15, salt 18, salt 19, salt 20, salt 21, salt 22, salt 23, salt 24, salt 25, salt 28, salt 29, salt 30, salt 31)
May be stored in a file in which encrypted data of shared data: E _D (DK, Data) is stored.

Here, if the size of one ciphertext is 16 bytes and the size of one node additional variable (salt) is 1 byte, five ciphertexts,
_{E K (NK 5, DK)} , E K (NK 7, DK), E K (NK 9, DK), E K (NK 12, DK), and _{E K (NK 16, DK)} ,
16 node additional variables (salt),
_{(Salt 10, salt 11, salt} 14, salt 15, salt 18, salt 19, salt 20, salt 21, salt 22, salt 23, salt 24, salt 25, salt 28, salt 29, salt 30, salt 31)
The overall data size is 96 bytes.

On the other hand, when the encrypted data is generated by applying the individual keys of 13 persons, it is necessary to generate and distribute the 13 encrypted data, but when the size of one ciphertext is 16 bytes ,
A size of 13 × 16 = 208 bytes is required, which is larger than the data size of 96 bytes required in the above example.

  As described above, in this embodiment, it is possible to generate an encrypted data file that can be shared by 13 different users with only 5 ciphertexts and 16 node addition variables. With this configuration, the message size (communication amount) is reduced, and efficient file sharing becomes possible.

  FIG. 17 shows a flow of file generation / distribution. A processing procedure will be described. In step S601, the management center (TC) first determines a receiver (user) that shares the information. That is, a set S of users (receivers) sharing information (data) is determined.

Next, in step S602, the generation of encrypted data, that is, the data key DK is applied to encrypt the data (Data) to be shared to generate encrypted data: E _D (DK, Data).

  Next, in step S603, a node key to be applied to generation of ciphertext, that is, a node key to be applied to generation of a ciphertext set obtained by encrypting the data key DK with the node key is selected. Assuming that an exclusion target user not included in the set S⊆N of users (receivers) sharing information (data) is uj (ujεS \ N), the exclusion target user uj is revoked. Determine the applicable node key. The node key is applied as an encryption key of a data key DK that is a key applied to encryption of shared information (for example, content).

  Next, in step S604, use node key designation information or user designation information as index data for selecting a ciphertext that can be decrypted is generated in a receiver that receives the ciphertext. This is tag information or an expression code indicating which node key has been selected.

In step S605, as encrypted data, data (Data) such as content encrypted with the data key DK, that is,
(A) Encrypted data: E _D (DK, Data),
In the file that stores
(B) Information specifying a set S of users (receivers) sharing information (data) (c) Ciphertext obtained by encrypting the data key DK with the selected node key, that is,
E _K (NK ₅ , DK), etc.
(D) Furthermore, a node addition variable (salt) of a descendant node of the node corresponding to the selected node key,
A file storing these is generated and transmitted using a broadcast channel. Alternatively, it is stored in an information recording medium and distributed.

  FIG. 18 is a block diagram illustrating a functional configuration of an information processing apparatus that executes encrypted data generation processing that can be decrypted only by a specific selected device. The setup processing means 410 executes the processing described above with reference to the flow of FIG. 15 to set the node corresponding value (NV) and the node additional variable (salt) corresponding to each node, and each reception A hierarchical tree structure is constructed in which predetermined node-corresponding values and node addition variables are assigned to the machine.

The data generation unit 420 includes an encrypted data generation unit 421, a data sharing set information generation unit 422, a ciphertext set generation unit 423, and a node addition variable (salt) generation (selection) unit 424.
The encrypted data generation means 421
(A) Encrypted data obtained by encrypting data to be shared (Data) with the data key DK,
The data sharing set information generation means 422
(B) Information of the set S that makes it possible to identify the data sharing device,
The ciphertext set generation means 423
(C) a ciphertext set generated by encrypting the data key DK by applying the selected node key selected based on the data sharing device based on the hierarchical tree configuration in the broadcast encryption method;
(D) a node additional variable (salt) of a descendant node of the node corresponding to the selected node key;
Each of these data is generated or selected. The data output unit 430 broadcasts the data (a) to (d) generated by the data generation unit 420, for example.

  Note that the hierarchical tree used here can calculate the node-corresponding value of the upper node by the encryption process (forward calculation) applying the Rabin cipher based on the node-corresponding value of the lower node, and the node-corresponding value of the upper node. Is a one-way tree having a setting in which the node correspondence value of the lower node can be calculated by the decryption process (reverse operation) to which the Rabin cipher based on the above is applied.

Further, the encrypted data generated encrypted data generation unit 421 of the data generation means 420, data to be shared with (Data), the encrypted data E _D encrypted by the encryption function E _D by applying the data key DK (DK, Data), and the ciphertext set generated by the ciphertext set generation means 423 is the encrypted data E _K (encrypted with the encryption function E _K by applying the selected node key (NKn) to the data key DK). NKn, DK). In the hierarchical tree configuration, the node key set for the node from the data sharing device to the root is applied as the selected node key, and the data key DK is encrypted to generate a ciphertext set.

  Further, the data generation means 420 further determines a size | M | of the modulus M, a mapping function H that maps a value of an arbitrary size to a random value of the size | M |, and a value of the size | M | A mapping function Hc for mapping to a random value of C and a process for determining these mapping functions are also executed.

