JP4576824B2 - Information processing apparatus and information processing method - Google Patents

Description

The present invention relates to an information processing equipment you and information processing how. More specifically, the broadcast cipher system based on the generalized Diffie-Hellman assumption enables efficient ciphertext transmission / reception and analysis, reduction of generated ciphertext, user device that receives and decrypts ciphertext, and receiver It relates to information processing equipment Contact and information how to achieve a reduction in the calculation amount in the information processing apparatus and the like.

  Recently, various software data (hereinafter referred to as content) such as audio data such as music, image data such as movies, game programs, various application programs, etc. are transmitted via a network such as the Internet or It is distributed through information recording media (media) such as CD (Compact Disc), DVD (Digital Versatile Disk), MD (Mini Disk). These distributed contents are played back and used in playback devices such as PCs (Personal Computers), CD players, DVD players, and MD players owned by users, or various information processing devices such as game machines.

  Many contents, such as music data and image data, generally have distribution rights or the like held by the creator or seller. Therefore, when distributing these contents, it is common to adopt a configuration that restricts the use of the contents, that is, permits the use of the contents only to authorized users and prevents unauthorized copying or the like. It is the target.

  In particular, in recent years, recording devices and storage media for digitally recording information are becoming widespread. According to such a digital recording apparatus and storage medium, for example, recording and reproduction can be repeated without degrading images and sound, distribution of illegally copied content via the Internet, recording of CD-R, etc. There is a problem of unauthorized copying of media.

  As one method for preventing such unauthorized use of content, there is a system that provides an encrypted key for decrypting content or encrypted content. For example, an encrypted data providing configuration to which a hierarchical tree structure, which is an aspect of the broadcast encryption method, is applied, by appropriately changing the setting of the ciphertext included in the provided encrypted data. This is a system that provides ciphertext that can be decrypted only by a selected authorized user or authorized device.

  For example, Japanese Patent Application Laid-Open No. H10-228688 describes details of the process for providing encrypted data such as an encryption key to which a hierarchical tree structure is applied.

  Using the broadcast channel, confidential information such as a content key is securely sent to a recipient of a ciphertext arbitrarily selected by a transmitter (sender) as a ciphertext provider, that is, a group of receivers (receivers). The method of transmitting is generally referred to as a revocation scheme or a broadcast encryption scheme.

As a main item to evaluate the efficiency of each scheme that realizes revocation schemes and broadcast encryption,
(1) Number of keys (size) that information devices such as user devices and receivers that receive and process ciphertext must securely store
(2) Number of broadcast messages (size),
(3) There are three evaluation items for the amount of calculation required by information processing devices such as user devices and receivers that receive and process ciphertexts.

  A method of reducing all of the above three evaluation items, or a method of reducing at least one or two of the above items is considered to be a better method. In the system, there is a problem that one of the evaluation items becomes large depending on the total number N of receivers or the number r of excluded receivers (revoke receivers) other than the ciphertext decryption allowable receiver.

  Among the methods known so far, in the method described in Non-Patent Document 1, it is assumed that there is a cryptographic n-multilinear map that satisfies the Diffie-Hellman inversion assumption. Basically, a broadcast encryption method has been proposed in which the evaluation items (1) and (2) are both constants. The details of the multi-linear map (n-multilinear map) will be described in [Best Mode for Carrying Out the Invention] of this specification.

However, the validity of the Diffie-Hellman inversion assumption assumed by this method has not been studied so far, and it may be inappropriate to make this assumption in the near future. For example, an algorithm that solves the Diffie-Hellman inversion problem in a realistic time may be found. For this reason, it is an issue to construct a broadcast encryption scheme that is more efficient than the above based on another assumption instead of this assumption.
JP 2001-352322 A D. Boneh and A.M. Silverberg's paper "Applications of Multiformal Forms to Cryptography" (This paper was published in http://eprint.iacr.org/2002/080/ as a technical report of a website managed by the International Association for Cryptographic Research. And is listed on the website managed by Prof. Boneh, one of the authors, as http://crypto.stanford.edu/~dabo./papers/mlearear.pdf)

  The present invention has been made in view of such circumstances, and is as efficient as the method of the above-mentioned paper “D. An object of the present invention is to provide an information processing apparatus, an information recording medium, an information processing method, and a computer program that realize a system with a good number and message amount.

  In the present invention, a broadcast encryption scheme based on a generalized Diffie-Hellman assumption, which is used for another application in the above paper, is proposed instead of the Diffie-Hellman inversion assumption. In the above paper, the generalized Diffie-Hellman assumption is used for the unique digital signature method. By applying this to the broadcast encryption method in the present invention, efficient ciphertext transmission / reception and analysis can be performed and generated. Information processing apparatus, information recording medium, information processing method, and computer program that realize reduction of the amount of ciphertext to be performed, reduction in the amount of calculation in a user device that receives and decrypts ciphertext, and an information processing apparatus such as a receiver The purpose is to do.

The first aspect of the present invention is:
Using a secret key stored in the ciphertext decryption permitted device, n multilinear map (where, n is an integer of 2 or more) to generate the encryption key by applying, by encrypting the output information by encryption key A ciphertext generator for generating ciphertext;
An information output unit for transmitting or recording the ciphertext generated by the ciphertext generation unit and information representing the set of ciphertext decryption-permitted devices;
In an information processing apparatus.

ただし、
Ｇ_２は、ｇｅｎｅｒａｌｉｚｅｄＤｉｆｆｉｅ−Ｈｅｌｌｍａｎ ａｓｓｕｍｐｔｉｏｎを満たすｎマルチリニアマップｅ：Ｇ_１ ^ｎ→Ｇ_２を定義する群であり、
Ｎは暗号文受領機器としての情報処理装置総数、
ｎは、ｎマルチリニアマップの規定数ｎであり２以上の整数、
｜Ｓ｜は、暗号文復号許容機器集合Ｓの要素数、
ｘ_ｊは、ランダムな整数ｘ_ｊ∈［１，ｐ−１］（ただし、ｊ＝１，・・・，２Ｎ−１）であり、ｈ_ｊ＝ｇ^ｘｊが公開値、ｐは群Ｇ_１，Ｇ_２の位数、ｇは群Ｇ_１の生成元、ｘ_ｉは、各暗号文受領機器としての情報処理装置ｉ（ただし、ｉ＝１，・・・，Ｎ）に対して付与される秘密鍵である。
In the information processing apparatus of the present invention, the ciphertext generating unit, as the encryption key to be generated by applying the n multi-linear map, by the following equation, that generates a session key Ks.

