JP2007189597A - Encryption device, encryption method, decoding device, and decoding method - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To restrain limitations imposed on a transmitting party of contents in a multicasting encryption system. <P>SOLUTION: The multicasting encryption system 1 is used for obtaining a first to a third multicasting encryption method and composed of a transmitter 10 which encrypts contents and transmits the encrypted contents, a receiving terminal device 20 which receives the encrypted contents and decodes the encrypted contents, and a communication network 30 which connects the transmitter 10 and the receiving terminal device 20 together. Moreover, two or more receiving terminal devices 20 are provided. The first multicasting encryption method utilizes an SD method and BTE. The second multicasting encryption method utilizes the SD method, BTE and FS. The third multicasting encryption method utilizes a BGW Scheme, BTE and FS. The multicasting encryption system 1 of this invention can be applied to the multicasting of contents by broadcasting or the dissemination of recording medium. <P>COPYRIGHT: (C)2007,JPO&INPIT

Description

  The present invention relates to an encryption device, an encryption method, a decryption device, and a decryption method, and more particularly, to an encryption device, an encryption method, and a decryption method that are suitable for data encryption and broadcast communication. The present invention relates to an apparatus and a decoding method.

  In a service that transmits content such as video or music as a television broadcast or radio broadcast, distributes it via a network typified by the Internet, or records and distributes it on a recording medium, In order to protect copyright and prevent content from being viewed by unauthorized users, the content is encrypted with the content key, and this content key is encrypted with the device key. Of a system that transmits (or distributes or records), decrypts a content key encrypted using a device key held in advance in the receiving terminal device, and decrypts the content using the resulting content key Use is common. Hereinafter, such a system is referred to as a broadcast communication encryption system.

  In the broadcast communication encryption system, when a key held in the receiving terminal device leaks out due to some accident or illegal work, a legitimate receiving terminal device operated by a user who has the right to view content An unauthorized receiving terminal device (a legitimate receiving terminal device operated by a user who does not have content viewing authority) can reproduce the content.

  Therefore, in order to prevent such a situation, there is a revocation scheme (Revocation Scheme) that can perform encryption so that the leaked device key cannot be decrypted. However, this invalidation key management method has a problem that the number of keys required in advance as a system becomes enormous when a key is simply invalidated for an individual receiving terminal device.

  Subset-Cover Revocation exists as a key management technique that can reduce the number of device keys required in advance for the system. In Subset-Cover Revocation, device keys are managed using a tree structure, a receiving terminal device is assigned to a leaf of the tree structure (the lowest layer of the tree structure), and a device key is assigned to a node. A Subset Difference Method (SD method) is known as a specific method for realizing Subset-Cover Revocation (see Non-Patent Document 1).

D.Naor, M.Naor, and J.Lotspiech, “! Revocation and tracing schemes for stateless receivers”, CRYPTO, '01, 2001.

  The SD method can keep the message length of the encrypted code string short even if the number of device keys to be invalidated increases. However, in the case of a key management method in which encryption is performed using a secret key on the transmission side, content transmission is limited to a trusted organization that can know the secret key. In addition, even if the device key is invalidated even if the device key is invalidated, there is a problem that encrypted content that has already been transmitted is reproduced using the invalidated device key.

  The present invention has been made in view of such a situation. By using a public key for encryption on the transmission side of the broadcast communication encryption system, the restriction on the content sender is removed.

  According to a first aspect of the present invention, there is provided an encryption device (encryption method) for encrypting content so that an unauthorized one cannot be decrypted among a plurality of decryption devices assigned to each leaf of a binary tree. And determining means (step) for determining covering in the binary tree corresponding to the leaf to which the unauthorized decryption device is assigned based on the SD method, and encrypting the content using a content key A first encryption means (step), a second encryption means (step) for encrypting the content key corresponding to the determined covering, an encryption result of the content, and the content key An encryption device (encryption method) including output means (step) for outputting ciphertext including an encryption result.

  In the first aspect of the present invention, based on the SD method, covering in a binary tree is determined corresponding to a leaf to which an unauthorized decryption device is assigned, and content corresponding to the determined covering is determined. The key is encrypted, and a ciphertext including the content encryption result and the content key encryption result is output.

  According to a second aspect of the present invention, there is provided a binary tree corresponding to a leaf to which an illegal one is assigned among a plurality of decoding devices assigned to each leaf of the binary tree based on the SD method. Determining means for determining covering, first encrypting means for encrypting the content using a content key, and second encrypting means for encrypting the content key corresponding to the determined covering In the decryption device (decryption method) that decrypts the ciphertext including the content encryption result and the content key encryption result output from the encryption device including Deriving means (step) for deriving a second secret key corresponding to the covering based on one secret key, and the content key from the ciphertext based on the derived second secret key Obtaining means Tokusuru (step), based on the acquired the content key, (a decoding method) decoding means (step) and decoding apparatus comprising obtaining said content by decrypting the ciphertext.

  In the second aspect of the present invention, a second secret key corresponding to the covering is derived based on the first secret key held in advance, and the ciphertext is derived based on the derived second secret key. The content key is obtained from the content, and the ciphertext is decrypted based on the obtained content key to obtain the content.

According to a third aspect of the present invention, there is provided an encryption device (encryption method) for encrypting content so that unauthorized ones cannot be decrypted among a plurality of decryption devices assigned to each leaf of a binary tree. And determining means (step) for determining covering in the binary tree corresponding to the leaf to which the unauthorized decryption device is assigned based on the SD method, and encrypting the content using a content key A first encryption means (step), a second encryption means (step) corresponding to the determined covering and encrypting the content key at time t ₂ , the content encryption result, An encryption device (encryption method) including an encryption unit (encryption method) that outputs an encryption result including a content key encryption result and a time t ₂ .

In the third aspect of the present invention, based on the SD method, covering in the binary tree is determined corresponding to a leaf to which an unauthorized decryption device is assigned, and the content is encrypted using the content key. The Then, in response to the determined covering, a content key at the time t ₂ it is encrypted, the encryption result of the content, encryption result of the content key, and the ciphertext that includes the time t ₂ is output.

According to a fourth aspect of the present invention, there is provided a binary tree corresponding to a leaf to which an illegal one is assigned among a plurality of decoding devices assigned to each leaf of the binary tree based on the SD method. Determining means for determining covering; first encryption means for encrypting the content using a content key; and second means for encrypting the content key at time t ₂ corresponding to the determined covering. In the decryption device for decrypting the ciphertext including the encryption result of the content, the encryption result of the content key, and the time t ₂ output from the encryption device including the encryption means of Derivation means (step) for deriving a second secret key at time t ₂ corresponding to the covering based on the first secret key at time t ₁ (≦ t ₂ ), and derived time t ₂ The second of Obtaining means (step) for obtaining the content key from the ciphertext based on a secret key; and decrypting means (step) for obtaining the content by decrypting the ciphertext based on the obtained content key. It is a decoding apparatus (decoding method) including.

The deriving means generates a second secret key at time t ₁ corresponding to the covering based on the first secret key held at time t _{1 and} holds the second secret key at the generated time t ₁ . of it can be made to update to the second secret key of the time the secret key t _2.

The derivation means obtains the two second secret keys by updating the generated second secret key at time t ₁ , one of which is the second secret key at time t ₂ , Can be accumulated.

The deriving means updates the first secret key at time t ₁ held in advance to the first secret key at time t ₂ , and based on the updated first secret key at time t ₂ , The second secret key at time t ₂ corresponding to the covering can be generated.

In the fourth aspect of the present invention, a _second secret key at time t ₂ corresponding to the covering is derived based on the first secret key at time t ₁ (≦ t ₂ ) held in advance. A content key is acquired from the ciphertext based on the derived second secret key at time t ₂ , and the content is obtained by decrypting the ciphertext based on the acquired content key.

According to a fifth aspect of the present invention, in an encryption apparatus (encryption method) for encrypting content based on the BGW Scheme, the ciphertext C is obtained by the encryption algorithm ENC _{BGW_FS} (S, K, t) at time t = t ₂ . , Hdr generating means (step) and the generated ciphertext C, Hdr output means (step), wherein the ciphertext Hdr includes a time t. ).

In the present invention a fifth aspect, the time t = t encryption algorithm ENC _{BGW_FS} in ₂ (S, K, t) by the ciphertext C, Hdr is generated, the generated ciphertext C, Hdr is output.

A sixth aspect of the present invention, the time t = encryption algorithm at _{t 2 ENC BGW_FS (S, K} , t) by the ciphertext C, a generating means for generating Hdr, said ciphertext Hdr contains time t In the decryption device (decryption method) for decrypting the ciphertexts C and Hdr output from the encrypted device, the ciphertext is based on the secret key corresponding to the time t ₁ (≦ t ₂ ) held in advance. Deriving means (step) for deriving a secret key corresponding to time t = t ₂ included in Hdr, and acquiring means for acquiring a session key from the ciphertext Hdr based on the secret key corresponding to the derived time t ₂ A decryption device (decryption method) including (step) and decryption means (step) for decrypting the ciphertext C to obtain the content based on the acquired session key.

