JP2009105853A - Sd method corresponding to optional tree structure, and program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To enable the SD method to be also applied to a message in an optional tree structure, and to reduce a broadcast message size. <P>SOLUTION: As preparation processing, client terminals are assigned to leaf nodes, a label of 1 bit is optionally assigned to each of all nodes in the optional tree structure, and labels are assigned to the client terminals. As encryption processing, a center server next generates a session key at random, and encrypts a message to obtain an encrypted message. The center server obtains a subset difference tree covering all regular client terminals, assigns a key to the obtained subset difference tree, encrypts it and distributes a broadcast message to all the client terminals. Further, as decryption processing, for the broadcast message received by each of the client terminals, an identifier of the subset difference tree to which the relevant client terminal belongs, is obtained, the key is drawn from the owned label to obtain a session key K, and obtains a message M. <P>COPYRIGHT: (C)2009,JPO&INPIT

Description

  The present invention relates to a technique for improving a conventional SD method and program to cope with an arbitrary tree structure.

  In the content distribution service, it is necessary to encrypt and distribute the content for copyright protection. As one of the methods, broadcast encryption is a technique for distributing a content key only to legitimate client terminals.

  Here, the content key is a key for encrypting the distributed content. Broadcast encryption is a technique for distributing the content key only to legitimate client terminals.

  In the broadcast encryption, a plurality of keys (key bundles) are stored in advance in each client terminal. This key ring is different for each client terminal and is not updated. The key management server encrypts the content key based on the revoked client terminal list and creates a broadcast key block. Then, the created broadcast key block is distributed to each client terminal.

  The client terminal that has received the broadcast key block attempts to decrypt the content key using a key ring stored in itself. At this time, a legitimate client terminal can correctly decrypt the content key from the broadcast key block. On the other hand, the disabled client terminal cannot decrypt the content key from the broadcast key block. FIG. 13 shows a conceptual diagram of broadcast encryption.

  By the way, as the most obvious method for realizing broadcast encryption, there is a method in which individual keys different for each client terminal are stored, and a content key encrypted with each individual key is used as a broadcast key block. However, this method has a problem that the broadcast key block increases in proportion to the total number of client terminals.

  Therefore, as shown in Non-Patent Document 1, a complete subtree method (CS method) has been proposed in which a key is hierarchized based on a tree structure and a broadcast key block is configured. This method has a feature that the size of the broadcast key block can be reduced as compared with the above method.

  However, this method has a problem that the size of the broadcast key block increases depending on the number of invalidated client terminals. That is, if the order of the tree structure is a, the total number of client terminals is N, the number of revoked client terminals is r, and the size of the content key K is | K | It has been shown.

Therefore, Non-Patent Document 1 proposes a Subset Difference Method (SD method) that configures a broadcast key block using a difference tree (subset difference tree). In this SD method, the maximum size of the broadcast block is (2r−1) | K |, and the average is 2log2 · r | K |.
Dalit Naor, Moni Naor, and Jeff Lotspiech, “Revocation and Tracing Schemes for Stateless Receivers,” Proc. of Crypt 2001, Lecture Notes in Computer Science 2139, pp. 41-62, 2001.

  However, the CS method targets the a-tree, whereas the conventional SD method targets only the binary tree. Therefore, the conventional SD method cannot cope with a multi-tree such as a-ary tree. However, if the target of the SD method can be expanded to a multi-tree, more flexible client terminal coverage can be realized and broadcast can be performed. The message size can be reduced. Further, even if the object of the SD method can be expanded to a multi-tree such as a-ary tree, there is a problem that the SD method using the tree structure as shown in FIG. 14 cannot be realized.

  Therefore, the present invention has been made in view of the above-described problems. For example, the SD method can be applied to an object having an arbitrary tree structure such as a binary tree and a quadtree, and broadcast. An object of the present invention is to provide an SD method and a program corresponding to an arbitrary tree structure capable of reducing the message size.

  The present invention proposes the following matters in order to solve the above problems.