However,
G ₂ is a group that defines an n multi-linear map e: G ₁ ⁿ → G ₂ that satisfies the generalized Diffie-Hellman assumption.
N is the total number of information processing devices as ciphertext receiving devices,
n is the specified number n of the n multi-linear map and is an integer greater than or equal to 2,
| S | is the number of elements of the ciphertext decryption permitted device set S,
x _j is a random integer x _j ∈ [1, p−1] (where j = 1,..., 2N−1), h _j = g ^xj is a public value, and p is a group G ₁ , G of order _2, secret g is generator of the group _{G 1, x i} is the information processing apparatus i as the ciphertext receiving apparatuses (where, i = 1, · · ·, N) is given to Is the key .

ただし、
Ｇ _２ は、ｇｅｎｅｒａｌｉｚｅｄ Ｄｉｆｆｉｅ−Ｈｅｌｌｍａｎ ａｓｓｕｍｐｔｉｏｎを満たすｎマルチリニアマップｅ：Ｇ _１ ^ｎ →Ｇ _２ を定義する群であり、
Ｎは暗号文受領機器としての情報処理装置総数、
ｎは、ｎマルチリニアマップの規定数ｎであり２以上の整数、
｜Ｓ｜は、暗号文復号許容機器集合Ｓの要素数、
ｘ _ｊ は、ランダムな整数ｘ _ｊ ∈［１，ｐ−１］（ただし、ｊ＝１，・・・，２Ｎ−１）であり、ｈ _ｊ ＝ｇ ^ｘｊ が公開値、ｐは群Ｇ _１ ，Ｇ _２ の位数、ｇは群Ｇ _１ の生成元、ｘ _ｉ は、各暗号文受領機器としての情報処理装置ｉ（ただし、ｉ＝１，・・・，Ｎ）に対して付与される秘密鍵である。
Furthermore, the second aspect of the present invention provides
An information acquisition unit that receives and reproduces information representing a set of ciphertext decryption permitted devices and ciphertext from a recording medium; and
A storage unit storing a secret key;
A determination unit that determines whether the own device is included in the set of ciphertext decryption allowable devices based on information representing the set of ciphertext allowable devices acquired by the information acquisition unit;
When the determination unit determines that the own device is included in the set of ciphertext decryption permitted devices, the secret key stored in the storage unit is used, and n multi-linear maps (where n is 2 or more) An encryption key calculation unit that calculates an encryption key generated by applying (integer) ,
A ciphertext decryption unit that obtains information by decrypting the ciphertext acquired by the information acquisition unit based on the encryption key calculated by the encryption key calculation unit;
In an information processing apparatus.
Furthermore, in an embodiment of the information processing apparatus of the present invention, the encryption key calculation unit calculates a session key Ks as an encryption key by the following equation.

However,
G ₂ is a group that defines an n multi-linear map e: G ₁ ⁿ → G ₂ that satisfies a generalized Diffie-Hellman assumption .
N is the total number of information processing devices as ciphertext receiving devices,
n is the specified number n of the n multi-linear map and is an integer greater than or equal to 2,
| S | is the number of elements of the ciphertext decryption permitted device set S,
x _j is a random integer x _j ∈ [1, p−1] (where j = 1,..., 2N−1), h _j = g ^xj is a public value, and p is a group G ₁ , G of order _2, secret g is generator of the group _{G 1, x i} is the information processing apparatus i as the ciphertext receiving apparatuses (where, i = 1, · · ·, N) is given to Is the key.

Furthermore, the third aspect of the present invention provides
Using a secret key stored in the ciphertext decryption permitted device, n multilinear map (where, n is an integer of 2 or more) to generate the encryption key by applying, by encrypting the output information by encryption key A ciphertext generation step for generating ciphertext;
An information output step of transmitting or recording information representing a set of ciphertext decryption permitted devices and the ciphertext generated in the ciphertext generation step on a recording medium;
There is an information processing method.

ただし、
Ｇ_２は、ｇｅｎｅｒａｌｉｚｅｄＤｉｆｆｉｅ−Ｈｅｌｌｍａｎ ａｓｓｕｍｐｔｉｏｎを満たすｎマルチリニアマップｅ：Ｇ_１ ^ｎ→Ｇ_２を定義する群であり、
Ｎは暗号文受領機器としての情報処理装置総数、
ｎは、ｎマルチリニアマップの規定数ｎであり２以上の整数、
｜Ｓ｜は、暗号文復号許容機器集合Ｓの要素数、
ｘ_ｊは、ランダムな整数ｘ_ｊ∈［１，ｐ−１］（ただし、ｊ＝１，・・・，２Ｎ−１）であり、ｈ_ｊ＝ｇ^ｘｊが公開値、ｐは群Ｇ_１，Ｇ_２の位数、ｇは群Ｇ_１の生成元、ｘ_ｉは、各暗号文受領機器としての情報処理装置ｉ（ただし、ｉ＝１，・・・，Ｎ）に対して付与される秘密鍵である。
In the information processing method of the present invention, in the ciphertext generation step, as the encryption key to be generated by applying the n multi-linear map, by the following equation, that generates a session key Ks.

However,
G ₂ is a group that defines an n multi-linear map e: G ₁ ⁿ → G ₂ that satisfies the generalized Diffie-Hellman assumption.
N is the total number of information processing devices as ciphertext receiving devices,
n is the specified number n of the n multi-linear map and is an integer greater than or equal to 2,
| S | is the number of elements of the ciphertext decryption permitted device set S,
x _j is a random integer x _j ∈ [1, p−1] (where j = 1,..., 2N−1), h _j = g ^xj is a public value, and p is a group G ₁ , G of order _2, secret g is generator of the group _{G 1, x i} is the information processing apparatus i as the ciphertext receiving apparatuses (where, i = 1, · · ·, N) is given to Is the key .

ただし、
Ｇ _２ は、ｇｅｎｅｒａｌｉｚｅｄ Ｄｉｆｆｉｅ−Ｈｅｌｌｍａｎ ａｓｓｕｍｐｔｉｏｎを満たすｎマルチリニアマップｅ：Ｇ _１ ^ｎ →Ｇ _２ を定義する群であり、
Ｎは暗号文受領機器としての情報処理装置総数、
ｎは、ｎマルチリニアマップの規定数ｎであり２以上の整数、
｜Ｓ｜は、暗号文復号許容機器集合Ｓの要素数、
ｘ _ｊ は、ランダムな整数ｘ _ｊ ∈［１，ｐ−１］（ただし、ｊ＝１，・・・，２Ｎ−１）であり、ｈ _ｊ ＝ｇ ^ｘｊ が公開値、ｐは群Ｇ _１ ，Ｇ _２ の位数、ｇは群Ｇ _１ の生成元、ｘ _ｉ は、各暗号文受領機器としての情報処理装置ｉ（ただし、ｉ＝１，・・・，Ｎ）に対して付与される秘密鍵である。
Furthermore, the fourth aspect of the present invention provides
An information acquisition step for receiving and reproducing the information representing the set of ciphertext decryption permitted devices and the ciphertext from a recording medium; and
A determination step of determining whether or not the own device is included in the set of ciphertext decryption allowable devices based on the information representing the set of ciphertext allowable devices acquired in the information acquisition step;
When it is determined in the determining step that the own device is included in the set of ciphertext decryption permitted devices, the secret key stored in the storage unit is used, and n multi-linear map (where n is an integer of 2 or more) ) and the encryption key calculation step of calculating an encryption key generated by applying,
A ciphertext decryption step of obtaining information by decrypting the ciphertext acquired in the information acquisition step based on the encryption key calculated in the encryption key calculation step;
There is an information processing method.
Furthermore, in an embodiment of the information processing method of the present invention, in the encryption key calculation step, a session key Ks as an encryption key is calculated by the following equation.