The derivation means derives _two secret keys based on the secret key corresponding to the time t ₁ (≦ t ₂ ) held in advance, and one of them corresponds to the time t = t ₂ included in the ciphertext Hdr. The other can be stored as a secret key.

In the sixth aspect of the present invention, a secret key corresponding to time t = t ₂ included in the ciphertext Hdr is derived based on a secret key corresponding to time t ₁ (≦ t ₂ ) held in advance. The session key is acquired from the ciphertext Hdr based on the secret key corresponding to the derived time t _2, and the ciphertext C is decrypted based on the acquired session key to obtain the content.

  As described above, according to the first and second aspects of the present invention, it is possible to remove restrictions on the content sender in the broadcast encryption system. In addition, the number of public keys prepared in advance as a system can be reduced, and a secret key can be derived with a relatively small amount of calculation.

  According to the third and fourth aspects of the present invention, it is possible to remove the restriction on the content sender in the broadcast encryption system. In addition, the number of public keys prepared in advance as a system can be reduced, and a secret key can be derived with a relatively small amount of calculation. Furthermore, it becomes possible to prevent the ciphertext transmitted in the past from being decrypted.

  According to the fifth and sixth aspects of the present invention, it is possible to remove restrictions on the content sender in the broadcast encryption system. Further, the message length can be kept constant regardless of the total number of decoding devices or the number of illegal decoding devices. Furthermore, it becomes possible to prevent the ciphertext transmitted in the past from being decrypted.

  Hereinafter, specific embodiments to which the present invention is applied will be described in detail with reference to the drawings.

  FIG. 1 shows a configuration example of a broadcast communication system to which the present invention is applied. The broadcast communication system 1 realizes three types of broadcast encryption described later, a transmission device 10 that encrypts and transmits content, and a reception terminal device that receives and decrypts the encrypted content. 20, a communication network 30 connecting the transmission device 10 and the reception terminal device 20. It is assumed that there are a plurality of receiving terminal devices 20.

  The transmitting device 10 encrypts the content using a public key held in advance, and transmits the content encrypted by the encrypting unit 11 to the receiving terminal device 20 via the communication network 30. The transmitting unit 12 is configured.

  The receiving terminal device 20 is based on a receiving unit 21 that receives encrypted content via the communication network 30, and a secret key that is stored in advance by the receiving unit 21. And a decoding unit 22 for decoding.

  The communication network 30 is a broadcasting network such as television broadcasting, radio broadcasting, and cable broadcasting, a data network such as a WAN (Wide Area Network) and a LAN (Local Area Network) represented by the Internet, and encrypted data. Recording on a recording medium and distributing it.

  The encryption unit 11 of the transmission device 10 and the decryption unit 22 of the reception terminal device 20 may be realized by hardware or software.

  When realized by software, a program constituting the software can execute various functions by installing a computer incorporated in dedicated hardware or various programs. For example, FIG. It is installed from a recording medium in a general-purpose personal computer configured as shown in FIG.

  The personal computer 50 includes a CPU (Central Processing Unit) 51. An input / output interface 55 is connected to the CPU 51 via the bus 54. A ROM (Read Only Memory) 52 and a RAM (Random Access Memory) 53 are connected to the bus 54.

  The input / output interface 55 includes an input unit 56 including an input device such as a keyboard and a mouse, an output unit 57 including a display such as a CRT (Cathode Ray Tube) or LCD (Liquid Crystal Display) for displaying an operation screen, a program, A storage unit 58 composed of a hard disk drive or the like for storing various data, and a communication unit 59 composed of a modem, a LAN (Local Area Network) adapter, etc., for performing communication processing via a network represented by the Internet are connected. . Also, a magnetic disk (including a flexible disk), an optical disk (including a CD-ROM (Compact Disc-Read Only Memory), a DVD (Digital Versatile Disc)), a magneto-optical disk (including an MD (Mini Disc)), or a semiconductor A drive 60 for reading / writing data from / to a recording medium 61 such as a memory is connected.

  A program for causing the personal computer 50 to execute processing as the encryption unit 11 or the decryption unit 22 is supplied to the personal computer 50 while being stored in the recording medium 61, read by the drive 60, and stored in the storage unit 58. Installed on the internal hard disk drive. The program installed in the storage unit 58 is loaded from the storage unit 58 to the RAM 53 and executed by a command of the CPU 51 corresponding to a command from the user input to the input unit 56.

  Next, three types of broadcast ciphers realized by the broadcast communication system 1 (hereinafter referred to as a first broadcast cipher, a second broadcast cipher, or a third broadcast cipher, respectively). ), That is, the SD method, BTE (Binary Tree Encryption), FS (Forward Security), and BGW Scheme will be described.

  The first broadcast encryption uses the SD method and BTE. The second broadcast cipher uses the SD method, BTE, and FS. The third broadcast cipher uses BGW Scheme, BTE, and FS. Hereinafter, the symbol “20” of the receiving terminal device 20 is omitted as appropriate.

SD method The SD method is a kind of Subset-Cover Revocation. In Subset-Cover Revocation, a process for preventing encrypted content from being decrypted is referred to as invalidation (Revocation), and the entire set of multiple receiving terminal devices is N, and the set of receiving terminal devices to be invalidated Is R, the receiving terminal device ∈ N \ R having the authority to decrypt the encrypted content from the transmitting device 10 can decrypt the encrypted content, but the invalidated reception The terminal device ∈ R prevents the encrypted content from being decrypted even if a large number of the terminal devices ε R are collaborated.

The SD method is a method for solving the disadvantage of the CS (Complete Subtree method) method in which the number of subtrees to be covered (message length) increases as the size of the set R increases, and a plurality of receiving terminal devices 20 are grouped together. When receiving, the receiving terminal device to be invalidated is included in the subtree under it, and covering is performed using the difference SDa _{, c} of the complete subtree. Here, a is the route of the external complete subtree, and c is the route of the internal complete subtree including the receiving terminal device to be invalidated. For example, as shown in FIG. 3, when the set R = {u ₀₁₁ , u ₁₁₀ , u ₁₁₁ } of receiving terminal devices (indicated by x in the figure) to be invalidated, the covering is SD _0,011 , SD _1,11. It becomes.

According to the SD method, a security requirement against an attack that attempts to decrypt content encrypted by a plurality of invalidated receiving terminal devices is defined as covering SD _{a, c} for grouping receiving terminal devices. Assign a different key for each. However, the number of keys necessary for assigning different keys to all coverings SD _{a, c} is O (nlogn).

Non-Patent Document 1 discloses a method of reducing the number of necessary keys to O (log ² n) by using a pseudo-random number generator so that a child key can be created from a parent key. In this method, different keys can be generated by setting all labels (original data for generating keys) assigned to the internal nodes of the tree, which are input values of the pseudorandom number generator, to different values.

Note that since the covering Sa _{, c} can integrate the subtrees divided in the CS method, the message length (corresponding to the number of subtrees necessary for covering) is shorter than that in the CS method. Further, when the total number of receiving terminal devices to be invalidated is r, the upper limit of the number of subtrees is known to be 2r-1.

BTE
BTE is a simplified hierarchical ID-based cipher (HIDE) into a binary tree. If the root node is ε and the parent node is wε {0,1} ^* , the left child node w0 is changed to the right child. The node is regarded as an ID with w1.

Hereinafter, the bit length of the node w is described as | w |, and the left to i-th bit of the node w is described as w | _i . However, when “w | _i ” or the like is used as a subscript, the subscript of i is canceled and written as _{| w | i} for convenience of description. Further, w0 is a value obtained by adding 0 to the least significant bit side of the node w, and w1 is a value obtained by adding 1 to the least significant bit side of the node w. For example, when the node w = 1011, | w | = 4, w | ₂ = 10, w | ₃ = 101, w0 = 10110, w1 = 10111.

The safety of BTE is based on the difficulty of the BDH (Bilinear Diffie-Hellman) problem. G ₁ and G ₂ are cyclic groups with orders of prime number q, where G ₁ is an additive group and G ₂ is a multiplicative group, bilinear mapping e: G ₁ × G ₁ → G ₂ is For P, QεG ₁ , ∀a, bεZ _q , e (aP, bQ) = e (bP, aQ) = e (P, Q) ^ab .

A setup algorithm GEN _BTE , a key generation algorithm DER _BTE , an encryption algorithm ENC _BTE , and a decryption algorithm DEC _{BTE in BTE} will be described.

Setup algorithm GEN _BTE
The setup algorithm GEN _BTE (1 ^λ , h) when the security parameter 1 ^λ and the tree height h are input comprises the following processes (1) to (4).
(1) The BDH parameter generator IG (1 ^λ ) is executed to generate groups q ₁ and G ₂ of order q and a bilinear map e.
(2) PεG ₁ and αεZ _q are selected at random, and Q = αP. Here, Z _q is a set of integers of 0 or more and less than q.
(3) Select cryptographic hash function H: {0, 1} ^* → G ₁ .
(4) Let PK = (G ₁ , G ₂ , e, P, Q, H) be the public key, and S _ε = αH (ε) be the root secret key.