(1) The present invention provides, as preparation processing, a first step (for example, corresponding to step S201 in FIG. 2) of assigning a client terminal to a terminal node (leaf node) of an arbitrary tree structure, and the arbitrary tree structure A second step (for example, corresponding to step S202 in FIG. 2) arbitrarily assigning l-bit labels to all nodes in FIG. 2 and a third step (for example, step in FIG. 2) assigning the labels to the client terminals And a fourth step (for example, FIG. 3) in which the center server randomly generates a session key K, encrypts the message M, and obtains the encrypted message F _k (M). and equivalent) in step S301 of the center server is, the difference tree _S i1 to cover all legitimate client _{terminal, S i2 ...,} a fifth step of obtaining a _{S im} (e.g., corresponding to step S302 of FIG. 3) assigned with respect to the difference tree _{S ij} obtained in the fifth step, the key _{L ij,} encrypts sixth step (e.g., corresponding to step S303 of FIG. 3) to the to all client terminals, the broadcast message _{<[i 1, i 2,} ···, i m, E L1 (K), E L2 (K),..., E _Lm (K)], F _k (M)> are distributed as a seventh step (for example, corresponding to step S304 in FIG. 3), receiving broadcast message _{<[i 1, i 2,} ···, i m, C 1, C 2, ···, C m], M'> respect, the identifier of the difference tree _{S ij} to which itself belongs eighth step of obtaining a i _j (eg , And equivalent) in step S401 in FIG. 4, a ninth step of deriving a key _{L ij} from the label held (e.g., the equivalent) to step S402 of FIG. _4, as _{K = D Lij (C j)} , the session key A tenth step for obtaining K (for example, equivalent to step S403 in FIG. 4), an eleventh step for obtaining the message M as M = D _k (M ′) (for example, equivalent to step S404 in FIG. 4), The SD method corresponding to an arbitrary tree structure characterized by comprising:

According to the present invention, as preparation processing, a client terminal is assigned to a terminal node (leaf node) of an arbitrary tree structure, an l-bit label is arbitrarily assigned to all nodes in the arbitrary tree structure, Assign a label. Next, as an encryption process, the center server randomly generates a session key K, encrypts the message M to obtain an encrypted message F _k (M), and the center server sends all legitimate client terminals. The difference trees S _i1 , S _i2 ,..., S _im to be covered are obtained, a key L _ij is assigned to the obtained difference tree S _ij and encrypted, and a broadcast message <[i _{1, i 2, ···, i} m, E L1 (K), E L2 (K), ···, E Lm (K)], to distribute the F k (M)>. Further, as a decryption process, for the broadcast message <[i ₁ , i ₂ ,..., I _m , C ₁ , C ₂ ,..., C _m ], M ′> received by the client terminal, The identifier i _j of the difference tree S _ij to which it belongs is obtained, the key L _ij is derived from the label held, the session key K is obtained as K = D _Lij (C _j ), and M = D _k (M ′ ) To obtain the message M. Therefore, the SD method can be applied to a tree having an arbitrary tree structure including a binary tree and a quadtree.

(2) The present invention relates to the client terminal in which the covering process in the fifth step is invalidated in the tree structure (binary tree) in the SD method for the SD method corresponding to the arbitrary tree structure in (1). And a sub-tree (ST (R)) consisting of the nodes associated with, and a higher-order node thereof as T, and a variable S for storing a set of difference trees used for covering as φ is a twelfth step ( For example, it corresponds to step S501 in FIG. 5) and the thirteenth step (for example, selecting nodes v ₁ , v ₂ ,..., V _k such that the node and the sibling nodes are all the leaf nodes) (Corresponding to step S502 in FIG. 5), and when the branching number n _p in the parent node of the nodes v ₁ , v ₂ ,..., V _k is a predetermined value k, the nodes v ₁ , v ₂ ,. , _{v k} or T Fourteenth step of deleting (e.g., corresponding to step S503 in FIG. 5) and, when k <n _p, looking from the node higher in the node, the lowest node with sibling nodes, which together with the v _a, 15th step of deleting all the nodes subordinate to v _a from T (e.g., corresponding to step S504 in FIG. 5) and, until T becomes a single said leaf node, Proposing a SD method corresponding to an arbitrary tree structure, comprising: a sixteenth step (for example, corresponding to step S505 in FIG. 5) that repeatedly executes the thirteenth to fifteenth steps. ing.

