JP2008131079A - Information processor, terminal device, information processing method, and key generation method - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide an information processor in which the number of keys to be held by a user and the amount of computation required for the user to generate a key can be decreased, and to provide a terminal device, an information processing method, and a key generation method. <P>SOLUTION: The information processor can generate a directed graph representing an encryption key generation logic which derives a set key for encrypting the content or content key. The information processor divides a set of users (terminals) into a plurality of subsets, assigns a set key and an intermediate key to each subset, and outputs an intermediate key corresponding to a subset associated with a set key corresponding to that subset by a directed branch when the intermediate key corresponding to a subset is inputted. The information processor can reduce the amount of computation and the number of keys to be held by the user by constituting the directed branch included in a directed graph with a longer directed branch based on a predetermined rule and then replacing the directed branch with a shorter one. <P>COPYRIGHT: (C)2008,JPO&INPIT

Description

  The present invention relates to an information processing device, a terminal device, an information processing method, and a key generation method.

  In recent years, there has been a great interest in the development of encryption technology related to content distribution over a network or the like. Among them, a particular attention has been focused on a method for distributing an encryption key for decrypting encrypted content more safely and efficiently. Usually, for one distributor who distributes encrypted content, there are n (n is a natural number of 2 or more) receivers who have a valid reception right, and the infinite number of intercepts existing on the network Among them, a mechanism is required in which only the n recipients can decrypt the encrypted content. Furthermore, since the number n of receivers having the above-mentioned valid reception rights changes with time, a mechanism that can flexibly cope with changes in the set having receivers as elements is required.

  Of course, in order to realize such a mechanism, a processing load relating to generation, retention, distribution, and content encryption of an encryption key is generated on the distributor side, and a decryption key is transmitted to the receiver. Processing load related to retention, reception, content decryption, and the like occurs. Certainly, recently, the load on the above encryption distribution processing load is supported by various technological developments such as improvement of the arithmetic processing capability and storage capacity of information processing equipment, improvement of communication speed of information transmission path, etc. Is relatively reduced. However, as the demand for content distribution services has increased dramatically, and encryption technology with high robustness that can resist a malicious eavesdropper is required, the encryption distribution is also on the top. Will increase the processing load.

  In such a situation, a scheme such as a revocation scheme or a broadcast encryption scheme has been proposed as a method for safely transmitting information to a group of recipients arbitrarily selected by a distributor using a broadcast channel. Among these, as an example of the broadcast encryption scheme, there is an encryption key distribution method disclosed in Non-Patent Document 1 below. The feature of this method is that the key distribution method is further improved from the conventional key distribution method using a hierarchical tree structure. The derivation route is improved. In other words, in this method, a set of recipients is divided into a plurality of subsets, but a receiver that is not included in the subset is added to a certain subset to create a new subset, and this is repeated. A chain of sets is created, and an encryption key corresponding to each subset is derived along the chain. Thereby, it is possible to reduce the number of keys to be held by the receiver, the calculation amount for generating the encryption key, and the communication amount related to key distribution.

Nutapong Attrapadung and Hideki Imai, “Subset Incremental Chain Based Broadcast Encryption with the Short Cipher Text”, The 28th Symposium.

  Certainly, the encryption key distribution method of Non-Patent Document 1 described above has a great advantage compared to the conventional key distribution methods such as the CS method (Complete Subtree scheme) and the SD method (Subset Difference scheme). However, from a practical point of view assuming implementation, when the number of recipients is large, there is a problem that the number of keys to be held in the terminal device on the recipient side and the amount of calculation required for content decryption are still large. Had.

  Therefore, the present invention has been made in view of the above problems, and an object of the present invention is to perform calculation required for deriving an encryption key while reducing the number of keys to be held in the terminal device on the receiver side. It is an object of the present invention to provide a new and improved information processing device, terminal device, information processing method, key generation method, and program capable of reducing the amount.

  In order to solve the above-described problem, according to an aspect of the present invention, for a temporary directed graph composed of a plurality of directed edges, a longer directed edge from among a plurality of directed branches constituting the temporary directed graph. And a directed graph acquisition unit that acquires a directed graph generated by replacing at least one of the remaining directed branches with a shorter directed branch, and a directed graph acquisition unit. And a key generation unit for generating a set key for encrypting or decrypting the content or the content key based on the directed graph.

In order to solve the above problem, according to a certain aspect of the present invention, n leaf nodes associated with numbers 1 to n (n is a natural number), a root node, and a node other than a root node and a leaf node The number of the leaf node located at the left end among a plurality of leaf nodes arranged below a certain intermediate node v or root node v is lv, for a binary tree structure composed of a plurality of intermediate nodes And the number of the leaf node located at the right end is defined as rv. Furthermore, for natural numbers i and j (i ≦ j), the set (i → j) is {{i}, {i, i + 1}, . . . , {I, i + 1,. . . , J−1, j}} and the set (i ← j) is {{j}, {j, j−1},. . . , {J, j-1,. . . , I + 1, i}} and the coordinate points associated with each subset included in the set (1 → n) have an inclusive relationship from left to right on the horizontal coordinate axis. The first horizontal coordinate axis that is arranged so as to be large and is associated with the root node is set, and the coordinate point that is associated with each subset included in the set (2 ← n) is on the horizontal coordinate axis from the right. Arranged so that the inclusion relation increases toward the left, the second horizontal coordinate axis associated with the root node is set, and each intermediate node is included in the set (lv → rv−1) The coordinate points associated with each subset are arranged on the horizontal coordinate axis so that the inclusive relation increases from left to right, a third horizontal coordinate axis associated with a certain intermediate node v is set, and Set (lv + 1 ← rv The coordinate points associated with each subset included in are arranged on the horizontal coordinate axis so that the inclusion relation increases from right to left, and the fourth horizontal coordinate axis associated with a certain intermediate node v is set. In addition, for a predetermined integer k, the length n ^{i / k} (i = 0, 1, depending on the natural number x satisfying n ^{(x−1) / k} <(rv−lv + 1) ≦ n ^{x / k} ... x-1) is an information processing apparatus that processes a temporary directed graph formed by arranging a plurality of directed branches on the first to fourth horizontal coordinate axes, and acquires a temporary directed graph. And a directed graph generation unit that generates a directed graph by leaving a longer directed branch out of a plurality of directed branches that form the temporary directed graph acquired by the temporary directed graph acquisition unit, and a plurality of directed branches that configure the directed graph Determines the maximum number of consecutive directional branches A longest directional path determination unit to be determined, and at least one directional branch constituting the directed graph is replaced with a shorter directional branch so as not to exceed the maximum number of continuous directional branches. An information processing comprising: a directional branch replacement unit; and a key generation unit that generates a set key for encrypting content or a content key based on the directed graph reconstructed by the directional branch replacement unit An apparatus is provided.

In order to solve the above problem, according to a certain aspect of the present invention, n leaf nodes associated with numbers 1 to n (n is a natural number), a root node, and a node other than a root node and a leaf node A binary tree structure composed of a plurality of intermediate nodes and a natural number i and j (i ≦ j) is set to {{i}, {i, i + 1},. . . , {I, i + 1,. . . , J−1, j}}, and the set (i ← j) is represented by {{j}, {j, j−1},. . . , {J, j-1,. . . , I + 1, i}}, and among the plurality of leaf nodes arranged below a certain intermediate node v or root node v, the number of the leaf node located at the left end is lv, and the leaf node located at the right end is A tree structure setting unit for setting the number to rv;
The first horizontal corresponding to the root node in which the coordinate points associated with each subset included in the set (1 → n) are arranged on the horizontal coordinate axis so that the inclusion relation increases from left to right. Coordinate axes and coordinate points associated with each subset included in the set (2 ← n) correspond to root nodes arranged on the horizontal coordinate axis so that the inclusion relation increases from right to left. For each of the second horizontal coordinate axis and the intermediate node, the coordinate point associated with each subset included in the set (lv → rv−1) has a greater inclusive relation from left to right on the horizontal coordinate axis. The coordinate points associated with the third horizontal coordinate axis corresponding to a certain intermediate node v and the respective subsets included in the set (lv + 1 ← rv) are arranged on the horizontal coordinate axis from right to left. So that the inclusive relationship is larger A fourth horizontal coordinate axis corresponding to a certain intermediate node v is set, and is located at the right side of the coordinate point located at the right end on the third horizontal coordinate axis and at the left end on the second and fourth horizontal coordinate axes. Two temporary coordinate points are respectively arranged on the left side of the coordinate point, the coordinate point located at the right end on the first horizontal coordinate axis is set as the first temporary coordinate point, and the right side of the first temporary coordinate point A coordinate axis setting unit for arranging the second temporary coordinate point at
A predetermined integer k is set, and an integer x satisfying n ^{(x−1) / k} <(rv−lv + 1) ≦ n ^{x / k} is calculated. Then, for each of the integers i = 0 to x−1, n connecting one or more directional branches directed to the right having a length of ^{i / k} to form a directional path starting from the leftmost coordinate point on the first and third horizontal coordinate axes; a directional path starting from the rightmost coordinate point on the second and fourth horizontal coordinate axes is formed by connecting one or a plurality of directional branches facing the left direction having a length of ^{ni / k.} For each of the first to fourth horizontal coordinate axes, the longest of the directional branches that reach each coordinate point on the first to fourth horizontal coordinate axes, excluding all directional branches that have the temporary coordinate point as the starting point or the end point By excluding the directional branch other than the directional branch, the set (1 → n−1), the set (2 ← n), the set (lv + 1 ← rv), and the set (lv → r) -1) are respectively generated, and a directional branch having a length of 1 having a first temporary coordinate point on the first horizontal coordinate axis as an end point is generated with respect to the temporary digraph related to the set (1 → n-1). In addition, a temporary digraph generation unit that generates a temporary digraph for the set (1 → n);
A longest directional path determination unit that determines a longest directional path in which the number of directional branches constituting the directional path is the largest among directional paths formed by continuous directional branches;
Replace the directional branch of each directional path with a shorter directional branch so that the number of directional branches of each directional path does not exceed the number of directional branches of the longest directional path. There is provided an information processing apparatus including a directed graph generation unit for generating.

  As described above, in the encryption key distribution method using the intermediate key and the set key, when the distributed encryption information is decrypted by enabling the distribution of the intermediate key based on the directed graph or the generation of the set key, In addition, it is possible to reduce the worst value of the amount of calculation required for each user (terminal device) to generate a decryption key and to reduce the number of keys that each user should hold.

  In addition, the longest directional path determination unit described above is the longest directional among the temporary directed graphs regarding the set (1 → n), the set (2 ← n), the set (lv + 1 ← rv), and the set (lv → rv−1). For each temporary directed graph that does not include a path, the longest directed path for each temporary directed graph may be determined. Furthermore, the above directed graph generation unit configures each directed path so that the number of directed edges of each directed path does not exceed the number of directed edges of the longest directed path for each temporary directed graph. A directed graph may be generated by replacing a directed edge with a shorter directed edge.

  Further, the information processing apparatus may include a key generation unit that generates a set key for encrypting the content or the content key based on the directed graph.

  Further, in response to the input of the intermediate key t (S) of the subset S corresponding to a certain coordinate point in the directed graph, the key generation unit described above sets the set key k (S) corresponding to the subset S corresponding to the coordinate point. ), And intermediate keys t (S1), t (S2),..., T (Sk) of the coordinate points S1, S2,. , May be output.

  Further, the key generation unit described above, in response to the input of the set key k (S) of the subset S corresponding to a certain coordinate point in the directed graph, the coordinate point S1 of the end point of the directional branch starting from the coordinate point S. , S2,..., Sk set keys k (S1), k (S2),..., K (Sk) may be output.

  Furthermore, the information processing apparatus may include an encryption unit that encrypts content or a content key using a set key.

  Furthermore, the information processing apparatus transmits the content or content key encrypted by the encryption unit to the terminal devices associated with some or all of the leaf nodes 1 to n constituting the tree structure. You may provide the transmission part.

  The directed graph generation unit may replace the directional branch of the temporary directed graph so that a shorter directional branch is arranged toward the end point direction of each directional path.

  Furthermore, the information processing apparatus described above is a set of terminal devices that permit decryption of content encrypted with a set key or a content key when a subset of leaf nodes 1 to n constituting a tree structure is defined as Si. (N \ R) is determined, and a subset determination unit that determines m subsets S1 to Sm satisfying the set (N \ R) = S1∪S2∪... Sm so that m is minimized. May be provided.

  Furthermore, the information processing apparatus includes a transmission unit that transmits information representing the set (N \ R) or information representing the subsets S1 to Sm constituting the set (N \ R) to the terminal device. Also good.

  Furthermore, the information processing apparatus may include a decrypting unit that decrypts content or a content key using a set key.

  Further, the information processing apparatus described above is a content or content key that is associated with one or more leaf nodes 1 to n (n is a natural number) constituting a predetermined binary tree structure and is encrypted using a set key. May be provided.

  The encrypted content or content key received by the receiving unit is a leaf that is an element of the set S including the leaf node associated with itself among the set Si defined as a subset of the leaf nodes 1 to n. One or more information processing devices associated with the node may be decodable.

Moreover, in order to solve the above-mentioned problem, according to another aspect of the present invention, it is characterized by including a key generation unit that generates a set key for decrypting content or a content key based on a directed graph. A terminal device is provided. The above directed graph is a binary tree composed of n leaf nodes associated with numbers 1 to n (n is a natural number), a root node, and a plurality of intermediate nodes other than the root node and the leaf node. Set the structure and set the set (i → j) to {{i}, {i, i + 1},. . . , {I, i + 1,. . . , J−1, j}}, and the set (i ← j) is represented by {{j}, {j, j−1},. . . , {J, j-1,. . . , I + 1, i}}, and among the plurality of leaf nodes arranged below a certain intermediate node v or root node v, the number of the leaf node located at the left end is lv, and the leaf node located at the right end is The root is set with the number rv and the coordinate points associated with each subset included in the set (1 → n) are arranged on the horizontal coordinate axis so that the inclusion relation increases from left to right. The first horizontal coordinate axis corresponding to the node and the coordinate points associated with each subset included in the set (2 ← n) are arranged on the horizontal coordinate axis so that the inclusion relation increases from right to left. For each of the second horizontal coordinate axis corresponding to the root node and the intermediate node, the coordinate points associated with each subset included in the set (lv → rv−1) are from left to right on the horizontal coordinate axis. Array so that the inclusive relation increases The coordinate point associated with the third horizontal coordinate axis corresponding to a certain intermediate node v and each subset included in the set (lv + 1 ← rv) has an inclusion relation from right to left on the horizontal coordinate axis. A fourth horizontal coordinate axis corresponding to a certain intermediate node v, which is arranged so as to be larger, is set, and the right side of the coordinate point located at the right end on the third horizontal coordinate axis, and the second and fourth horizontal coordinate axes Two temporary coordinate points are respectively arranged on the left side of the coordinate point located at the left end, the coordinate point located at the right end on the first horizontal coordinate axis is set as the first temporary coordinate point, and the first temporary coordinate point is set. A second temporary coordinate point is arranged on the right side of the coordinate point, a predetermined integer k is set, and an integer x satisfying n ^{(x−1) / k} <(rv−lv + 1) ≦ n ^{x / k} is calculated. in, for each integer i = 0 to ^x-1, the right direction with a length of ^{n i / k} direction To form a directional path starting from the coordinate point at the leftmost of the first and third on the horizontal coordinate axis by connecting one or more directional branches, the left having a length of n i ^{/ k} One or a plurality of directed branches facing each other are connected to form a directed path starting from the rightmost coordinate point on the second and fourth horizontal coordinate axes. For each of the first to fourth horizontal coordinate axes, Exclude all directional branches starting from the coordinate point and ending, and excluding directional branches other than the longest directional branch among the directional branches that reach each coordinate point on the first to fourth horizontal coordinate axes. As a result, temporary directed graphs for the set (1 → n−1), the set (2 ← n), the set (lv + 1 ← rv), and the set (lv → rv−1) are generated, respectively, and the set (1 → n−1) To the temporary directed graph for, add a directional branch of length 1 with the first temporary coordinate point on the first horizontal coordinate axis as the end point. A temporary directed graph for (1 → n) is generated, and the longest directional path with the maximum number of directional branches constituting the directional path is determined from the directional paths formed by the continuous directional branches. The directional branches constituting each directional path are replaced with shorter directional branches so that the number of directional branches of each directional path does not exceed the number of directional branches of the longest directional path. It is done.

  As described above, in the encryption key distribution method using the intermediate key and the set key, when the distributed encryption information is decrypted by enabling the distribution of the intermediate key based on the directed graph or the generation of the set key, In addition, it is possible to reduce the worst value of the amount of calculation required for each user (terminal device) to generate a decryption key and to reduce the number of keys that each user should hold.

  Further, the key generation unit described above receives the set key k (S) corresponding to the subset S corresponding to the coordinate point in response to the input of the intermediate key t (S) of the subset S corresponding to a certain coordinate point in the directed graph. ), And intermediate keys t (S1), t (S2),..., T of the subsets S1, S2,. (Sk) may be output.

  Further, the key generation unit described above, in response to the input of the set key k (S) of the subset S corresponding to a certain coordinate point in the directed graph, the coordinate point S1 of the end point of the directional branch starting from the coordinate point S. , S2,..., Sk set keys k (S1), k (S2),..., K (Sk) may be output.

  Furthermore, the terminal device may include a decryption unit that decrypts the encrypted content key using the set key and decrypts the encrypted content using the decrypted content key. .