(4.2.2. File usage)
Next, file use processing in the receiver on the user side that has received the information will be described. The above file, ie
(A) Encrypted data: E _D (DK, Data),
(B) Information specifying a set S of users (receivers) sharing information (data) (c) Ciphertext obtained by encrypting the data key DK with the selected node key,
(D) Furthermore, a node addition variable (salt) of a descendant node of the node corresponding to the selected node key,
A file containing these data is provided to the receiver by broadcast distribution. Alternatively, it is stored in an information recording medium and provided to the receiver. This file can be received by all receivers, but the receivers other than the set S of users (receivers) sharing information (data), that is, users (receivers) sharing information (data). Since the user to be excluded that is not included in the set S⊆N cannot obtain the node key that is applied to decrypt the ciphertext obtained by encrypting the data key DK with the selected node key, the data key DK Can't get.

  When the transmitted file is received, first, the user (receiver) ui confirms that it is included in the set S. If the set S is directly specified in the file distributed by the management center (TC), it is sufficient to directly check uiεS, and if the information specifying the node key is stored, the leaf to which it is assigned is stored. Or just confirm that its ancestor node is included. If it is not included in the set S, the process ends there.

  The receiver that has confirmed that it is included in the set S of users (receivers) that share information (data) decrypts itself from the set of received ciphertext (the ciphertext obtained by encrypting the data key DK with the selected node key). Identify the ciphertext that can be used and the node key to be used.

Some node keys used in the encryption of the encrypted text included in the set of received ciphertext may itself be derived from a node associated value NV _l held directly, it can be obtained from a holding or file salt node key Is included. Information (data) receiver included in the set S of user (receiver) that share includes a node associated value NV _l, the salt, the node associated value NV _k corresponding to node key NK _k applied to encrypt derived derives the node key NK _k from the node associated value NV _k, the derived node key can be obtained data key DK as secret information if decrypt the ciphertext using. In order to specify the ciphertext to be decrypted by the receiver, the node key designation information described above may be used.

The receiver um holds the node correspondence value NV _l of the leaf l to which the receiver um is assigned. If the node key applied to the specified ciphertext to be decrypted is a node key corresponding to its own leaf, the node corresponding value (NV _l ) owned by itself is applied to the hash function HC. And the node key is the following formula,
NK _l = Hc (NV _l )
Can be calculated.

を、下式、

により求め、さらにこれを繰り返すことにより、自己ノードｌからルートまでのパス上の任意のノードｋのノード対応値ＮＶ_ｋを導出する。そして、ノードｋのノード対応値ＮＶ_ｋから、ノードｋのノードキーＮＫ_ｋを、
ＮＫ_ｋ＝Ｈｃ（ＮＶ_ｋ）
により導出する。導出したノードキーを適用して暗号文を復号する。 On the other hand, if the node key applied to the identified ciphertext is not the node key corresponding to this leaf, the node corresponding value of the parent node from the node additional variable salt ₁ to 1 obtained from the holding or file,

With the following formula:

Then, by repeating this, the node correspondence value NV _k of an arbitrary node k on the path from the self node 1 to the root is derived. Then, the node key NK _{k of the} node k is _obtained from the node corresponding value NV _k of the node k.
NK _k = Hc (NV _k )
Derived by The ciphertext is decrypted by applying the derived node key.

  A specific example will be described with reference to FIG. Now, assuming that the receiver u4 (node number = 19) is a receiver included in a set S of users (receivers) sharing information (data), the processing of the receiver u4 will be considered. The node key used for encryption always includes a node key that matches the node number included in the nodes {1, 2, 4, 9, 19} from the receiver u4 to the root.

Assuming that the data key [DK] is secret information, E (NK ₁ , DK), E (NK ₂ , DK), E (NK ₄ , DK), E (NK ₉ , DK), E (NK ₁₉ , DK) A ciphertext set including any of the above is provided by being stored on a network distribution or recording medium. E (A, B) means data obtained by encrypting data B with the key A. The receiver u4 detects from the received ciphertext set the one that matches the node number included in the path node = {1, 2, 4, 9, 19} from the receiver u4 to the root.

After determining which of the node keys NK ₁ , NK ₂ , NK ₄ , NK ₉ , NK ₁₉ is a node key applied to ciphertext encryption, the receiver u4 calculates the determined node key. The node correspondence value NV ₄ held by itself and the node additional variables salt ₂ , salt ₄ , salt ₉ , and salt ₁₉ are applied to calculate the node correspondence value of the upper node, and the node key is calculated from the calculated node correspondence value. Is calculated. The calculation method is as described above.
NV ₉ = ((NV ₁₉ ) ² XOR H (19 || salt ₁₉ )) mod M
NV ₄ = ((NV ₉ ) ² XOR H (9 || salt ₉ )) mod M
NV ₂ = ((NV ₄ ) ² XOR H (4 || salt ₄ )) mod M
NV ₁ = ((NV ₂ ) ² XOR H (2 || salt ₂ )) mod M
By the calculation based on the above formula, the node correspondence value of the upper node is calculated from the node correspondence value of the lower node.

Furthermore, the node key from the node corresponding value of each node,
NK ₁₉ = Hc (NV ₁₉ )
NK ₉ = Hc (NV ₉ )
NK ₄ = Hc (NV ₄ )
NK ₂ = Hc (NV ₂ )
NK ₁ = Hc (NV ₁ )
It calculates with each of these formulas.