According to the present invention, in the tree structure (binary tree) in the SD method, the covering process is a node associated with the invalidated client terminal, and a subtree (ST (R)) composed of these higher nodes. Is T, and a variable S for storing a set of difference trees used for covering is φ. Then, himself, and the brother of the node are all nodes _v 1, such as a leaf _node, v _2, Select ..., and _{v k,} node _{v 1, v 2, ···,} v k parent node of when branching number _{n p} is a predetermined value k at the node _{v 1,} v 2, · · ·, a _{v k} deleted from T, when k _{<n p,} from among the node higher in the node , looking for the lowest node with the brother of the node, which together with a v _a, to delete all of the nodes in the lower v _a from T. The above processing is repeatedly executed until T becomes a single leaf node. Therefore, the broadcast message size can be reduced by grouping users by the above covering process.

(3) The present invention provides a first step (for example, equivalent to step S201 in FIG. 2) of assigning a client terminal to a terminal node (leaf node) of an arbitrary tree structure as a preparation process in the computer; A second step (for example, corresponding to step S202 of FIG. 2) arbitrarily assigning l-bit labels to all nodes in the tree structure, and a third step (for example, FIG. 2) for assigning the labels to the client terminals. And the fourth step (for example, the encryption process), the center server randomly generates a session key K, encrypts the message M, and obtains the encrypted message F _k (M). , Corresponding to step S301 in FIG. 3), and the center server covers all valid client terminals. _{i1, S} i2, · · _·, a fifth step of obtaining the _{S im} (e.g., corresponding to step S302 of FIG. 3), with respect to the difference tree _{S ij} obtained in the fifth step, the key _{L ij} allocated, a sixth step of encrypting (e.g., corresponding to step S303 in FIG. 3) and, on the all the client terminals, the broadcast message _{<[i 1, i 2,} ···, i m, E L1 ( K), E _L2 (K),..., E _Lm (K)], F _k (M)> are distributed as a seventh step (for example, corresponding to step S304 in FIG. 3), , the broadcast message by the client terminal receives _{<[i 1, i 2,} ···, i m, C 1, C 2, ···, C m], M'> respect, the difference itself belongs eighth to determine the identifier _{i j} of the tree _{S ij} Step (e.g., corresponding to step S401 in FIG. 4) and the ninth step of deriving a key _{L ij} from the label held (e.g., corresponding to step S402 in FIG. 4) _and, as _{K = D} Lij _{(C j)} The tenth step of obtaining the session key K (for example, equivalent to step S403 in FIG. 4) and the eleventh step of obtaining the message M as M = D _k (M ′) (for example, equivalent to step S404 in FIG. 4). ), And a program to execute.

According to the present invention, as preparation processing, a client terminal is assigned to a terminal node (leaf node) of an arbitrary tree structure, an l-bit label is arbitrarily assigned to all nodes in the arbitrary tree structure, Assign a label. Next, as an encryption process, the center server randomly generates a session key K, encrypts the message M to obtain an encrypted message F _k (M), and the center server sends all legitimate client terminals. The difference trees S _i1 , S _i2 ,..., S _im to be covered are obtained, a key L _ij is assigned to the obtained difference tree S _ij and encrypted, and a broadcast message <[i _{1, i 2, ···, i} m, E L1 (K), E L2 (K), ···, E Lm (K)], to distribute the F k (M)>. Further, as a decryption process, for the broadcast message <[i ₁ , i ₂ ,..., I _m , C ₁ , C ₂ ,..., C _m ], M ′> received by the client terminal, The identifier i _j of the difference tree S _ij to which it belongs is obtained, the key L _ij is derived from the label held, the session key K is obtained as K = D _Lij (C _j ), and M = D _k (M ′ ) To obtain the message M. Therefore, the SD method can be applied to a tree having an arbitrary tree structure including a binary tree and a quadtree.