  Further, the terminal device described above is a set of terminal devices (N \) that permits decryption of content encrypted with a set key or a content key when a subset of leaf nodes 1 to n of a tree structure is defined as Si. R) is determined, and m subsets S1 to Sm satisfying the set (N \ R) = S1∪S2∪ ... ∪Sm are determined, and information representing the set (N \ R) or the set ( N \ R), when receiving information representing subsets S1 to Sm, the terminal device determines whether the terminal device belongs to any of subsets S1 to Sm based on the received information. A determination unit that determines and determines whether or not the decryption of the encrypted content is permitted based on the determination result. In addition, when it is determined that the terminal device belongs to any of the subsets S1 to Sm, the decryption unit uses the set key corresponding to the subset to which the terminal device belongs to May be decrypted.

  In order to solve the above-described problem, according to still another aspect of the present invention, for a temporary directed graph composed of a plurality of directional branches, from among a plurality of directed branches constituting the temporary directed graph. A directional graph acquisition step for acquiring a directional graph generated by replacing a long directional branch and replacing at least one directional branch with a shorter directional branch from the remaining directional branch; And a key generation step of generating a set key for encrypting or decrypting the content or the content key based on the directed graph acquired by the section. An information processing method is provided.

In order to solve the above-described problem, according to still another aspect of the present invention, n leaf nodes, root nodes, root nodes and leaves associated with numbers 1 to n (n is a natural number) are associated. For a binary tree structure composed of a plurality of intermediate nodes other than nodes, the number of the leaf node located at the left end among a plurality of leaf nodes arranged below a certain intermediate node v or root node v is lv, and the number of the leaf node located at the right end is defined as rv. Furthermore, for natural numbers i and j (i ≦ j), the set (i → j) is {{i}, {i, i + 1 },. . . , {I, i + 1,. . . , J−1, j}} and the set (i ← j) is {{j}, {j, j−1},. . . , {J, j-1,. . . , I + 1, i}} and the coordinate points associated with each subset included in the set (1 → n) have an inclusive relationship from left to right on the horizontal coordinate axis. The first horizontal coordinate axis that is arranged so as to be large and is associated with the root node is set, and the coordinate point that is associated with each subset included in the set (2 ← n) is on the horizontal coordinate axis from the right. Arranged so that the inclusion relation increases toward the left, the second horizontal coordinate axis associated with the root node is set, and each intermediate node is included in the set (lv → rv−1) The coordinate points associated with each subset are arranged on the horizontal coordinate axis so that the inclusive relation increases from left to right, a third horizontal coordinate axis associated with a certain intermediate node v is set, and Set (lv + 1 ← rv The coordinate points associated with each subset included in are arranged on the horizontal coordinate axis so that the inclusion relation increases from right to left, and the fourth horizontal coordinate axis associated with a certain intermediate node v is set. In addition, for a predetermined integer k, the length n ^{i / k} (i = 0, 1, depending on the natural number x satisfying n ^{(x−1) / k} <(rv−lv + 1) ≦ n ^{x / k} ... x-1) is an information processing method for processing a temporary directed graph formed by arranging a plurality of directed branches on the first to fourth horizontal coordinate axes, and acquiring a temporary directed graph. And a directed graph generation step for generating a directed graph by leaving a longer directional branch out of a plurality of directed branches constituting the temporary directed graph acquired by the temporary directed graph acquisition unit, and a plurality of directed branches constituting the directed graph Within a directed directional branch A longest directional path determining step for determining the maximum number of directional graphs, and replacing the directional graph by replacing at least one directional branch constituting the directed graph with a shorter directional branch so as not to exceed the maximum number of consecutive directional branches. A directional edge replacement step for reconfiguration, and a key generation step for generating a set key for encrypting the content or content key based on the directed graph reconstructed by the directional edge replacement unit, An information processing method is provided.

In order to solve the above-described problem, according to still another aspect of the present invention, n leaf nodes, root nodes, root nodes and leaves associated with numbers 1 to n (n is a natural number) are associated. A binary tree structure including a plurality of intermediate nodes other than nodes is set, and a set (i → j) is set to {{i}, {i, i + 1}, for natural numbers i and j (i ≦ j), . . . , {I, i + 1,. . . , J−1, j}}, and the set (i ← j) is represented by {{j}, {j, j−1},. . . , {J, j-1,. . . , I + 1, i}}, and among the plurality of leaf nodes arranged below a certain intermediate node v or root node v, the number of the leaf node located at the left end is lv, and the leaf node located at the right end is The tree structure setting step for setting the number as rv and the coordinate points associated with each subset included in the set (1 → n) so that the inclusion relation increases from left to right on the horizontal coordinate axis. The arranged first horizontal coordinate axis corresponding to the root node and the coordinate point associated with each subset included in the set (2 ← n) have a large inclusion relation from right to left on the horizontal coordinate axis. For each of the second horizontal coordinate axis corresponding to the root node and the intermediate node, the coordinate points associated with each subset included in the set (lv → rv−1) are arranged on the horizontal coordinate axis. Inclusion from left to right The third horizontal coordinate axis corresponding to a certain intermediate node v and the coordinate point associated with each subset included in the set (lv + 1 ← rv) arranged so as to be large are on the horizontal coordinate axis from right to left. A fourth horizontal coordinate axis corresponding to a certain intermediate node v, which is arranged so that the inclusive relation increases, and sets the right side of the coordinate point located at the right end on the third horizontal coordinate axis, the second and second Four temporary coordinate points are respectively arranged on the left side of the coordinate point located at the left end on the four horizontal coordinate axes, and the coordinate point located at the right end on the first horizontal coordinate axis is set as the first temporary coordinate point, A coordinate axis setting step for placing the second temporary coordinate point on the right side of the first temporary coordinate point and a predetermined integer k are set, and n ^{(x−1) / k} <(rv−lv + 1) ≦ n ^{x /} after having calculated the integer x satisfying ^k, each integer i = 0 to x-1 For, the directional path starting from the coordinate point at the leftmost of the first and third on the horizontal coordinate axis by connecting one or more directional branches facing rightward having a length of n i ^{/ k} A directional path formed by connecting one or a plurality of directional branches facing the left direction having a length of ^{ni / k} and starting from the rightmost coordinate point on the second and fourth horizontal coordinate axes For each of the first to fourth horizontal coordinate axes, excluding all directional branches having the temporary coordinate point as the start point or the end point, and reaching the coordinate points on the first to fourth horizontal coordinate axes. Among them, by excluding the directional branch other than the longest directional branch, the set (1 → n−1), the set (2 ← n), the set (lv + 1 ← rv), and the set (lv → rv−1) are related. A temporary digraph is generated for each of the temporary digraphs on the first horizontal coordinate axis with respect to the temporary digraph relating to the set (1 → n−1). A temporary directed graph generation step for generating a temporary directed graph for a set (1 → n) by adding a directional branch having a length of 1 with a point as an end point, and a directed path formed by continuous directed branches , The longest directional path determination step for determining the longest directional path that has the maximum number of directional branches constituting the directional path, and the directional branch number of each directional path is the directional of the longest directional path. A directed graph generation step of generating a directed graph by replacing the directed branches constituting each directed path with a shorter directed branch so as not to exceed the number of branches, and an information processing method comprising: Provided.

  As described above, in the encryption key distribution method using the intermediate key and the set key, when the distributed encryption information is decrypted by enabling the distribution of the intermediate key based on the directed graph or the generation of the set key, In addition, it is possible to reduce the worst value of the amount of calculation required for each user (terminal device) to generate a decryption key and to reduce the number of keys that each user should hold.

In order to solve the above problems, according to another aspect of the present invention, there is provided a key distribution method including a key generation step for generating a set key for decrypting content or a content key based on a directed graph. The The above directed graph is a binary tree composed of n leaf nodes associated with numbers 1 to n (n is a natural number), a root node, and a plurality of intermediate nodes other than the root node and the leaf node. Set the structure and set the set (i → j) to {{i}, {i, i + 1},. . . , {I, i + 1,. . . , J−1, j}}, and the set (i ← j) is represented by {{j}, {j, j−1},. . . , {J, j-1,. . . , I + 1, i}}, and among the plurality of leaf nodes arranged below a certain intermediate node v or root node v, the number of the leaf node located at the left end is lv, and the leaf node located at the right end is The root is set with the number rv and the coordinate points associated with each subset included in the set (1 → n) are arranged on the horizontal coordinate axis so that the inclusion relation increases from left to right. The first horizontal coordinate axis corresponding to the node and the coordinate points associated with each subset included in the set (2 ← n) are arranged on the horizontal coordinate axis so that the inclusion relation increases from right to left. For each of the second horizontal coordinate axis corresponding to the root node and the intermediate node, the coordinate points associated with each subset included in the set (lv → rv−1) are from left to right on the horizontal coordinate axis. Array so that the inclusive relation increases The coordinate point associated with the third horizontal coordinate axis corresponding to a certain intermediate node v and each subset included in the set (lv + 1 ← rv) has an inclusion relation from right to left on the horizontal coordinate axis. A fourth horizontal coordinate axis corresponding to a certain intermediate node v, which is arranged so as to be larger, is set, and the right side of the coordinate point located at the right end on the third horizontal coordinate axis, and the second and fourth horizontal coordinate axes Two temporary coordinate points are respectively arranged on the left side of the coordinate point located at the left end, the coordinate point located at the right end on the first horizontal coordinate axis is set as the first temporary coordinate point, and the first temporary coordinate point is set. A second temporary coordinate point is arranged on the right side of the coordinate point, a predetermined integer k is set, and an integer x satisfying n ^{(x−1) / k} <(rv−lv + 1) ≦ n ^{x / k} is calculated. in, for each integer i = 0 to ^x-1, the right direction with a length of ^{n i / k} direction To form a directional path starting from the coordinate point at the leftmost of the first and third on the horizontal coordinate axis by connecting one or more directional branches, the left having a length of n i ^{/ k} One or a plurality of directed branches facing each other are connected to form a directed path starting from the rightmost coordinate point on the second and fourth horizontal coordinate axes. For each of the first to fourth horizontal coordinate axes, Exclude all directional branches starting from the coordinate point and ending, and excluding directional branches other than the longest directional branch among the directional branches that reach each coordinate point on the first to fourth horizontal coordinate axes. As a result, temporary directed graphs for the set (1 → n−1), the set (2 ← n), the set (lv + 1 ← rv), and the set (lv → rv−1) are generated, respectively, and the set (1 → n−1) To the temporary directed graph for, add a directional branch of length 1 with the first temporary coordinate point on the first horizontal coordinate axis as the end point. A temporary directed graph for (1 → n) is generated, and the longest directional path with the maximum number of directional branches constituting the directional path is determined from the directional paths formed by the continuous directional branches. The directional branches constituting each directional path are replaced with shorter directional branches so that the number of directional branches of each directional path does not exceed the number of directional branches of the longest directional path. It is what

  As described above, in the encryption key distribution method using the intermediate key and the set key, when the distributed encryption information is decrypted by enabling the distribution of the intermediate key based on the directed graph or the generation of the set key, In addition, it is possible to reduce the worst value of the amount of calculation required for each user (terminal device) to generate a decryption key and to reduce the number of keys that each user should hold.

In order to solve the above-described problem, according to still another aspect of the present invention, n leaf nodes, root nodes, root nodes and leaves associated with numbers 1 to n (n is a natural number) are associated. A binary tree structure including a plurality of intermediate nodes other than nodes is set, and a set (i → j) is set to {{i}, {i, i + 1}, for natural numbers i and j (i ≦ j), . . . , {I, i + 1,. . . , J−1, j}}, and the set (i ← j) is represented by {{j}, {j, j−1},. . . , {J, j-1,. . . , I + 1, i}}, and among the plurality of leaf nodes arranged below a certain intermediate node v or root node v, the number of the leaf node located at the left end is lv, and the leaf node located at the right end is The tree structure setting function for setting the number to rv and the coordinate points associated with each subset included in the set (1 → n) so that the inclusion relation increases from left to right on the horizontal coordinate axis. The arranged first horizontal coordinate axis corresponding to the root node and the coordinate point associated with each subset included in the set (2 ← n) have a large inclusion relation from right to left on the horizontal coordinate axis. For each of the second horizontal coordinate axis corresponding to the root node and the intermediate node, the coordinate points associated with each subset included in the set (lv → rv−1) are arranged on the horizontal coordinate axis. The inclusion relationship is large from left to right The coordinate points associated with the third horizontal coordinate axis corresponding to a certain intermediate node v and each subset included in the set (lv + 1 ← rv) are arranged from right to left on the horizontal coordinate axis. A fourth horizontal coordinate axis corresponding to a certain intermediate node v, which is arranged so that the inclusive relation increases, and sets the right side of the coordinate point located at the right end on the third horizontal coordinate axis, the second and second Four temporary coordinate points are respectively arranged on the left side of the coordinate point located at the left end on the four horizontal coordinate axes, and the coordinate point located at the right end on the first horizontal coordinate axis is set as the first temporary coordinate point, A coordinate axis setting function for placing the second temporary coordinate point on the right side of the first temporary coordinate point and a predetermined integer k are set, and n ^{(x−1) / k} <(rv−lv + 1) ≦ n ^{x /} after having calculated the integer x satisfying ^k, with each integer i = 0 to x-1 , Form a directed path that coordinate point is the starting point at the top left of the first and third on the horizontal coordinate axis by connecting one or more directional branches facing rightward having a length of n i ^{/ k} A directional path starting from the rightmost coordinate point on the second and fourth horizontal coordinate axes by connecting one or a plurality of directional branches facing the left direction having a length of ^{ni / k.} For each of the first to fourth horizontal coordinate axes, out of all the directional branches having the temporary coordinate point as a start point or an end point, and reaching each coordinate point on the first to fourth horizontal coordinate axes By excluding a directional branch other than the longest directional branch, a provisional regarding the set (1 → n−1), the set (2 ← n), the set (lv + 1 ← rv), and the set (lv → rv−1) is obtained. Each directed graph is generated, and the first temporary coordinate point on the first horizontal coordinate axis is terminated for the temporary directed graph relating to the set (1 → n−1). A temporary directed graph generation function for generating a temporary directed graph related to the set (1 → n) by adding a directional branch of length 1 and a directed path from the directed paths formed by continuous directed edges The longest directional path determination function that determines the longest directional path that has the maximum number of directional branches that make up the path, and the number of directional branches of each directional path is the number of directional branches of the longest directional path. A program for causing a computer to realize a directed graph generation function for generating a directed graph by replacing the directed edges constituting each directed path with shorter directional branches is provided.

  As described above, in the encryption key distribution method using the intermediate key and the set key, when the distributed encryption information is decrypted by enabling the distribution of the intermediate key based on the directed graph or the generation of the set key, In addition, it is possible to reduce the worst value of the amount of calculation required for each user (terminal device) to generate a decryption key and to reduce the number of keys that each user should hold.

In order to solve the above-described problem, according to still another aspect of the present invention, a computer is provided with a key generation function for generating a set key for decrypting content or a content key based on a directed graph. A program is provided. The above directed graph is a binary tree composed of n leaf nodes associated with numbers 1 to n (n is a natural number), a root node, and a plurality of intermediate nodes other than the root node and the leaf node. Set the structure and set the set (i → j) to {{i}, {i, i + 1},. . . , {I, i + 1,. . . , J−1, j}}, and the set (i ← j) is represented by {{j}, {j, j−1},. . . , {J, j-1,. . . , I + 1, i}}, and among the plurality of leaf nodes arranged below a certain intermediate node v or root node v, the number of the leaf node located at the left end is lv, and the leaf node located at the right end is The root is set with the number rv and the coordinate points associated with each subset included in the set (1 → n) are arranged on the horizontal coordinate axis so that the inclusion relation increases from left to right. The first horizontal coordinate axis corresponding to the node and the coordinate points associated with each subset included in the set (2 ← n) are arranged on the horizontal coordinate axis so that the inclusion relation increases from right to left. For each of the second horizontal coordinate axis corresponding to the root node and the intermediate node, the coordinate points associated with each subset included in the set (lv → rv−1) are from left to right on the horizontal coordinate axis. Array so that the inclusive relation increases The coordinate point associated with the third horizontal coordinate axis corresponding to a certain intermediate node v and each subset included in the set (lv + 1 ← rv) has an inclusion relation from right to left on the horizontal coordinate axis. A fourth horizontal coordinate axis corresponding to a certain intermediate node v, which is arranged so as to be larger, is set, and the right side of the coordinate point located at the right end on the third horizontal coordinate axis, and the second and fourth horizontal coordinate axes Two temporary coordinate points are respectively arranged on the left side of the coordinate point located at the left end, the coordinate point located at the right end on the first horizontal coordinate axis is set as the first temporary coordinate point, and the first temporary coordinate point is set. A second temporary coordinate point is arranged on the right side of the coordinate point, a predetermined integer k is set, and an integer x satisfying n ^{(x−1) / k} <(rv−lv + 1) ≦ n ^{x / k} is calculated. in, for each integer i = 0 to ^x-1, the right direction with a length of ^{n i / k} direction To form a directional path starting from the coordinate point at the leftmost of the first and third on the horizontal coordinate axis by connecting one or more directional branches, the left having a length of n i ^{/ k} One or a plurality of directed branches facing each other are connected to form a directed path starting from the rightmost coordinate point on the second and fourth horizontal coordinate axes. For each of the first to fourth horizontal coordinate axes, Exclude all directional branches starting from the coordinate point and ending, and excluding directional branches other than the longest directional branch among the directional branches that reach each coordinate point on the first to fourth horizontal coordinate axes. As a result, temporary directed graphs for the set (1 → n−1), the set (2 ← n), the set (lv + 1 ← rv), and the set (lv → rv−1) are generated, respectively, and the set (1 → n−1) To the temporary directed graph for, add a directional branch of length 1 with the first temporary coordinate point on the first horizontal coordinate axis as the end point. A temporary directed graph for (1 → n) is generated, and the longest directional path with the maximum number of directional branches constituting the directional path is determined from the directional paths formed by the continuous directional branches. The directional branches constituting each directional path are replaced with shorter directional branches so that the number of directional branches of each directional path does not exceed the number of directional branches of the longest directional path. It is what

  As described above, in the encryption key distribution method using the intermediate key and the set key, when the distributed encryption information is decrypted by enabling the distribution of the intermediate key based on the directed graph or the generation of the set key, In addition, it is possible to reduce the worst value of the amount of calculation required for each user (terminal device) to generate a decryption key and to reduce the number of keys that each user should hold.