The receiver u4 receives one of the node keys of the nodes included in the path node = { ₁ , ₂ , ₄ , ₉ , ₁₉ } from the receiver u4 to the route: NK ₁₉ , NK ₉ , NK ₄ , NK ₂ , NK ₁ By applying, the ciphertext included in the ciphertext set can be decrypted to obtain the data key DK as secret information.

For example, a processing example of the user (receiver) u9 in the above-described example will be described. The user (receiver) u9 specifies the node key NK ₁₂ used for encrypting the data key DK and the corresponding ciphertext E _K (NK ₁₂ , DK). The user (receiver) u9 possesses a node-corresponding value NV ₂₄ , and the node additional variable salt ₂₄ is stored in the received file. Using these, the user (receiver) u9 are node keys _{NK 12,} derived according to the following equation.
NV ₁₂ = ((NV ₂₄ ) ² XOR H (24 || salt ₂₄ )) mod M
NK ₁₂ = Hc (NV ₁₂ )
According to the above equation, the user (receiver) u9 calculates the node key _{NK 12,} using the calculated note key, obtain a data key DK as secret information to decrypt the ciphertext _E K _(NK 12, DK) be able to.

  The above-described processing example has been described as a processing example in which information is shared in a management center (TC) with a plurality of selected user sets S. For example, a user ui included in the set S has obtained by decoding When editing the data (Data) and wishing to share this edited data with other users or the management center (TC) in the set S, the same processing as that executed by the management center (TC) in the above processing is performed. The user ui executes the editing data again and transmits the editing data, so that the editing data can be shared.

In this case, the user edits the plaintext data and the edit data (Data2) is encrypted with the data key DK, that is,
(A) A file including encrypted data E _D (DK, Data2) is created, and information included in the original file received from the management center (TC) is created in this file, that is,
(B) Information designating a set S of users (receivers) sharing information (data) (for example, user (receiver) numbers = u1, u3-u10, u13-u16),
(C) a ciphertext obtained by encrypting the data key DK with the selected node key;
(D) Furthermore, a node addition variable (salt) of a descendant node of the node corresponding to the selected node key,
These data are copied from the original file, additionally stored in a file containing the encrypted data of the edited data, and transmitted using the broadcast channel.

The user and management center (TC) in the set S that has received the file including the edited data decrypts the ciphertext obtained by encrypting the data key DK with the selected node key in the same manner as the user ui performs. It is possible to acquire the data key DK, apply the acquired data key DK, execute decryption processing of the encrypted data E _D (DK, Data2), and obtain plaintext edit data (Data2). Note that the user of the set S or the management center (TC) can edit the edited data again and re-transmit the re-edited data as encrypted data in the same manner.

The file use sequence will be described with reference to the flowchart shown in FIG. First, in step S701, a file is received. The file contains
(A) Encrypted data: E _D (DK, Data),
(B) Information designating a set S of users (receivers) sharing information (data) (for example, in the example shown in FIG. 16, user (receiver) numbers = u1, u3-u10, u13-u16),
(C) Ciphertext obtained by encrypting the data key DK with the selected node key (NK ₅ , NK ₇ , NK ₉ , NK ₁₂ , NK ₁₆ ), for example, in the example shown in FIG.
_{E K (NK 5, DK)} , E K (NK 7, DK), E K (NK 9, DK), E K (NK 12, DK), E K (NK 16, DK)
(D) A node addition variable (salt) of a descendant node of the node corresponding to the selected node key. That is, in the example shown in FIG. 16, (salt ₁₀ , salt ₁₁ , salt ₁₄ , salt ₁₅ , salt ₁₈ , salt ₁₉ , salt ₂₀ , salt ₂₁ , salt ₂₂ , salt ₂₃ , salt ₂₄ , salt ₂₈ , salt ₂₅ , salt ₂₅ , salt ₂₅ , salt ₂₅ , salt ₂₅ , salt ₂₅ , salt ₂₅ , salt _{25 29} , salt ₃₀ , salt ₃₁ )
These data are included.

  In step S702, the user (receiver) ui confirms that the user (receiver) ui is included in the set S. If the set S is directly specified in the file distributed by the management center (TC), it is sufficient to directly check uiεS, and if the information specifying the node key is stored, the leaf to which it is assigned is stored. Or just confirm that its ancestor node is included. If it is not included in the set S, the process ends there.

  In step S703, the receiver that has confirmed that it is included in the set S of users (receivers) that share information (data) uses the node key that is used to encrypt the ciphertext included in the received ciphertext set. Extracts the ciphertext encrypted by the node key that can be calculated based on the node correspondence value NV directly held by itself, the node correspondence value that can be derived from the node addition variable salt that can be obtained from the retention or file To do.

In step S704, the node key used for encryption is calculated by applying the node correspondence value NV held by itself and the node additional variable salt. This calculation is performed by calculating the upper node corresponding value according to the above-described (Formula 1), and based on the calculated node corresponding value,
NK _k = Hc (NV _k )
Is executed as a process for obtaining a necessary node key NK _k .

When the node key used for encryption is calculated, the process proceeds to step S705, where the calculated node key is applied to decrypt the ciphertext, and the data key DK as secret information is obtained. Next, in step S706, the encrypted data E _D (DK, Data) is decrypted using the obtained data key DK to obtain plain text data (Data).

  Next, a processing sequence for generating and retransmitting data (Data2) by editing the data (Data) obtained by decoding will be described with reference to the flow shown in FIG. In step S721, the data (Data) acquired by the decryption process is edited to generate data (Data2).