(4) In the program of (3), the present invention relates to a node in which the covering process in the fifth step is associated with the invalidated client terminal in the tree structure (binary tree) in the SD method, and A twelfth step (for example, in step S501 in FIG. 5), where T is a subtree (ST (R)) composed of these upper nodes and T is a variable S for storing a set of difference trees used for covering. And the thirteenth step of selecting nodes v ₁ , v ₂ ,..., V _{k in} which all of the nodes of the node itself and the siblings are the leaf nodes (for example, corresponding to step S502 in FIG. 5). when it is removed when node _{v 1, v 2, ···,} v branching factor _{n p} in the parent node of the _k is a predetermined value k, the node _{v 1,} v 2, · · ·, a _{v k} from T 14th Step (e.g., corresponding to step S503 in FIG. 5), when k <n _p, from among the node higher in the node, find the lowest node with sibling nodes, and which v _a In addition, _a fifteenth step (for example, corresponding to step S504 in FIG. 5) of deleting all nodes subordinate to va from T, and the thirteenth step until T becomes a single leaf node. To a fifteenth step (for example, corresponding to step S505 in FIG. 5) that repeatedly executes the fifteenth step is proposed.

According to the present invention, in the tree structure (binary tree) in the SD method, the covering process is a node associated with the invalidated client terminal, and a subtree (ST (R)) composed of these higher nodes. Is T, and a variable S for storing a set of difference trees used for covering is φ. Then, himself, and the brother of the node are all nodes _v 1, such as a leaf _node, v _2, Select ..., and _{v k,} node _{v 1, v 2, ···,} v k parent node of when branching number _{n p} is a predetermined value k at the node _{v 1,} v 2, · · ·, a _{v k} deleted from T, when k _{<n p,} from among the node higher in the node , looking for the lowest node with the brother of the node, which together with a v _a, to delete all of the nodes in the lower v _a from T. The above processing is repeatedly executed until T becomes a single leaf node. Therefore, the broadcast message size can be reduced by grouping users by the above covering process.

  According to the present invention, for example, the SD method can also be applied to a tree having an arbitrary tree structure such as a binary tree and a quadtree. Therefore, broadcast message size is reduced by grouping users. There is an effect that can be done.

Hereinafter, embodiments of the present invention will be described in detail with reference to the drawings.
Note that the constituent elements in the present embodiment can be appropriately replaced with existing constituent elements, and various variations including combinations with other existing constituent elements are possible. Therefore, the description of the present embodiment does not limit the contents of the invention described in the claims.

<SD method using arbitrary tree structure>
Before detailed explanation, the following items are defined.
1)
A function for encrypting the message M using the session key K (1 bit) is assumed to be F _k : {0, 1} ^* → {0, 1} ^* .
2) A function for encrypting the session key K is set to E: {0, 1} ^l → {0, 1} ^l .
3) Let the pseudo-random number generator be G: {0, 1} ^l → {0, 1} ^{(nmax + 1) l} .
Here, n _max is the maximum order in the tree structure. Here, those extracted l bits from the head of _{G (S), G 1 (} S), what those extracted next l bits extracted with G _{2 (S),} and i-th l bits , G _i (S). Also, G _key (S) is obtained by extracting the last l bits. G ₁ (), G ₂ (),..., G _nmax () are used to derive other labels from the labels. G _key () is used to derive a key from the label.

  As shown in FIG. 1, the SD method processing corresponding to an arbitrary tree structure according to the present embodiment includes a preparation process, an encryption process, and a decryption process. Hereinafter, the details will be described in order.

<Preparation process>
A preparation process according to the present embodiment will be described with reference to FIG.
First, a client terminal is assigned to an end node (leaf node) of an arbitrary tree structure (step S201). Next, l-bit labels are arbitrarily assigned to all nodes in the tree structure (step S202). Here, the label assigned to the label _x is expressed as Label _{x, x} .

A label is assigned to the client terminal (step S203). Here, a set of labels held by the client terminal assigned to the leaf node x is expressed by Equation 2.
Note that Path (u, v) is a set of nodes (including u and v) on the path from the node u to the node v, and Sibling (u) has the same parent node as the node u. A set of nodes (not including u). Here, the label Label _x, label from _x Label _{x, y} (node y, the upper node of the node x) to derive the uses pseudo-random number generator G.

<Encryption processing>
The encryption process according to the present embodiment will be described with reference to FIG.
The center server generates a broadcast message for the message M according to the following procedure.
Specifically, the center server randomly generates a session key K, encrypts the message M, and obtains an encrypted message F _k (M) (step S301).

Next, difference trees S _i1 , S _i2 ,..., S _im covering all valid client terminals are obtained (step S302). The covering algorithm used here will be described later. Further, the differential trees in this manner, node _{v a} a subtree whose vertices, node _{v 1,} v 2 is a descendant node of the node _{v a,} · · ·, _{v k (however, v} 1, v ₂ ,..., V _k are assumed to have the same parent node).