  As described above, according to the present invention, it is possible to reduce the amount of calculation required for deriving the encryption key while reducing the number of keys to be held in the terminal device on the receiver side.

Exemplary embodiments of the present invention will be described below in detail with reference to the accompanying drawings. In addition, in this specification and drawing, about the component which has the substantially same function structure, duplication description is abbreviate | omitted by attaching | subjecting the same code | symbol. In addition, although there exists a part which has expressed the subscript by the normal font on description, these are the same. For example, it should be noted that to express the same thing as the BTR and BT _R.

[Configuration of Encryption Key Distribution System 100]
First, the configuration of the encryption key distribution system 100 according to an embodiment of the present invention will be described. FIG. 1 is an explanatory diagram showing a configuration of an encryption key distribution system 100 according to the present embodiment.

  Referring to FIG. 1, an encryption key distribution system 100 includes a key distribution server 102 configured as an example of an information processing apparatus according to the present embodiment, a plurality of terminal devices 122 respectively owned by a plurality of users, and these keys. It is comprised from the network which connects the delivery server 102 and the terminal device 122. FIG.

  The network is a communication line network that connects the key distribution server 102 and the terminal device 122 so that bidirectional communication or one-way communication is possible. This network includes, for example, the public network such as the Internet, a telephone line network, a satellite communication network, a broadcast communication path, a WAN (Wide Area Network), a LAN (Local Area Network), an IP-VPN (Internet Protocol-Virtual Private). Network), a dedicated line network such as a wireless LAN, etc., regardless of wired / wireless.

  The key distribution server 102 is composed of a computer device or the like having a server function, and can transmit various types of information to an external device via a network. For example, the key distribution server 102 can generate an encryption key of a broadcast encryption scheme scheme and distribute this encryption key to the terminal device 122. The key distribution server 102 according to the present embodiment has a function as a content distribution server that provides a content distribution service such as a video distribution service or an electronic music distribution service, and can distribute the content to the terminal device 122. It is. Of course, the key distribution server 102 and the content distribution server may be configured as separate devices.

  Here, the content is, for example, a movie (video) content such as a movie, a television program, a video program, a chart, or a video (Video) content, a music, a lecture, a radio program, a game content, Arbitrary content data such as document content and software may be used. The video content may include not only video data but also audio data.

  The terminal device 122 is a key distribution server capable of data communication with an external device via a network, and is owned by each user. The terminal device 122 is configured by a computer device (a notebook type or a desktop type) such as a personal computer (hereinafter referred to as “PC”) as shown in the figure, but is not limited to this example. If the device has a communication function via a network, for example, a PDA (Personal Digital Assistant), a home game machine, a DVD / HDD recorder, a television receiver, and other information home appliances, a television broadcast tuner, It can also be composed of a decoder or the like. Further, the terminal device 122 may be a portable device (Portable Device) that can be carried by the user, for example, a portable game machine, a mobile phone, a portable video / audio player, a PDA, a PHS, or the like.

  The terminal device 122 can receive various information from the key distribution server 102. For example, the terminal device 122 can receive content distributed from the key distribution server 102. At the time of content distribution, the key distribution server 102 can encrypt and distribute various electronic data. For example, the key distribution server 102 can generate and distribute a content key that encrypts content. This content key may be expressed by, for example, a random number (pseudorandom number) calculated by a pseudorandom number generator, a predetermined character string, a number sequence, or the like. Then, the key distribution server 102 can encrypt the content using a predetermined encryption logic using the content key. The key distribution server 102 can distribute the content key or the decryption key corresponding to the content key to any terminal device 122. On the other hand, the terminal device 122 can decrypt the encrypted content using the content key received from the key distribution server 102 or the decryption key corresponding to the content key.

  The pseudo random number generator used to generate the content key is a device or program that can output a long-period pseudo random number sequence by inputting a predetermined seed value. It is realized by using a logic such as a congruential method or Mersenne Twister method. Of course, the pseudo-random number generator applicable to the present embodiment is not limited to this, and the pseudo-random number may be generated using other logic, or includes special information or conditions. It may be a device or a program capable of generating a pseudo random number sequence.

  Furthermore, the key distribution server 102 according to the present embodiment is configured to encrypt and distribute not only the content itself but also the content key. Certainly, a certain level of security can be ensured by encrypting and distributing the content itself. However, the content key itself is encrypted and distributed in order to flexibly cope with the addition or deletion of a user (hereinafter referred to as “permitted user”) who grants the right to use the content from among a large number of users. The scheme is advantageous. In this case, in this embodiment, first, the key distribution server 102 generates a plurality of set keys for encrypting and decrypting the content key. As will be described in detail later, each of the plurality of set keys is associated with a subset group of a plurality of authorized users extracted from a large number of users. In other words, the key distribution server 102 encrypts the content key with the set key set so that only the set of authorized users can decrypt the content key, and encrypts the content key for the terminal devices 122 of all users. Is delivered. With this configuration, only the licensed user terminal device 122 can decrypt the encrypted content key, and the encrypted content can be decrypted using the content key to view the content. It becomes like this. If the set of authorized users is changed, the key distribution server 102 can respond by changing the set key used for encrypting the content key. In order for the above encryption key distribution logic to be established, it is necessary to configure the key distribution server 102 and the like so as to realize algorithms related to generation and distribution of set keys.

  Hereinafter, first, hardware configuration examples of the key distribution server 102 and the terminal device 122 according to the present embodiment will be described. Secondly, a basic technology related to the encryption key distribution logic according to the present embodiment will be described. Third, the configuration of the key distribution server 102 and the terminal device 122 according to the present embodiment will be described in detail, and differences from the basic technology regarding the configuration and effects will be clearly described. Finally, an application example of the encryption key distribution system according to the present embodiment will be described.

[Hardware Configuration of Key Distribution Server 102 and Terminal Device 122]
First, a hardware configuration example of the key distribution server 102 and the terminal device 122 according to the present embodiment will be described with reference to FIG. FIG. 2 is an example of a hardware configuration capable of realizing the functions of the key distribution server 102 or the terminal device 122 according to the present embodiment.

  The key distribution server 102 and the terminal device 122 include, for example, a controller 202, an arithmetic unit 204, an input / output interface 206, a secure storage unit 208, a main storage unit 210, a network interface 212, and a media interface 216. Prepare.

(Controller 202)
The controller 202 is connected to other components via a bus, and mainly plays a role of controlling each unit in the apparatus based on a program and data stored in the main storage unit 210. The controller 202 may be configured by an arithmetic processing device such as a CPU (Central Processing Unit).

(Calculation unit 204 (key distribution server 102))
The arithmetic unit 204 included in the key distribution server 102 can execute, for example, content encryption, content key encryption, set key generation, and derivation of an intermediate key used to generate a set key. Therefore, the arithmetic unit 204 can function as a pseudo-random number generator that generates pseudo-random numbers based on predetermined data (seed value, etc.), and at the same time encrypts content or content key based on a predetermined algorithm. Is possible. The predetermined algorithm may be stored in the main storage unit 210 as a program that can be read by the arithmetic unit 204. The predetermined information may be stored in the main storage unit 210 or the secure storage unit 208. Note that the arithmetic unit 204 can record an output result obtained by executing the various arithmetic processes in the main storage unit 210 or the secure storage unit 208. In addition, the arithmetic unit 204 may be configured by an arithmetic processing device such as a CPU, or may be configured integrally with the controller 202 described above.

(Calculation unit 204 (terminal device 122))
On the other hand, the arithmetic unit 204 included in the terminal device 122 can execute, for example, content decryption, content key decryption, set key generation, and generation of an intermediate key used to generate a set key. Therefore, the arithmetic unit 204 can function as a pseudo-random number generator that generates pseudo-random numbers based on predetermined data (seed value, etc.), and at the same time, can decrypt the content or content key based on a predetermined algorithm. Is possible. The predetermined algorithm may be stored in the main storage unit 210 as a program that can be read by the arithmetic unit 204. Further, the predetermined information may be stored in the main storage unit 210 or the secure storage unit 208. Note that the arithmetic unit 204 can record an output result obtained by executing the various arithmetic processes in the main storage unit 210 or the secure storage unit 208. In addition, the arithmetic unit 204 may be configured by an arithmetic processing device such as a CPU, or may be configured integrally with the controller 202 described above.

(I / O interface 206)
The input / output interface 206 is mainly connected to an input device for a user to input information and an output device for outputting a calculation result or content contents. For example, the input device may be a keyboard, a mouse, a trackball, a touch pen, a keypad, a touch panel, or the like, and may be connected to the input / output interface 206 by wire or wirelessly. In some cases, the input device may be a portable electronic device such as a mobile phone or a PDA (Personal Digital Assistant) connected by wire or wirelessly. On the other hand, the output device may be, for example, a display device such as a display, or an audio output device such as a speaker, and may be connected to the input / output interface 206 by wire or wirelessly. The input / output device may be built in or integrated with the key distribution server 102 or the terminal device 122.

  The input / output interface 206 is connected to other components via a bus and can transmit information input via the input / output interface 206 to the main storage unit 210 and the like. On the contrary, the input / output interface 206 displays information stored in the main storage unit 210 or the like, information input via the network interface 212 or the like, or a result obtained by the arithmetic unit 204 calculating these information, or the like. Can be output to an output device.

(Secure storage unit 208)
The secure storage unit 208 securely stores mainly information that needs to be concealed, such as a content key, a set key, and an intermediate key. The secure storage unit 208 may be configured by, for example, a magnetic storage device such as a hard disk, an optical storage device such as an optical disk, a magneto-optical storage device, or a semiconductor storage device. Further, the secure storage unit 208 may be configured by a storage device having tamper resistance, for example.

(Main storage unit 210)
The main storage unit 210 is, for example, a control program for controlling other components, an encryption program for encrypting content or content key, and a decryption for decrypting encrypted content or content key. A program or a key generation program for generating a set key or an intermediate key may be stored. Further, the main storage unit 210 temporarily or permanently stores the calculation result output from the arithmetic unit 204, or stores information input from the input / output interface 206, the network interface 212, the media interface 216, or the like. May be. The main storage unit 210 may be configured by, for example, a magnetic storage device such as a hard disk, an optical storage device such as an optical disk, a magneto-optical storage device, or a semiconductor storage device. The main storage unit 210 may be configured integrally with the secure storage unit 208.

(Network interface 212)
The network interface 212 is connected to, for example, another communication device on the network. For example, information such as encrypted content or content key, set key, intermediate key, parameter information related to encryption, and licensed user Interface means for transmitting and receiving information on the set of The network interface 212 is connected to other components via a bus and transmits information received from an external device on the network to other components, or information held by other components is external to the network. Can be sent to the device.

(Media interface 216)
The media interface 216 is an interface for reading / writing information by attaching / detaching the information medium 218, and is connected to other components via a bus. For example, the media interface 216 can read information from the mounted information medium 218 and transmit the information to another component, or write information supplied from the other component to the information medium 218. The information medium 218 may be a portable storage medium (detachable storage medium) such as an optical disk, a magnetic disk, or a semiconductor memory, or may be wired / wirelessly connected at a relatively short distance without going through a network. It may be a storage medium of an information terminal.

  Heretofore, an example of the hardware configuration capable of realizing the functions of the key distribution server 102 and the terminal device 122 according to the present embodiment has been shown. Each component described above may be configured using a general-purpose member, or may be configured by hardware specialized for the function of each component. Therefore, it is possible to change the hardware configuration to be used as appropriate according to the technical level at the time of carrying out this embodiment. The hardware configuration described above is merely an example, and it goes without saying that the present invention is not limited to this. For example, the controller 202 and the arithmetic unit 204 may be configured by the same arithmetic device, and the secure storage unit 208 and the main storage unit 210 may be configured by the same storage device. Further, depending on the usage mode, a configuration in which the media interface 216 or the input / output interface 206 is omitted may be possible. Hereinafter, an encryption key distribution method realized by the key distribution server 102 and the terminal device 122 having the above hardware configuration will be described in detail.

[Encryption key distribution method for basic technology]
First, prior to detailed description of the encryption key distribution method according to the present embodiment, technical matters that form the basis for realizing the present embodiment will be described. In addition, this embodiment is comprised so that a more remarkable effect can be acquired by adding improvement to the fundamental technique described below. Therefore, the technology related to the improvement is the only part that characterizes this embodiment. In other words, the present embodiment follows the basic concept of the technical matters described here, but the essence is rather concentrated in the improved portion, the configuration is clearly different, and the effect is in line with the basic technology. Please note that

  An encryption key distribution method related to the basic technology described below will be referred to as a basic method. This basic scheme is a scheme in which a set of terminal devices of users to whom content is distributed is divided into a plurality of subsets, and the content key is encrypted by a set key assigned to each subset and distributed. This basic scheme is designed to reduce the amount of communication associated with encryption key distribution, the number of decryption keys that each user should hold, or the amount of calculation for each user to generate a decryption key. One solution is provided for the problem of how to select, how to generate a set key, and how to distribute the set key. Therefore, this basic method will be described with reference to FIGS.

(Tree structure setting)
First, in the basic scheme, a set of terminal devices (users) that are targets of content distribution is divided into a plurality of subsets. Therefore, with reference to FIG. 3, how to divide the subset according to the base scheme will be described. Of course, there is not one way to divide the subset, but the basic method adopts a method of dividing the subset using a binary tree structure. As will be described in detail below, the basic scheme assigns a predetermined subset to each node (node) constituting the binary tree structure in consideration of the positional relationship between the nodes. Thus, a subset of users having a predetermined combination is comprehensively selected. The strangeness of this selection method can be understood more clearly from the specific example of the binary tree structure shown in FIG. Therefore, a method for constructing a binary tree structure will be described with reference to FIG.

First, a set used for the following explanation is defined.
A set N = {1, 2,..., N} of all terminal devices (users) (n is a power of 2)
For natural numbers i and j (i ≦ j)
[I, j] = {i, i + 1, i + 2,..., J}
(I → i) = (i ← i) = {{i}}
(I → j) = {{i}, {i, i + 1},..., {I, i + 1,..., J}}
= {[I, i], [i, i + 1], [i, i + 2], ..., [i, j]}
(I ← j) = {{j}, {j, j−1},..., {J, j−1,..., I}}
= {[J, j], [j-1, j], [j-2, j], ..., [i, j]}

  In the following, a node located at the end of a binary tree structure (BT) is a leaf node, a node located at the vertex is a root node, and each node located between the root node and the leaf node is an intermediate node. I will call it. A leaf node corresponds to each terminal device. In the following, for convenience of explanation, it is assumed that the terminal device and the user have a 1: 1 correspondence, and the “terminal device” associated with the leaf node may be described as “user”. FIG. 3 shows an example in which the number of leaf nodes n of the BT is n = 64.

  First, a BT is created so that the number of leaf nodes is n (= 64). Then, for each leaf node, numbers 1, 2,. . . , N.

  Next, indices lv and rv for defining a subset to be assigned to a certain intermediate node v are defined. Of the leaf nodes located below a certain intermediate node v, the leftmost leaf node number is defined as lv, and the rightmost leaf node number is defined as rv. However, v may be considered as a consecutive number assigned to each intermediate node. That is, the intermediate node v indicates an intermediate node on the BT using v as an index.

  Next, the intermediate nodes on the BT are defined by being classified into two sets. Among the intermediate nodes on the BT, a set of intermediate nodes positioned on the left side of the parent node is defined as BTL, and a set of intermediate nodes positioned on the right side of the parent node is defined as BTR. Here, the parent-child relationship means a vertical relationship between nodes connected on the BT, and indicates a relationship in which the parent node is positioned higher and the child node is positioned lower.

  Next, a subset of the user set associated with each leaf node is associated with the root node on the BT. First, a set (1 → n) and a set (2 ← n) are associated with the root node. Since all the leaf nodes are connected below the root node, the root node is expressed by a set that comprehensively or selectively includes these leaf nodes. Specifically, the root node in FIG. 3 is associated with a set (1 → 64) and a set (2 ← 64). Therefore, consider the set (1 → 64). The set (1 → 64) includes subsets [1,1], [1,2],..., [1,64] as its elements. For example, in order to express all users (leaf nodes), a subset [1, 64] may be used, which is included as an element of the set (1 → 64). In order to express all users except the user with the number 16, the subsets [1, 15] and [17, 64] may be used, and the set (1 → 64) and the set (2 ← 64), respectively. Included as an element. In this way, the combination of leaf nodes (users) positioned below the root node can be expressed by a subset of the associated set.

  Next, a subset of the user set is associated with the intermediate node on the BT. First, a set (lv + 1 ← rv) is associated with the intermediate node v belonging to the set BTL. On the other hand, a set (lv → rv−1) is associated with the intermediate node v belonging to the set BTR. Of course, these sets are associated with all intermediate nodes v on the BT. Referring to FIG. 3, it can be seen that these sets are described beside each intermediate node. For example, when an intermediate node associated with the set (2 ← 4) is viewed, two intermediate nodes associated with the set (2 ← 2) and the set (3 → 3) are subordinate to the intermediate node. In addition, leaf nodes numbered 1 to 4 are connected. Therefore, if an attempt is made to express a combination of leaf nodes excluding the number 3 from these leaf nodes, {[1,1] [2,2], [4,4]} or {[1,2], [4 , 4]}. Subsets [1,1] and [1,2] are elements of the set (1 → 64) assigned to the root node, while subsets [2,2] and [4,4] are respectively It is an element of the sets (2 ← 2) and (2 ← 4).