In step S722, the data (Data2) is encrypted with the data key DK to generate encrypted data: E _D (DK, Data2), and a file storing the encrypted data is generated. In step S723, the definition information of the set S stored in the original file, that is, the file storing the encrypted data of the data (Data) before editing, and the ciphertext that is the encrypted data of the data key DK by the selected node key The set and the node addition variable (salt) are acquired from the original file, copied, and stored in the edit data storage file.

In step S724, the generated file is transmitted. The generated file contains
(A) Encrypted data: E _D (DK, Data2),
(B) Information designating a set S of users (receivers) sharing information (data) (for example, in the example shown in FIG. 16, user (receiver) numbers = u1, u3-u10, u13-u16),
(C) Ciphertext obtained by encrypting the data key DK with the selected node key (NK ₅ , NK ₇ , NK ₉ , NK ₁₂ , NK ₁₆ ), for example, in the example shown in FIG.
_{E K (NK 5, DK)} , E K (NK 7, DK), E K (NK 9, DK), E K (NK 12, DK), E K (NK 16, DK)
(D) A node addition variable (salt) of a descendant node of the node corresponding to the selected node key. That is, in the example shown in FIG. 16, (salt ₁₀ , salt ₁₁ , salt ₁₄ , salt ₁₅ , salt ₁₈ , salt ₁₉ , salt ₂₀ , salt ₂₁ , salt ₂₂ , salt ₂₃ , salt ₂₄ , salt ₂₈ , salt ₂₅ , salt ₂₅ , salt ₂₅ , salt ₂₅ , salt ₂₅ , salt ₂₅ , salt ₂₅ , salt _{25 29} , salt ₃₀ , salt ₃₁ )
These data are included.

The user and the management center (TC) in the set S that has received the file including the edited data set the node correspondence value (NV) and the node additional variable (salt) in the same manner as the user ui described above. A decryption process of encrypted data E _D (DK, Data2) by applying the acquired data key DK by decrypting a ciphertext obtained by encrypting the node key and data key DK generated by application To obtain edit data (Data 2).

FIG. 22 is a block diagram illustrating a functional configuration of an information processing apparatus corresponding to a receiver as a user device that executes a process for decrypting encrypted data.
The data input means 451
(A) Encrypted data obtained by encrypting data to be shared (Data) with the data key DK,
(B) information of the set S that makes the data sharing device identifiable, and
(C) a ciphertext set generated by encrypting the data key DK by applying a selected node key selected based on the data sharing device based on a hierarchical tree configuration in the broadcast encryption scheme;
(D) a node additional variable (salt) of a descendant node of the node corresponding to the selected node key;
The data (a) to (d) are input.

  The ciphertext selection unit 452 selects a ciphertext that can be decrypted with a node key that can be generated based on the retained data held in its own memory 453 from the above-mentioned (c) ciphertext set. The ciphertext encrypted by the node key set in the node from its corresponding node to the root is selected. The node key generation unit 454 generates a node key applied to the ciphertext selected by the ciphertext selection unit 452 based on the held data held by itself. The data key acquisition unit 455 decrypts the ciphertext selected by the ciphertext selection unit 452 using the node key generated by the node key generation unit 454, and acquires the data key DK. The plaintext data acquisition unit 456 decrypts the encrypted data using the acquired data key DK, and acquires plaintext data.

  The data editing unit 457 edits the plaintext data (Data) acquired by the plaintext data acquisition unit 456 to generate editing data (Data2), and the file generation unit 458 further adds the above-described ((2) to the editing data (Data2). A file including copy data of each data of b), (c), and (d) is generated. The data output unit 459 outputs the file generated by the file generation unit 458.

  As described above, in the configuration of the present embodiment, data encrypted by the data key DK is distributed using the broadcast encryption technology, and shared by a plurality of users among the node keys arranged in the tree structure. The data key DK is encrypted and distributed using the node key. Efficient encrypted file sharing with reduced message size (communication volume) compared to the configuration that generates and distributes each encrypted data by applying the individual key of each person sharing information. A system is built.

  Further, after editing the data obtained by decrypting and acquiring the user ui included in the information sharing set S, it is also possible to send the encrypted data to share the edited data again in the same user set S. Is encrypted with the data key DK, and the definition information of the set S included in the Salani original file, the ciphertext set that is the encrypted data of the data key DK with the selected node key, and the node additional variable (salt) are copied. Thus, by storing the edited data in the editing data storage file and transmitting it, sharing of the edited file among the members of the set S can be performed efficiently and safely.

  The present invention has been described in detail above with reference to specific embodiments. However, it is obvious that those skilled in the art can make modifications and substitutions of the embodiments without departing from the gist of the present invention. In other words, the present invention has been disclosed in the form of exemplification, and should not be interpreted in a limited manner. In order to determine the gist of the present invention, the claims section described at the beginning should be considered.

  The series of processes described in the specification can be executed by hardware, software, or a combined configuration of both. When executing processing by software, the program recording the processing sequence is installed in a memory in a computer incorporated in dedicated hardware and executed, or the program is executed on a general-purpose computer capable of executing various processing. It can be installed and run.

  For example, the program can be recorded in advance on a hard disk or ROM (Read Only Memory) as a recording medium. Alternatively, the program is temporarily or permanently stored on a removable recording medium such as a flexible disk, a CD-ROM (Compact Disc Read Only Memory), an MO (Magneto optical) disk, a DVD (Digital Versatile Disc), a magnetic disk, or a semiconductor memory. It can be stored (recorded). Such a removable recording medium can be provided as so-called package software.