Key generation algorithm DER _BTE
A key generation algorithm DER _BTE (PK, w, which outputs the private keys SK _w0 and SK _w1 corresponding to the left child node w0 and the right child node w1, respectively, with the public key PK and the secret key SK _w corresponding to the node w as inputs. SK _w ) includes the following processes (1) and (2).
(1) ρ _w0 , ρ _w1 εZ _q are selected at random, R _w0 = ρ _w0 P, R _w1 = ρ _w1 P, S _w0 = S _w + ρ _w0 H (w0), S _w1 = S _w + ρ _w1 H (w1) is calculated.
(2) _SKw0 = ( _{Rw | 1} ,..., _{Rw || w |} , _Rw0 , _Sw0 ), _SKw1 = ( _{Rw | 1} ,..., _{Rw || w |} , _Rw1 , S _w1 ) is output.

Encryption algorithm ENC _BTE
The encryption algorithm ENC _BTE (PK, w, M) that receives the public key PK, the node w, and the message MεG ₂ and outputs the ciphertext C includes the following processes (1) and (2).
(1) Generate a random number rεZ _q .
(2) C = (rP, rH (w | ₁ ), rH (w | ₂ ),..., RH (w | _{| w |} ), M · d) = (U ₀ , U ₁ ,..., U _{| w |} , V) is output.
Here, U ₀ = rP, U _i = rH (w | _i ) (i is an integer of 1 or more and | w | or less), and d = e (Q, H (ε)) ^r .

（２）Ｖ／ｄを算出することによりメッセージＭを得る。Ｍ＝Ｖ／ｄ Decryption algorithm DEC _BTE
Public key PK, node w, secret key _{SK w = (R w | 1} , ..., R w || w |, S w) on the basis of the decoding algorithm to decrypt the ciphertext C DEC _BTE (PK, w , SK _w , C) includes the following processes (1) and (2).
(1) Calculate d based on SK _w and C.

(2) The message M is obtained by calculating V / d. M = V / d

FS
The FS updates the device key (secret key) held in the receiving terminal device at a predetermined cycle based on itself, so that even if the device key leaks at a certain point in time, it is already encrypted. It is impossible to decrypt the content that is being stored.

In the present invention, FS is realized by applying a method using a stack for storing BTE and a secret key. The secret key is associated with all nodes in the binary tree. When the height of the binary tree is h, the maximum number of secret keys to be updated is 2 ^{h + 1} −1.

As in the binary tree of time shown in FIG. 4, the update of the secret key starts from the root of the tree at time t = 0 and is in the order of pre-order. Let the node corresponding to time t be w ^(t) . However, if you want to use, such as "w ^(t)" as a subscript, for the convenience of notation, also described as ^{w (t)} to release the superscript (t). The secret key corresponding to the node w ^(t) is SK _{w (t)} . The node w ^{(t + 1)} corresponding to the time t + 1 is set to w ^{(t + 1)} = w ^(t) 0 when the node w ^(t) is an internal node, and the node w ^(t) is a leaf. In this case, w ^{(t + 1)} = (w + 1) | _{i '} . Here, | _{i ′} represents a value obtained by deleting 0 until 1 appears from the least significant bit side.

For example, since node w ⁽⁵⁾ = 01 _t at time t = 5 and this node w ⁽⁵⁾ is an internal node, node w ⁽⁶⁾ = 010 _{t at} time t = 6. Since node w ⁽⁶⁾ is a leaf, node w ⁽⁷⁾ = 010 + 1 = 011 at time t = 7, and 1 appears in the least significant bit, so w ⁽⁷⁾ = 011 _t . Since the node w ⁽⁷⁾ is a leaf, the node w ⁽⁸⁾ = 011 + 1 = 100 at time t = 8, and it is 1 when 0 is erased until 1 appears from the least significant bit side. Therefore, node w ⁽⁸⁾ = 1 _t .

When the secret key SK _{w (t) at} time t is assigned to the internal node, the secret key SK _{w (t) 0} assigned to one of its child nodes is updated to the secret key at the next time t + 1. And the secret key SK _{w (t) 1} assigned to the other is stored in the stack. If the secret key SK _{w (t)} is assigned to the leaf, the secret key stored last in the stack is taken out and used as the secret key at time t + 1.

A setup algorithm GEN _FS , a key update algorithm KUD _FS , an encryption algorithm ENC _FS , and a decryption algorithm DEC _{FS in FS} will be described.

Setup algorithm GEN _FS
In the setup algorithm GEN _FS (1 ^λ , L) when the security parameter 1 ^λ and the maximum update count L are input, by executing the GEN _BTE (1 ^λ , h) described above, the public key PK and the root node The secret key SK _ε = S _ε is obtained. Note that L is an integer of 2 ^{h + 1} −1 or less.

Key update algorithm KUD _FS
The key update algorithm KUD _FS (PK, t, SK _{w (t)} ) for obtaining the secret key at time t includes the following processes (1) to (4).
(1) The node w ^(t) at time t is calculated.
(2) It is determined whether the node w ^(t) is an internal node or a leaf of the binary tree.
(3) When the node w ^(t) is an internal node, the above-described key generation algorithm DER _BTE (PK, w ^(t) , SK _{w (t)} ) is executed to execute the secret key SK _{w (t) 0} , SK. Generate _{w (t) 1} . Then, the secret key SK _{w (t) 0} is set as the secret key SK _{w (t + 1)} at time t + 1, the secret key SK _{w (t) 1} is stored in the stack, and the secret key SK _{w (t)} is deleted. .
(4) When the node w ^(t) is a leaf, the secret key stored in the stack is extracted and set as the secret key SK _{w (t + 1) at} time t + 1.

Encryption algorithm ENC _FS
The encryption algorithm ENC _FS (PK, t, M) that receives the public key PK, the time t, and the message MεG ₂ and outputs the ciphertext C includes the following processes (1) and (2).
(1) The node w ^(t) at time t is calculated.
(2) The ciphertext C is obtained by executing the above-described ENC _BTE (PK, w ^(t) , M).

Decryption algorithm DEC _FS
The decryption algorithm DEC _FS (PK, t, SK _{w (t)} , C) for decrypting the ciphertext C based on the public key PK, the secret key SK _{w (t)} at time t, and time t is as follows: The process consists of (1) and (2).
(1) The node w ^(t) at time t is calculated.
(2) The message M is obtained by executing the above-described DEC _BTE (PK, w ^(t) , SK _{w (t)} , C).

BGW Scheme
BGW Scheme is a technique disclosed in D.Boneh, C.Gentry, and B.Waters, “Collusion Resistant Broadcast Encryption With Short Ciphertext and Private Keys”, CRYPTO'05,2005. Regardless of n or the number of illegal receiving terminal devices (the number of receiving terminal devices to be invalidated), the message length can always be 2 and the number of secret keys held by each receiving terminal device can be 1 It is a public key type broadcast encryption.

The safety of BGW Scheme is based on the difficulty of the BDH problem, as is the safety of BTE. G ₁ and G ₂ are cyclic groups with orders of prime q, and when each is a multiplicative group, bilinear mapping e: G ₁ × G ₁ → G ₂ is given by ∀P, Q∈G ₁ , For ∀a, bεZ _q , e (P ^a , Q ^b ) = e (P ^b , Q ^a ) = e (P, Q) ^ab

A setup algorithm GEN _BGW , an encryption algorithm ENC _BGW , and a decryption algorithm DEC _BGW in BGW Scheme will be described.

（３）ＰＫ＝（ｇ，ｇ₁，…，ｇ_n，ｇ_n+2，…，ｇ_2n，ｖ）を公開鍵、ｓｋ_iを受信端末装置ｉ（ｉ＝１，…，ｎ，ｎ＋２，…，２ｎ）の秘密鍵、α，βをシステムの秘密鍵とする。 Setup algorithm GEN _BGW
The setup algorithm GEN _BGW (1 ^λ , n) when the security parameter 1 ^λ and the total number n of receiving terminal devices are input includes the following processes (1) to (3).
(1) The BDH parameter generator IG (1 ^λ ) is executed to generate the multiplicative groups G ₁ and G _{2 of} order q and the bilinear map e.
(2) G ₁ generators α and βεZ _q are selected at random, and g _i , sk _i , and v are calculated.

(3) PK = (g, g ₁ ,..., G _n , g _{n + 2} ,..., G _2n , v) is a public key, and sk _i is a receiving terminal device i (i = 1,..., N, n + 2, .., 2n) and α and β are system secret keys.

（３）暗号文ＣとHdrを出力する。 Encryption algorithm ENC _BGW
An encryption algorithm ENC _BGW (S, PK) that receives a set of regular receiving terminal devices S⊆ {1, 2,..., N} and a public key PK is obtained from the following processes (1) to (3). Become. Note that an encryption function using a session key K for a set S⊆ {1, 2,..., N} of regular receiving terminal devices is E _K.
(1) Generate a random number rεZ _q and determine a session key K = e (gn _{+ 1} , g) ^r . Note that e (g _{n + 1} , g) is calculated based on (g _n , g ₁ ).
(2) The content M is encrypted using the encryption function E _K to obtain a ciphertext C = E _K (M). Further, Hdr is calculated.

(3) Output ciphertext C and Hdr.

（２）Ｅ_K（Ｃ）でコンテンツＭを復号化する。 Decryption algorithm DEC _BGW
Decoding algorithm DEC _BGW to decrypt the ciphertext C (C, Hdr, S, i, sk i, PK) consists of the following processes (1) and (2).
(1) In the receiving terminal device i satisfying iεS, the session key K is calculated using the held secret key ski _i .