However,
G ₂ is a group that defines an n multi-linear map e: G ₁ ⁿ → G ₂ that satisfies a generalized Diffie-Hellman assumption .
N is the total number of information processing devices as ciphertext receiving devices,
n is the specified number n of the n multi-linear map and is an integer greater than or equal to 2,
| S | is the number of elements of the ciphertext decryption permitted device set S,
x _j is a random integer x _j ∈ [1, p−1] (where j = 1,..., 2N−1), h _j = g ^xj is a public value, and p is a group G ₁ , G of order _2, secret g is generator of the group _{G 1, x i} is the information processing apparatus i as the ciphertext receiving apparatuses (where, i = 1, · · ·, N) is given to Is the key.

  Other objects, features, and advantages of the present invention will become apparent from a more detailed description based on embodiments of the present invention described later and the accompanying drawings. In this specification, the system is a logical set configuration of a plurality of devices, and is not limited to one in which the devices of each configuration are in the same casing.

  According to the configuration of the present invention, a configuration in which a ciphertext that can be decrypted based only on a storage key of a specific ciphertext decryption-permitted device selected from a plurality of information processing apparatuses is transmitted in a multilinear manner that satisfies the generalized Diffie-Hellman assumption By building on the basis of a broadcast encryption method based on a map (multilinear map), the number of ciphertexts to be transmitted and the number of keys stored in each information processing device are reduced, and efficient ciphertext broadcast processing is realized. It becomes possible.

  The details of the information processing apparatus, information recording medium, information processing method, and computer program of the present invention will be described below with reference to the drawings.

  The present invention is a broadcast encryption method using a multilinear map that satisfies the generalized Diffie-Hellman assumption, and enables efficient ciphertext transmission / reception and analysis.

  First, based on the non-patent document “D. Boneh and A. Silverberg's“ Applications of Multilinear Forms to Cryptography ”described in the background section above, a cryptographic n-multilinear map (n-multilinear map) is used. Will be described.

The n multi-linear map e: G ₁ ⁿ → G ₂ satisfies the following conditions (1), (2), and (3).
(1) G ₁ and G ₂ are groups having the same prime order.
(2) The following conditions are satisfied.

(3) If gεG ₁ is a generator of G ₁ , e (g,... G) is a generator of G ₂ .

And the cryptographic n-multilinear map (n-multilinear map) is
(1) computation of the group on _{G 1} and _{G 2} can be performed efficiently.
(2) The n multi-linear map e can be calculated efficiently.
(3) there is no efficient algorithm to solve the discrete logarithm problem on G _1.
It is an n multi-linear map that satisfies the following three conditions.

  As will be described later, and as described in the above-mentioned non-patent document, up to the present time, for n = 2, a cryptographic n multi-linear map is used using a technique called Tate paring or Weil paring. It is considered configurable.

In the description of this embodiment, a specific ciphertext distribution configuration will be described in the order of the following modes (a) and (b).
(A) Assuming that there is a cryptographic n-multilinear map for an arbitrary number n (n> 1), a broadcast encryption scheme using such a map n-multilinear map e (b) n = Broadcast encryption method using a cryptographic 2 multi-linear map

  In this embodiment, the sender who executes the ciphertext distribution process selects a specific selected ciphertext decryption allowable receiver set S from the total number N of receivers, and revokes other receivers ( Exclude) Set as receiver. That is, the ciphertext provider generates and transmits a decipherable ciphertext only in the ciphertext decryption-accepting receiver.

  The ciphertext is provided through communication via a network or an information recording medium such as a CD or DVD. This ciphertext can be acquired by all receivers (users). However, the provided ciphertext cannot be decrypted using a key stored in the revoked device, and can be decrypted only by a key stored in a device other than the revoked device, that is, a ciphertext decryption permitted device.

  (A) Broadcast encryption scheme using an arbitrary number n (n> 1) of n multi-linear maps e

  First, a broadcast encryption scheme using an arbitrary number n (n> 1) of n multi-linear maps e will be described.

The broadcast encryption method described in this embodiment is
(1) Setup,
(2) Encryption and transmission,
(3) reception and decoding,
It is divided into three phases. The setup phase is performed only once at system startup. The encryption, transmission, reception, and decryption phases are repeated each time information is transmitted.

The entities that make up the broadcast encryption scheme are:
(A) a sender (transmitter) as an information processing device that performs ciphertext generation and provision processing;
(B) Receiver or receiver (user) such as a user device as an information processing apparatus for receiving and decrypting ciphertext
(C) A management center that manages the broadcast encryption system.

  Let N be the total number of information processing devices or users that receive and decrypt ciphertext. A management center for managing the system is also provided. The (1) setup process is executed by the sender or the management center.

(1) Setup Hereinafter, an entity or information processing apparatus that performs ciphertext generation and provision processing will be described as a sender or a transmitter, and an entity or information processing apparatus that receives a ciphertext will be described as a receiver or a receiver. The setup process is executed by the sender or the system administrator. In the following description, it is assumed that the setup process is performed by the sender.

  Referring to FIG. 1, a configuration example of an information processing apparatus such as a transmission apparatus that generates and provides a ciphertext, and a reception apparatus such as a reception apparatus that receives ciphertext and selects and decrypts the ciphertext. Will be described. In this system, when ciphertext and key designation code are stored and provided on a recording medium such as a disc, the transmitting device is constituted by a disc writing device or disc manufacturing device, and the receiver is constituted by an information processing device such as a disc reproducing device. Is done.

  As illustrated in FIG. 1, the information processing apparatus as an example includes a controller 101, an arithmetic unit 102, an input / output interface 103, a secure storage unit 104, a main storage unit 105, and a large capacity storage unit 106.

  The controller 101 is configured by a CPU having a function as a control unit that executes data processing according to a computer program, for example. The arithmetic unit 102 provides a dedicated arithmetic function for generating cryptographic keys, random numbers, and cryptographic processing, for example. The input / output interface 103 is an interface corresponding to data input from an input means such as a keyboard and a mouse, data output to an external output device, and data transmission / reception processing via a network.