  Thus, in the basic scheme, a subset of the user set is defined using the binary tree structure BT. This method makes it possible to represent a subset of users with various combinations. Note that the whole set constructed by these subsets is called a set system Φ and is defined as the following equation (1). That is, the following expression (1) is a mathematical expression of the binary tree structure constructed by the above method.

  The method for setting the binary tree structure that defines the subset has been described above. The basic concept of the infrastructure system is to set a set key for encrypting the content key for each of these subsets, encrypt the content key with each set key, and distribute it to all users. By defining subsets as described above, at least one means of classifying user combinations was defined. Hereinafter, an algorithm for generating a set key using these subsets will be described.

(Generate directed graph)
Here, a method for generating a directed graph representing an algorithm for generating a set key will be described with reference to FIG. However, prior to this, the relationship between the set key for encrypting the content key and the intermediate key for generating the set key will be described.

  As briefly mentioned above, in the basic scheme, a special pseudo random number generator PRSG (Pseudo-Random Sequence Generator) is used to generate a set key. When an intermediate key t (S0) corresponding to a certain subset S0 is input to this PRSG, the set key k (S0) corresponding to the subset S0 and the subsets S1, S2,. ... Output intermediate keys t (S1), t (S2),..., T (Sk) corresponding to Sk. Of course, the sets S0 and S1,..., Sk are any of the subsets constituting the set system Φ. That is, this PRSG is the key generation device. The feature of the base system is in the logic that defines the relationship between the input and output of the PRSG. A directed graph that defines the relationship between the set S0 and the sets S1, S2,..., Sk will be described.

Here, symbols used in the following description are defined.
Intermediate key corresponding to subset Si: t (Si)
Set key corresponding to subset Si: k (Si)
・ Content key: mek
-Pseudo random number generator: PRSG
(However, inputting t (S0) is expressed as PRSG (t (S0)).
On the other hand, the output of PRSG is t (S1) || ... || t (Sk) |
Notation is as follows. )
・ Directed graph: H
(However, the directed graph corresponding to the set (i ← j) is expressed as H (i ← j).)
・ Directed branch: E
・ Directed path: P

  First, a parameter k (k is a natural number) is determined. Here, for the sake of simplicity, k | log (n) (hereinafter, the bottom of the log is 2). Since this parameter k is related to the number of intermediate keys to be held by the terminal device 122 and the amount of calculation required to generate the set key as a result, it is a parameter that should be set appropriately according to the situation. is there. In FIG. 4, for example, k = 6 is set.

  Next, we describe how to draw a specific directed graph. First, as an example, a directed graph H (lv → rv−1) corresponding to an intermediate node v belonging to BTR will be described.

(Step 1) A horizontal coordinate axis for configuring the directed graph H (lv → rv−1) is set. A subset Si that constitutes an element of the set (lv → rv−1) is assigned to the coordinate axis as a coordinate point. The subsets Si forming these coordinate points are arranged so that the inclusion relationship increases from left to right. For example, taking the directed graph H (5 → 7) = H ({[5,5], [5,6], [5,7]}) as an example, the coordinate axis is a subset [5,5 in order from the left. ], [5, 6], and [5, 7].

  In the right directed graph H on the first and third horizontal coordinate axes, when the vertical line where the starting point is located is x, the intersection of the effective graph H and the vertical line y represents [x, y], and In the left directed graph H on the second and fourth horizontal coordinate axes, when the vertical line where the starting point is located is z, the intersection of the effective graph H and the vertical line y represents [y, z].

  Thereafter, a temporary coordinate point serving as a start point is set on the left side of the coordinate point located on the leftmost side of the coordinate axis, and a temporary coordinate point serving as an end point is set on the right side of the coordinate point located on the rightmost side of the coordinate axis. The coordinate axis set in this way has a length Lv from the leftmost temporary coordinate point (start point) to the rightmost temporary coordinate point (end point) as Lv = rv−lv + 1.

(Step 2) A directional branch constituting the directed graph H (lv → rv−1) is set.
(2-1) An integer x satisfying n ^{(x−1) / k} <Lv ≦ n ^{x / k} is calculated. This integer x satisfies 1 ≦ x ≦ k.
(2-2) The following operation is repeated while moving the counter i from 0 to x-1. Starting from the starting point at the left end of the horizontal coordinate axis, jump setting a rightward directional branch extending from the coordinate point to n ^{i / k} apart coordinate point (from the coordinate point to n ^{i / k} apart coordinate points ) Is repeated until the end of the directed edge reaches the end point at the right end of the horizontal coordinate axis, or the end of the next directed branch exceeds the end point.
(Step 3) All directional branches having a temporary coordinate point as a start point or an end point are deleted.
(Step 4) If there are a plurality of directional branches that reach a certain coordinate point, only the longest directional branch is left, and all directional branches other than the longest directional branch are deleted.

  When the above (Step 1) to (Step 4) are executed, the directed graph H (lv → rv−1) is completed. For example, referring to the directed graph H (33 → 63) located on the right side of the third row from the top in FIG. 4 as an example, it is connected to the effective branch of the arch-shaped curve and one end of the arch-shaped curve, and in the horizontal direction. A set of lines constituted by the extended straight lines is the substance of the directed graph H (33 → 63). Further, each curve and straight line constituting the directed graph H (33 → 63) is a directed branch. And the intersection of the edge part of a directed branch and a vertical line is a coordinate point. Although the horizontal coordinate axis is not explicitly shown in FIG. 4, the horizontal coordinate axis is configured by a set of intersections between the vertical lines and the ends of the directed branches. Further, a white arrow is drawn on the upper portion of the directed graph H (33 → 63), and this indicates the direction of the directed branch. That is, all the directional branches constituting the directed graph H (33 → 63) are directed rightward.

  Similar to the directed graph H (lv → rv−1), the directed graph H (lv + 1 ← rv) associated with the intermediate node v belonging to the BTL, the directed graph H (1 → n) associated with the root node, and Set H (2 ← n). However, when setting the coordinate axes of the directed graphs H (lv + 1 ← rv) and H (2 ← n), the subset Si is arranged on the horizontal coordinate axis so that the inclusion relation increases from right to left. Turn the counter branch to the left. The directed graph H (1 → n) is generated by adding the directed edge E ([1, n−1], [1, n]) to the directed graph H (1 → n−1). On the other hand, the directed graph H (2 ← n) is set by the same method as the directed graph H (lv + 1 ← rv).

  Here, a description is added by taking the directed graph H (1 → 64) in FIG. 4 as an example. First, the horizontal coordinate axis of the directed graph H (1 → 64) is [1, 1] = {1} at the leftmost coordinate point (intersection with the vertical line 1), and the right coordinate point (vertical line 2 and ) Is [1,2] = {1,2}, and the right coordinate point is [1,3] = {1,2,3}. In addition, an arrow drawn immediately above or directly below each directed graph represents the direction indicated by all the directed branches constituting the directed graph H. For example, the directed graph H (1 → 64) has a directional branch from the coordinate point [1,1] to [1,2], and the coordinate point [1,2] to [1,3] and [1,3]. 4] There are two directed branches extending to Also, the black circles drawn at the bottom of FIG. 4 represent the directed graphs H (2 → 2), H (3 → 3),..., H (63 → 63), respectively, from the left.

  The setting method of the directed graph H has been described above. FIG. 4 shows the directed graph H corresponding to each intermediate node and root node on the BT by the above method. In this example, n = 64 and k = 6. Below, the logic which produces | generates a set key using this directed graph H is described.

(Generate set key)
As already described, in the basic scheme, the content key mek is encrypted and distributed using the set key k (Si) assigned to each subset Si constituting the set system Φ. That is, each coordinate point of the directed graph H corresponds to a subset Si composed of one or more users, and is assigned a set key k (Si). Further, the intermediate key t (Si) is also assigned to each of the subsets Si and used to generate the set key k (Si).

  By the way, since the number of repetitions in the above-described process (2-2) is x and 1 ≦ x ≦ k, there are at most k directional branches from each coordinate point of the directed graph H. . A subset of coordinate points to which one or more directional branches from a certain coordinate point (subset S0) reach is set in the order close to the certain coordinate point (in the order of short directional branch), S1, S2,..., Sk. However, when the number of directional branches from the coordinate point (subset S0) is q (q <k), S (q + 1), S (q + 2),. Not actually used.

  In the base scheme, the above-described PRSG that outputs (k + 1) λ bits with respect to the input of λ bits is used to generate the set key k (Si). When this PRSG receives an intermediate key t (S0) corresponding to a certain coordinate point (subset S0), each coordinate point (subset S1, S2,. The intermediate keys t (S1), t (S2),..., T (Sk) corresponding to Sk) and the set key k (S0) of the subset S0 are output. That is, t (S1) || ... || t (Sk) || k (S0) ← PRSG (t (S0)). By dividing the PRSG output into λ bits from the left, intermediate keys t (S1), t (S2),..., T (Sk) and set key k (S0) are obtained.

  For example, referring to the directed graph H (1 → 64) in FIG. 4 and focusing on the coordinate point (subset S0) = [1,8] (the eighth coordinate point from the left end), there are four from the coordinate point S0. Directed ends, and the end points are S1 = [1,9], S2 = [1,10], S3 = [1,12], and S4 = [1,16], respectively. Therefore, when the intermediate key t (S0) is input to the PRSG, k (S0), t (S1), t (S2), t (S3), and t (S4) can be obtained. Further, when the obtained t (S4) is input to the PRSG, k (S4), S11 = [1,17], S12 = [1,18], S13 = [1,20], S14 = [1, 24], S15 = [1, 32], t (S11), t (S12), t (S13), t (S14), and t (S15) can be obtained. Thus, a plurality of set keys can be calculated by repeatedly using PRSG.

  The intermediate key is used for the purpose of improving security. There is no need to pay special attention to security, but if you want to reduce the amount of computation for generating a set key, do not use an intermediate key, but instead calculate one set key directly from another set key. Also good. For example, in the above example, the output when the set key k (S0) of the subset S0 is input to the PRSG is k (S1), k (S2), k (S3), k (S4), It is good also as a set key of subset S1-4.

  As can be easily inferred from the above example, an intermediate key corresponds to a coordinate point that can be reached by a chain of directional branches extending from the coordinate point corresponding to the intermediate key by repeatedly using PRSG. An intermediate key and a set key can be derived. Therefore, each user only needs to hold a minimum number of intermediate keys that can derive all the intermediate keys corresponding to the subset in which the user is included. On the other hand, if the key distribution server that generates the set key for encrypting the content key holds only the intermediate key corresponding to at least the head coordinate point of each directed graph H, the calculation by PRSG is repeated, A set key corresponding to another coordinate point of the directed graph can be derived.

  Therefore, the administrator of the key distribution system sets, for example, a λ-bit random number as an intermediate key of the first coordinate point (root) of each directed graph H in the key distribution server when setting up the key distribution system. Here, the head coordinate point (root) of the directed graph H is a coordinate point where a directional branch comes out from the coordinate point but does not reach the coordinate point. For example, the first coordinate point of the directed graph H (1 → 64) in FIG. 4 is the [1, 1] coordinate point at the left end of the horizontal coordinate axis.

  The set key generation method has been described above. The set key generation method is used not only in the key generation server on the content key sender side but also in the terminal device on the receiver side.

(Intermediate key distribution)
Here, the distribution of the intermediate key from the key distribution server to the terminal device of each user will be described. As already described briefly, each user terminal device must be provided with a plurality of intermediate keys from which set keys corresponding to all subsets including the user terminal device can be derived. Of course, an intermediate key capable of deriving a set key corresponding to a subset not including the user's terminal device must not be given, and the number of intermediate keys to be given is minimal from the viewpoint of increasing the amount of memory. It is preferable.

  Therefore, the intermediate key distributor may refer to a subset to which the terminal device of the user u belongs (hereinafter referred to as “subset to which the user u belongs” or “subset to which the user u is included”). All the directed graphs H included in the elements are extracted. When the user u is included in the subset corresponding to the leading coordinate point (root) of the directed graph H, only the intermediate key corresponding to the leading coordinate point is given to the terminal device of the user u. Further, when the user u belongs to any of the subsets corresponding to the coordinate points other than the head coordinate point of the directed graph H, the user u is included in the subset S0, but the portion that is the parent of the subset S0 A subset S0 that is not included in the set parent (S0) is found, and the intermediate key t (S0) of the subset S0 is given to the terminal device of the user u. In other words, in the directed graph H, when there are a plurality of coordinate points including the user u in the subset corresponding to the coordinate point other than the head coordinate point, the subset S0 is selected from the coordinate points. A coordinate point S0 that does not include the user u in the subset parent (S0) corresponding to the starting point of the directional branch that reaches the corresponding coordinate point is extracted, and the intermediate key t (S0) of the coordinate point S0 is extracted from the user u is given to the terminal device. If there are a plurality of such coordinate points S0, each intermediate key t (S0) is given. Here, the parent-child relationship of the coordinate points is determined by the directional branch, and the start point coordinate point of the directional branch is a parent of the end point coordinate point, and the end point coordinate point of the directional branch is a child of the start point coordinate point. Hereinafter, the starting point coordinate point (S0) of the directional branch that reaches a certain coordinate point S0 is referred to as a parent coordinate point. When a coordinate point S0 is the start point of the valid graph H, there is no parent coordinate point, and when it is not the start point of the valid graph H, there is only one parent coordinate point. For one effective graph H, there may be a plurality of coordinate points that include the user u in a subset corresponding to itself and do not include the user u in a subset corresponding to the parent coordinate point.

The above intermediate key distribution method will be described in detail with reference to the example of FIG.
(Example 1) Consider an intermediate key distributed to user 1. First, when a directed graph H having a subset to which the user 1 belongs as an element is searched, it can be seen that only the directed graph H (1 → 64). The user 1 belongs to the subset [1, 1] that is the leading coordinate point of the directed graph H (1 → 64). Therefore, only the intermediate key t ([1, 1]) is given to the user 1.
(Example 2) Consider an intermediate key distributed to the user 3. First, when a directed graph H having a subset to which the user 3 belongs as an element is searched, the directed graph H (1 → 64), H (2 ← 64), H (2 ← 32), H (2 ← 16), H (2 ← 8), H (2 ← 4), and H (3 → 3) are applicable. Considering the directed graph H (1 → 64), the user 3 does not belong to the subset [1, 1] of the first coordinate point, and the subset [1, 3], It can be seen that it belongs to [1,4],..., [1,64]. Of these coordinate points, the only coordinate points that do not include the user 3 in the parent coordinate point are [1, 3] and [1, 4]. That is, the coordinate point [1,3], which is the parent coordinate point of the coordinate point [1,3], [1,4] including the user 3 ([1,3]) and the coordinate point [1,2] which is the parent ([1,4]). Does not include user 3. Therefore, the user 3 is given t ([1,3]) and t ([1,4]) as intermediate keys corresponding to the directed graph H (1 → 64). In the same manner, other directed graphs H (2 ← 64), H (2 ← 32), H (2 ← 16), H (2 ← 8), H (2 ← 4), H (3 → 3) Also, the corresponding intermediate key is selected and given to the user 3. As a result, the user 3 is given a total of eight intermediate keys.

  Here, with reference to FIG. 5, processing until the intermediate key is distributed to the terminal device of each user will be briefly organized. FIG. 5 is a flowchart showing a processing flow related to intermediate key distribution in the key distribution server at the time of system setup.

  As shown in FIG. 5, first, the key distribution server of the key distribution system sets various parameters and the like. For example, the number of users n, the number of bits λ of the set key and the intermediate key, a predetermined parameter k, and a pseudo random number generation algorithm based on PRSG are determined and disclosed to the terminal devices of all users (S102). Next, the key distribution server divides the set of users into a predetermined subset, determines the set system Φ (see the above equation (1)) expressed by the union, and publishes it (S104). Then, the directed graph H and the directed branch T constituting the directed graph H are determined and disclosed (S106). Further, an intermediate key corresponding to each subset constituting the set system Φ is determined (S108). Thereafter, a necessary intermediate key is distributed to the terminal device 122 of each user so that each user can derive a set key corresponding to a subset including the user (S110).

  The intermediate key distribution method has been described above. When this distribution method is used, the minimum intermediate key necessary for the terminal device of each licensed user to generate the set key is distributed, the amount of communication between the key distribution server and the terminal device, and the terminal device of each user It is possible to save the memory amount of the intermediate key in.

(Distribution of content key)
Here, a method of distributing the encrypted content key mek by the key distribution server will be described. First, the key distribution server encrypts the content key mek using a set key that can be generated only by the terminal device 122 of the licensed user. More specifically, the key distribution server determines a set R of terminal devices of users to be excluded (hereinafter, excluded users), and sets N of terminal devices 1 to n of all users, A set N \ R of licensed user terminal devices excluding the set R (hereinafter, “set R of excluded users”) (hereinafter, “set N \ R of licensed users”) is determined. Then, by the union of the subsets Si (i = 1, 2,..., M) selected from the subsets constituting the set system Φ, the authorized user set N \ R = S1∪S2∪ ·・ ・ Expresses ∪Sm. At this time, there are many combinations of subsets Si, but the subset Si that minimizes m is selected. After selecting the subset Si in this way, the content key mek is encrypted with the set key k (Si) corresponding to each subset Si. That is, the content key mek is encrypted with the set keys k (S1), k (S2),..., K (Sm), and becomes m encrypted content keys mek. Then, m encrypted content keys mek are distributed to the terminal devices 1 to n of all users. At this time, information representing the set N \ R of licensed users or information representing m subsets Si is also distributed to the terminal devices 1 to n of all users.

