JP5637401B2 - Encryption key update method, encryption key update apparatus, and encryption key update program - Google Patents

Description

  The present invention relates to an encryption key management method necessary for implementing secure network communication in a network that uses an encryption key and performs communication using a plurality of communication devices, and particularly focuses on a key update method. The present invention relates to an encryption key update method, an encryption key update device, and an encryption key update program.

In network communication that uses an encryption key and performs communication using multiple communication devices, a network that uses a large number of sensor-equipped wireless communication devices (nodes) is generally called a sensor network and is located within the measurement target area. This is a system that collects information acquired by a node by wireless communication and uses the collected information in an application, and is attracting attention as a system that can be used for various purposes.
Hereinafter, in the present invention, in a network communication that uses an encryption key and performs communication using a plurality of communication devices, a network configured by a server and a node connected to the server as a configured communication device, In particular, a sensor network will be described as an example.

  In many aspects of sensor network use, it is considered that a group may be formed by a plurality of nodes, and information sharing and processing may be performed within the group. The group key is a key that is commonly owned only by the nodes belonging to the group, and it is possible to use various encryption technologies within the group by generating and using the encryption key and MAC key from the group key. Become. In that sense, safe and efficient management of group keys can be considered as an important basic technology in the construction of realistic sensor network applications. For example, consider a case where multicast distribution of secret data is performed for a certain group. In consideration of the presence of an unauthorized person who eavesdrops on the communication path and an out-of-group node that relays data, the data distributed by multicast needs to be encrypted. It is important to note that the ciphertext distributed by multicast must be the same for all nodes in the group. If it is necessary to construct different ciphertexts using different encryption keys for each node, there is no point in performing multicast distribution. The existence of a group key is indispensable in order to realize a mechanism in which the same ciphertext can be distributed to a network that can be accessed by an unspecified number and only members belonging to the group can decrypt it. I can say that.

  Group key management has a problem with difficulty different from one-to-one encryption key management. A major point that characterizes the management of group keys is that the group structure changes with time. For example, it should be noted that a new node may join a group or a node that has previously belonged to a group may leave the group for some reason. When there is a change in group membership, it is necessary to update the group key and distribute the updated key correctly. In particular, when a certain node is forcibly excluded from the group, it is necessary to appropriately control information so that the excluded node does not continue to have a valid group key.

  The most basic key update method with the sensor network in mind is, for example, as shown in Non-Patent Document 1, a key (link key) shared in a one-to-one relationship between any pair of nodes including a server. ) (Conventional method 1). For example, when one group key is shared by a group composed of a plurality of nodes, it is necessary to update the key when excluding a certain node. The representative node determines a new group key, encrypts the group key using the link key, and unicasts the encrypted group key to other nodes other than the excluded node.

  Further, in Patent Document 1, a plurality of keys are allocated to extended vertices of a tree structure rooted in a group key corresponding to a certain group, and then all nodes to be joined to the plurality of groups are arranged at each vertex of the tree structure. Corresponding to the key, each encryption key of the node is generated as a key string having a key from the root of the tree structure to the position associated with the node of the tree structure, and the generated encryption key is transferred to the corresponding node A distribution method is disclosed. (Conventional method 2). With this tree structure, when an excluded node comes out from a plurality of nodes, only the key related to the encryption key of the excluded node is changed, and only the node corresponding to the changed key is changed. The encrypted key can be encrypted and distributed with a key immediately below the key.

  In Patent Document 2, in a network system configured by grouping a plurality of nodes so that each node belongs to a plurality of groups, each node in the group is directly connected, and each node has its own node. A node connection means for broadcasting to all other nodes of the group to which the node belongs, and each node receives data received from another node of one group of the plurality of groups to which the node belongs; A system for relaying to other nodes of other groups among a plurality of groups by broadcast transmission is disclosed. (Conventional method 3). When using the conventional method 3, when transmitting common data to a certain set of nodes, data is transmitted to nodes (relay nodes) that straddle each group, and broadcast transmission is performed. Can be delivered efficiently.