(2) The content M is decrypted with E _K (C).

  Next, first to third broadcast ciphers realized by the broadcast communication system 1 to which the present invention is applied will be described.

In the first broadcast cipher, BTE is applied to the SD method using a public key on the transmission side. In BTE, as described above, a child secret key can be created from a parent secret key. Therefore, when a child secret key is generated using the internal node a of the binary tree as a base point, the secret is generated using different ρ _{a, c.} If the keys SK _{a, c} are created, different secret keys can be assigned to the respective covers. Also, since BTE uses bilinear mapping, it is possible to realize a broadcast communication cipher that performs encryption using a public key.

The setup algorithm GEN _SD , initial key generation algorithm DER_CENT _SD , key derivation algorithm DER_TERM _SD , encryption algorithm ENC _SD , and decryption algorithm DEC _{SD in} the first broadcast encryption will be described.

Setup algorithm GEN _SD
The setup algorithm GEN _SD (1 ^λ , h) when the security parameter 1 ^λ and the tree height h are input comprises the following processes (1) to (4).
(1) The BDH parameter generator IG (1 ^λ ) is executed to generate groups q ₁ and G ₂ of order q and a bilinear map e.
(2) PεG ₁ and αεZ _q are selected at random, and Q = αP. Here, Z _q is a set of integers of 0 or more and less than q.
(3) Select cryptographic hash function H ₁ : {0, 1} ^* → G ₁ .
(4) PK = (G ₁ , G ₂ , e, P, Q, H ₁ ) is the public key, S _ε = αH ₁ (ε) is the root secret key, and S _{ε ′} = αH ₁ (ε ′) It is assumed that the secret key does not correspond to the SD method covering when there is no receiving terminal device to be invalidated.

Initial key generation algorithm DER_CENT _SD
The initial key generation algorithm DER _SD (PK, a, b) for generating the secret key SK _{a, b} corresponding to the SD method covering SD _{a, b} , which is held in the receiving terminal device, is the following (1) and ( 2).
(1) ρ _{a, b} εZ _q is selected at random, and R _{a, b} = ρ _{a, b} P, S _{a, b} = S _ε + ρ _{a, b} H ₁ (b) is calculated.
(2) SK _{a, b} = (R _{a, b} , S _{a, b} ) is output.

The receiving terminal device holds the same number of secret keys SK _{a, b} and secret keys S _{ε ′} as in the SD method. For example, in the receiving terminal device assigned to the node w, if the node on the path from the root to the node w is a and the node branching from the path is b, the secret key SK _{a, b} = (R _{a, b} , S _{a, b} ) = (ρ _{a, b} P, S _ε + ρ _{a, b} H (b)) is held.
a is w | _i 0 ≦ i <logn
b is a sibling node of w | _j 1 ≦ j ≦ logn

Key derivation algorithm DER_TERM _SD
The key derivation algorithm DER_TERM _SD (PK, a, b, SK _{a, b} ) for deriving the child secret keys SK ′ _{a, b0} , SK ′ _{a, b1} from the parent secret key SK _{a, b} in the receiving terminal device is: It consists of the following processes (1) and (2). Note that “′” such as SK ′ _{a, b0} means a secret key derived in the receiving terminal device and its key component.
(1) ρ ′ _{a, b0} , ρ ′ _{a, b1} ∈Z _q are selected at random, and R ′ _{a, b0} = ρ ′ _{a, b0} P, R ′ _{a, b1} = ρ ′ _{a, b1} P, S ' _{a, b0} = S _{a, b} + ρ' _{a, b0} H ₁ (b0), S ' _{a, b1} = S _{a, b} + ρ' _{a, b1} H ₁ (b1) are calculated.
(2) SK ′ _{a, b0} = (R _{a, b} , R ′ _{a, b0} , S ′ _{a, b0} ), SK ′ _{a, b1} = (R _{a, b} , R ′ _{a, b1} , S ′ _{a, b1} ) is output.

Encryption algorithm ENC _SD
The encryption algorithm ENC _SD (PK, a, c, K) that receives the content key KεG ₂ and outputs the ciphertexts U _a , V _a corresponding to the covering SD _{a, c} is as follows (1) To (5).
(1) Generate _a random number r _a εZ _q .
(2) The child node b of the node a existing on the path from the node a to the node c is detected.
(3) V _a = K · d _a is calculated. Here, d _a = e (Q, H ₁ (ε)) ^ra .
(4) U _a = (r _a P, r _a H ₁ (c || _{b |} ), r _a H ₁ (c _{|| b | +1} ), ..., r _a H ₁ (c _{|| c |} ) ) = (U _{a, 0} , U _{a, c || b |} ,..., U _{a, c || c |} ) is calculated.
(5) for outputting the ciphertext U _a, V _a and the random number r _a.

ここで、Ｄは次式のとおりである。

（３）Ｖ_a／ｄ_aを算出することによりコンテンツ鍵Ｋを得る。Ｋ＝Ｖ_a／ｄ_a
（４）コンテンツ鍵Ｋを用いて暗号文Ｅ_K（Ｍ）を復号化し、コンテンツＭを得る。 Decryption algorithm DEC _SD
A decryption algorithm DEC _SD (PK, a, b, c, SK _{a, b} , U _a , V _a ) for decrypting the ciphertext U _a , V _a based on the secret key SK _{a, b} at the receiving terminal device. Consists of the following processes (1) and (2).
(1) Using the secret key SK _{a, b} held by the receiving terminal device, the above-described key derivation algorithm DER_TERM _SD (PK, a, b, SK _{a, b} ) is repeated until the node b reaches the node c. By executing, the secret key SK ′ _{a, c} = (R _{a, c || b |} , R ′ _{a, c || b | +1} ,..., R ′ _{a, c || c |} , S ′ _{a , c} ).
(2) Calculate d _a based on the following equation.

Here, D is as follows.

(3) The content key K is obtained by calculating V _a / d _a . K = V _a / d _a
(4) The ciphertext E _K (M) is decrypted using the content key K to obtain the content M.

  Next, as shown in FIG. 5, for example, three of u001, u100, and u101 among eight receiving terminal devices (the receiving terminal device assigned to the leaf 000 is described as u000, and so on). The first broadcast communication cipher will be specifically described by taking as an example a case where content is transmitted so as to invalidate the content and the content is reproduced in u010.

Note that u010 includes secret keys SK _{ε, 1} , SK _{ε, 00} , SK _{ε, 011} , SK _0,00 , SK _0,011 , SK generated using the secret key S _{ε ′} and the initial key generation algorithm DER_CENT _{SD. Assume} that _01,011 is held in advance.

  FIG. 6 is a flowchart for explaining the processing (first encryption processing) of the transmission apparatus 10 in the first broadcast encryption.

In step S1, the encryption unit 11 determines the covering SD _{a, c} in the SD method based on the node of the receiving terminal device to be invalidated. In the example of FIG. 5, two coverings SD _0,001 and SD _1,10 are determined.

In step S2, the encryption unit 11 selects the content key K, encrypts the content M using the selected content key K, and obtains E _K (M).

In step S3, the encryption unit 11 executes the encryption algorithm ENC _SD corresponding to the coverings SD _{a and c} determined in step S1, respectively. In the example of FIG. 5, the encryption algorithms ENC _SD (PK, 0, 001, K) and ENC _SD (PK, 1, 10, K) are executed. As a result of the encryption algorithm ENC _SD (PK, ₀ , 001, K), U ₀ = (r ₀ P, r ₀ H ₁ (00), r ₀ H ₁ (001)), V ₀ = K · obtain d _0. Further, U ₁ = (r ₁ P, r ₁ H ₁ (10)), V ₁ = K · d ₁ is obtained as a result of the encryption algorithm ENC _SD (PK, 1, 10, K). Here, d ₀ = e (Q, H ₁ (ε)) ^{r 0} and d ₁ = e (Q, H ₁ (ε)) ^r ₁ .

In step S < _b > 4, the encryption unit 11 generates the ciphertext C _SD by adding the search information i to the processing results of steps S < _b > 2 and S < _b > _{3 by} the number of coverings SD _{a, c} and outputs it to the transmission unit 12. In the case of the example in FIG. 5, ciphertext C _SD = <i ₀ , i ₁ ; U ₀ , U ₁ ; V ₀ , V ₁ ; E _K (M)> is generated by adding search information i ₀ and i _1. And output to the transmitter 12. The retrieval information i ₀ and i ₁ is for retrieving the encryption keys U ₀ and U ₁ ; V ₀ and V ₁ from the ciphertext C _SD in the receiving terminal device. Transmitter 12 transmits via the communication network 30 the ciphertext C _SD. This completes the first encryption process.

  FIG. 7 is a flowchart for explaining the process (first decryption process) of the receiving terminal apparatus u010 in the first broadcast cipher.