  Here, with reference to FIG. 6, the processing flow relating to the distribution of the encrypted content key mek will be briefly organized. FIG. 6 is a flowchart showing a processing flow relating to distribution of a content key.

  As shown in FIG. 6, first, the key distribution server determines a set R of excluded users, and obtains a set N \ R of permitted users (S112). Next, m subsets Si (i = 1, 2,..., M) whose sum is N \ R are selected from the subsets constituting the set system Φ so that m is minimized. (S114). Then, the content key mek is encrypted using the set key k (Si) corresponding to each selected subset Si (S116). Further, the information representing the authorized user set N \ R or each subset Si and the m encrypted content keys mek are distributed to the terminal devices 1 to n of all users (S118).

  The content key mek encryption method and distribution method have been described above. When this encryption method is used, the subset Si can be efficiently selected so that the number of set keys is minimized. For this reason, since the content key mek is encrypted with the minimum necessary set key, the amount of calculation required for encryption can be reduced, and at the same time, the number of encrypted content keys mek to be distributed can be reduced, and the communication amount can be reduced. It becomes possible to reduce.

(Decryption of content key)
Next, decryption processing of the encrypted content key in the terminal device of each user will be described. This decryption processing obtains a content key mek based on information representing the set N \ R of authorized users or m subsets Si received from the key distribution server by the terminal device and m ciphertexts. It is processing.

  The terminal device receives the encrypted content key and the information representing the set N \ R of licensed users or the information representing the m subsets Si from the key distribution server. Furthermore, the terminal device analyzes the information and determines whether or not it belongs to any of the m subsets Si. If it does not belong to any subset, it is the excluded user's terminal device, so the decoding process is terminated. On the other hand, when the subset Si to which the terminal belongs is found, the terminal device derives a set key k (Si) corresponding to the subset Si using the PRSG. The configuration of the PRSG is as already described.

  At this time, the terminal device is given an intermediate key t (Si) corresponding to the subset Si from the key distribution server at the time of system setup in advance, and if this is held in advance, the intermediate key t (Si) is stored in the PRSG. If input, it is possible to derive the set key k (Si) corresponding to the subset Si. On the other hand, when the intermediate key t (Si) is not held, the terminal device can derive the desired set key k (Si) by repeatedly inputting the held intermediate key to the PRSG. . Further, the terminal device decrypts the encrypted content key mek using the set key k (Si) derived in this way.

  Here, the derivation of the set key k (Si) in the terminal device will be specifically described with reference to the example of FIG. It is assumed that [1,8] is selected as a subset to which the terminal device of user 3 belongs. As described above, the terminal device of the user 3 holds the intermediate key of the subset [1, 4]. Referring to the directed graph H (1 → 64) in FIG. 4, a directional branch extending from a coordinate point of [1, 4] to a coordinate point of [1, 8] is set. Of the directional branches starting from the coordinate point 1,4], the third one is the shortest (jump distance). For this reason, among the outputs when the intermediate key t ([1, 4]) of [1, 4] is input to the PRSG, the third λ-bit portion from the head is the subset [1, 8]. It is an intermediate key t ([1, 8]). The terminal device extracts the intermediate key t ([1, 8]) from the output of the PRSG, and extracts the λ bit of the final part when it is input to the PRSG again, thereby obtaining the desired set key k ([1 , 8]).

  Similarly, it is assumed that [1,8] is selected as a subset to which the terminal device of user 1 belongs. The terminal device of user 1 holds an intermediate key of the subset [1, 1]. In this case, the terminal device 122 outputs the first λ bit portion (intermediate key t ((1)) from the beginning of the output when the intermediate key t ([1, 1]) of [1, 1] is input to the PRSG. [1, 2]))), and then the second λ-bit portion (from the beginning) of the output when the intermediate key t ([1, 2]) is input to the PRSG ( The intermediate key t ([1, 4]) is extracted, and the third λ from the head among the outputs when the intermediate key t ([1, 4]) is input to the PRSG is extracted. A bit part (corresponding to the intermediate key t ([1, 8])) is extracted, and finally, the final part of the output when the intermediate key t ([1, 8]) is input to the PRSG. The desired set key k ([1, 8]) can be obtained by extracting (corresponding to the set key k ([1, 8])).

  Here, the processing flow for decrypting the encrypted content key mek in the terminal device of each user will be organized with reference to FIG. FIG. 7 is a flowchart showing a processing flow related to the decryption of the content key in the terminal device of each user.

  As shown in FIG. 7, first, each user terminal device receives m encrypted content keys mek and information representing a set N \ R of authorized users, or m subsets from the key distribution server. Information representing Si (i = 1, 2,..., M) is received (S120). Next, the terminal device searches the subset Si to which it belongs based on the information (S122), and determines whether it belongs to any of the m subsets Si (S124).

  As a result, when the subset Si to which it belongs is found, the set key k (Si) corresponding to the subset Si is derived using the PRSG (S126). The configuration of the PRSG is as already described. If the intermediate key t (Si) corresponding to the subset Si is given from the key distribution server at the time of setup and held in advance, the set key k (Si) can be derived by using the PRSG once. On the other hand, when the intermediate key t (Si) is not held, a desired set key k (Si) can be derived by repeatedly using PRSG. Next, the terminal device decrypts the encrypted content key mek using the set key k (Si) derived in this way (S128).

  On the other hand, if it is determined in S124 that the terminal device does not belong to any subset Si, the terminal device is excluded from the terminal device that can use the content (is an excluded user). ) Is displayed and output (S130), and the content key decryption process is terminated.

  The content key decryption method in the terminal device has been described above. The above-described decryption method is executed using PRSG that generates an intermediate key and a set key based on information of the directed graph H. Accordingly, directed graph information and PRSG are also required on the terminal device side of each user. However, with this method using PRSG, the number of intermediate keys held by each user's terminal device can be minimized.

Up to this point, the encryption key distribution method according to the basic technology of this embodiment has been described. When this basic scheme is used, the number of intermediate keys to be held by the terminal device of each user is O (k * log (n)), and the amount of calculation required for generating the set key (PRSG operation count) is (2k). −1) * (n ^{1 / k} −1) is not exceeded. However, the encryption key distribution method according to the basic technology has a problem that the number of intermediate keys to be held by each user terminal device is still large, as shown in FIG.

  In addition, the dominant amount of computation required by the terminal device when decrypting the encrypted content key mek depends on how many times PRSG is executed to derive a desired intermediate key. . This worst value is represented by the number of directional branches (that is, the number of jumps) from the head coordinate point (root) in the directed graph H to the farthest end coordinate point (the leaf where the directional branch does not appear). In the example shown in FIG. 4, in order to reach from the first coordinate point [1,1] to the last coordinate point [1,64] of the directed graph H (1 → 64), it passes through 11 directional branches (11 times). This indicates that the PRSG must be executed 11 times. As described above, the encryption key distribution method according to the basic technology has a problem that the amount of calculation for deriving the intermediate key is large because the PRSG is executed many times.

  Accordingly, the inventors of the present application have made intensive efforts to solve the above problems, and have developed an encryption key distribution method according to an embodiment of the present invention as described below. The encryption key distribution method according to the present embodiment generates a temporary directed graph composed of longer directional branches, and then replaces the effective branches constituting the temporary directed graph with shorter directional branches to reconstruct the directed graph. As a result, the amount of calculation required for the terminal device 122 to generate the set key can be reduced while the number of intermediate keys held by the terminal device 122 is reduced. In the following, the characteristics and operational effects of this encryption key distribution method will be described together with the functional configurations of the key distribution server 102 and the terminal device 122 that realize the encryption key distribution method according to this embodiment.

[Configuration of Key Distribution Server 102]
First, the configuration of the key distribution server 102 according to the present embodiment will be described in detail with reference to FIG. FIG. 8 is a block diagram showing the configuration of the key distribution server 102 and the terminal device 122 according to this embodiment.

  As shown in FIG. 8, the key distribution server 102 includes a tree structure setting unit 104, a coordinate axis setting unit 106, a temporary directed graph generation unit 108, a directed graph generation unit 110, an initial intermediate key setting unit 112, and a key generation unit. 114, an encryption unit 116, a transmission unit 118, and a subset determination unit 120. In particular, the tree structure setting unit 104, the coordinate axis setting unit 106, the temporary directed graph generation unit 108, and the directed graph generation unit 110 are collectively referred to as a key generation logic building block. Similarly, the initial intermediate key setting unit 112 and the key generation unit 114 are collectively referred to as a key generation block.

  First, each component constituting the key generation logic building block will be described. This key generation logic building block executes processing corresponding to (tree structure setting) and (directed graph generation) in [Description of fundamental technology].

  The tree structure setting unit 104 includes n leaf nodes associated with numbers 1 to n (n is a natural number), a root node, and a plurality of intermediate nodes other than the root node and the leaf node. Among the plurality of leaf nodes arranged below a certain intermediate node v or root node v, the leaf node number located at the left end is lv and the leaf node located at the right end Is set to rv. Further, the tree structure setting unit 104 assigns a set (1 → n) and a set (2 ← n) to the root node, and when an intermediate node v is located on the left side of the parent node, A set (lv + 1 ← rv) is assigned to an intermediate node, and if the intermediate node v is located on the right side of its parent node, a set (lv → rv−1) is assigned to the intermediate node.

  As described above, the tree structure setting unit 104 has a configuration capable of constructing an m-ary tree structure. For example, assuming the case of m = 2 (binary tree structure), the tree structure setting unit 104 is 2 according to the base scheme. A tree structure that matches the branch tree structure (FIG. 3) can be constructed. Therefore, the meaning of each node of the tree structure constructed by the tree structure setting unit 104 is substantially the same as the meaning of each node of the binary tree structure constructed by the above-described infrastructure method. Hereinafter, for convenience of explanation, the description is limited to the binary tree structure, but the present invention is not limited to this.

(Coordinate axis setting unit 106)
The coordinate axis setting unit 106 sets a first horizontal coordinate axis in which coordinate points corresponding to each subset included in the set (1 → n) are arranged so that the inclusion relation increases in the right direction. Next, the coordinate axis setting unit 106 sets a second horizontal coordinate axis in which coordinate points corresponding to each subset included in the set (2 ← n) are arranged so that the inclusion relation increases in the left direction. Then, for each intermediate node v, the coordinate axis setting unit 106 arranges the coordinate points corresponding to each subset included in the set (lv → rv−1) so that the inclusion relation increases in the right direction. Set 3 horizontal coordinate axes. Further, the coordinate axis setting unit 106 arranges the coordinate points corresponding to the respective subsets included in the set (lv + 1 ← rv) for each intermediate node v so as to increase the inclusive relation toward the left. Set the coordinate axes. Thereafter, the coordinate axis setting unit 106 has two temporary coordinates on the right side of the coordinate point located at the right end on the third horizontal coordinate axis and on the left side of the coordinate point located at the left end on the second and fourth horizontal coordinate axes. Place a point. Further, the coordinate axis setting unit 106 sets the coordinate point located at the right end on the first horizontal coordinate axis as the first temporary coordinate point, and arranges the second temporary coordinate point on the right side of the first temporary coordinate point. .

  As described above, the coordinate axis setting unit 106 sets coordinate axes for constructing a directed graph corresponding to each node of the tree structure set by the tree structure setting unit 104. The first horizontal coordinate axis is the coordinate axis corresponding to the set (1 → n), the second horizontal coordinate axis is the coordinate axis corresponding to the set (2 ← n), and the third horizontal coordinate axis is the set (lv → rv−1). The fourth horizontal coordinate axis indicates the coordinate axis corresponding to the set (lv + 1 ← rv). Of course, since the third horizontal coordinate axis and the fourth horizontal coordinate axis are set for each intermediate node v, a plurality of coordinate axes are respectively set. That is, the third horizontal coordinate axis and the fourth horizontal coordinate axis are set by the number of intermediate nodes.

(Temporary directed graph generation unit 108)
The provisional directed graph generation unit 108 sets a predetermined integer k, and calculates an integer x that satisfies n ^{(x−1) / k} <(rv−lv + 1) ≦ nx ^{/ k} . Then, the temporary digraph generation unit 108 connects the first and the plurality of directional branches facing the right direction having a length of n ^{i / k} for each of the integers i = 0 to x−1. Forming a directional path starting from the leftmost coordinate point on the third horizontal coordinate axis, and further connecting one or more directional branches facing the left direction having a length of ^{ni / k} A directed path starting from the rightmost coordinate point on the second and fourth horizontal coordinate axes is formed. Next, the temporary digraph generation unit 108 excludes all directional branches having the temporary coordinate point as a start point or an end point for each of the first to fourth horizontal coordinate axes. Then, the temporary directed graph generation unit 108 excludes the directional branch other than the longest directional branch from the directional branches that reach the coordinate points on the first to fourth horizontal coordinate axes, and sets (1 → n− 1) A temporary directed graph relating to the set (2 ← n), the set (lv + 1 ← rv), and the set (lv → rv−1) is generated. Thereafter, the temporary digraph generation unit 108 has a length 1 directional branch (rightward) with the first temporary coordinate point on the first horizontal coordinate axis as the end point for the temporary digraph related to the set (1 → n−1). To generate a temporary digraph for the set (1 → n).

  As described above, the temporary directed graph generation unit 108 generates a directed graph by a method similar to the base method. However, the temporary directed graph generation unit 108 can generate a directed graph composed of longer directional branches as compared to the basic directed graph. This reduces the amount of calculation required for each user to derive the set key, as will be described later. Therefore, a processing flow related to processing executed by the temporary digraph generation unit 108 will be described in detail with reference to FIG. FIG. 9 is a flowchart showing a processing flow related to the directed graph generation by the temporary directed graph generation unit 108.

Referring to FIG. 9, the temporary directed graph generation unit 108 creates a directed graph through the following steps. However, here, a method for generating the temporary directed graph I ′ (lv → rv−1) corresponding to the set (lv → rv−1) will be described as an example.
(Step 1; S140) The temporary directed graph generation unit 108 arranges each subset included in the set (lv → rv−1) so that the inclusion relation increases from left to right on a horizontal straight line (horizontal coordinate axis). Deploy. More precisely, the temporary digraph generation unit 108 assigns a subset forming each element of the set (lv → rv−1) to each coordinate point on the horizontal coordinate axis, and the inclusion relation of the assigned subset is right. Coordinate points are arranged so as to increase in the direction. Then, the temporary digraph generation unit 108 arranges two temporary coordinate points on the right side of the coordinate point located at the rightmost position on the horizontal coordinate axis. At this time, the distance Lv from the leftmost coordinate point arranged on the coordinate axis to the rightmost coordinate point is Lv = rv−lv + 1. At this time, the temporary directed graph generation unit 108 calculates an integer x (1 ≦ x ≦ k) that satisfies n ^{(x−1) / k} <Lv ≦ n ^{x / k} .
(Step 2; S142) The temporary digraph generation unit 108 sets the integer value i as a counter, and repeats the following operation while changing the counter i from 0 to x-1. Starting from the starting point at the left end of the horizontal coordinate axis, jump setting a rightward directional branch extending from the coordinate point to n ^{i / k} apart coordinate point (from the coordinate point to n ^{i / k} apart coordinate points ) Until the end of the directed edge reaches the temporary coordinate point at the right end of the horizontal coordinate axis or to the left of the horizontal coordinate axis, or the end of the directed branch set next exceeds any of the temporary coordinate points Repeat until
(Step 3; S144) The temporary digraph generation unit 108 removes all the directional branches that reach the temporary coordinate point from the directional branches created in (Step 2).
(Step 4; S146) When there are a plurality of directed branches that reach a certain coordinate point, the temporary directed graph generation unit 108 removes all the directed branches other than the longest directed branch.

  Through the above steps, the temporary directed graph generation unit 108 can generate a directed graph formed by longer directional branches as compared to the base method. The temporary directed graph generation unit 108 generates each directed graph for all intermediate nodes and root nodes constituting the tree structure by the same method as the temporary directed graph I ′ (lv → rv−1). For example, the temporary digraph generation unit 108 generates a temporary digraph I ′ (lv + 1 ← rv) corresponding to a certain intermediate node v, and further, the temporary digraphs I ′ (1 → n) and I (2 ←) corresponding to the root node. n). At this time, the temporary digraphs I ′ (lv + 1 ← rv) and I (2 ← n) are horizontal in which the coordinate points are arranged so that the inclusion relation of the subsets included in each of the temporary directed graphs I ′ (lv + 1 ← rv) increases toward the “left direction”. Formed on coordinate axes. That is, the coordinate point arrangement rule on the horizontal coordinate axis set by the above (Step 1) is reversed. Further, the two temporary coordinate points for forming the temporary directed graphs I ′ (lv + 1 ← rv) and I (2 ← n) are arranged on the left side of the leftmost coordinate point on the horizontal coordinate axis. The directed graph I (1 → n) is generated by adding the directed edge E ([1, n−1], [1, n]) to the directed graph I (1 → n−1).

  When the above directed graph generation method is used, a temporary directed graph I ′ shown in FIG. 10 is generated. FIG. 10 is a temporary digraph I ′ formed when the parameter k = 6 is set based on the complete binary tree structure with the number of leaf nodes n = 64 shown in FIG.

(Directed Graph Generation Unit 110)
The directed graph generation unit 110 determines the longest directional path in which the number of directional branches constituting the directional path is the largest among the directional paths that are included in the temporary directed graph and formed by the connected directional branches. To do. Then, the directed graph generation unit 110 replaces the directional branch constituting each directional path with a set of shorter directional branches so as not to exceed the number of directional branches constituting the longest directional path. Each directed path is reconstructed, and a directed graph formed by the reconstructed directed path is generated.