  Patent Document 3 discloses a communication system that includes a center and a plurality of terminals, in which each terminal forms a group and shares the same secret key in the group. A method of updating is disclosed (conventional method 4). The conventional method 4 aims to reduce the burden of encryption processing on the center side, and can update the secret key on the basis of the secret sharing method, making it necessary to perform remainder calculation on the terminal side.

JP-A-11-187013 Japanese Patent No. 2852586 JP 2004-343816 A

Zigbee (registered trademark) sensor network pp. 118-120, Shiro Sakata et al., Hidekazu System, 2005

  However, in network communication with limited computational resources, such as communication devices that make up a network, where miniaturization of chips and memories is desired, the key is not only to perform secure communication and encryption key update. There is a need to reduce the amount of communication in updating and the amount of calculation by updating keys.

  On the other hand, in the conventional method 1, when the communication amount transmitted from the server to the network is N, the communication amount is O (N). That is, there is a problem that the communication amount for key update increases in proportion to the number of nodes. On the other hand, in the conventional method 2, the communication amount is O (log N). That is, there is a problem that the communication amount for key update increases in proportion to the logarithm of the number of nodes. Although it is more efficient than the conventional method 1, there is a possibility that the same problem may arise in that the amount of communication from the server for key update becomes a problem when the number of nodes increases. In particular, in an environment where the number of nodes such as sensor networks is expected to increase by an order of magnitude compared to conventional systems, this problem is expected to become apparent even if the traffic is proportional to the logarithm of the number of nodes. Is done.

  On the other hand, it is conceivable to use the conventional method 3 as a communication means for distributing the encryption key, but there is a problem that it cannot cope with the case where the relay node is excluded. Considering the possibility that the relay node is an out-of-group node, there is a risk that the encryption key information is leaked to the relay node.

  The conventional method 4 is a key update method based on the secret sharing method, and requires a large amount of calculation using a remainder calculation under a large prime number p or a large number of remainder calculations. Such a method for updating the key of the group key using the remainder calculation generally has a very large amount of calculation as in the public key method. However, especially in computing resources used for node-side communication equipment such as sensor networks, the amount of computation on the node side is limited in environments where there are restrictions on the computational capacity and storage capacity that can be implemented. A method that requires a large number of remainder calculations such as 4 cannot be used.

  Therefore, the present invention solves the above-described problem and provides for a case where the configuration of a group in a communication device changes as time progresses in network communication in which an encryption key is used and communication is performed using a plurality of communication devices. An object of the present invention is to provide a mechanism for updating a group key, which is an encryption key, and securely distributing the updated key within the group, and an object thereof is to reduce the communication amount and the calculation amount in the key update.