  The secure storage unit 104 is a storage unit that stores data that should be held safely or secretly, such as a unique key as an encryption key and various IDs. The main storage unit 105 is a memory area used for, for example, a data processing program executed in the controller 101, a temporary storage processing parameter, a work area for program execution, and the like. The secure storage unit 104 and the main storage unit 105 are memories configured by, for example, RAM, ROM, and the like. The large-capacity storage unit 106 is a storage unit that can record and read large-capacity data such as a hard disk, CD, DVD, and MD, and records encrypted content and the like.

  In the following description, in order to facilitate understanding, an information processing apparatus that provides ciphertext is referred to as a transmitter, and an information processing apparatus that receives ciphertext is referred to as a receiver. However, the provision of ciphertext to the user can be provided via a network or stored in an information recording medium as described above, and the data transmission / reception configuration is not necessarily provided on the ciphertext providing side and the receiving side. Not a required configuration.

  The setup process will be described in detail. The sender defines an n-multilinear map that satisfies the generalized Diffie-Hellman assumption and publishes it to the receiver. However, n is determined as n = N−1 with respect to the total number N of receivers.

と、
ｎ個の受信機｛１，・・・，ｎ｝のうちの部分集合、情報復号許容受信機集合Ｓ⊂｛１，・・・，ｎ｝に対する

が与えられたときに、

を求めることが困難であることを言う。ここでｇは群Ｇ_１の生成元である。 Here, satisfying the generalized Diffie-Hellman assumption:

When,
a subset of n receivers {1,..., n}, information decoding allowable receiver set S⊂ {1,.

Is given,

Saying that it is difficult to seek. Where g is the generator of the group G _1.

を求める。
ここでｐは群Ｇ_１，Ｇ_２の位数であり、ｇはＧ_１の生成元である。各ｈ_ｊは、公開し、また、受信機ｉ（ただし、ｉ＝１，・・・，Ｎ）に対して、ｘ_ｉを秘密鍵として与える。受信機はｘ_ｉを安全に保管する。ｘ_ｉは、各受信機ｉの秘密鍵として設定される。 Further, a random integer x _j ∈ [1, p−1] (where j = 1,..., 2N−1) is determined,

Ask for.
Here, p is the order of the groups G ₁ and G ₂ , and g is a generator of G ₁ . Each h _j is made public and x _i is given as a secret key to the receiver i (where i = 1,..., N). The receiver stores _xi securely. x _i is set as a secret key of each receiver i.

Assuming that the number of transceivers N = 4, n = N−1 = 3.
The sender, a random integer _x 1, ···, _{x 7} and _h 1, ···, to create a _{h 7, h 1, ···,} to publish the _{h 7,} x to the receiver 1 ₁ , x ₂ is given to the receiver ₂ , and similarly the key x _i is given to the receiver _i as a secret key.

(2) Encryption and transmission The sender selects a set of receivers that decrypt information in the communication among N receivers, that is, an information decryption allowable receiver set S⊆ {1,..., N}. select. Next, the session key Ks is derived as follows, the transmission information is encrypted using the session key Ks, and the information indicating the information decryption allowable receiver set S⊆ {1,. Broadcast transmission.

Here, if there is no receiver to be excluded, that is, no revoke receiver not included in the information decoding allowable receiver set S and | S | = N, x _{N + 1} x _{N + 2} ... X _{2N + n−} Note that the _{| S |} part is not used.

  Further, the information indicating the information decoding allowable receiver set S can be expressed using, for example, a list of receiver numbers. Furthermore, the information encryption may use the session key Ks as it is, or may use a value obtained by inputting the session key Ks into a hash function such as SHA-1 or MD5 and converting it to a desired size. .

となる。 For example, in the case of the above setting, that is, when the number of transceivers N = 4 and n = N−1 = 3, and the information decoding allowable receiver set S = {1, 2}, the session key Ks is

It becomes.

  For example, in the case of a broadcast application, after transmitting information representing the information decryption allowable receiver set S, the broadcast content may be transmitted after being encrypted with the session key Ks. After transmitting the ciphertext obtained by encrypting the content key Kc using the session key Ks, the content encrypted with the content key Kc may be transmitted. In the case of an application for a recording medium such as a CD, the information broadcast in the broadcast application may be recorded on a disk and distributed.

By the way, when the sender derives the session key Ks, another method may be used. That is, | S | j with j∈S is picked up, and N− | S | j from N to 2N− | S | is picked up. The output of the map e is obtained by inputting h _j corresponding to n = N−1 of the total N picked up as _j, and the remaining j with respect to the output is the x _j power (G ₂ To obtain a session key Ks equal to the above. This method of obtaining is the same as the method of obtaining the session key Ks by the receiver i described later.

(3) Reception and decoding Is receiver i included in a set of receivers that receive information transmitted from the broadcast channel and that decode the information in the communication, that is, information decoding allowable receiver set S? Find out. If it is not included in the information decoding permission receiver set S, the communication is not able to be decoded, and the process is terminated. If oneself is included in the information decryption allowable receiver set S, the session key Ks is obtained by the following process, and the transmitted information is decrypted using this.

1. Counters j and k are prepared, and j = 1 and k = 1 are set.
2. While the counter k is N or less, the following processing is repeated. (A) It is checked whether k = i and whether k is included in S.
i. If k is included in S and k ≠ i, h _k is set as H _j and j and k are incremented by one.
ii. Otherwise, increase k by one.
3. If the counter j is n or less, the following processing is repeated while the relationship is established. (B) h _k is set as H _j , and j and k are incremented by one.
4). The session key Ks is obtained by the following formula.

として求めることができる。 For example, in the above setting, that is, when the number of transmitters / receivers N = 4 and n = N−1 = 3 and the information decoding allowable receiver set S = {1, 2}, Key Ks

Can be obtained as

With the above configuration, there is only one key (x _i ) that the receiver must securely store, and there is only one message that is broadcast for key distribution. That is, transmission information using the session key Ks, for example, a ciphertext obtained by encrypting the content key Kc,
E (Ks, Kc)
It becomes only. E (A, B) indicates the encrypted data of B by the key A.
In addition, when the content is directly encrypted with the session key Ks, the receiver calculates the session key using the secret information stored in its own device when decrypting the encrypted content encrypted with the session key. The new transmission information becomes unnecessary (zero).

  In the above-described processing example, that is, in the broadcast encryption method based on the multilinear map that satisfies the generalized Diffie-Hellman assumption, the ciphertext is generated and the processing sequence executed in the information processing apparatus that provides the ciphertext is received. A processing sequence in an information processing apparatus such as a receiver that performs decoding processing will be described with reference to a flowchart.

  First, a processing sequence executed in an information processing apparatus that generates and provides a ciphertext will be described with reference to FIG.