  As described above, the directed graph generation unit 110 generates a desired directed graph I based on the temporary directed graph I ′ constructed by the temporary directed graph generation unit 108. That is, in the base method, only the directed graph H that is substantially the same as the temporary directed graph I ′ can be generated. However, the key distribution server 102 according to the present embodiment is more efficient by including the directed graph generation unit 110. It is possible to generate the directed graph I indicating the set key generation logic. Therefore, a processing flow relating to processing executed by the directed graph generation unit 110 will be described in detail.

  First, an outline of a directed graph generation method by the directed graph generation unit 110 will be briefly described with reference to FIG. FIG. 11 is a flowchart illustrating an example of a processing flow for generating a directed graph.

  First, the directed graph generation unit 110 uses the temporary directed graph I ′ generated by the temporary directed graph generation unit 108 in order to generate a desired directed graph I.

  Then, the directed graph generation unit 110 extracts the longest directional path LP (Longest Path) from the directional paths constituting all the generated temporary directed graphs I ′ (S150). Note that the step of extracting the directional path LP may be executed by, for example, the longest directional path generation unit included in the directed graph generation unit 110. Further, the longest directional path PLP (Partial Longest Path) is extracted for each of the generated temporary directed graphs I ′ that do not include the longest directional path LP (S152). That is, the directed path PLP is extracted for each temporary directed graph I ′. Thereafter, a predetermined directional branch is selected from the directional branches constituting the temporary directed graph I ′, and is replaced with a shorter directional branch (S154). At this time, the directed graph generation unit 110 performs directed edge replacement on the basis of the extracted directional path LP and the length of the directional path PLP under the condition that the worst value of the calculation amount does not increase. To do. Note that the predetermined directional branch selection step may be executed by, for example, a replacement directional branch selection unit included in the directed graph generation unit 110. Further, the directed edge replacement step may be executed by, for example, a directed edge replacement unit included in the directed graph generation unit 110.

  The outline of the directed graph generation process by the directed graph generation unit 110 has been described above. As described above, the directed graph generation unit 110 extracts the directed path LP and the directed path PLP from the temporary directed graph I ′ generated by the temporary directed graph generation unit 108, and performs predetermined processing based on the lengths of these directed paths. A desired directed graph can be generated by selecting and replacing the directed edge of. Hereinafter, a more detailed description corresponding to each of the above steps will be given.

First, the step of extracting the longest directional path LP (S160) will be described with reference to FIG. First, in describing the longest directional path LP, two expressions are defined below.
DDT: indicates the length of the longest directional path LP.
J (a, b): indicates that a directional branch having a length b exists continuously in a certain directional path.

The directed graph generation unit 110 can calculate J (a, b) for each of the directed paths constituting the temporary directed graph I ′. For example, considering a directed path P ([1, 1], [1, n]) from the coordinate point [1, 1] to [1, n] of the temporary directed graph I ′ (1 → n), The paths P ([1,1], [1, n]) are J (n1 ^{/ k−} 1, n ^{(k−1) / k} ), J (n1 ^{/ k−} 1, n ^{(k−2). ) / K} ),. . . , J (n ^{1 / k} , 1). In the case of the temporary generation graph I ′ generated by the temporary directed graph generation unit 108 described above, the directed path LP is a directed path P ([1, 1], [1] constituting the temporary directed graph I ′ (1 → n). , N]). The directed graph generation unit 110 may extract the longest directed path LP, or uniquely specify the directed path P ([1, 1], [1, n]) constituting the temporary directed graph I ′ (1 → n). In some cases, the directed graph generation unit 110 may calculate the lengths of all the directional paths constituting the temporary directed graph I ′, and select the longest directional path LP from among them. Good. At this time, the length DDT of the longest directional path LP is expressed by DDT = k * (n ^{1 / k} −1). Thereafter, the directed graph generation unit 110 sets an active mark indicating that it is valid for all the directional branches constituting the longest directional path LP.

  Next, a step of calculating the longest directional path PLP for each temporary directed graph I ′ (excluding the graph including the longest directional path LP) corresponding to the root node and each intermediate node will be described with reference to FIG. To do. FIG. 13 is a flowchart showing the calculation process of the directed path PLP.

First, in describing the process of extracting the longest directional path PLP for each directed graph, the following two expressions are defined.
CP (Current Path): directed path under consideration (referred to as current path)
#JP (CP): Number of directional branches included in the directional path

The directed graph generation unit 110 extracts a directed path PLP based on the following algorithm.
(Step 1) The directed graph generation unit 110 determines the current path CP from the start point to the end point of the directed graph I ′. At this time, when the directed graph to be considered is the directed graph I ′ (a → b), the directed path P ([a, a], [a, b]) is set as the current path CP, and the directed graph I ′. If (a ← b), the directed path P ([b, b], [a, b]) is set as the current path CP (S162).
(Step 2) The directed graph generation unit 110 extracts the longest directional branch from the directional branches constituting the current path CP, and sets the length to J (S164).
(Step 3) The directed graph generation unit 110 determines whether or not J ≦ 1 (S166). If J ≦ 1, the current path CP is determined as the directed path PLP, and the directed path PLP is configured. An active mark is set to all the directed branches to be performed (S176).
(Step 4) When J> 1, the directed graph generation unit 110 determines whether or not #JP (CP) + n ^{1 / k} −1 ≦ DDT (S168), and #JP (CP) + n ^{1 / k} −. If 1 ≦ DDT is not satisfied, the current path CP is determined as the directed path PLP, and active marks are set in all the directed branches constituting the directed path PLP (S176).
(Step 5) When #JP (CP) + n ^{1 / k} −1 ≦ DDT, the directed graph generation unit 110 calculates a natural number j that satisfies J = n ^{j / k} (S170).
(Step 6) The directed graph generation unit 110 extracts a directional branch farthest from the start point of the current path CP among the directional branches having a length J constituting the current path CP (S172).
(Step 7) digraph generation unit 110 (step 6) of the ^{n 1 /} k -1 pieces extending from the start point of the directional branch extracted in length ^{n (j-1) / k} after the directed edge One directional branch having a length of n ^{(j−1) / k} is added to the directional branch, and the directional branch extracted in (Step 6) is removed (S174). Then, it transfers to (process 1) and repeats said each process.

  Note that the processing loop that occurs between the above (Step 1) to (Step 6) is such that the directional path from the start point to the end point of the directed graph I ′ is composed of directional branches having a length of 1, or When the number of effective branches constituting the directional path exceeds DDT by performing more directional branch replacement, the loop is terminated. With the above processing, the longest directional path PLP for each directed graph can be set.

  Next, a process for replacing a predetermined directional branch will be described with reference to FIG. This step constitutes an algorithm of processing for replacing a predetermined directional branch with a shorter directional branch under the condition that the number of effective branches constituting the directional path does not exceed DDT for each directed graph.

The directed graph generation unit 110 replaces the directed edge based on the following algorithm.
(Step 1) The directed graph generation unit 110 extracts the longest directional branch that is set to active among the directional branches constituting the directed graph I ′, has not been processed (done is not set), and To do. Furthermore, the directed graph generation unit 110 sets the length of the extracted directional branch as J ′. If there are a plurality of directed branches having a length J ′, the directed graph generation unit 110 selects the directed branch farthest from the starting point of the directed graph I ′ (S180). At this time, the selected directional branch is called WJ (Working Jump), the starting point of the directional branch WJ is called WJS, and the end point is called WJE. Further, the number of directional branches constituting the directional path that reaches the WJS from the starting point of the directed graph I ′ will be denoted as D.
(Step 2) The directed graph generation unit 110 determines whether or not the length J ′ of the directional branch WJ is J ′ ≦ 1 (S182), and when J ′ ≦ 1, the effective set as active A directed graph composed only of branches is set as a desired directed graph I (S202).
(Step 3) When the length J ′ of the directional branch WJ is greater than 1, the directed graph generation unit 110 sets the effective path that reaches from (WJS) to (WJE−1) as the current path CP (S184). However, (WJE-1) is a coordinate point immediately before WJE.
(Step 4) The directed graph generation unit 110 extracts the longest directional branch from the directional branches constituting the current path CP, and sets the length to J (S186).
(Step 5) The directed graph generation unit 110 determines whether the length J of the extracted directional branch is J ≦ 1 (S188). If J ≦ 1, the current path CP is configured. Active is set for all directional branches (S198), and done is set for the directional branch WJ (S200). Thereafter, the process of (Step 1) is started again.
(Step 6) When J> 1, the directed graph generation unit 110 determines whether or not #JP (CP) + n ^{1 / k} −1 ≦ DDT-D (S190), and #JP (CP) + n ^{If 1 / k-} 1> DDT-D, the active is set for all the directional branches constituting the current path CP (S198), and the done is set for the directional branch WJ (S200). Thereafter, the process of (Step 1) is started again.
(Step 7) If #JP (CP) + n ^{1 / k} −1 ≦ DDT-D, the directed graph generation unit 110 calculates a natural number j that satisfies J = n ^{j / k} (S192).
(Step 8) The directed graph generation unit 110 extracts a directional branch having a length J that constitutes the current path CP and is located farthest from the start point of the current path CP (S194).
(Step 9) The directed graph generation unit 110 is immediately after the n ^{1 / k} −1 length n ^{(j−1) / k} directional branch extending from the start point of the directional branch extracted in (Step 8). One directional branch having a length of n ^{(j−1) / k} is added to the directional branch, and the directional branch extracted in (Step 8) is removed (S196). Then, it returns to (process 3) and repeats said each process.

  Note that the processing loop that occurs between the above (Step 3) to (Step 9) is such that the directional path from WJS to WJE-1 is all composed of directional branches of length 1, or This loop is ended when the number of effective branches constituting the directional path from WJS to WJE-1 exceeds DDT by performing the above-described directional branch replacement. On the other hand, in the loop of processing that occurs between the above (Step 1) to (Step 5) or (Step 6), a done is not set in the effective branch constituting the directed graph I ′, and the processing loop is long. The process ends when all the directional branches having a length of 2 or more are eliminated. With the above processing, a desired directed graph I can be generated.

  Finally, an example of the directed graph I generated using the above directed graph generation method is shown. FIG. 15 shows a directed graph I when the parameter k = 6 is set based on the complete binary tree structure with the number of leaf nodes n = 64 shown in FIG.

  First, when the directed graph H (FIG. 4) generated based on the base method is compared with the directed graph I (FIG. 15) according to the present embodiment, the following two points can be easily understood. (1) In the directed graph I, the number of directed branches having a length of 2 or more is reduced compared to the directed graph H, and the number of directed branches extending from one coordinate point is reduced. (2) For many directed paths on the directed graph I, the number of directed branches is reduced. Therefore, it has been confirmed that the directed graph I that can reduce the worst value of the calculation amount necessary for generating the set key and reduce the number of intermediate keys to be held by the user is generated.

In order to understand the effect of reducing the number of keys according to the present embodiment more quantitatively, a comparison result between the basic scheme and the present embodiment is shown in a table format in FIG. Referring to FIG. 16, the total number of keys (total number of keys) to be held by the user and the average number of keys to be held by each user are reduced. The above results are implemented with a small number of users n = 64, so the absolute value of the number of keys to be reduced may not seem so large, but in the implementation environment, Since the number of users is an order of magnitude, the reduction effect is expected to appear as a very significant difference. In addition, the worst value of the amount of calculation necessary for generating the set key is represented by the number of directional branches constituting the longest directional path. 2k−1) * (n ^{1 / k} −1), whereas in the directed graph I according to this embodiment, k * (n ^{1 / k} −1) is approximately halved.

  The logic for generating a directed graph that can reduce the number of intermediate keys to be held by the user while reducing the worst value of the amount of calculation necessary to generate the set key has been described above. The construction of the key generation logic (directed graph) is mainly executed by the key generation logic construction block that constitutes the key distribution server 102. However, in order to execute encryption key distribution based on the above key generation logic, other components are required. Therefore, another component will be described with reference to FIG. 8 again.

  Referring to FIG. 8 again, the key distribution server 102 includes an initial intermediate key setting unit 112, a key generation unit 114, an encryption unit 116, a transmission unit 118, a part, in addition to the key generation logic building block described above. And a set determining unit 120.

(Initial intermediate key setting unit 112)
The initial intermediate key setting unit 112 generates an intermediate key corresponding to the head coordinate point of the directed graph I for each directed graph I corresponding to each intermediate node of the tree structure. For example, the initial intermediate key setting unit 112 may set a random number for each intermediate key corresponding to the top coordinate point (root) by generating a random number using a pseudo random number generator, A numerical value may be set for each intermediate key.

(Key generation unit 114)
When a predetermined intermediate key assigned to the coordinate point indicated by the starting point of the directional branch is input for a certain directional branch constituting the directed graph I, the key generation unit 114 indicates the coordinates indicated by the starting point of the directional branch. A set key corresponding to the point and intermediate keys corresponding to the end points of all the directional branches extending from the start point of the directional branch are output. That is, the key generation unit 114 corresponds to the basic PRSG. However, the key generation unit 114 is different from the basic PRSG in that the intermediate key is output based on the directed graph I generated by the directed graph generation unit 110. If the key generation unit 114 is expressed as the same PRSG, when an intermediate key t (S0) corresponding to a coordinate point S0 in the directed graph I is input, a directed point having a coordinate point (corresponding to the subset S0) as a starting point is input. Intermediate keys t (S1), t (S2),. . . , T (Sm) and set key k (S0). Here, m represents the number of directional branches starting from a certain coordinate point S0.

(Encryption unit 116)
The encryption unit 116 encrypts the content key using the set key. There is one content key, but there are as many set keys as there are subsets constituting the set system Φ. The encryption unit 116 encrypts the content key using each set key corresponding to the subset selected by the subset determination unit 120 described later, from among all the subsets constituting the set system Φ. That is, the encryption key 116 generates an encrypted content key corresponding to each set key. Therefore, if the number of selected subsets is m, m encrypted content keys are also created. Note that the encryption unit 116 may encrypt the content itself. For example, the encryption unit 116 may encrypt the content itself using the content key, or may encrypt the content itself using the above set keys. However, the configuration in which the content itself is encrypted using the set key is a modification of the present embodiment.

(Transmitter 118)
The transmission unit 118 distributes the content key encrypted by the encryption unit 116 to all users corresponding to the leaf nodes. The transmission unit 118 may distribute the intermediate key to each user while referring to the directed graph I. At this time, the transmission unit 118 may distribute the minimum necessary intermediate key so that each user can derive all the intermediate keys corresponding to the subset to which the user belongs. That is, the transmission unit 118 extracts the subset to which the intermediate key distribution destination user belongs from the subsets configuring the set system Φ (see the above formula (1)), and corresponds to the extracted subsets. Among the coordinate points of the directed graph I, a coordinate point that does not include the delivery destination user in the subset corresponding to the starting point of the directional branch that reaches the coordinate point is selected, and the selected coordinate point Only the corresponding intermediate key may be distributed to the distribution destination user. However, if the subset to which the intermediate key distribution destination user belongs corresponds to the first coordinate point of the directed graph I, the transmission unit 118 distributes only the intermediate key corresponding to the first coordinate point to the distribution destination user. May be. Moreover, the transmission part 118 may function as a directed graph information delivery part which delivers the information of the directed graph I to each user. That is, the transmission unit 118 distributes information (for example, a key generation program) on a PRSG key generation algorithm that outputs a predetermined intermediate key and a set key based on the directed graph I by inputting each intermediate key. Also good.

  The distribution of the intermediate key may be performed using a communication path different from the content distribution prior to the content distribution. For example, in a factory where the key distribution server 102 outputs an intermediate key for each terminal device to the recording medium and manufactures the terminal device, the intermediate for each terminal device read from the recording medium when the terminal device is manufactured. The key may be stored in each terminal device.

(Subset determination unit 120)
The subset determination unit 120 determines a set (R) of excluded users whose contents or content keys should not be decrypted, and selects a predetermined subset selected from the subsets corresponding to the coordinate points of the directed graph I. A subset constituting the authorized user set (N \ R) after defining the authorized user set (N \ R) by excluding the excluded user set (R) from the user set (N) by union The set of subsets constituting the set of authorized users (N \ R) is determined so that the number of licenses is minimized. The subset determination unit 120 includes a licensed user set determination unit that determines a set of licensed users (N \ R) and a licensed user part that determines a set of subsets that constitutes the set of licensed users (N \ R). And a set determining unit.

  As described above, the subset (S1, S2,..., Sm) constituting the set of authorized users (N \ R = S1∪S2∪... Sm; m is a natural number) by the subset determination unit 120. Is determined, the transmission unit 118 transmits information indicating a set of licensed users (N \ R) or a subset (S1, S2, ..., Sm) constituting the set of licensed users (N \ R). Deliver to each user. The encryption unit 116 encrypts the content or the content key using the set key corresponding to the subset (S1, S2,..., Sm) determined by the subset determination unit 120, and the transmission unit 118 distributes the encrypted content or content key to each user.

  The configuration of the key distribution server 102 according to the preferred embodiment of the present invention has been described above. Thus, the feature of the present embodiment is mainly in the configuration of the key generation logic building block. In particular, the configuration of the directed graph generation unit 110 for generating a directed graph for determining the key generation logic is characteristic. The directed graph generation unit 110 according to the present embodiment can reduce the number of intermediate keys that each user should hold without increasing the amount of calculation required for each user to generate a set key. Logic (directed graph) can be generated. As a result, it is possible to reduce the amount of memory required for each user to hold the intermediate key and the amount of calculation related to key generation, and at the same time reduce the distribution cost for distributing the intermediate key to each user. Become.