  The program is installed on the computer from the removable recording medium as described above, or is wirelessly transferred from the download site to the computer, or is wired to the computer via a network such as a LAN (Local Area Network) or the Internet. The computer can receive the program transferred in this manner and install it on a recording medium such as a built-in hard disk.

  Note that the various processes described in the specification are not only executed in time series according to the description, but may be executed in parallel or individually according to the processing capability of the apparatus that executes the processes or as necessary. Further, in this specification, the system is a logical set configuration of a plurality of devices, and the devices of each configuration are not limited to being in the same casing.

  As described above, according to the configuration of the present invention, a specific selected user (receiver) in an information distribution configuration to which a hierarchical tree structure that is an aspect of a broadcast encryption scheme is applied. It is possible to generate and provide data that can be decrypted only in a set of data, and data sharing in a specific set of users can be executed securely and efficiently. Specifically, the ciphertext set is generated by encrypting the data to be shared with the data key DK, and further encrypting the data key DK using the selected node key of the hierarchical tree structure, and for example, by broadcasting to the user provide.

  Furthermore, according to the configuration of the present invention, in the receiver that has received the shared data, the edited data generated by editing the data can be redistributed in a form that can be used only in the shared set S of the original data. Can do. Specifically, a file storing the encrypted data obtained by encrypting the edit data with the data key DK is generated, and the data key DK included in the original file is encrypted using the selected node key of the hierarchical tree configuration. A set similar to the shared set S of the original data is obtained by copying the ciphertext set and the information related to the data shared set S, storing the encrypted data of the edited data in a file storing the data, and broadcasting the file, for example. Editing data can be redistributed in a form that can be used only in S.

It is a figure explaining the hierarchical tree structure which a node branches in two. It is a figure explaining the node key which the receiver which is set corresponding to the leaf of a hierarchical tree structure has. It is a figure explaining the structure which provides data selectively only to a data sharing receiver. And FIG. 11 is a diagram illustrating a configuration example of an information processing apparatus that performs data transmission or reception. It is a figure which shows the flow of the setup process in the encryption data delivery process to which a hierarchical tree structure is applied. It is a flowchart explaining the procedure of the encryption data delivery process information delivery process to which a hierarchical tree structure is applied. FIG. 11 is a block diagram illustrating a configuration example of an information processing apparatus that executes encrypted data distribution processing to which a hierarchical tree structure is applied. It is a figure which shows the flow explaining the sequence of the file utilization in the encryption data delivery process to which a hierarchical tree structure is applied. It is a figure which shows the flow explaining the redistribution sequence of the edit data in the encryption data distribution process to which the hierarchical tree structure is applied. FIG. 11 is a block diagram illustrating an exemplary configuration of an information processing apparatus that performs reception, decryption, editing, and redistribution processing of encrypted data to which a hierarchical tree structure is applied. It is a figure explaining the tree structure defined using the forward substitution and reverse substitution of RSA encryption. It is a flowchart explaining the production | generation process of the Rabin Tree as a one way permutation tree applied in this invention, a node corresponding value, and the calculation procedure of a node additional variable. It is a figure explaining the tree structure of Rabin Tree as a one way permutation tree applied in the present invention. It is a figure explaining the data provided to a receiver in the system to which Rabin Tree is applied. It is a figure which shows the flow of the setup process in the system to which Rabin Tree is applied. It is a figure explaining the application node key in the case of providing data selectively only to a data sharing receiver. It is a flowchart explaining the procedure of the information delivery process in the system to which Rabin Tree is applied. FIG. 11 is a block diagram illustrating a configuration example of an information processing apparatus that executes encrypted data distribution processing in a system to which Rabin Tree is applied. It is a figure explaining the data provided to a receiver in the system to which Rabin Tree is applied. It is a flowchart explaining the decryption process procedure of the ciphertext in a receiver in the system to which Rabin Tree is applied. It is a figure which shows the flow explaining the redistribution sequence of edit data in the system to which Rabin Tree is applied. FIG. 11 is a block diagram illustrating a configuration example of an information processing apparatus that performs reception, decryption, editing, and redistribution processing of encrypted data in a method to which Rabin Tree is applied.

Explanation of symbols

DESCRIPTION OF SYMBOLS 101 Node 200 Information processing apparatus 201 Controller 202 Arithmetic unit 203 Input / output interface 204 Secure storage unit 205 Main storage unit 206 Network interface 207 Media interface 310 Setup unit 320 Data processing unit 321 Encrypted data generation unit 322 Data shared set information generation unit 323 Ciphertext set generation means 330 Data output means 351 Data input means 352 Ciphertext selection means 353 Memory 354 Node key acquisition means 355 Data key acquisition means 356 Plaintext data acquisition means 357 Data editing means 358 File generation means 359 Data output means 410 Setup means 420 Data processing means 421 Encrypted data generation means 422 Data sharing set information generation means 423 Issue set generation means 424 Node addition variable generation (selection) means 430 Data output means 451 Data input means 452 Ciphertext selection means 453 Memory 454 Node key generation means 455 Data key acquisition means 456 Plain text data acquisition means 457 Data editing means 458 File generation Means 459 Data output means

Claims (38)