A key L _ij is assigned to each difference tree S _ij created in step S302 and encrypted (step S303). Here, the key shown in Equation 5 is assigned to the difference tree shown in Equation 4 as shown in Equation 6.
And encryption function E, using these keys, encrypts the session key, the encrypted session key _{E Li1 (K), E Li2} (K), obtained · · _{·, E Lik} a (K).

Then, all the client terminals, the broadcast message _{<[i 1, i 2,} ···, i m, E L1 (K), E L2 (K), ···, E Lm (K)], F K (M)> is distributed (step S304).

<Decryption process>
A decoding process according to the present embodiment will be described with reference to FIG.
Client terminal, the received broadcast message _{<[i 1, i 2,} ···, i m, C 1, C 2, ···, C m], M'> respect, the following processing is performed.

First, the identifier i _j of the difference tree S _ij to which the client terminal belongs is obtained (step S401). When the client terminal is invalidated, the difference tree identifier cannot be obtained.

Next, the client terminal derives the key L _ij from the label it holds (step 402). Then, a session key K is obtained as K = D _Lij (C _j ) (step S403), and a message M is obtained as M = Dk (M ′) (step S404).

<Coating treatment>
The covering algorithm used in the encryption process will be described with reference to FIG.
First, T = ST (R) and S = φ are set (step S501). Here, ST (R) is a subtree made up of nodes associated with invalidated client terminals and higher-order nodes in the tree structure (binary tree) in the SD method.
An example is shown in FIG. S is a variable for storing a set of difference trees used for covering.

Next, nodes v ₁ , v ₂ ,..., V _k are selected such that the client terminal itself and all sibling nodes are leaf nodes (step S502). If k = n _p , the nodes v ₁ , v ₂ ,..., V _k are deleted from T (step S503). Here, the _{n p,} is a node _{v 1,} v 2, · · ·, branching number of the parent node of _{v k.} An example is shown in FIG.

Next, in the case of k <n _p , the lowest node having a sibling node is searched for among the nodes higher than the node. Then, the found node and _{v a.} Next, the number 7 a set S, deletes all nodes from T subordinate to _{v a} (step S504). An example is shown in FIG. If there is no upper node having sibling nodes, the difference tree is added to the set S, and all nodes other than root are deleted from T. An example is shown in FIG. Then, the processes from step S502 to step S504 are repeated until T becomes a single leaf node.

  Therefore, according to the present embodiment, for example, the SD method can be applied to a tree having an arbitrary tree structure such as a binary tree and a quadtree. The size can be reduced.

<Example>
Examples will be described with reference to FIGS. 10 to 12.
In this embodiment, in the extended SD method using the tree structure of FIG. 10, the clients d ₁ , d ₆ , d ₇ , d ₁₀ and d ₁₃ associated with the nodes 8, 13, 14, 17 and 20 are Assume that it has been disabled. ST (R) is a subtree composed of nodes 8, 13, 14, 17, 20 and upper nodes of these nodes.

Each client terminal has the label shown in FIG. In this example, as shown in FIG. 12, a valid client terminal is covered with four difference trees. Since the legitimate client terminals d ₁ , d ₂ and d ₃ have labels Labels ₄ and ₈ , the keys L ₄ and ₈ are _assigned L ₄ and ₈ = G using a one-way function from the labels. Derived as _key (Label _{4, 8} ), the session key K can be decrypted.

Since the legitimate client terminals d ₅ and d ₈ have both the labels Label ₃ and ₁₃ and the labels Label ₃ and ₁₄ , the key shown in _{Expression 8} is obtained using a one-way function from these labels. , And the session key K can be decrypted.

Since the legitimate client terminals d ₉ , d ₁₁ , and d ₁₂ have labels Labels ₆ and ₁₇ , the keys L ₆ and ₁₇ are _assigned L ₆ and ₁₇ = G _key (Label ₆ using a one-way function. ₁₇ ) and the session key K can be decrypted.

Since legitimate client terminals d ₁₄ , d ₁₅ and d ₁₆ have labels Labels ₇ and ₂₀ , the keys L ₇ and ₂₀ are derived from these labels using a one-way function, and the session key K is obtained. Can be decrypted.