In step S11, the receiving unit 21, and outputs the acquired ciphertext C _SD transmitted from the transmitting apparatus 10 to the decoder 22. In step S12, the decryption unit 22 retrieves the encryption keys U ₀ , U ₁ ; V ₀ , V ₁ based on the retrieval information i ₀ , i ₁ included in the ciphertext C _SD and holds them in advance. The secret key SK _0,00 is input and the key derivation algorithm DER_TERM _SD (PK, 0, 00, SK _0,00 ) is executed to generate secret keys SK ′ _0,000 and SK ′ _0,001 . Among these, the secret key SK ′ _0,001 is the target secret key.

In step S13, the decryption unit 22 uses the secret key SK ′ _0,001 = (R _0,00 , R ′ _0,001 , S ′ _0,001 ) and calculates d ₀ as in the following equation. However, it should be noted that ρ ′ _0,001 generated in the process of calculating d ₀ is different from ρ _0,001 generated in the transmission apparatus 10. Further, the decryption unit 22 obtains the content key K by calculating V ₀ / d ₀ .

In step S14, the decryption unit 22 decrypts E _K (M) using the content key K generated in step S13, and acquires content M. Thus, the first decoding process by the receiving terminal device u010 is completed.

For example, since the receiving terminal device u0O0 holds the secret key SK _0,001 in advance, the process of step S12 can be omitted.

  Next, the second broadcast communication encryption will be described. As the second broadcast cipher, FS is applied to the first broadcast cipher described above. That is, in the second broadcast cipher, two binary trees for generating a child secret key from a parent secret key in the SD method and two binary trees for updating each secret key at a predetermined time period are used. Wood is used.

The setup algorithm GEN _{SD_FS} , key generation algorithm DER_CENT _{SD_FS} , key update algorithm KUP_TERM _{SD_FS} , encryption algorithm ENC _{SD_FS} , and decryption algorithm DEC _{SD_FS in} the second broadcast encryption will be described.

Setup algorithm GEN _{SD_FS}
The setup algorithm GEN _{SD_FS} (1 ^λ , h) when the security parameter 1 ^λ and the tree height h are input comprises the following processes (1) to (3).
(1) The public key PK is obtained by executing the setup algorithm GEN _SD (1 ^λ , h).
(2) Cryptographic hash function H ₂ : {0, 1} ^* → G ₁ is selected.
(3) H ₂ is added to PK, and PK = (G ₁ , G ₂ , e, P, Q, H ₁ , H ₂ ) is used as a public key.

Key generation algorithm DER_CENT _{SD_FS}
A key generation algorithm DER _{SD_FS} (PK, a, b, which generates _a secret key SK _{a, b, w (0)} at time t = 0 corresponding to the SD method covering SD _{a, b} , which is held in the receiving terminal device t) consists of the following processes (1) and (2).
(1) The initial key generation algorithm DER_CENT _SD is executed to obtain SK _{a, b} = (R _{a, b} , S _{a, b} ).
(2) Output SK _{a, b} as a secret key SK _{a, b, w (0)} .

Key update algorithm KUP_TERM _{SD_FS}
In the receiving terminal device, the key update algorithm KUP_TERM _{SD_FS} (PK ₎ for updating the stored secret key SK _{a, b, w (t)} at time t to the secret key SK _{a, b, w (t + 1)} at time t + 1. , T, SK _{a, b, w (t)} ) includes the following processes (1) to (5).
(1) The node w ^(t) corresponding to the time t is calculated.
(2) It is determined whether the node w ^(t) is an internal node or a leaf of the binary tree.
(3) When the node w ^(t) is an internal node of the binary tree, σ ′ _{w (t) 0} and σ ′ _{w (t) 1} ∈Z _q are selected at random, and R ′ _{w (t) 0} = Σ ' _{w (t) 0} P, R' _{w (t) 1} = σ ' _{w (t) 1} P, S' _{a, b, w (t) 0} = S _{a, b, w (t)} + σ ' _{w (t) 0} H ₂ (w ^(t) 0), S ′ _{a, b, w (t) 1} = S _{a, b, w (t)} + σ ′ _{w (t) 1} H ₂ (w ^(t) 1) is calculated.
Furthermore, the secret key SK ' _{a, b, w (t) 0}
= (R _{a, b} , R ′ _{w | 1} ,..., R ′ _{w || w (t) |} , R ′ _{w (t) 0} , S ′ _{a, b, w (t) 0} )
Secret key SK ' _{a, b, w (t) 1}
= (R _{a, b} , R ′ _{w | 1} ,..., R ′ _{w || w (t) |} , R ′ _{w (t) 1} , S ′ _{a, b, w (t) 1} )
And the secret key SK ′ _{a, b, w (t) 0} is used as the secret key SK ′ _{a, b, w (t + 1)} at time t + 1, and the secret key SK ′ _{a, b, w (t )} Accumulate ₁ on the stack.
(4) When the node w ^(t) is a leaf of the binary tree, the secret key stored in the stack is taken out and used as the secret key secret key SK ′ _{a, b, w (t + 1) at time t + 1} To do.
(5) Delete the secret key SK _{a, b, w (t)} at time t.

Encryption algorithm ENC _{SD_FS}
The encryption algorithm ENC _{SD_FS} can be executed by setting a different time t for each of the covering SDs _{a and b} . When the receiving terminal device holds the secret key SK ′ _{a, b, w (t1)} at time t ₁ , the execution timing of the encryption algorithm ENC _{SD_FS} is set to time t ₂ (t ₂ ≧ t ₁ ). However, "t _1", when used as "t _2" superscript and subscript, etc., for the convenience of notation, to release the attached underneath the numbers, ^{_{t1, t2,} t1, t2} both describe. An encryption algorithm ENC _{SD_FS} (PK, a, c, t, K) that receives the content key KεG ₂ and outputs ciphertexts U _a , V _a corresponding to the covering SD _{a, c} and time t = t2 Consists of the following processes (1) to (4).
(1) The node w ^(t2) at time t ₂ is calculated.
_{(2) ENC SD (PK,} a, c, K) was performed to obtain a ciphertext U _a, V _a and the random number r _a.
(3) (r _a H ₂ (w ^(t2) | ₁ ),..., R _a H ₂ (w ^(t2) _{|| w (t2) |} )) = (U _{a, w (t2) | 1,.} , U _{a, w (t2) | w (t2)} , t ₂ ) are added to U _a .
(4) Output ciphertexts U _a and V _a .

ここで、Ｄ₁、Ｄ₂は次式のとおりである。

（２）受信端末装置が保持している秘密鍵ＳＫ’_a,b,w(t2)を用い、鍵導出アルゴリズムDER_TERM_SD（ＰＫ，ａ，ｂ，ＳＫ’_a,b,w(t2)）をノードｂからノードｃに到るまで繰り返し実行することにより、秘密鍵ＳＫ’_a,c,w(t2)を得る。
（３）Ｖ_a／ｄ_aを算出することによりコンテンツ鍵Ｋを得る。Ｋ＝Ｖ_a／ｄ_a
（４）コンテンツ鍵Ｋを用いて暗号文Ｅ_K（Ｍ）を復号化し、コンテンツＭを得る。 Decryption algorithm DEC _{SD_FS}
In the receiving terminal apparatus, a private key SK _'a time t ₁ for _{holding, b,} based on _{w (t1),} the ciphertext U _a, decoding algorithm to decode the _{V a DEC SD_FS (PK, a} , b, c, SK _{a, b, w (t)} , U _a , V _a ) are composed of the following processes (1) to (4).
(1) The secret key SK ′ _{a, b, w (t2)} is obtained by applying the key update algorithm KUP_TERM _{SD_FS} (PK, t, SK ′ _{a, b, w (t1)} ) until time t ₂ . D _a is calculated based on the following equation.

Here, D ₁ and D ₂ are as follows.

(2) Using the secret key SK ′ _{a, b, w (t2)} held by the receiving terminal device, the key derivation algorithm DER_TERM _SD (PK, a, b, SK ′ _{a, b, w (t2)} ) By repeatedly executing from the node b to the node c, the secret key SK ′ _{a, c, w (t2)} is obtained.
(3) The content key K is obtained by calculating V _a / d _a . K = V _a / d _a
(4) The ciphertext E _K (M) is decrypted using the content key K to obtain the content M.

The secret key stored in the stack is the secret key obtained as a result of executing the key update algorithm KUP_TERM _{SD_FS} with the secret key initially stored in the receiving terminal as input, and the execution result of the key derivation algorithm DER_TERM _SD is input Note that it is not a private key obtained by executing the key update algorithm KUP_TERM _{SD_FS} as

  Next, the second broadcast communication cipher will be specifically described by taking the case shown in FIG. 5 as an example.

Note that u010 includes secret keys S _{ε ′, w (t1)} corresponding to time t ₁ and secret keys SK _{ε, 1, w (t1)} , SK _ε, generated using the initial key generation algorithm DER_CENT _{SD_FS . 00, w (t1)} , SK _{ε, 011, w (t1)} , SK _{0,00, w (t1)} , SK _{0,011, w (t1)} , SK _{01,011, w (t1)} To do.

  FIG. 8 is a flowchart for explaining the processing (second encryption processing) of the transmitting apparatus 10 in the second broadcast encryption.

In step S21, the encryption unit 11 determines the covering SD _{a, c} in the SD method based on the node of the receiving terminal device to be invalidated. In the example of FIG. 5, two coverings SD _0,001 and SD _1,10 are determined.