An information processing method for executing encrypted data generation processing that can be decrypted only by a specific selected device,
(A) Encrypted data obtained by encrypting data to be shared (Data) with the data key DK,
(B) information of the set S that makes the data sharing device identifiable, and
(C) a ciphertext set generated by encrypting the data key DK by applying a selected node key selected based on the data sharing device based on a hierarchical tree configuration in the broadcast encryption scheme;
A data generation step for generating each of the data (a) to (c);
Outputting each of the data (a) to (c) generated in the data generation step;
An information processing method characterized by comprising: The encrypted data is encrypted data E _D (DK, Data) obtained by encrypting the data to be shared (Data) with the encryption function E _D by applying the data key DK,
The ciphertext set, the data key DK, is said selected node key (NKn) to apply cryptographic function _{E K} by encrypting encrypted data _E K (NKn, DK),
The information processing method according to claim 1, wherein the cryptographic function E _D and the cryptographic function E _K are public functions.   The node key applied to the generation of the ciphertext set generated by applying the selected node key selected based on the data sharing device and encrypting the data key DK is the root key from the data sharing device in the hierarchical tree configuration. The information processing method according to claim 1, wherein the information includes a node key set for each node. An information processing method for executing decryption processing of encrypted data,
(A) Encrypted data obtained by encrypting data to be shared (Data) with the data key DK,
(B) information of the set S that makes the data sharing device identifiable, and
(C) a ciphertext set generated by encrypting the data key DK by applying a selected node key selected based on the data sharing device based on a hierarchical tree configuration in the broadcast encryption scheme;
A data input step for inputting each of the data (a) to (c);
(C) a ciphertext selection step of selecting a ciphertext that can be decrypted by a node key held by itself from the ciphertext set;
Decrypting the ciphertext selected in the ciphertext selection step using a node key held by the ciphertext and obtaining a data key DK;
A plaintext data obtaining step of decrypting the encrypted data by applying the obtained data key DK and obtaining plaintext data;
An information processing method characterized by comprising: The information processing method further includes:
A data editing step of editing the plaintext data (Data) acquired in the plaintext data acquisition step, and generating edited data (Data2);
A file generation step of generating a file including copy data of each of the data (b) and (c) in the edit data (Data 2);
Outputting the file generated in the file generation step;
The information processing method according to claim 4, further comprising: The ciphertext selection step includes:
5. The information processing method according to claim 4, wherein in the hierarchical tree configuration, the ciphertext encrypted by a node key set in a node from the corresponding node to the root is selected. An information processing method for executing encrypted data generation processing that can be decrypted only by a specific selected device,
(A) Encrypted data obtained by encrypting data to be shared (Data) with the data key DK,
(B) information of the set S that makes the data sharing device identifiable, and
(C) a ciphertext set generated by encrypting the data key DK by applying a selected node key selected based on the data sharing device based on a hierarchical tree configuration in the broadcast encryption scheme;
A data generation step for generating each of the data (a) to (c);
A data output step of outputting each of the data (a) to (c) generated in the data generation step;
An information processing method characterized by comprising: In the information processing method,
The data generation step further includes:
(D) a node additional variable (salt) of a descendant node of the node corresponding to the selected node key;
Produces
The data output step includes
The information processing method according to claim 7, wherein the information generation method is a step of outputting each of the data (a) to (d) generated in the data generation step.   The hierarchical tree can calculate the node-corresponding value of the upper node by an encryption process (forward calculation) applying the Rabin cipher based on the node-corresponding value of the lower node. The information processing method according to claim 7, wherein the information processing method is a one-way tree having a setting in which a node correspondence value of a lower node can be calculated by an applied decoding process (reverse operation). The encrypted data is encrypted data E _D (DK, Data) obtained by encrypting the data to be shared (Data) with the encryption function E _D by applying the data key DK,
The ciphertext set, the data key DK, is said selected node key (NKn) to apply cryptographic function _{E K} by encrypting encrypted data _E K (NKn, DK),
The information processing method according to claim 7 cryptographic function E _D, and encryption functions E _K, which is a published function. The information processing method further includes:
A mapping function H that defines a size | M | of the modulus M and maps a value of arbitrary size to a random value of size | M |;
A mapping function Hc that maps a value of size | M | to a random value of size C;
The information processing method according to claim 7, further comprising a step of defining and disclosing these mapping functions.   The node key applied to the generation of the ciphertext set generated by applying the selected node key selected based on the data sharing device and encrypting the data key DK is the root key from the data sharing device in the hierarchical tree configuration. The information processing method according to claim 7, wherein the setting includes a node key set for each node to be reached. An information processing method for executing decryption processing of encrypted data,
(A) Encrypted data obtained by encrypting data to be shared (Data) with the data key DK,
(B) information of the set S that makes the data sharing device identifiable, and
(C) a ciphertext set generated by encrypting the data key DK by applying a selected node key selected based on the data sharing device based on a hierarchical tree configuration in the broadcast encryption scheme;
A data input step for inputting each of the data (a) to (c);
(C) a ciphertext selection step of selecting a ciphertext that can be decrypted by a node key that can be generated based on retained data held by itself from the ciphertext set;
A node key generation step of generating a node key applied to the ciphertext selected in the ciphertext selection step based on retained data held by itself;
Decrypting the ciphertext selected in the ciphertext selection step by applying the node key generated in the node key generation step, and obtaining a data key DK;