On the other hand, since the disabled client terminal d ₁ does not hold the labels Label ₄ and ₈ , the keys L ₄ and ₈ cannot be derived.
Also, since none of the labels Label _{5, *} , Label _{6, *} , Label _{7, and *} (* is an arbitrary integer) are held, the keys shown in _Expression 10, the keys L _{6, 17} and the keys L ₇ , 20 Neither can be derived.
Therefore, the session key K cannot be decrypted.

Since the revoked client terminals d ₆ and d ₇ have only one of the labels Label ₅ , ₁₃ and Label ₅ , ₁₄ , the key represented by the number 11 that requires both labels for derivation is derived. Can not.
Also, the label _Label 4, *, Label _{6, *} and _{Label 7,} since * (* is an arbitrary integer) does not possess any of the key _{L 4, 8,} one of the key _{L 6, 17} and the key _{L 7,20} Cannot be derived.
Therefore, the session key K cannot be decrypted.

The revoked client terminal d ₁₇ does not have the labels Labels ₆ and ₁₇ and therefore cannot derive the keys L ₆ and ₁₇ .
Also, since none of the labels Label _{4, *} , Label _{5, *,} and Label _{7, *} (* is an arbitrary integer) are held, the keys L ₄ and ₈ and the keys indicated by _Equation 12 and the keys L ₇ and 20 Neither can be derived. Therefore, the session key K cannot be decrypted.

Since the disabled client terminal d ₁₃ does not have the labels Label ₇ and ₂₀ , the keys L ₇ and 20 cannot be derived. Also, the label _{Label 4, *, Label 5,} * and so _{Label 6,} * (* is an arbitrary integer) does not possess any of the key _{L 4, 8,} indicated by the number 13 key and the key _{L 6, 17} Neither can be derived. Therefore, the session key K cannot be decrypted.

  As described above, according to the present invention, for example, the SD method can be applied to a tree having an arbitrary tree structure such as a binary tree and a quadtree as shown in FIG. Grouping can be performed to reduce the broadcast message size.

  The SD method using an arbitrary tree structure is recorded on a computer-readable recording medium, and the program recorded on the recording medium is read by the apparatus and executed to use the arbitrary tree structure of the present invention. The SD method can be realized. The computer system here includes an OS and hardware such as peripheral devices.

  Further, the “computer system” includes a homepage providing environment (or display environment) if a WWW (World Wide Web) system is used. The program may be transmitted from a computer system storing the program in a storage device or the like to another computer system via a transmission medium or by a transmission wave in the transmission medium. Here, the “transmission medium” for transmitting the program refers to a medium having a function of transmitting information, such as a network (communication network) such as the Internet or a communication line (communication line) such as a telephone line.

  The program may be for realizing a part of the functions described above. Furthermore, what can implement | achieve the function mentioned above in combination with the program already recorded on the computer system, and what is called a difference file (difference program) may be sufficient.

  The embodiments of the present invention have been described in detail with reference to the drawings. However, the specific configuration is not limited to the embodiments, and includes designs and the like that do not depart from the gist of the present invention.

It is a flow which shows the process of this embodiment. It is a flow of the preparation process which concerns on this embodiment. It is the flow of the encryption process which concerns on this embodiment. It is a flow of the decoding process which concerns on this embodiment. It is the flow of the coating process which concerns on this embodiment. It is a figure which shows the tree structure example of ST (R). It is a figure which shows the process example in case of k = _np . It is the figure which illustrated the case where one of the upper nodes has a sibling node in the case of k <n _p . It is the figure which illustrated the case where k < _np , and there is no upper node having sibling nodes. It is a figure which shows the specific example of the extended SD method. It is the table | surface which showed the label which each client terminal has. It is a figure which shows the mode of the covering by the difference tree regarding an Example. It is a conceptual diagram of the broadcast encryption which concerns on a prior art example. It is the figure which illustrated the tree structure which cannot apply a branch tree type | mold extended SD method.