In step S22, the encryption unit 11 selects the content key K, encrypts the content M using the selected content key K, and obtains E _K (M).

In step S23, the encryption unit 11 executes the encryption algorithm ENC _{SD_FS} corresponding to the covering SD _{a, c} determined in step S21, and obtains a ciphertext. In the case of the example of FIG. 5, the encryption algorithms ENC _{SD_FS} (PK, 0, 001, t ₂ , K), ENC _{SD_FS} (PK, 1, 10, t ₂ , K) are executed, and the ciphertexts U ₀ , V ₀ And ciphertexts U ₁ and V ₁ are obtained.

In step S24, the encryption unit 11 adds the search information i corresponding to the number of coverings SD _{a, c} to the processing results of steps S22 and S23 to generate the ciphertext C _SD and outputs it to the transmission unit 12 To do. In the case of the example in FIG. 5, ciphertext C _SD = <i ₀ , i ₁ ; U ₀ , U ₁ ; V ₀ , V ₁ ; E _K (M)> is generated by adding search information i ₀ and i _1. And output to the transmitter 12. Transmitter 12 transmits via the communication network 30 the ciphertext C _SD. This completes the second encryption process.

  FIG. 9 is a flowchart for explaining the process (second decryption process) of the receiving terminal apparatus u010 in the second broadcast cipher.

In step S31, the receiving unit 21, and outputs the acquired ciphertext C _SD transmitted from the transmitting apparatus 10 to the decoder 22. In step S32, the decoding unit 22, an encryption key U _0, U ₁ on the basis of the search information i _0, i ₁ included in the ciphertext C _SD; Search V _0, V _1. Then, the secret key SK _0,00 of time t ₁ held in _advance, the key update algorithm KUP_TERM _{SD_FS w (t) is} as an input _{(PK, t, SK '0,00} , w (t1)) the time t ₂ To generate a secret key SK ′ _{0,00, w (t2)} . Further, the generated secret key SK ′ _{0,00, w (t2)} is used as an input to execute a key derivation algorithm DER_TERM _SD (PK, 0,00, SK _{0,00, w (t2)} ), and the secret key SK ′ _{0,000 , w (t2)} , SK ′ _{0,001, w (t2)} .

In step S33, the decryption unit 22 calculates d ₀ using the secret key SK ′ _{0,001, w (t2)} , and obtains the content key K by calculating V ₀ / d ₀ .

In step S34, the decryption unit 22 decrypts E _K (M) using the content key K generated in step S33, and acquires the content M. Above, the 2nd decoding process by the receiving terminal device u010 is complete | finished.

If time t ₂ = t ₁ , the key update algorithm KUP_TERM _{SD_FS} executed in step S32 can be omitted.

  Next, the third broadcast communication encryption will be described. As the third broadcast cipher, FS is applied to the above-described BGW Scheme.

A setup algorithm GEN _{BGW_FS} , a key update algorithm KUP_TERM _{BGW_FS} , an encryption algorithm ENC _{BGW_FS} , and a decryption algorithm DEC _{BGW_FS in} the third broadcast cipher will be described.

（３）ＰＫ＝（ｇ，ｇ₁，…，ｇ_n，ｇ_n+2，…，ｇ_2n，ｖ）を公開鍵、ｓｋ_i,w(0)を受信端末装置ｉ（ｉ＝１，…，ｎ，ｎ＋２，…，２ｎ）の時刻ｔ＝０における秘密鍵、α，βをシステムの秘密鍵とする。 Setup algorithm GEN _{BGW_FS}
The setup algorithm GEN _{BGW_FS} (1 ^λ , n) when the security parameter 1 ^λ and the total number n of receiving terminal devices are input includes the following processes (1) to (3).
(1) The BDH parameter generator IG (1 ^λ ) is executed to generate the multiplicative groups G ₁ and G _{2 of} order q and the bilinear map e.
(2) G ₁ generator g and α, β∈Z _q are selected at random, and g _i , ski _{i, w (0)} , v are calculated.

(3) PK = (g, g ₁ ,..., G _n , g _{n + 2} ,..., G _2n , v) is the public key, and sk _{i, w (0)} is the receiving terminal device i (i = 1,. , N, n + 2,..., 2n) at time t = 0, and α, β are the system secret keys.

さらに、秘密鍵ＳＫ’_i,w(t)0
＝（Ｒ’_i,w|1，…，Ｒ’_i,w||w(t)|，Ｒ’_i,w(t)0，ｓｋ_i,w(t)0）
秘密鍵ＳＫ’_i,w(t)1
＝（Ｒ’_i,w|1，…，Ｒ’_i,w||w(t)|，Ｒ’_i,w(t)1，ｓｋ_i,w(t)1）
を生成して、秘密鍵ＳＫ’_i,w(t)0を時刻ｔ＋１の秘密鍵ＳＫ’_i,w(t+1)として使用し、秘密鍵ＳＫ’_i,w(t)1をスタックに蓄積する。
（４）ノードｗ^(t)が２分木のリーフである場合、スタックに蓄積されている秘密鍵を取り出して時刻ｔ＋１の秘密鍵秘密鍵ＳＫ’_i,w(t+1)として使用する。
（５）時刻ｔの秘密鍵ＳＫ_i,w(t)を消去する。 Key update algorithm KUP_TERM _{BGW_FS}
In the receiving terminal device, the key update algorithm KUP_TERM _{BGW_FS} (PK, t, SK ₎ for updating the stored secret key SK _{i, w (t)} at time t to the secret key SK _{i, w (t + 1)} at time t + 1. _{i, w (t)} ) includes the following processes (1) to (5).
(1) The node w ^(t) corresponding to the time t is calculated.
(2) It is determined whether the node w ^(t) is an internal node or a leaf of the binary tree.
(3) When the node w ^(t) is an internal node of the binary tree, σ ′ _{w (t) 0} and σ ′ _{w (t) 1} ∈Z _q are selected at random, and R ′ is based on the following equation: _{i, w (t) 0} , R'i _{, w (t) 1} , ski _{, w (t) 0} , ski _{, w (t) 1} are calculated.

Furthermore, the private key SK ' _{i, w (t) 0}
= ( _{R'i, w | 1} ,..., _{R'i, w || w (t) |} , R'i _{, w (t) 0} , ski _{, w (t) 0} )
Secret key SK ' _{i, w (t) 1}
= (R ′ _{i, w | 1} ,..., R ′ _{i, w || w (t) |} , R ′ _{i, w (t) 1} , sk _{i, w (t) 1} )
And using the secret key SK ′ _{i, w (t) 0} as the secret key SK ′ _{i, w (t + 1)} at time t + 1, and using the secret key SK ′ _{i, w (t) 1} in the stack accumulate.
(4) When the node w ^(t) is a leaf of the binary tree, the secret key stored in the stack is taken out and used as the secret key secret key SK ′ _{i, w (t + 1) at} time t + 1.
(5) The secret key SK _{i, w (t)} at time t is deleted.

（４）（Ｈ（ｗ^(t2)｜₁）^r，…,Ｈ（ｗ^(t2)｜_|w(t2)|）^r）
＝（Ｕ_w(t2)|1，…，Ｕ_{w(t2)||w(t2)|}）をHdrに追加する。
（５）ｔをHdrに追加する。
（６）暗号文ＣとHdrを出力する。 Encryption algorithm ENC _{BGW_FS}
An encryption algorithm ENC _{BGW_FS} (S, PK, t) that receives a set S 正規 {1, 2,..., N} of regular receiving terminal devices, a public key PK, and a time t ₂ has the following (1) to (1) to It consists of the process of (6). Note that an encryption function using a session key K for a set S⊆ {1, 2,..., N} of regular receiving terminal devices is E _K.
(1) The node w ^(t2) corresponding to the time t ₂ is calculated.
(2) Generate a random number rεZ _q and determine a session key K = e (gn _{+ 1} , g) ^r . Note that e (g _{n + 1} , g) is calculated based on (g _n , g ₁ ).
(3) The content M is encrypted using the encryption function E _K to obtain a ciphertext C = E _K (M). Further, Hdr is calculated.

(4) (H (w ^(t2) | ₁ ) ^r , ..., H (w ^(t2) _{|| w (t2) |} ) ^r )
= ( _{Uw (t2) | 1} ,..., _{Uw (t2) || w (t2) |} ) is added to Hdr.
(5) t is added to Hdr.
(6) Output ciphertext C and Hdr.

（３）Ｅ_K（Ｃ）でコンテンツＭを復号化する。 Decryption algorithm DEC _{BGW_FS}
In the receiving terminal device, the decryption algorithm DEC _{BGW_FS} (C, Hdr, S, i, SK _{i, w )} that decrypts the ciphertext C using the _stored secret key SK _{i, w (t1)} at time t1. _(t1) , PK) includes the following processes (1) to (3).
(1) In the receiving terminal device of the receiving terminal device i satisfying i∈S, the key update algorithm KUP_TERM _{BGW_FS} is applied until the time t = t _{2 in} which the stored secret key SK _{i, w (t1)} is included in Hdr. To obtain a secret key SK _{i, w (t2)} .
(2) The session key K is calculated using the secret key SK _{i, w (t2)} .