  In step S101, the information processing apparatus on the ciphertext transmission side first selects a set S⊆ {1,..., N} of receivers to decrypt information in the communication among the N receivers.

として計算する。 In step S102, a session key Ks is set based on the set S of receivers that decrypt information excluding the revoke device. Session key Ks

Calculate as

In step S103
The content key Kc is encrypted with the session key Ks, and the encrypted content key Enc (Ks, Kc)
Is calculated.

In step S104,
a. Information decoding allowable receiver set S (for example, list of receiver numbers)
b. Encrypted content key Enc (Ks, Kc)
c. Encrypted content Enc (Kc, Con)
Is transmitted via a communication path. Or it writes in an information recording medium and provides.

An example of information stored in the information recording medium is shown in FIG. The information recording medium 200 is an information recording medium such as a CD or a DVD. here,
a. Information decoding allowable receiver set S information 201, for example, list of receiver numbers b. Encrypted content key Enc (Ks, Kc) 202
c. Encrypted content Enc (Kc, Con) 203
Store and serve.

  Any information processing apparatus as user equipment can receive such information via a broadcast communication path or an information recording medium. However, only the devices included in the set S of receivers that decrypt information in the communication can calculate the session key Ks applied to the ciphertext Enc (Ks, Kc) 202 based on their own key, and the revocation device Since the session key Ks applied to the ciphertext Enc (Ks, Kc) 202 cannot be calculated, only the device included in the receiver set S decrypts the ciphertext Enc (Ks, Kc) 202 to obtain the content. The key Kc can be acquired, and the encrypted content Enc (Kc, Con) 203 can be decrypted based on the acquired content key Kc to acquire the content (Con).

Next, referring to FIG.
a. Information decoding allowable receiver set S information 201, for example, list of receiver numbers b. Encrypted content key Enc (Ks, Kc) 202
c. Encrypted content Enc (Kc, Con) 203
A processing procedure in the information processing apparatus as the user equipment that has received the information items a to c will be described.

  First, in step S201, information indicating the information decoding allowable receiver set S (for example, a list of receiver numbers) is read.

  In step S202, it is determined whether or not its own device is included in a set of receivers that decode information in the communication, that is, an information decoding allowable receiver set S. If it is not included in the information decoding allowable receiver set S, the communication cannot be decoded and the process is terminated.

  If it is included in the information decoding permission receiver set S, the process proceeds to step S203, and the session key Ks is derived.

A specific calculation example of the session key Ks is shown in FIG. The process shown in FIG. 5 is the following process as described above.
1. Counters j and k are prepared, and j = 1 and k = 1 are set.
2. While the counter k is N or less, the following processing is repeated. (A) It is checked whether k = i and whether k is included in S.
i. If k is included in S and k ≠ i, h _k is set as H _j and j and k are incremented by one.
ii. Otherwise, increase k by one.
3. If the counter j is n or less, the following processing is repeated while the relationship is established. (B) h _k is set as H _j , and j and k are incremented by one.
4). The session key Ks is obtained by the following formula.

  In step S204, the ciphertext Enc (Ks, Kc) is decrypted by applying the session key Ks to acquire the content key Kc, and the encrypted content Enc (Kc, Con) is decrypted based on the acquired content key Kc. To acquire the content (Con).

  (B) Broadcast encryption method using a cryptographic two-multilinear map with n = 2

  In the above-described embodiment, it is assumed that there is a cryptographic n-multilinear map for an arbitrary n (n> 1). Hereinafter, n = 2 that has already been demonstrated. A specific example in which the cryptographic n multi-linear map, i.e., the two multi-linear map is applied will be described. For the cryptographic n multi-linear map with n = 2, see D.C. Boneh and M.M. Franklin's paper "Identity-Based Encryption from the Wel Paring" (This article can be found on the website managed by Prof. .Published as .pdf)

In the following, the broadcast encryption method applying the 2 multi-linear map with n = 2 is similar to the above example.
(1) Setup,
(2) Encryption and transmission,
(3) reception and decoding,
These will be described in the following three phases.

  The setup phase is performed only once at system startup. The encryption, transmission, reception, and decryption phases are repeated each time information is transmitted.

  Entities constituting the broadcast encryption method include a sender (transmitter) as an information processing apparatus that performs ciphertext generation and provision processing, a user device as an information processing apparatus that performs ciphertext reception and decryption processing, and the like. And N is the total number of information processing apparatuses or users who receive and decrypt ciphertexts. A management center for managing the system is also provided. The (1) setup process is executed by the sender or the management center.

(1) Setup Hereinafter, an entity or information processing apparatus that performs ciphertext generation and provision processing will be described as a sender or a transmitter, and an entity or information processing apparatus that receives a ciphertext will be described as a receiver or a receiver. The setup process is executed by the sender or the system administrator. In the following description, it is assumed that the setup process is performed by the sender.

  The sender defines an n-multilinear map that satisfies the generalized Diffie-Hellman assumption and publishes it to the receiver. However, n = 2.

を求める。ここでｐは群Ｇ_１，Ｇ_２の位数であり、ｇはＧ_１の生成元である。また、Ｎは総受信機数である。各ｈ_ｊは、公開し、また、受信機ｉ（ただし、ｉ＝１，・・・，Ｎ）に対して、ｘ_ｉを秘密鍵として与える。受信機はｘ_ｉを安全に保管する。ｘ_ｉは、各受信機ｉの秘密鍵として設定される。また、実在しないダミーの受信機Ｎ＋１およびＮ＋２を仮想的に想定し、それぞれにｘ_Ｎ＋１およびｘ_Ｎ＋２が与えられているものと想定する。 Further, a random integer x _j ∈ [1, p−1] (where j = 1,..., N + 2) is determined,

Ask for. Here, p is the order of the groups G ₁ and G ₂ , and g is a generator of G ₁ . N is the total number of receivers. Each h _j is made public and x _i is given as a secret key to the receiver i (where i = 1,..., N). The receiver stores _xi securely. x _i is set as a secret key of each receiver i. Further, it is assumed that dummy receivers N + 1 and N + 2 that do not actually exist are assumed to be given xN _{+ 1} and xN _{+ 2} respectively.

Assuming that the number of transceivers N = 10,
Sender, a random integer _x 1, · · _{·, x 12} and _h 1, · · _·, to create a _{h 12,} h 1, · · _·, exposes _{h 12,} x to the receiver 1 ₁ , x ₂ is given to the receiver ₂ , and similarly the key x _i is given to the receiver _i as a secret key.

(2) Encryption and transmission The sender selects a set of receivers to decrypt information in the communication among N receivers, that is, an information decryption allowable receiver set S⊆ {1,..., N}. To do. For example, when the number of transmitters / receivers N = 10 and 2, 6 and 7 out of 10 receivers 1,..., 10 are revoke receivers, the information decoding allowable receiver set S１ ， {1, 3 , 4, 5, 8, 9, 10}.