[Configuration of Terminal Device 122]
Next, the configuration of the terminal device 122 according to the present embodiment will be described with reference to FIG. FIG. 8 is a block diagram illustrating a configuration of the terminal device 122.

  Referring to FIG. 8, the terminal device 122 includes a reception unit 124, a determination unit 126, a key generation unit 128, and a decryption unit 130. The terminal device 122 corresponds to the above user.

(Receiver 124)
The reception unit 124 receives information transmitted from the transmission unit 118 included in the key distribution server 102. For example, the receiving unit 124 receives content distributed from the key distribution server 102, an encrypted content key, a predetermined intermediate key, information about the directed graph I, information about a licensed user, or the like. The receiving unit 124 may collect information from a plurality of information sources as well as receiving information from one information source. For example, the receiving unit 124 includes a plurality of information sources (for example, the key distribution server 102) connected to a wired or wireless network, or an information source (for example, an optical disc) connected directly or indirectly without going through the network. Information may be acquired from an information medium such as a device, a magnetic disk device, or a portable terminal device. Of course, since the receiving unit 124 may receive information from the other terminal devices 122, for example, the information of the directed graph I may be shared with other terminal devices 122 belonging to the same distribution destination group. It may be configured. In this case, the same distribution destination group means a group authorized as a viewer user of content distributed from the same or a plurality of key distribution servers 102, and a set of users corresponding to the leaf nodes of the tree structure described above Corresponding to The intermediate key may be given to the terminal device in advance and held by the terminal device.

(Judgment unit 126)
The determination unit 126 determines whether or not itself is included as an element in any of the subsets corresponding to the set key. Since the terminal device 122 holds only an intermediate key for generating a set key corresponding to a subset to which the terminal device 122 belongs, the terminal device 122 uses the set key used for encrypting the content or the content key by the key distribution server 102. From the information, it is necessary to determine in advance whether or not the subset to which the user belongs is included in the subset corresponding to the set key. The determination unit 126 makes this determination. The set key information is distributed from the key distribution server 102 at the same time as the content key or at a different timing, and is received by the receiving unit 124. If it is determined that the set key used for encryption does not include the set key corresponding to the subset to which it belongs, the set key is generated from the intermediate key held by itself. The content key decryption process is terminated without executing the process. Conversely, when a set key corresponding to the subset to which the terminal device 122 belongs is found, the terminal device 122 generates the set key from the intermediate key held by the terminal device 122 using the PRSG.

(Key generation unit 128)
When a predetermined intermediate key assigned to the coordinate point indicated by the starting point of the directional branch is input for a certain directional branch constituting the directed graph I, the key generating unit 128 displays the coordinates indicated by the starting point of the directional branch. A set key corresponding to the point and intermediate keys corresponding to the end points of all the directional branches extending from the start point of the directional branch are output. That is, the key generation unit 128 corresponds to the key generation unit 114 included in the key distribution server 102. If the key generation unit 128 is expressed as PRSG, when an intermediate key t (S0) corresponding to a coordinate point S0 of the directed graph I is input, an intermediate corresponding to the end point of the directional branch starting from the coordinate point S0. The keys t (S1), t (S2),. . . , T (Sm) and set key k (S0). Here, m represents the number of directional branches starting from a certain coordinate point S0. The information of the directed graph I may be acquired from the key distribution server 102 or may be stored in a storage unit (not shown) included in the terminal device 122.

(Decoding unit 130)
The decryption unit 130 decrypts the content key using the set key. Specifically, the decryption unit 130 extracts a subset including itself as an element from the subset corresponding to the set key, and decrypts the content or the content key using the set key corresponding to the subset. To do.

  The configuration of the terminal device 122 according to the present embodiment has been described above. As described above, the terminal device 122 can generate a desired set key based on the special key generation logic (directed graph I) generated by the directed graph generation unit 110 included in the key distribution server 102 described above. As a result, the terminal device 122 can suppress the number of intermediate keys to be held necessary for generating a set key used for decrypting the content key.

[Application example of encryption key distribution system 100]
Finally, an application example of the encryption key distribution system 100 will be shown.

(Application 1)
First, as an application example 1, a configuration of a broadcast encryption system 300 is shown in FIG.
FIG. 17 is a block diagram showing a configuration of a broadcast encryption system using a broadcast satellite. The broadcast encryption system 300 transmits the encrypted data (so-called cipher text) to the receiver 310 via the broadcast channel. Here, the broadcast channel in the broadcast encryption system 300 is a satellite broadcast distribution channel. The data transmitted as cipher text is, for example, content including an encryption key, audio data, video data, or text data. A management center (broadcast trusted center) 304 in the satellite broadcasting station 302 transmits data to the broadcasting satellite 306. The broadcast management center 304 selects, for example, an encryption key, and controls data encryption and data distribution. The broadcast satellite 306 broadcasts data. The receiver 310 installed in the residence 308 includes, for example, a satellite broadcast receiver, and receives broadcast data. A plurality of other receivers 310 can also receive the broadcast data. In this manner, the management center 304 can transmit data to each receiver 310 in the receiver group including the receivers 310. As will be described later, the management center 304 encrypts the broadcast data so that only the authenticated receiver 310 can decrypt the broadcast data. Although FIG. 17 shows a broadcasting system using the broadcasting satellite 306, other broadcasting channels such as a cable television and a computer network may be used.

  The configuration of the broadcast encryption system 300, which is an application example of the encryption key distribution system 100, has been described above. If the relationship with the encryption key distribution system 100 is simply arranged, the management center 304 corresponds to the key distribution server 102 and the receiver 310 corresponds to the receiver 122. The broadcast satellite 306 mediates the network connecting them.

(Application example 2)
Next, as an application example 2, the configuration of the broadcast encryption system 400 is shown in FIG.
FIG. 18 is a block diagram showing a configuration of a broadcast encryption system 400 using a data medium. In the broadcast encryption system 400, a broadcast channel is distribution of a data medium. The management center 404 in the medium manufacturer 402 is a medium 406 such as a read-only medium (for example, CD-ROM, DVD-ROM, etc.) or a rewritable medium (for example, CD-RW, DVD-RW, etc.). Data is stored in each individual (article of data media). For a read-only medium, the management center 404 records the encrypted content key and the encrypted content, and only the authenticated user decrypts the data, and the encrypted content (eg, audio, video) Or text etc.). On the other hand, for the rewritable medium, the management center 404 records the encrypted content key so that only the authenticated recording apparatus can record the corresponding data on the recording medium. The media manufacturer 402 sends the media 406 to a distribution outlet 408, such as a retail store. Distribution intermediary 408 provides media 410 to receiver 414 in residence 412. For example, the distribution intermediary 408 sells the media 410 to an individual who takes the media 410 back to the residence 412 and inserts the media 410 into the receiver 414. For example, the receiver 414 may be a device that reads and reproduces data recorded on the medium 410, such as a CD player, a DVD player, or a computer. As another specific example, the receiver 414 may be a disk device that can record data on the medium 410 and read data from the medium 410, such as a DVD-RW drive. The management center 404 encrypts the data so that only the authenticated receiver 414 can decrypt the encrypted data.

  The configuration of the broadcast encryption system 400, which is an application example of the encryption key distribution system 100, has been described above. If the relationship with the encryption key distribution system 100 is simply arranged, the management center 404 corresponds to the key distribution server 102 and the receiver 414 corresponds to the receiver 122. A distribution mediator 408 for distributing the media 406 and 410 is interposed instead of the network connecting them.

  As mentioned above, although preferred embodiment of this invention was described referring an accompanying drawing, it cannot be overemphasized that this invention is not limited to the example which concerns. It will be apparent to those skilled in the art that various changes and modifications can be made within the scope of the claims, and these are naturally within the technical scope of the present invention. Understood.

  For example, the tree structure setting unit 104 is assumed to form a tree structure with branches extending from top to bottom. However, the present invention is not limited to this, and is not necessarily limited to this, from bottom to top, from left to right, or from right. It may have a tree structure with branches extending toward the left. In this case, the definition of the subset associated with each intermediate node must be changed to match this. However, this change only rotates and arranges the tree structure set by the tree structure setting unit 104, and the meaning in any case is completely the same. In addition, the temporary directed graph generation unit 108 and the directed graph generation unit 110 described above construct the directed graphs I ′ and I by setting the coordinate axes from left to right or from right to left. is there. In other words, in the above description, various parameters are defined based on the vertical direction or the horizontal direction for convenience. However, in the light of common sense that general people or those skilled in the art should have, a tree structure or Even if the directed graph is rotated or reversed to change the vertical / horizontal relationship, it is understood that they belong to the same technical scope.

  For example, the temporary digraph generation unit 108 according to the embodiment of the present invention may not only generate a temporary digraph according to the above basic technology, but may generate a temporary digraph based on another method. For example, the temporary directed graph may be a directed graph in which longer directional branches are arranged toward the direction closer to or farther from the starting point of the directed path. Of course, it may be a temporary directed graph generated based on logic more complicated than the above-mentioned basic scheme. As described above, the range in which the basic concept of the present invention can be applied is not limited to the above-described basic technology, but extends to directed graphs generated by various methods. In addition, the information processing apparatus according to the present embodiment may include an acquisition unit that acquires an arbitrary directed graph. In this case, the information processing apparatus can generate a set key based on the acquired directed graph.

It is explanatory drawing which shows the encryption key distribution system which concerns on suitable embodiment of this invention. It is a block diagram which shows the structure of the information processing apparatus and receiver which concern on the embodiment. It is explanatory drawing which shows the binary tree structure which concerns on a foundation system. It is explanatory drawing which shows the directed graph which concerns on a base system. It is a flowchart which shows the directed graph calculation method which concerns on a foundation system. It is a flowchart which shows the intermediate key distribution method which concerns on a foundation system. It is a flowchart which shows the set key generation method which concerns on a foundation system. It is a block diagram which shows the structure of the information processing apparatus which concerns on suitable embodiment of this invention, and a terminal device. It is a flowchart which shows the temporary directed graph production | generation method which concerns on the embodiment. It is explanatory drawing which shows an example of the temporary directed graph (k = 6) which concerns on the same embodiment. It is a flowchart which shows the outline | summary of the directed graph production | generation method concerning the embodiment. It is a flowchart which shows the directed graph production | generation method (LP determination) based on the embodiment. It is a flowchart which shows the directed graph production | generation method (PLP determination) which concerns on the embodiment. It is a flowchart which shows the directed graph production | generation method which concerns on the same embodiment. It is explanatory drawing which shows an example of the directed graph (k = 6) which concerns on the same embodiment. It is the comparison table which showed the comparison with the base system and the key distribution system which concerns on the embodiment. It is explanatory drawing which showed the example of 1 application of the encryption key distribution system which concerns on the embodiment. It is explanatory drawing which showed the example of 1 application of the encryption key distribution system which concerns on the embodiment.

Explanation of symbols

DESCRIPTION OF SYMBOLS 100 Encryption key distribution system 102 Key distribution server 104 Tree structure setting part 106 Coordinate axis setting part 108 Temporary directed graph generation part 110 Directed graph generation part 112 Initial intermediate key setting part 114 Key generation part 116 Encryption part 118 Transmission part 120 Subset determination part 122 Terminal device 124 Reception unit 126 Judgment unit 128 Key generation unit 130 Decoding unit 202 Controller 204 Arithmetic unit 206 Input / output interface 208 Secure storage unit 210 Main storage unit 212 Network interface 216 Media interface 218 Information media

Claims (25)