(3) Decrypt the content M with E _K (C).

  Next, a case where the set of receiving terminal devices is {1, 2, 3}, the set of regular receiving terminal devices S = {1, 2}, the height of the binary tree of time h = 3, and the time t = 1. The third broadcast communication cipher will be specifically described as an example.

  FIG. 10 is a flowchart for explaining the processing (third encryption processing) of the transmission device 10 in the third broadcast communication encryption.

である。 In step S41, the encryption unit 11 _executes ENC _{BGW_FS} (S, PK, 1) and sends the ciphertext C, Hdr = (C ₀ , C ₁ , U ₀ , 1) obtained as a result to the transmission unit 12. Output. here,

It is.

  In step S <b> 42, the transmission unit 12 transmits the ciphertext C and HDR via the communication network 30. This completes the third encryption process.

  FIG. 11 is a flowchart for explaining processing (third decryption processing) by the legitimate receiving terminal device 1 in the third broadcast communication encryption.

In step S <b> 51, the reception unit 21 acquires the ciphertext C and Hdr transmitted from the transmission device 10 and outputs the ciphertext C and HDR to the decryption unit 22. In step S52, the decryption unit 22 _{applies the} decryption algorithm DEC _{BGW_FS} (C, Hdr, S, i, SK _{1, ε} , PK) to the secret key SK _{1, ε} held in advance, and the session key. Get K.

さらに、秘密鍵ＳＫ’_1,0＝（Ｒ’_1,0，ｓｋ_1,0），ＳＫ’_1,1＝（Ｒ’_1,1，ｓｋ_1,1）を生成し、秘密鍵ＳＫ’_1,0，ＳＫ’_1,1のうち、一方の秘密鍵ＳＫ’_1,0を時刻ｔ＝１の秘密鍵として使用する。他方の秘密鍵ＳＫ’_1,1はスタックに蓄積される。そして、時刻ｔ＝１の秘密鍵ＳＫ’_1,0を用いてセッション鍵Ｋが算出される。

Specifically, time information t = 1 is read from Hdr, and node w ⁽¹⁾ = 0 is calculated. Then, the key update algorithm KUP_TERM _{BGW_FS} (PK, 1, SK _{1, ε} ) is executed with the secret key SK _{1, ε} as an input. Since ε is an internal node of the binary tree, σ ′ _1,0 , σ ′ _1,1 εZ _q is selected at random, and R ′ _1,0 , R ′ _1,1 , sk based on the following equation: _1,0 and sk _1,1 are calculated.

Further, a secret key SK ′ _1,0 = (R ′ _1,0 , sk _1,0 ), SK ′ _1,1 = (R ′ _1,1 , sk _1,1 ) is generated, and a secret key SK ′ _{1 , 0} , SK ′ _1,1 , one secret key SK ′ _1,0 is used as a secret key at time t = 1. The other secret key SK ′ _1,1 is stored in the stack. Then, the session key K is calculated using the secret key SK _'1,0 of time t = 1.

After the session key K obtained in this way is obtained, the decrypting unit 22 decrypts the content M with E _K (C) in step S53. Above, the 3rd decoding process by the regular receiving terminal device 1 is complete | finished.

  Note that the third decryption process by the legitimate receiving terminal device 2 is executed in the same manner, and the content M can be obtained as a process result. On the contrary, the content M cannot be obtained by the unauthorized receiving terminal device 3 that is not legitimate. The security against this unauthorized receiving terminal device 3 will be described.

When the unauthorized receiving terminal device 3 _{executes the} decryption algorithm DEC _{BGW_FS} (C, Hdr, S, i, SK _{3, ε} , PK), K serving as a session key is calculated as follows.

Since e (g ₃ , (vg ₃ g ₂ ) ^r ) = e (g ^r , vg ₆ g ₅ ) is obtained from the first term of the numerator, e (g ^r , g ₄ ) corresponding to the session key is obtained. I can't understand. Therefore, the content M cannot be obtained.

If e (g ^r , g ₄ ) corresponding to the session key is obtained, the ID is forged against the algorithm, and the first term of the numerator is changed to e (g ₁ , (vg ₃ g ₂ ) ^r ). K as a session key is calculated as follows.

  Thus, if the public key used in the first term on the first line (in this case, g1) is changed to something other than its own ID, the second term of the numerator on the fourth line cannot be deleted. . That is, the session key cannot be obtained. Therefore, the security against the unauthorized receiving terminal device 3 of the third broadcast communication encryption was proved.

Next, it will be described that the third broadcast communication cipher satisfies FS (Forward Security). For example, 'assuming _1,0 leaks, the secret key SK' secret key SK at time t = 1 the normal of the receiving terminal apparatus 1 ciphertext C at time t = 0 on the basis of _1,0, are Hdr Indicates that it cannot be decrypted.

First, it is shown that the secret key SK ′ _{1, ε} at time t = 0 cannot be calculated from the secret key SK ′ _1,0 . The leaked secret key SK ′ _1,0 = (R ′ _1,0 , sk _1,0 ) = (g ^ρ′1,0 , sk _{1, ε} · H (0) ^ρ′1,0 ). Therefore, ρ ′ _1,0 cannot be obtained from the secret key SK ′ _1,0 . Therefore, SK ′ _{1, ε} cannot be calculated from SK ′ _1,0 .

このとき、復号化アルゴリズムDEC_{BGW_FS}（Ｃ，Hdr，Ｓ，ｉ，ＳＫ’_1,0，ＰＫ）を実行して得られるＫは、

となる。 Next, a can not be obtained ciphertext C, the session key K from Hdr of time t = 0 by using the secret key SK _{'1, 0.} Here, C, K, Hdr, C ₀ and C ₁ are as follows.

At this time, K obtained by executing the decoding algorithm DEC _{BGW_FS} (C, _HDR , S, i, SK ′ _1,0 , PK) is

It becomes.

From this equation, if e (R ′ _1,0 , H (0) ^r ) can be multiplied by the numerator, this can be canceled with the denominator to obtain e (g ^r , g ₄ ) corresponding to the session key. It will be. However, although R ′ _1,0 = g ^ρ′1,0 can be derived from the leaked secret key SK ′ _1,0 , H (0) ^r cannot be derived. This is because r is a value that only the content transmission side can know. Therefore, it is not possible to ciphertext C of time t = 0 by using the secret key SK _'1,0, from Hdr obtain the session key K. Thus, it has been proven to not be able to ciphertext C, and Hdr decoding of the time t = 0 on the basis of the secret key SK _'1,0.

  Next, the performances of the first to third broadcast ciphers will be compared.

  FIG. 12 shows the message length of each of the first to third broadcast ciphers, the amount of calculation required for key derivation, the absolute evaluation of the number of public keys used at the time of decryption, and the presence or absence of the FS function. The advantages of the first broadcast cipher include a small amount of calculation required for key derivation and a small public key. The second broadcast encryption has advantages such as a small amount of calculation required for key derivation, a small number of public keys, and an FS function. The third broadcast cipher cipher has advantages in that the message length is short regardless of the number of legitimate receiving terminal devices and the number of illegal receiving terminal devices, and that it has an FS function.

  FIG. 13 shows the number of device keys (secret keys) held in the receiving terminal device for each of the first to third broadcast ciphers, the message length included in the encrypted ciphertext, and the key derivation at the receiving terminal device And the evaluation value of the number of public keys used at the time of encryption and decryption. FIG. 13 also shows a broadcast cipher (Y. Dois, and N. Fazio, “Public Key Broadcast Encryption for Stateless Receivers”, proceeding of ACM FRM '02, 2002) in which hierarchical ID-based encryption is applied to the SD method. (Hereinafter referred to as DF02) and the evaluation values corresponding to the BGW Scheme were also added.

The evaluation value indicates the worst value that can be assumed, and the number of keys is a value that also considers the number of key components. For example, since the number of device keys in the first broadcast encryption is SK _{a, b} = (R _{a, b} , S _{a, b} ), the number of device keys in the SD method is set to double.

  From FIG. 13, it can be seen that the first broadcast cipher is more advantageous than DF02 and BGW Scheme in terms of the number of public keys. On the other hand, the number of device keys and message length are more disadvantageous than DF02 and BGW Scheme. However, the number of device keys is only twice that of SDF02.

  Since the second and third broadcast ciphers have an FS function that has not been considered in the past, they cannot be simply compared with DF02 or BGW Scheme. Although the number of device keys is increased due to the key update due to the function, the other items maintain the same performance as the first broadcast cipher.

  The third broadcast cipher has the same FS function as the second broadcast cipher, but the message length is slightly longer because of the FS function. Yes.

  The evaluations of the first to third broadcast communication ciphers described above are summarized as follows. That is, the first broadcast cipher realizes the broadcast cipher using the public key without significantly increasing the number of device keys and the message length, and obtains a target secret key in the receiving terminal device. The amount of calculation required is significantly less than BGW Scheme. Here, when the comparison is made in consideration of the number r of receiving terminal devices to be invalidated, when r is small, it can be said that the first broadcast cipher is more advantageous than BGW Scheme. From this, when the FS function is taken into consideration, it can be said that the third broadcast encryption is advantageous when r is large, and the second broadcast encryption is advantageous when r is small.