個のサブグループＳＧ_ｋに分割する。 Next, three elements of S in the order of the number i,

Divide into subgroups SG _k .

である。 However,

It is.

は、｜Ｓ｜／３以上である最小の整数を表す。 In addition,
| S | indicates the number of elements of the information decoding allowable receiver set S,

Represents the smallest integer greater than or equal to | S | / 3.

にＳの要素が１つしか入らない場合には、ダミー受信機Ｎ＋１とＮ＋２もサブグループの要素であるとし、また、

に、Ｓの要素が２つだけ入る場合には、ダミーの受信機Ｎ＋１もこのサブグループの要素であるとする。 However, the last subgroup

, The dummy receivers N + 1 and N + 2 are also subgroup elements, and

If only two S elements are included, the dummy receiver N + 1 is also an element of this subgroup.

In the above example, that is, when the number of transceivers N = 10 and 2, 6 and 7 out of 10 receivers 1,..., 10 are revoke receivers, the information decoding allowable receiver set S⊆ {1, 3, 4, 5, 8, 9, 10}, and the subgroup is
SG ₁ = {1, 3, 4}
SG ₂ = {5, 8, 9}
SG ₃ = {10, 11, 12}
It becomes. However, the receivers 11 and 12 are dummy receivers.

として定める。 Then, the sub-group key _{K SGk} for the sub-group SG _k in its communication,

Determine as

In the above example, a subgroup key subgroup SG ₁ and subgroup SG ₂ and subgroup SG ₃ is shown as follows.

  Next, the entire session key Ks in the communication is determined randomly. The session key Ks is a key for encrypting the contents of communication (for example, content such as a movie). For example, when the 128-bit version of the American standard AES is used for the encryption algorithm, the session key Ks is 128 bits.

を、暗号文
ＣＴ_ｋ＝Ｅ（Ｈ（Ｋ_ＳＧｋ），Ｋｓ）として設定する。
ただし、Ｅ（Ａ，Ｂ）は鍵Ａを用いた平文Ｂの暗号化を示す。 Next, ciphertext obtained by encrypting the session key Ks using each subgroup key

_Is set as ciphertext CT _k = E (H (K _SGk ), Ks).
Here, E (A, B) indicates encryption of plaintext B using the key A.

As an encryption algorithm, for example, a 128-bit version of AES of American standard is used. Function H, any element of G _2, a condensation promises hash function to the key length of the encryption algorithm (e.g. 128bit) to be used. The encryption algorithm E and the hash function H are predetermined by the system (may be determined by the sender) and are made public.

とを、ともに同報通信路で受信機に送信する。 The sender encrypts information to be transmitted by using the session key K _s , information (for example, a list of receiver numbers) representing the information decryption allowable receiver set S, the above ciphertext,

Are transmitted to the receiver via a broadcast channel.

を送信し、その後に放送コンテンツをセッションキーＫｓで暗号化して送信してもよいし、通信において情報を復号させる受信機の集合、すなわち情報復号許容受信機集合Ｓを表す情報と、暗号文

と、セッションキーＫｓで暗号化したコンテンツキーＫｃを送信した後に、コンテンツキーＫｃで暗号化されたコンテンツを送信してもよい。ＣＤなどの記録メディアのアプリケーションの場合には、放送アプリケーションにおいて放送していた情報をディスクに記録して配布すればよい。 For example, in the case of a broadcast application, after transmitting information representing the information decryption allowable receiver set S, ciphertext,

And then the broadcast content may be transmitted after being encrypted with the session key Ks, or a set of receivers for decrypting information in communication, that is, information indicating an information decryption allowable receiver set S, and ciphertext

Then, after transmitting the content key Kc encrypted with the session key Ks, the content encrypted with the content key Kc may be transmitted. In the case of an application for a recording medium such as a CD, the information broadcast in the broadcast application may be recorded on a disk and distributed.

(3) Reception and decoding Is receiver i included in a set of receivers that receive information transmitted from the broadcast channel and that decode the information in the communication, that is, information decoding allowable receiver set S? Find out.

If it is not included in the information decoding permission receiver set S, the communication is not able to be decoded, and the process is terminated. If it is included in the information decryption allowable receiver set S, it is checked which subgroup ciphertext should be decrypted by itself. This can be obtained by searching for the number of elements when the elements of the information decoding permission receiver set S are divided into three elements. The receiver i obtains a sub-group key of the sub-group SG _k that they belong in the following manner.

ここで、ｈ_ｊ１、ｈ_ｊ２は、サブグループＳＧ_ｋのｉ以外の要素の受信機番号ｊ_１，ｊ_２に対応する公開情報であり、ｊ_１＜ｊ_２とする。

Here, h _j1 and h _j2 are public information corresponding to the receiver numbers j ₁ and j ₂ of elements other than i of the subgroup SG _k , and j ₁ <j ₂ .

For example the receiver 5 in the above example, based on the secret information x ₅ a self-owned,
K _SG2 = e (h ₈ , h ₉ ) ^{x 5}
It can be determined subgroup key _{K SG2} subgroup SG ₂ as.

Next, the receiver i calculates the hash value H (K _SGk ) from the subgroup key K _SGk obtained above, and uses this to decrypt the ciphertext CTk to obtain the session key Ks. Decode the transmitted information.

となる。 With the configuration as described above, it is possible to configure a system that can securely distribute a key (session key Ks) to N receivers using two multi-linear maps. In the above configuration, the receiver has only one key (x _i ) that must be securely stored. For example, when the session key Ks is directly used for content encryption, it is broadcast for key distribution. The number of messages

It becomes.

となり、上記のｎ＝２の場合に比べてこの面での効率がよくなる。 The above has described in detail the method using two multi-linear maps. However, as described above, this method can be directly extended to a method using n multi-linear maps for an arbitrary integer n> 1. As n increases, the number of keys stored by the receiver remains one, whereas the number of broadcast messages is

Therefore, the efficiency in this aspect is improved as compared with the case of n = 2.

  In the above-described processing example, that is, in the configuration example in which the calculation amount required by each receiver can be reduced by the broadcast encryption method using two multi-linear maps satisfying the generalized Diffie-Hellman assumption, A processing sequence executed in an information processing apparatus that generates and provides a sentence, and a processing sequence in an information processing apparatus such as a receiver that receives a ciphertext and performs decryption processing will be described with reference to flowcharts.

  First, a processing sequence executed in an information processing apparatus that generates and provides a ciphertext will be described with reference to FIG.

  First, in step S301, the information processing apparatus on the ciphertext transmission side selects a set S⊆ {1,..., N} of receivers to decrypt information in the communication among the N receivers.