Claims (4)

As preparation process,
A first step of assigning a client terminal to a terminal node (leaf node) of an arbitrary tree structure;
A second step of arbitrarily assigning l-bit labels to all nodes in the arbitrary tree structure;
A third step of assigning the label to the client terminal;
As an encryption process,
A fourth step in which the center server randomly generates a session key K, encrypts the message M, and obtains an encrypted message F _k (M);
A fifth step in which the center server obtains difference trees S _i1 , S _i2 ,..., S _im covering all valid client terminals;
A sixth step of assigning and encrypting a key L _ij to the difference tree S _ij obtained in the fifth step;
Wherein all of the client terminals, the broadcast message _{<[i 1, i 2,} ···, i m, E L1 (K), E L2 (K), ···, E Lm (K)], F k ( A seventh step of distributing M)>;
As a decryption process, for the broadcast message <[i ₁ , i ₂ ,..., I _m , C ₁ , C ₂ , ..., C _m ], M ′> received by the client terminal,
An eighth step of obtaining the identifier i _j of the difference tree S _ij to which itself belongs,
A ninth step of deriving the key L _ij from the label held;
A tenth step of obtaining a session key K as K = D _Lij (C _j );
An eleventh step of obtaining the message M as M = D _k (M ′);
An SD method corresponding to an arbitrary tree structure characterized by comprising: The covering process in the fifth step is
In the tree structure (binary tree) in the SD method, T is a node associated with the invalidated client terminal and a subtree (ST (R)) composed of these higher-order nodes, and a difference tree used for covering A twelfth step in which a variable S for storing a set of
A thirteenth step of selecting nodes v ₁ , v ₂ ,..., V _k such that all of them and their sibling nodes are said leaf nodes;
When node _{v 1, v 2, ···,} v branching factor _{n p} in the parent node of the _k is a predetermined value k, 14 to remove a node _{v 1, v 2, ···,} the _{v k} from T And the steps
when k <n _p, from among the nodes that are on top of the node, looking for the lowest node with the brother of the node, which together with a v _a, all of the nodes in the lower v _a from T A fifteenth step to delete;
A sixteenth step of repeatedly executing the thirteenth through fifteenth steps until T becomes a single leaf node;
The SD method corresponding to an arbitrary tree structure according to claim 1, comprising: On the computer,
As preparation process,
A first step of assigning a client terminal to a terminal node (leaf node) of an arbitrary tree structure;
A second step of arbitrarily assigning l-bit labels to all nodes in the arbitrary tree structure;
A third step of assigning the label to the client terminal;
As an encryption process,
A fourth step in which the center server randomly generates a session key K, encrypts the message M, and obtains an encrypted message F _k (M);
A fifth step in which the center server obtains difference trees S _i1 , S _i2 ,..., S _im covering all valid client terminals;
A sixth step of assigning and encrypting a key L _ij to the difference tree S _ij obtained in the fifth step;
Wherein all of the client terminals, the broadcast message _{<[i 1, i 2,} ···, i m, E L1 (K), E L2 (K), ···, E Lm (K)], F k ( A seventh step of distributing M)>;
As a decryption process, for the broadcast message <[i ₁ , i ₂ ,..., I _m , C ₁ , C ₂ , ..., C _m ], M ′> received by the client terminal,
An eighth step of obtaining the identifier i _j of the difference tree S _ij to which itself belongs,
A ninth step of deriving the key L _ij from the label held;
A tenth step of obtaining a session key K as K = D _Lij (C _j );
An eleventh step of obtaining the message M as M = D _k (M ′);
A program for running The covering process in the fifth step is
In the tree structure (binary tree) in the SD method, T is a node associated with the invalidated client terminal and a subtree (ST (R)) composed of these higher-order nodes, and a difference tree used for covering A twelfth step in which a variable S for storing a set of
A thirteenth step of selecting nodes v ₁ , v ₂ ,..., V _k such that all of them and their sibling nodes are said leaf nodes;
When node _{v 1, v 2, ···,} v branching factor _{n p} in the parent node of the _k is a predetermined value k, 14 to remove a node _{v 1, v 2, ···,} the _{v k} from T And the steps
when k <n _p, from among the nodes that are on top of the node, looking for the lowest node with the brother of the node, which together with a v _a, all of the nodes in the lower v _a from T A fifteenth step to delete;
A sixteenth step of repeatedly executing the thirteenth through fifteenth steps until T becomes a single leaf node;
The program according to claim 3, further comprising:

Images