For a temporary directed graph composed of a plurality of directed edges, after leaving the longer directed branch from among the plurality of directed branches constituting the temporary directed graph, from among the remaining directed branches A directed graph acquisition unit that acquires a directed graph generated by replacing at least one of the directed edges with a shorter directed edge;
A key generation unit that generates a set key for encrypting or decrypting a content or a content key based on the directed graph acquired by the directed graph acquisition unit;
An information processing apparatus comprising: The key generation unit
In response to the input of the intermediate key t (S) of the subset S corresponding to a certain coordinate point in the directed graph, the set key k (S) corresponding to the subset S corresponding to the coordinate point and the coordinate point S , Sk, the intermediate keys t (S1), t (S2),..., T (Sk) of the directional branch end points. The information processing apparatus according to claim 1, wherein the information processing apparatus is characterized. The key generation unit
In response to the input of the set key k (S) of the subset S corresponding to a certain coordinate point in the directed graph, the coordinate points S1, S2,. The information processing apparatus according to claim 1, wherein the set key k (S 1), k (S 2),..., K (S k) of Sk is output.   The information processing apparatus according to claim 1, further comprising an encryption unit that encrypts content or a content key using the set key.   The content or the content key encrypted by the encryption unit for each terminal device associated with some or all of the leaf nodes 1 to n (n is a natural number) constituting a predetermined binary tree structure The information processing apparatus according to claim 4, further comprising a transmission unit that transmits the information. The directed graph acquisition unit
The directed graph in which the directional branch is replaced so that a shorter directional branch is arranged toward the end point direction of each directional path constituted by the continuous directional branches is obtained. The information processing apparatus according to claim 1.   A subset of the leaf nodes 1 to n is defined as Si, and a set (N \ R) of the terminal devices that permits decryption of the content encrypted with the set key or the content key is determined, It further includes a subset determining unit that determines m subsets S1 to Sm satisfying the set (N \ R) = S1∪S2∪... ∪Sm so that m is minimized. The information processing apparatus according to claim 5.   The information processing apparatus further includes a transmission unit that transmits information representing the set (N \ R) or information representing the subsets S1 to Sm constituting the set (N \ R) to the terminal device. The information processing apparatus according to claim 7.   The information processing apparatus according to claim 1, further comprising a decrypting unit that decrypts the content or the content key using the set key.   It further includes a receiving unit that is associated with one or more leaf nodes 1 to n (n is a natural number) constituting a predetermined binary tree structure and that receives content encrypted using the set key or a content key. The information processing apparatus according to claim 9.   The encrypted content or content key received by the receiving unit is included in the set S including the leaf node associated with itself in the set Si defined as a subset of the leaf nodes 1 to n. The information processing apparatus according to claim 10, wherein one or more information processing apparatuses associated with the leaf node that is an element can be decoded. For a binary tree structure composed of n leaf nodes associated with numbers 1 to n (n is a natural number), a root node, and a plurality of intermediate nodes other than the root node and the leaf node Among the plurality of leaf nodes arranged below a certain intermediate node v or root node v, the number of the leaf node located at the left end is defined as lv, and the number of the leaf node located at the right end is defined as rv. And
Further, for natural numbers i and j (i ≦ j), the set (i → j) is {{i}, {i, i + 1},. . . , {I, i + 1,. . . , J−1, j}} and the set (i ← j) is {{j}, {j, j−1},. . . , {J, j-1,. . . , I + 1, i}},
The coordinate points associated with each subset included in the set (1 → n) are arranged on the horizontal coordinate axis so that the inclusion relationship increases from left to right, and the first corresponding to the root node. The horizontal coordinate axis is set,
The coordinate points associated with each subset included in the set (2 ← n) are arranged on the horizontal coordinate axis so that the inclusion relation increases from right to left, and is associated with the root node. The second horizontal coordinate axis is set,
Further, for each of the intermediate nodes,
The coordinate points associated with each subset included in the set (lv → rv−1) are arranged on the horizontal coordinate axis so that the inclusion relation increases from left to right, and is associated with a certain intermediate node v. The third horizontal coordinate axis is set,
Also, coordinate points associated with each subset included in the set (lv + 1 ← rv) are arranged on the horizontal coordinate axis so that the inclusion relation increases from right to left, and is associated with a certain intermediate node v. After the fourth horizontal coordinate axis is set,
For a given integer k, the length n ^{i / k} (i = 0, 1,... X depending on the natural number x satisfying n ^{(x−1) / k} <(rv−lv + 1) ≦ n ^{x / k} -1), an information processing apparatus for processing a temporary directed graph formed by arranging a plurality of directed branches on the first to fourth horizontal coordinate axes,
A temporary directed graph acquisition unit for acquiring the temporary directed graph;
A directed graph generation unit that generates a directed graph while leaving the longer directed branch out of a plurality of directed branches that constitute the temporary directed graph acquired by the temporary directed graph acquisition unit;
A longest directional path determination unit that determines the maximum number of consecutive directional branches among the plurality of directional branches constituting the directed graph;
A directional branch replacement unit configured to replace the at least one directional branch constituting the directed graph with a shorter directional branch so as not to exceed the maximum number of continuous directional branches, and to reconstruct the directed graph;
A key generation unit that generates a set key for encrypting content or a content key based on the directed graph reconstructed by the directed edge replacement unit;
An information processing apparatus comprising: Sets a binary tree structure composed of n leaf nodes with numbers 1 to n (n is a natural number), a root node, and a plurality of intermediate nodes other than the root node and the leaf node Then, with respect to natural numbers i and j (i ≦ j), a set (i → j) is converted into {{i}, {i, i + 1},. . . , {I, i + 1,. . . , J−1, j}}, and the set (i ← j) is represented by {{j}, {j, j−1},. . . , {J, j-1,. . . , I + 1, i}}, and among the plurality of leaf nodes arranged below an intermediate node v or root node v, the number of the leaf node located at the left end is lv, and the number located at the right end is A tree structure setting unit for setting the leaf node number as rv;
The coordinate points associated with the respective subsets included in the set (1 → n) are arranged on the horizontal coordinate axis so that the inclusion relation increases from left to right, and the first corresponding to the root node. A horizontal coordinate axis,
The coordinate points associated with each subset included in the set (2 ← n) are arranged on the horizontal coordinate axis so that the inclusion relation increases from right to left, and the second corresponding to the root node. A horizontal coordinate axis,
For each of the intermediate nodes
Corresponding to a certain intermediate node v in which coordinate points associated with each subset included in the set (lv → rv−1) are arranged on the horizontal coordinate axis so that the inclusion relation increases from left to right. A third horizontal coordinate axis to
The coordinate points associated with the respective subsets included in the set (lv + 1 ← rv) are arranged in such a way that the coordinate points corresponding to a certain intermediate node v are arranged on the horizontal coordinate axis so that the inclusion relation increases from right to left. Set 4 horizontal coordinate axes,
Two temporary coordinate points are arranged on the right side of the coordinate point located at the right end on the third horizontal coordinate axis and the left side of the coordinate point located on the left end on the second and fourth horizontal coordinate axes,
A coordinate axis setting unit that sets a coordinate point located at the right end on the first horizontal coordinate axis as a first temporary coordinate point and arranges a second temporary coordinate point on the right side of the first temporary coordinate point;
Set a predetermined integer k
After calculating an integer x satisfying n ^{(x−1) / k} <(rv−lv + 1) ≦ n ^{x / k} ,
For each of the integers i = 0 to x−1,
A directional path starting from the leftmost coordinate point on the first and third horizontal coordinate axes is formed by connecting one or a plurality of directional branches facing the right direction having a length of ^{ni / k.} And
A directional path starting from the rightmost coordinate point on the second and fourth horizontal coordinate axes is formed by connecting one or a plurality of directional branches facing the left direction having a length of ^{ni / k.} And
For each of the first to fourth horizontal coordinate axes, excluding all the directional branches having the temporary coordinate points as start points or end points,
By excluding the directional branch other than the longest directional branch among the directional branches reaching the coordinate points on the first to fourth horizontal coordinate axes,
Generate temporary directed graphs for the set (1 → n−1), the set (2 ← n), the set (lv + 1 ← rv), and the set (lv → rv−1), respectively.
A directional branch having a length of 1 whose end point is the first temporary coordinate point on the first horizontal coordinate axis is added to the temporary directed graph relating to the set (1 → n−1), and the set (1 → a temporary digraph generation unit for generating a temporary digraph for n);
A longest directional path determination unit that determines a longest directional path that has the maximum number of directional branches constituting the directional path from among the directional paths formed by the continuous directional branches;
The directional branches constituting each directional path are replaced with shorter directional branches so that the number of directional branches of each directional path does not exceed the number of directional branches of the longest directional path. A directed graph generation unit for generating a directed graph by;
An information processing apparatus comprising:   The information processing apparatus according to claim 13, further comprising a key generation unit that generates a set key for encrypting content or a content key based on the directed graph. The key generation unit
In response to the input of the intermediate key t (S) of the subset S corresponding to a certain coordinate point in the directed graph, the set key k (S) corresponding to the subset S corresponding to the coordinate point and the coordinate point S , Sk, the intermediate keys t (S1), t (S2),..., T (Sk) of the directional branch end points. The information processing apparatus according to claim 14, wherein the information processing apparatus is characterized. The key generation unit
In response to the input of the set key k (S) of the subset S corresponding to a certain coordinate point in the directed graph, the coordinate points S1, S2,. The information processing apparatus according to claim 14, wherein the set key k (S1), k (S2), ..., k (Sk) of Sk is output. A key generation unit for generating a set key for decrypting the content or the content key based on the directed graph;
The directed graph is
Sets a binary tree structure composed of n leaf nodes with numbers 1 to n (n is a natural number), a root node, and a plurality of intermediate nodes other than the root node and the leaf node Then, with respect to natural numbers i and j (i ≦ j), a set (i → j) is represented as {{i}, {i, i + 1},. . . , {I, i + 1,. . . , J−1, j}}, and the set (i ← j) is represented by {{j}, {j, j−1},. . . , {J, j-1,. . . , I + 1, i}}, and among the plurality of leaf nodes arranged below a certain intermediate node v or root node v, the number of the leaf node located at the left end is lv, and the number located at the right end is lv Set the leaf node number to rv,
The coordinate points associated with the respective subsets included in the set (1 → n) are arranged on the horizontal coordinate axis so that the inclusion relation increases from left to right, and the first corresponding to the root node. A horizontal coordinate axis,
The coordinate points associated with each subset included in the set (2 ← n) are arranged on the horizontal coordinate axis so that the inclusion relation increases from right to left, and the second corresponding to the root node. A horizontal coordinate axis,
For each of the intermediate nodes
Corresponding to a certain intermediate node v in which coordinate points associated with each subset included in the set (lv → rv−1) are arranged on the horizontal coordinate axis so that the inclusion relation increases from left to right. A third horizontal coordinate axis to
The coordinate points associated with the respective subsets included in the set (lv + 1 ← rv) are arranged so that the inclusion relation increases from the right to the left on the horizontal coordinate axis. Set 4 horizontal coordinate axes,
Two temporary coordinate points are arranged on the right side of the coordinate point located at the right end on the third horizontal coordinate axis and the left side of the coordinate point located on the left end on the second and fourth horizontal coordinate axes,
A coordinate point located at the right end on the first horizontal coordinate axis is set as a first temporary coordinate point, and a second temporary coordinate point is arranged on the right side of the first temporary coordinate point;
Set a predetermined integer k
After calculating an integer x satisfying n ^{(x−1) / k} <(rv−lv + 1) ≦ n ^{x / k} ,
For each of the integers i = 0 to x−1,
A directional path starting from the leftmost coordinate point on the first and third horizontal coordinate axes is formed by connecting one or a plurality of directional branches facing the right direction having a length of ^{ni / k.} And
A directional path starting from the rightmost coordinate point on the second and fourth horizontal coordinate axes is formed by connecting one or a plurality of directional branches facing the left direction having a length of ^{ni / k.} And
For each of the first to fourth horizontal coordinate axes, excluding all the directional branches having the temporary coordinate points as start points or end points,
By excluding the directional branch other than the longest directional branch among the directional branches reaching the coordinate points on the first to fourth horizontal coordinate axes,
Generate temporary directed graphs for the set (1 → n−1), the set (2 ← n), the set (lv + 1 ← rv), and the set (lv → rv−1), respectively.
A directional branch having a length of 1 with the first temporary coordinate point on the first horizontal coordinate axis as an end point is added to the temporary directed graph related to the set (1 → n−1), and the set (1 → generate a temporary directed graph for n),
Determining the longest directional path in which the number of directional branches constituting the directional path is the largest among the directional paths formed by successive directional branches;
The directional branch constituting each directional path is replaced with a shorter directional branch so that the number of directional branches of each directional path does not exceed the number of directional branches of the longest directional path. A terminal device obtained by The key generation unit
In response to the input of the intermediate key t (S) of the subset S corresponding to a certain coordinate point in the directed graph, the set key k (S) corresponding to the subset S corresponding to the coordinate point and the coordinate point are The intermediate keys t (S1), t (S2),..., T (Sk) of the subsets S1, S2,. The terminal device according to claim 17, wherein the terminal device outputs the terminal device. The key generation unit
In response to the input of the set key k (S) of the subset S corresponding to a certain coordinate point in the directed graph, the coordinate points S1, S2,. The terminal device according to claim 17, wherein the set key k (S1), k (S2), ..., k (Sk) of Sk is output.   The decryption unit further includes a decryption unit that decrypts the encrypted content key using the set key and decrypts the encrypted content using the decrypted content key. The terminal device according to 18. When a subset of leaf nodes 1 to n of the tree structure is defined as Si,
A set (N \ R) of the terminal devices that permits the decryption of the content encrypted with the set key or the content key is determined, and the set (N \ R) = S1∪S2∪ ... ∪Sm When m subsets S1 to Sm satisfying the above are determined and information representing the set (N \ R) or information representing the subsets S1 to Sm constituting the set (N \ R) is received In addition,
The terminal device determines whether the terminal device belongs to any one of the subsets S1 to Sm based on the received information, and decrypts the encrypted content based on the determination result. A determination unit for determining whether or not is permitted,
The decoding unit
When it is determined that the terminal device belongs to any one of the subsets S1 to Sm, the content or the content key is decrypted using the set key corresponding to the subset to which the terminal device belongs. The terminal device according to claim 20, wherein: For a temporary directed graph composed of a plurality of directed edges, after leaving the longer directed branch from among the plurality of directed branches constituting the temporary directed graph, from among the remaining directed branches A directed graph acquisition step of acquiring a directed graph generated by replacing at least one of the directed edges with a shorter directed edge;
A key generation step of generating a set key for encrypting or decrypting the content or the content key based on the directed graph acquired by the directed graph acquisition unit;
An information processing method comprising: For a binary tree structure composed of n leaf nodes associated with numbers 1 to n (n is a natural number), a root node, and a plurality of intermediate nodes other than the root node and the leaf node Among the plurality of leaf nodes arranged below a certain intermediate node v or root node v, the number of the leaf node located at the left end is defined as lv, and the number of the leaf node located at the right end is defined as rv. And
Further, for natural numbers i and j (i ≦ j), the set (i → j) is {{i}, {i, i + 1},. . . , {I, i + 1,. . . , J−1, j}} and the set (i ← j) is {{j}, {j, j−1},. . . , {J, j-1,. . . , I + 1, i}},
The coordinate points associated with each subset included in the set (1 → n) are arranged on the horizontal coordinate axis so that the inclusion relationship increases from left to right, and the first corresponding to the root node. The horizontal coordinate axis is set,
The coordinate points associated with each subset included in the set (2 ← n) are arranged on the horizontal coordinate axis so that the inclusion relation increases from right to left, and is associated with the root node. The second horizontal coordinate axis is set,
Further, for each of the intermediate nodes,
The coordinate points associated with each subset included in the set (lv → rv−1) are arranged on the horizontal coordinate axis so that the inclusion relation increases from left to right, and is associated with a certain intermediate node v. The third horizontal coordinate axis is set,
Also, coordinate points associated with each subset included in the set (lv + 1 ← rv) are arranged on the horizontal coordinate axis so that the inclusion relation increases from right to left, and is associated with a certain intermediate node v. After the fourth horizontal coordinate axis is set,
For a given integer k, the length n ^{i / k} (i = 0, 1,... X depending on the natural number x satisfying n ^{(x−1) / k} <(rv−lv + 1) ≦ n ^{x / k} -1) is an information processing method for processing a temporary directed graph formed by arranging a plurality of directed branches on the first to fourth horizontal coordinate axes,
A temporary directed graph acquisition step of acquiring the temporary directed graph;
A directed graph generation step of generating a directed graph while leaving the longer directed branch out of a plurality of directed branches constituting the temporary directed graph acquired by the temporary directed graph acquisition unit;
A longest directional path determining step for determining a maximum number of consecutive directional branches among the plurality of directional branches constituting the directed graph;
A directed edge replacement step of reconstructing the directed graph by replacing at least one directed edge constituting the directed graph with a shorter directed edge so as not to exceed the maximum number of consecutive directed edges;
A key generation step of generating a set key for encrypting content or a content key based on the directed graph reconstructed by the directed edge replacement unit;
An information processing method comprising: Sets a binary tree structure composed of n leaf nodes with numbers 1 to n (n is a natural number), a root node, and a plurality of intermediate nodes other than the root node and the leaf node Then, with respect to natural numbers i and j (i ≦ j), a set (i → j) is represented as {{i}, {i, i + 1},. . . , {I, i + 1,. . . , J−1, j}}, and the set (i ← j) is represented by {{j}, {j, j−1},. . . , {J, j-1,. . . , I + 1, i}}, and among the plurality of leaf nodes arranged below an intermediate node v or root node v, the number of the leaf node located at the left end is lv, and the number located at the right end is A tree structure setting step for setting the leaf node number as rv;
The coordinate points associated with the respective subsets included in the set (1 → n) are arranged on the horizontal coordinate axis so that the inclusion relation increases from left to right, and the first corresponding to the root node. A horizontal coordinate axis,
The coordinate points associated with each subset included in the set (2 ← n) are arranged on the horizontal coordinate axis so that the inclusion relation increases from right to left, and the second corresponding to the root node. A horizontal coordinate axis,
For each of the intermediate nodes
Corresponding to a certain intermediate node v in which coordinate points associated with each subset included in the set (lv → rv−1) are arranged on the horizontal coordinate axis so that the inclusion relation increases from left to right. A third horizontal coordinate axis to
The coordinate points associated with the respective subsets included in the set (lv + 1 ← rv) are arranged so that the inclusion relation increases from the right to the left on the horizontal coordinate axis. Set 4 horizontal coordinate axes,
Two temporary coordinate points are arranged on the right side of the coordinate point located at the right end on the third horizontal coordinate axis and the left side of the coordinate point located on the left end on the second and fourth horizontal coordinate axes,
A coordinate axis setting step in which a coordinate point located at the right end on the first horizontal coordinate axis is set as a first temporary coordinate point, and a second temporary coordinate point is arranged on the right side of the first temporary coordinate point;
Set a predetermined integer k
After calculating an integer x satisfying n ^{(x−1) / k} <(rv−lv + 1) ≦ n ^{x / k} ,
For each of the integers i = 0 to x−1,
A directional path starting from the leftmost coordinate point on the first and third horizontal coordinate axes is formed by connecting one or a plurality of directional branches facing the right direction having a length of ^{ni / k.} And
A directional path starting from the rightmost coordinate point on the second and fourth horizontal coordinate axes is formed by connecting one or a plurality of directional branches facing the left direction having a length of ^{ni / k.} And
For each of the first to fourth horizontal coordinate axes, excluding all the directional branches having the temporary coordinate points as start points or end points,
By excluding the directional branch other than the longest directional branch among the directional branches reaching the coordinate points on the first to fourth horizontal coordinate axes,
Generate temporary directed graphs for the set (1 → n−1), the set (2 ← n), the set (lv + 1 ← rv), and the set (lv → rv−1), respectively.
A directional branch having a length of 1 whose end point is the first temporary coordinate point on the first horizontal coordinate axis is added to the temporary directed graph relating to the set (1 → n−1), and the set (1 → a temporary digraph generation step for generating a temporary digraph for n);
A longest directional path determination step for determining a longest directional path in which the number of directional branches constituting the directional path is maximum from among the directional paths formed by the continuous directional branches;
The directional branches constituting each directional path are replaced with shorter directional branches so that the number of directional branches of each directional path does not exceed the number of directional branches of the longest directional path. A directed graph generation step for generating a directed graph by;
An information processing method comprising: A key generation step of generating a set key for decrypting the content or the content key based on the directed graph;
The directed graph is
Sets a binary tree structure composed of n leaf nodes with numbers 1 to n (n is a natural number), a root node, and a plurality of intermediate nodes other than the root node and the leaf node Then, with respect to natural numbers i and j (i ≦ j), a set (i → j) is represented as {{i}, {i, i + 1},. . . , {I, i + 1,. . . , J−1, j}}, and the set (i ← j) is represented by {{j}, {j, j−1},. . . , {J, j-1,. . . , I + 1, i}}, and among the plurality of leaf nodes arranged below a certain intermediate node v or root node v, the number of the leaf node located at the left end is lv, and the number located at the right end is lv Set the leaf node number to rv,
The coordinate points associated with the respective subsets included in the set (1 → n) are arranged on the horizontal coordinate axis so that the inclusion relation increases from left to right, and the first corresponding to the root node. A horizontal coordinate axis,
The coordinate points associated with each subset included in the set (2 ← n) are arranged on the horizontal coordinate axis so that the inclusion relation increases from right to left, and the second corresponding to the root node. A horizontal coordinate axis,
For each of the intermediate nodes
Corresponding to a certain intermediate node v in which coordinate points associated with each subset included in the set (lv → rv−1) are arranged on the horizontal coordinate axis so that the inclusion relation increases from left to right. A third horizontal coordinate axis to
The coordinate points associated with the respective subsets included in the set (lv + 1 ← rv) are arranged so that the inclusion relation increases from the right to the left on the horizontal coordinate axis. Set 4 horizontal coordinate axes,
Two temporary coordinate points are arranged on the right side of the coordinate point located at the right end on the third horizontal coordinate axis and the left side of the coordinate point located on the left end on the second and fourth horizontal coordinate axes,
A coordinate point located at the right end on the first horizontal coordinate axis is set as a first temporary coordinate point, and a second temporary coordinate point is arranged on the right side of the first temporary coordinate point;
Set a predetermined integer k
After calculating an integer x satisfying n ^{(x−1) / k} <(rv−lv + 1) ≦ n ^{x / k} ,
For each of the integers i = 0 to x−1,
A directional path starting from the leftmost coordinate point on the first and third horizontal coordinate axes is formed by connecting one or a plurality of directional branches facing the right direction having a length of ^{ni / k.} And
A directional path starting from the rightmost coordinate point on the second and fourth horizontal coordinate axes is formed by connecting one or a plurality of directional branches facing the left direction having a length of ^{ni / k.} And
For each of the first to fourth horizontal coordinate axes, excluding all the directional branches having the temporary coordinate points as start points or end points,
By excluding the directional branch other than the longest directional branch among the directional branches reaching the coordinate points on the first to fourth horizontal coordinate axes,
Generate temporary directed graphs for the set (1 → n−1), the set (2 ← n), the set (lv + 1 ← rv), and the set (lv → rv−1), respectively.
A directional branch having a length of 1 with the first temporary coordinate point on the first horizontal coordinate axis as an end point is added to the temporary directed graph related to the set (1 → n−1), and the set (1 → generate a temporary directed graph for n),
Determining the longest directional path in which the number of directional branches constituting the directional path is the largest among the directional paths formed by successive directional branches;
The directional branches constituting each directional path are replaced with shorter directional branches so that the number of directional branches of each directional path does not exceed the number of directional branches of the longest directional path. A key generation method characterized in that the key generation method is obtained.

Images