として定める。 In step S302, the elements of S in order of the number i, one by three dividing Set subgroup, the subgroup key _{K SGk} for subgroup SG _k,

Determine as

  In step S303, the entire session key Ks in the communication is randomly determined. The session key Ks is a key for encrypting the contents of communication (for example, content such as a movie). For example, when the 128-bit version of the American standard AES is used for the encryption algorithm, the session key Ks is 128 bits.

Next, in step S304, a ciphertext CT _k = E (H (K _SGk ), Ks) _obtained by encrypting the session key Ks using each subgroup key is derived.

In step S305, the content key Kc is encrypted with the session key Ks, and the encrypted content key Enc (Ks, Kc) is encrypted.
Is calculated.

In step S306,
a. Information representing information decoding allowable receiver set S (for example, list of receiver numbers)
b. _Ciphertext CT _k = E (H (K _SGk ), Ks) _obtained by encrypting session key Ks using each subgroup key
c. Encrypted content key Enc (Ks, Kc)
d. Encrypted content Enc (Kc, Con)
Is transmitted via a communication path. Or it writes in an information recording medium and provides.

An example of information stored in the information recording medium is shown in FIG. The information recording medium 300 is an information recording medium such as a CD or a DVD. here,
Information (for example, a list of receiver numbers) 301 representing the information decoding allowable receiver set S
_Ciphertext CT _k = E (H (K _SGk ), Ks) 302 _obtained by encrypting session key Ks using individual subgroup keys
Encrypted content key Enc (Ks, Kc) 303
Encrypted content Enc (Kc, Con) 304
Store and serve.

Any information processing apparatus as user equipment can receive such information via a broadcast communication path or an information recording medium. However, only the devices included in the set S of receivers that decrypt the information in the communication can encrypt the ciphertext CT _k = E (H (K _SGk ), Ks with the session key Ks encrypted using the individual subgroup keys. ) 302 can be calculated, and the revoke device cannot calculate the subgroup key applied to the ciphertext CT _k = E (H (K _SGk ), Ks) 3502. Only the device included in the set S decrypts the ciphertext CT _k = E (H (K _SGk ), Ks) 302 to obtain the session key Ks, and further _uses the obtained session key Ks to encrypt the encrypted content key Enc ( Ks, Kc) is decrypted to obtain the content key Kc, and the encrypted content Enc (Kc, Con) is obtained based on the obtained content key Kc. 03 by decoding the can acquire the content (Con).

Referring to FIG.
a. Information representing information decoding allowable receiver set S (for example, list of receiver numbers)
b. _Ciphertext CT _k = E (H (K _SGk ), Ks) _obtained by encrypting session key Ks using each subgroup key
c. Encrypted content key Enc (Ks, Kc)
d. Encrypted content Enc (Kc, Con)
A processing procedure in the information processing apparatus as the user equipment that has received the information items a to d will be described.

  First, in step S401, information (for example, a list of receiver numbers) indicating the information decoding allowable receiver set S is read.

  In step S402, it is determined whether or not its own device is included in a set of receivers that decode information in the communication, that is, an information decoding allowable receiver set S. This is obtained by searching for the number of elements when the elements of the information decoding permission receiver set S are divided into three elements. If it is not included in the information decoding allowable receiver set S, the communication cannot be decoded and the process is terminated.

If included in his information decoding acceptable receiver set S, the process proceeds to step S403, the subgroup key subgroup SG _k which they belong, as described above, obtained as follows.

Next, in step S404, a hash value H (K _SGk ) is calculated from the subgroup key K _SGk , and using this, the ciphertext CT _k = E (H (K _SGk ), Ks, which is the encrypted data of the session key. ) To obtain the session key Ks.

  In step S405, the ciphertext Enc (Ks, Kc) is decrypted by applying the session key Ks to obtain the content key Kc. In step S406, the encrypted content Enc (Kc, Con is based on the obtained content key Kc. ) To obtain the content (Con).

  The present invention has been described in detail above with reference to specific embodiments. However, it is obvious that those skilled in the art can make modifications and substitutions of the embodiments without departing from the gist of the present invention. In other words, the present invention has been disclosed in the form of exemplification, and should not be interpreted in a limited manner. In order to determine the gist of the present invention, the claims section described at the beginning should be considered.

  The series of processes described in the specification can be executed by hardware, software, or a combined configuration of both. When executing processing by software, the program recording the processing sequence is installed in a memory in a computer incorporated in dedicated hardware and executed, or the program is executed on a general-purpose computer capable of executing various processing. It can be installed and run.

  For example, the program can be recorded in advance on a hard disk or ROM (Read Only Memory) as a recording medium. Alternatively, the program is temporarily or permanently stored on a removable recording medium such as a flexible disk, a CD-ROM (Compact Disc Read Only Memory), an MO (Magneto optical) disk, a DVD (Digital Versatile Disc), a magnetic disk, or a semiconductor memory. It can be stored (recorded). Such a removable recording medium can be provided as so-called package software.

  The program is installed on the computer from the removable recording medium as described above, or is wirelessly transferred from the download site to the computer, or is wired to the computer via a network such as a LAN (Local Area Network) or the Internet. The computer can receive the program transferred in this manner and install it on a recording medium such as a built-in hard disk.

  Note that the various processes described in the specification are not only executed in time series according to the description, but may be executed in parallel or individually according to the processing capability of the apparatus that executes the processes or as necessary. Further, in this specification, the system is a logical set configuration of a plurality of devices, and the devices of each configuration are not limited to being in the same casing.

  As described above, according to the configuration of the present invention, a configuration in which a decrypted ciphertext is transmitted based only on a storage key of a specific ciphertext decryption permitted device selected from a plurality of information processing apparatuses is generated. -By constructing based on a broadcast encryption scheme based on a multi-linear map that satisfies the Hellman assumption, the number of transmitted ciphertexts and the number of keys stored in each information processing device are reduced, which is efficient Secure ciphertext broadcast processing can be realized. Therefore, the present invention can be used in ciphertext providing processing with restricted usage rights. Specifically, an information processing device that performs ciphertext generation, provision, and transmission, and a user that performs decryption and reproduction of ciphertext The present invention can be applied to information processing apparatuses as devices, information recording media storing encrypted contents, and the like.