A plaintext data obtaining step of decrypting the encrypted data by applying the obtained data key DK and obtaining plaintext data;
An information processing method characterized by comprising: In the information processing method,
The data input step further includes:
(D) a node additional variable (salt) of a descendant node of the node corresponding to the selected node key;
Enter
The node key generation step includes:
14. The information processing method according to claim 13, wherein the node addition variable (salt) is applied to generate a node key applied to the selected ciphertext. The information processing method further includes:
A data editing step of editing the plaintext data (Data) acquired in the plaintext data acquisition step, and generating edited data (Data2);
A file generation step of generating a file including copy data of each of the data (b), (c), and (d) in the edit data (Data 2);
Outputting the file generated in the file generation step;
The information processing method according to claim 13, further comprising: The ciphertext selection step includes:
14. The information processing method according to claim 13, wherein in the hierarchical tree configuration, the ciphertext encrypted by a node key set in a node from the corresponding node to the root is selected. An information processing apparatus that executes encrypted data generation processing that can be decrypted only by a specific selected device,
(A) Encrypted data obtained by encrypting data to be shared (Data) with the data key DK,
(B) information of the set S that makes the data sharing device identifiable, and
(C) a ciphertext set generated by encrypting the data key DK by applying a selected node key selected based on the data sharing device based on a hierarchical tree configuration in the broadcast encryption scheme;
Data generating means for generating each of the data (a) to (c);
Data output means for outputting each of the data (a) to (c) generated in the data generation means;
An information processing apparatus comprising: The encrypted data generated by the data generating means is encrypted data E _D (DK, Data) obtained by encrypting the data to be shared (Data) with the encryption function E _D by applying the data key DK,
The ciphertext set, the data key DK, is said selected node key (NKn) to apply cryptographic function _{E K} by encrypting encrypted data _E K (NKn, DK),
18. The information processing apparatus according to claim 17, wherein the cryptographic function E _D and the cryptographic function E _K applied by the data generation unit are set as public functions. The data generation means includes
In the hierarchical tree configuration, the node key set in a node from the data sharing device to the root is applied as a selection node key, and the data key DK is encrypted to generate a ciphertext set. The information processing apparatus according to claim 17. An information processing device that performs decryption processing of encrypted data,
(A) Encrypted data obtained by encrypting data to be shared (Data) with the data key DK,
(B) information of the set S that makes the data sharing device identifiable, and
(C) a ciphertext set generated by encrypting the data key DK by applying a selected node key selected based on the data sharing device based on a hierarchical tree configuration in the broadcast encryption scheme;
Data input means for inputting each of the data (a) to (c);
(C) ciphertext selection means for selecting a ciphertext that can be decrypted by a node key held by itself from the ciphertext set;
A data key acquisition unit that decrypts the ciphertext selected by the ciphertext selection unit by applying a node key held by the ciphertext selection unit, and acquires a data key DK;
Plaintext data acquisition means for decrypting encrypted data by applying the acquired data key DK and acquiring plaintext data;
An information processing apparatus comprising: The information processing apparatus further includes:
Data editing means for editing plaintext data (Data) acquired by the plaintext data acquisition means, and generating edit data (Data2);
File generation means for generating a file including copy data of each of the data (b) and (c) in the edit data (Data 2);
Data output means for outputting the file generated in the file generation means;
The information processing apparatus according to claim 20, further comprising: The ciphertext selecting means includes
21. The information processing apparatus according to claim 20, wherein in the hierarchical tree configuration, a ciphertext encrypted by a node key set in a node from a corresponding node to a root is selected. An information processing apparatus that executes encrypted data generation processing that can be decrypted only by a specific selected device,
(A) Encrypted data obtained by encrypting data to be shared (Data) with the data key DK,
(B) information of the set S that makes the data sharing device identifiable, and
(C) a ciphertext set generated by encrypting the data key DK by applying a selected node key selected based on the data sharing device based on a hierarchical tree configuration in the broadcast encryption scheme;
Data generating means for generating each of the data (a) to (c);
Data output means for outputting each of the data (a) to (c) generated in the data generation means;
An information processing apparatus comprising: In the information processing apparatus,
The data generation means further includes
(D) a node additional variable (salt) of a descendant node of the node corresponding to the selected node key;
Produces
The data output means includes
The information processing apparatus according to claim 23, wherein each of the data (a) to (d) generated by the data generation means is output.   The hierarchical tree can calculate the node-corresponding value of the upper node by an encryption process (forward calculation) applying the Rabin cipher based on the node-corresponding value of the lower node. 24. The information processing apparatus according to claim 23, wherein the information processing apparatus is a one-way tree having a setting in which a node correspondence value of a lower node can be calculated by an applied decoding process (reverse calculation). The encrypted data generated by the data generating means is encrypted data E _D (DK, Data) obtained by encrypting the data to be shared (Data) with the encryption function E _D by applying the data key DK,
The ciphertext set, the data key DK, is said selected node key (NKn) to apply cryptographic function _{E K} by encrypting encrypted data _E K (NKn, DK),
The information processing apparatus according to claim 23, wherein the cryptographic function E _D and the cryptographic function E _K applied by the data generation unit are set as public functions. The data generation means further includes
A mapping function H that defines a size | M | of the modulus M and maps a value of arbitrary size to a random value of size | M |;
A mapping function Hc that maps a value of size | M | to a random value of size C;