  By the way, in this specification, the steps executed based on the program are executed in parallel or individually even if they are not necessarily processed in time series, as well as the processes performed in time series according to the described order. It also includes processing.

  The program may be processed by a single computer, or may be distributedly processed by a plurality of computers. Furthermore, the program may be transferred to a remote computer and executed.

  Further, in this specification, the system represents the entire apparatus constituted by a plurality of apparatuses.

  The embodiment of the present invention is not limited to the above-described embodiment, and various modifications can be made without departing from the gist of the present invention.

It is a block diagram which shows the structural example of the broadcast communication system to which this invention is applied. It is a block diagram which shows the structural example of a general purpose personal computer. It is a figure explaining the cover of SD method. It is a figure which shows the binary tree of the time used by FS. It is a figure for demonstrating the specific example of the 1st broadcast communication encryption. It is a flowchart explaining a 1st encryption process. It is a flowchart explaining a 1st decoding process. It is a flowchart explaining a 2nd encryption process. It is a flowchart explaining a 2nd decoding process. It is a flowchart explaining a 3rd encryption process. It is a flowchart explaining a 3rd decoding process. It is a figure which shows absolute evaluation of the 1st thru | or 3rd broadcast communication encryption. It is a figure which shows the evaluation value of the 1st thru | or 3rd broadcast communication encryption.

Explanation of symbols

  DESCRIPTION OF SYMBOLS 1 Broadcast communication system, 10 Transmission apparatus, 11 Encryption part, 12 Transmission part, 20 Receiving terminal device, 21 Reception part, 22 Decryption part, 30 Communication network, 51 CPU

Claims (16)

Among the plurality of decryption devices assigned to each leaf of the binary tree, in an encryption device that encrypts content so that unauthorized ones cannot be decrypted,
A determination means for determining a covering in the binary tree corresponding to a leaf to which the unauthorized decoding device is assigned based on an SD (Subset Difference) method;
First encryption means for encrypting the content using a content key;
Second encryption means for encrypting the content key corresponding to the determined covering;
And an output unit that outputs ciphertext including the content encryption result and the content key encryption result. In an encryption method of an encryption device for encrypting content so that an unauthorized one cannot be decrypted among a plurality of decryption devices assigned to each leaf of a binary tree,
A determination step of determining a covering in the binary tree corresponding to a leaf to which the unauthorized decoding device is assigned based on an SD method;
A first encryption step of encrypting the content using a content key;
A second encryption step for encrypting the content key in response to the determined covering;
An output step of outputting a ciphertext including the result of encrypting the content and the result of encrypting the content key. Determining means for determining covering in the binary tree corresponding to a leaf to which an illegal one is assigned among a plurality of decoding apparatuses assigned to each leaf of the binary tree based on the SD method;
First encryption means for encrypting the content using a content key;
An encryption result of the content, and an encryption result of the content key, output from an encryption device including: a second encryption unit that encrypts the content key corresponding to the determined covering In a decryption device for decrypting ciphertext,
Derivation means for deriving a second secret key corresponding to the covering based on a first secret key held in advance;
Obtaining means for obtaining the content key from the ciphertext based on the derived second secret key;
And a decryption unit that decrypts the ciphertext and obtains the content based on the acquired content key. Determining means for determining covering in the binary tree corresponding to a leaf to which an illegal one is assigned among a plurality of decoding apparatuses assigned to each leaf of the binary tree based on the SD method;
First encryption means for encrypting the content using a content key;
An encryption result of the content, and an encryption result of the content key, output from an encryption device including: a second encryption unit that encrypts the content key corresponding to the determined covering In the decryption method of the decryption device for decrypting the ciphertext,
A derivation step of deriving a second secret key corresponding to the covering based on a first secret key held in advance;
Obtaining the content key from the ciphertext based on the derived second secret key;
A decrypting method comprising: decrypting the ciphertext based on the acquired content key to obtain the content. Among the plurality of decryption devices assigned to each leaf of the binary tree, in an encryption device that encrypts content so that unauthorized ones cannot be decrypted,
Determining means for determining covering in the binary tree corresponding to a leaf to which the unauthorized decoding device is assigned based on an SD method;
First encryption means for encrypting the content using a content key;
Second encryption means for encrypting the content key at time t2 corresponding to the determined covering;
And an output unit that outputs ciphertext including the result of encrypting the content, the result of encrypting the content key, and time t2. In an encryption method of an encryption device for encrypting content so that an unauthorized one cannot be decrypted among a plurality of decryption devices assigned to each leaf of a binary tree,
A determination step of determining a covering in the binary tree corresponding to a leaf to which the unauthorized decoding device is assigned based on an SD method;
A first encryption step of encrypting the content using a content key;
A second encryption step corresponding to the determined covering and encrypting the content key at time t ₂ ;
An output step of outputting a ciphertext including the result of encrypting the content, the result of encrypting the content key, and time t ₂ . Determining means for determining covering in the binary tree corresponding to a leaf to which an illegal one is assigned among a plurality of decoding apparatuses assigned to each leaf of the binary tree based on the SD method;
First encryption means for encrypting the content using a content key;
An encryption result of the content output from an encryption device corresponding to the determined covering and output from an encryption device including a second encryption means for encrypting the content key at time t ₂ ; In the decryption device for decrypting the ciphertext including the result and time t ₂ ,
Derivation means for deriving a second secret key at time t ₂ corresponding to the covering based on a first secret key at time t ¹ (≦ t ₂ ) held in advance;
Obtaining means for obtaining the content key from the ciphertext based on the derived second secret key at time t ₂ ;
And a decryption unit that decrypts the ciphertext and obtains the content based on the acquired content key. The deriving means generates a second secret key at time t ₁ corresponding to the covering based on the first secret key held at time t _{1 and} holds the second secret key at the generated time t ₁ . The decryption device according to claim 7, wherein the secret key is updated to the second secret key at time t ₂ . The derivation means obtains the two second secret keys by updating the generated second secret key at time t ₁ , one of which is the second secret key at time t ₂ , The decoding device according to claim 8. The deriving means updates the first secret key at time t ₁ held in advance to the first secret key at time t ₂ , and based on the updated first secret key at time t ₂ , decoding apparatus according to claim 7 for generating a second private key time t ₂ corresponding to the covering. Determining means for determining covering in the binary tree corresponding to a leaf to which an illegal one is assigned among a plurality of decoding apparatuses assigned to each leaf of the binary tree based on the SD method;
First encryption means for encrypting the content using a content key;
An encryption result of the content output from an encryption device corresponding to the determined covering and output from an encryption device including a second encryption means for encrypting the content key at time t ₂ ; In the decryption method of the decryption device for decrypting the ciphertext including the result and time t ₂ ,
A derivation step of deriving a second secret key at time t ₂ corresponding to the covering based on a first secret key at time t ₁ (≦ t ₂ ) held in advance;
Obtaining the content key from the ciphertext based on the derived second secret key at time t ₂ ;
A decrypting method comprising: decrypting the ciphertext based on the acquired content key to obtain the content. In an encryption device that encrypts content based on BGW Scheme,
Generating means for generating ciphertexts C and Hdr by the encryption algorithm ENC _{BGW_FS} (S, K, t) at time t = t ₂ ;
Output means for outputting the generated ciphertext C, HDR,
The ciphertext Hdr includes a time t. In the encryption method of the encryption device that encrypts content based on BGW Scheme,
A generation step of generating ciphertexts C and Hdr by the encryption algorithm ENC _{BGW_FS} (S, K, t) at time t = t ₂ ;
An output step for outputting the generated ciphertext C and HDR,
The ciphertext Hdr includes a time t. Generating means for generating ciphertexts C and Hdr by the encryption algorithm ENC _{BGW_FS} (S, K, t) at time t = t ₂ ;
In the decryption device for decrypting the ciphertexts C and Hdr output from the encryption device including the time t in the ciphertext Hdr,
Derivation means for deriving a secret key corresponding to time t = t ₂ included in the ciphertext Hdr based on a secret key corresponding to time t ₁ (≦ t ₂ ) held in advance;
Obtaining means for obtaining a session key from the ciphertext Hdr based on a secret key corresponding to the derived time t ₂ ;
A decrypting device, comprising: decrypting means for decrypting the ciphertext C based on the acquired session key to obtain the content. The derivation means derives _two secret keys based on the secret key corresponding to the time t ₁ (≦ t ₂ ) held in advance, and one of them corresponds to the time t = t ₂ included in the ciphertext Hdr. The decryption device according to claim 14, wherein the other is stored as a secret key. Generating means for generating ciphertexts C and Hdr by the encryption algorithm ENC _{BGW_FS} (S, K, t) at time t = t ₂ ;
In the decryption method of the decryption device for decrypting the ciphertexts C and Hdr output from the encryption device including the time t in the ciphertext Hdr,
A derivation step for deriving a secret key corresponding to time t = t ₂ included in the ciphertext Hdr based on a secret key corresponding to time t ₁ (≦ t ₂ ) held in advance;
An acquisition step of acquiring a session key from the ciphertext Hdr based on a secret key corresponding to the derived time t ₂ ;
A decrypting method comprising: decrypting the ciphertext C based on the acquired session key to obtain the content.

Images