It is a figure which shows the structural example of information processing apparatuses, such as a transmitter which produces | generates and provides a ciphertext, and information processing apparatuses, such as a receiver which receives a ciphertext and acquires information. It is a flowchart explaining the process sequence performed in the information processing apparatus which produces | generates and provides a ciphertext. It is a figure which shows the example of information recording medium storage of the information produced | generated in the information processing apparatus which produces | generates and provides a ciphertext. It is a flowchart explaining the process sequence performed in the information processing apparatus which receives and decrypts a ciphertext. It is a figure explaining the specific calculation example of the session key Ks performed in the information processing apparatus which receives and decrypts a ciphertext. It is a flowchart explaining the process sequence performed in the information processing apparatus which produces | generates and provides a ciphertext at the time of application of the multi-linear map of n = 2. It is a figure which shows the example of information recording medium storage of the information produced | generated in the information processing apparatus which produces | generates and provides a ciphertext at the time of application of the multi-linear map of n = 2. It is a flowchart explaining the process sequence performed in the information processing apparatus which receives and decrypts a ciphertext at the time of application of the multi-linear map of n = 2.

Explanation of symbols

DESCRIPTION OF SYMBOLS 101 Controller 102 Arithmetic unit 103 Input / output interface 104 Secure memory | storage part 105 Main memory | storage part 106 Mass storage part 200 Information recording medium 201 Ciphertext compounding permissible receiver set S information 202 Encrypted content key Enc (Ks, Kc)
203 Encrypted content Enc (Kc, Con)
300 Information recording medium 301 _Ciphertext composite allowable receiver set S information 302 _Ciphertext CT _k = E (H (K _SGk ), Ks)
303 Encrypted content key Enc (Ks, Kc)
304 Encrypted content Enc (Kc, Con)

Claims (8)

Using a secret key stored in the ciphertext decryption permitted device, n multilinear map (where, n is an integer of 2 or more) by applying the generated encryption key, encrypts the information by encryption key cryptography A ciphertext generation unit for generating a sentence;
An information output unit for transmitting or recording the ciphertext generated by the ciphertext generation unit and information representing the set of ciphertext decryption-permitted devices;
An information processing apparatus comprising: The ciphertext generation unit
Examples encryption key generated by applying the n multi-linear map, by the following equation, the information processing apparatus according to claim 1 that generates a session key Ks.

However,
G ₂ is a group that defines an n multi-linear map e: G ₁ ⁿ → G ₂ that satisfies the generalized Diffie-Hellman assumption.
N is the total number of information processing devices as ciphertext receiving devices,
n is the specified number n of the n multi-linear map and is an integer greater than or equal to 2,
| S | is the number of elements of the ciphertext decryption permitted device set S,
x _j is a random integer x _j ∈ [1, p−1] (where j = 1,..., 2N−1), h _j = g ^xj is a public value, and p is a group G ₁ , G of order _2, secret g is generator of the group _{G 1, x i} is the information processing apparatus i as the ciphertext receiving apparatuses (where, i = 1, · · ·, N) is given to Is the key . An information acquisition unit that receives and reproduces information representing a set of ciphertext decryption permitted devices and ciphertext from a recording medium; and
A storage unit storing a secret key;
A determination unit that determines whether the own device is included in the set of ciphertext decryption allowable devices based on information representing the set of ciphertext allowable devices acquired by the information acquisition unit;
When the determination unit determines that the own device is included in the set of ciphertext decryption permitted devices, the secret key stored in the storage unit is used, and n multi-linear maps (where n is 2 or more) An encryption key calculation unit that calculates an encryption key generated by applying (integer) ,
A ciphertext decryption unit that obtains information by decrypting the ciphertext acquired by the information acquisition unit based on the encryption key calculated by the encryption key calculation unit;
An information processing apparatus comprising: The encryption key calculation unit calculates a session key Ks as an encryption key by the following formula:
  The information processing apparatus according to claim 3.

However,
G ₂ Is a multi-linear map e: G satisfying generalized Diffie-Hellman assumption ₁ ⁿ → G ₂ Is a group that defines
N is the total number of information processing devices as ciphertext receiving devices,
n is the specified number n of the n multi-linear map and is an integer greater than or equal to 2,
| S | is the number of elements of the ciphertext decryption permitted device set S,
x _j Is a random integer x _j ∈ [1, p−1] (where j = 1,..., 2N−1), h _j = G ^xj Is the public value, p is the group G ₁ , G ₂ , G is the group G ₁ Generator of x _i Is a secret key assigned to the information processing apparatus i (where i = 1,..., N) as each ciphertext receiving device. Using a secret key stored in the ciphertext decryption permitted device, n multilinear map (where, n is an integer of 2 or more) by applying the generated encryption key, encrypts the information by encryption key cryptography A ciphertext generation step for generating a sentence;
An information output step of transmitting or recording the information representing the set of ciphertext decryption permitted devices and the ciphertext generated in the ciphertext generation step on a recording medium;
An information processing method comprising: In the ciphertext generation step,
Examples encryption key generated by applying the n multi-linear map, by the following equation, information processing method according to claim 5 that generates a session key Ks.

However,
G ₂ is a group that defines an n multi-linear map e: G ₁ ⁿ → G ₂ that satisfies the generalized Diffie-Hellman assumption.
N is the total number of information processing devices as ciphertext receiving devices,
n is the specified number n of the n multi-linear map and is an integer greater than or equal to 2,
| S | is the number of elements of the ciphertext decryption permitted device set S,
x _j is a random integer x _j ∈ [1, p−1] (where j = 1,..., 2N−1), h _j = g ^xj is a public value, and p is a group G ₁ , G of order _2, secret g is generator of the group _{G 1, x i} is the information processing apparatus i as the ciphertext receiving apparatuses (where, i = 1, · · ·, N) is given to Is the key . An information acquisition step for receiving and reproducing the information representing the set of ciphertext decryption permitted devices and the ciphertext from a recording medium; and
A determination step of determining whether or not the own device is included in the set of ciphertext decryption allowable devices based on the information representing the set of ciphertext allowable devices acquired in the information acquisition step;
When it is determined in the determining step that the own device is included in the set of ciphertext decryption permitted devices, the secret key stored in the storage unit is used, and n multi-linear map (where n is an integer of 2 or more) ) and the encryption key calculation step of calculating an encryption key generated by applying,
A ciphertext decryption step of obtaining information by decrypting the ciphertext acquired in the information acquisition step based on the encryption key calculated in the encryption key calculation step;
An information processing method comprising: In the encryption key calculation step, a session key Ks as an encryption key is calculated by the following equation.
  The information processing method according to claim 7.

However,
G ₂ Is a multi-linear map e: G satisfying the generalized Diffie-Hellman assumption ₁ ⁿ → G ₂ Is a group that defines
N is the total number of information processing devices as ciphertext receiving devices,
n is the specified number n of the n multi-linear map and is an integer greater than or equal to 2,
| S | is the number of elements of the ciphertext decryption permitted device set S,
x _j Is a random integer x _j ∈ [1, p−1] (where j = 1,..., 2N−1), h _j = G ^xj Is the public value, p is the group G ₁ , G ₂ , G is the group G ₁ Generator of x _i Is a secret key assigned to the information processing apparatus i (where i = 1,..., N) as each ciphertext receiving device.

Images