The information processing apparatus according to claim 23, wherein the mapping function is determined. The data generation means includes
In the hierarchical tree configuration, the node key set in a node from the data sharing device to the root is applied as a selection node key, and the data key DK is encrypted to generate a ciphertext set. The information processing apparatus according to claim 23. An information processing device that performs decryption processing of encrypted data,
(A) Encrypted data obtained by encrypting data to be shared (Data) with the data key DK,
(B) information of the set S that makes the data sharing device identifiable, and
(C) a ciphertext set generated by encrypting the data key DK by applying a selected node key selected based on the data sharing device based on a hierarchical tree configuration in the broadcast encryption scheme;
Data input means for inputting each of the data (a) to (c);
(C) ciphertext selection means for selecting a ciphertext that can be decrypted by a node key that can be generated based on retained data held by itself from the ciphertext set;
Node key generation means for generating a node key applied to the ciphertext selected by the ciphertext selection means based on retained data held by itself;
A data key acquisition unit that decrypts the ciphertext selected by the ciphertext selection unit by applying the node key generated by the node key generation unit and acquires a data key DK;
Plaintext data acquisition means for decrypting encrypted data by applying the acquired data key DK and acquiring plaintext data;
An information processing apparatus comprising: In the information processing apparatus,
The data input means further includes:
(D) a node additional variable (salt) of a descendant node of the node corresponding to the selected node key;
Enter
The node key generation means includes
30. The information processing apparatus according to claim 29, wherein a node key applied to the selected ciphertext is generated by applying the node addition variable (salt). The information processing apparatus further includes:
Data editing means for editing plaintext data (Data) acquired by the plaintext data acquisition means, and generating edit data (Data2);
File generation means for generating a file including copy data of each data of (b), (c), and (d) in addition to the edit data (Data 2);
Data output means for outputting the file generated in the file generation means;
30. The information processing apparatus according to claim 29, comprising: The ciphertext selecting means includes
30. The information processing apparatus according to claim 29, wherein in the hierarchical tree configuration, a ciphertext encrypted by a node key set in a node from a corresponding node to a root is selected. A computer program that causes a computer to execute encrypted data generation processing that can be decrypted only by a specific selected device,
(A) Encrypted data obtained by encrypting data to be shared (Data) with the data key DK,
(B) information of the set S that makes the data sharing device identifiable, and
(C) a ciphertext set generated by encrypting the data key DK by applying a selected node key selected based on the data sharing device based on a hierarchical tree configuration in the broadcast encryption scheme;
A data generation step for generating each of the data (a) to (c);
Outputting each of the data (a) to (c) generated in the data generation step;
A computer program characterized by comprising: A computer program for executing decryption processing of encrypted data on a computer,
(A) Encrypted data obtained by encrypting data to be shared (Data) with the data key DK,
(B) information of the set S that makes the data sharing device identifiable, and
(C) a ciphertext set generated by encrypting the data key DK by applying a selected node key selected based on the data sharing device based on a hierarchical tree configuration in the broadcast encryption scheme;
A data input step for inputting each of the data (a) to (c);
(C) a ciphertext selection step of selecting a ciphertext that can be decrypted by a node key held by itself from the ciphertext set;
Decrypting the ciphertext selected in the ciphertext selection step using a node key held by the ciphertext and obtaining a data key DK;
A plaintext data obtaining step of decrypting the encrypted data by applying the obtained data key DK and obtaining plaintext data;
A computer program characterized by comprising: A computer program that causes a computer to execute encrypted data generation processing that can be decrypted only by a specific selected device,
(A) Encrypted data obtained by encrypting data to be shared (Data) with the data key DK,
(B) information of the set S that makes the data sharing device identifiable, and
(C) a ciphertext set generated by encrypting the data key DK by applying a selected node key selected based on the data sharing device based on a hierarchical tree configuration in the broadcast encryption scheme;
A data generation step for generating each of the data (a) to (c);
Outputting each of the data (a) to (c) generated in the data generation step;
A computer program characterized by comprising: In the computer program,
The data generation step further includes:
(D) a node additional variable (salt) of a descendant node of the node corresponding to the selected node key;
Produces
The data output step includes
36. The computer program according to claim 35, wherein the computer program is a step of outputting each of the data (a) to (d) generated in the data generation step. A computer program for executing decryption processing of encrypted data on a computer,
(A) Encrypted data obtained by encrypting data to be shared (Data) with the data key DK,
(B) information of the set S that makes the data sharing device identifiable, and
(C) a ciphertext set generated by encrypting the data key DK by applying a selected node key selected based on the data sharing device based on a hierarchical tree configuration in the broadcast encryption scheme;
A data input step for inputting each of the data (a) to (c);
(C) a ciphertext selection step of selecting a ciphertext that can be decrypted by a node key that can be generated based on retained data held by itself from the ciphertext set;
A node key generation step of generating a node key applied to the ciphertext selected in the ciphertext selection step based on retained data held by itself;
Decrypting the ciphertext selected in the ciphertext selection step by applying the node key generated in the node key generation step, and obtaining a data key DK;
A plaintext data obtaining step of decrypting the encrypted data by applying the obtained data key DK and obtaining plaintext data;
A computer program characterized by comprising: In the computer program,
The data input step further includes:
(D) a node additional variable (salt) of a descendant node of the node corresponding to the selected node key;
Enter
The node key generation step includes:
38. The computer program product according to claim 37, wherein the node additional variable (salt) is applied to generate a node key applied to the selected ciphertext.

Images