According to the present invention, in a network composed of a server and a large number of nodes, when a node has d types of attributes, the node is considered to belong to d groups at the same time. The group key is associated, the server shares the group key only with the nodes belonging to the group, and the encryption communication for each group is performed. A method for updating a group key and distributing the updated group key correctly so that when a node is forcibly excluded from the group, the excluded node will not continue to have a valid group key. Control the group key distribution, and if the node to be excluded is a group head node, the server By Group head node and the group head to exchange roles with other nodes in the belonging minimum group that, after the node that is not a group head node to node the exclusion, the group key after updating the by sending via the group head node to node other than the node to be excluded in the corresponding group, it has a Heidelberg loop head node elimination step to eliminate the node to be the exclusion, the minimum group, optionally for each attribute Is a product set of a plurality of groups obtained as a result of extracting groups each having the attribute value of one by one and is a group that is a non-empty minimal set, and the group head node is a product with an arbitrary minimal group is a node belonging to a group that contains exactly one of the nodes in the set, the encryption, characterized in that Update method is provided.
Further, according to the present invention, in a network composed of a server and a large number of nodes, when there are d types of attributes in a node, the node is considered to belong to d groups at the same time, and each group defined in this way If there is a change in the group members regarding the method of associating the group key with the server, sharing the group key only with the nodes belonging to the group, and performing cryptographic communication for each group, When the server updates the group key and distributes the updated key correctly, when a node is forcibly removed from the group, the excluded node does not continue to have a valid group key. as, and controls the group key distribution, an attribute and a division of the total node set N, (condition 1) Gi⊂N, (condition 2) i ≠ j if Gi∩Gj is It is a set, (condition 3) G1∪G2∪. . . Gm = N, a set family {G1, G2,. . . , Gm} as attributes, d attributes A1,. . . , Ad and Ai = {Gi, 1,. . . , Gi, mi} (mi is the number of elements in Ai), and Gi, j is a set of nodes having the jth attribute value for attribute i, k integers 1 ≦ i1,. . . , Ik, ≦ d and k groups Gi1, j1,. . . , Gik, jk (where Gia, jaεAia for 1 ≦ a ≦ k) and G = Gi1, j1∩. . . When the node set G to be ∩Gik, jk is a group of order k, the d attributes constituting the group C (minimum group) of order d which is a minimal set in the inclusion relationship between structured groups (Condition 4) For any minimal group C, C∩G0,1 contains exactly one node (group head). (Condition 5) A group other than G0,1 in any minimal group C, A0 Special attribute A0 = {G0,1,... Configured to satisfy two of C0G0, j including at most one node (group member) for G0, j. . . , G0, m0} (where m0> 0), d + 1 attribute sets A0, A1,. . . , Ad to update and manage the group key in the d-dimensional group structure composed of Ad,
Since a node belongs to exactly one minimal group and A0 is a division of a node set N, d + 1 integer sets j0, j1,. . . , Jd exist and G0, j0∩G1, j1∩. . . ∩Gd, jd = {n}, d + 1 character set (j0, j1,..., Jd) is treated as an identifier (ID) of node n,
A0, A1,. . . , Ad defines a d-dimensional group structure. At this time, the server assigns nodes and group keys ki, j ( 1) to groups Gi, j (0 ≦ i ≦ d, 1 ≦ j ≦ mi) of order 1. share is referred to as a cornerstone Motokagi) in advance, groups of order k G = Gi1, j1∩. . . ∩ Gik, jk (i1 <.. <ik), h (ki1, j1 || .. | kik, jk) (h is a hash function, || The information that can be calculated is G group key k (G),
Only the node belonging to G knows the group key k (G) of the group G of order k. At this time, the server or the node belonging to G encrypts data to be transmitted to G with k (G), The obtained ciphertext is distributed to the G node by multicast,
If the ID of the node n is (j0, j1,..., Jd), n is d + 1 element keys k0, j0,. . . , Kd, jd and using these d + 1 keys, n can calculate kn = h (k0, j0 || ... d | jd, jd), where the value kn is n Since the server is a value that can be calculated only by the server, the server encrypts data with each node key for each node, with kn being a key (node key) shared between n and the server. Unicast securely and
In order to enable a secure one-to-one exchange of messages between a group head and each group member of the minimal group to which the group head belongs, the server sends a message to each group head and each group member. The node key encrypts a unique key (member key) that is shared, and sends it in a unicast manner.
When the server wants to add the node n to the group Gi, j of order 1, if the ciphertext obtained by encrypting the data x with the key k is written as Ek (x), the node adding means for preparing the server is as follows: C = Eh (ki, j) (k′i, j) is calculated for nodes belonging to Gi, j from before, c is multicast to nodes belonging to Gi, j, and n The new key k′i, j is encrypted with a node key shared only by the server and its nodes in a unicast manner and transmitted from the server, thereby ensuring backward security and the new key k′i, j Is shared with the new group Gi, j,
When the server excludes the node n from the group Gi, j of order 1, when a set obtained by removing n from Gi, j is written as G′i, j, G′i, j remains in the group even after n is excluded. All nodes belonging to G′i, j must be able to obtain a new key k′i, j, and in order to ensure forward security, the excluded node n is Since k'i, j must not be known, the primary node exclusion means provided in the server cooperates with the secondary node exclusion means provided in the group head that always exists in the minimal group, thereby eliminating the node. The process of
When the server excludes the node n from the group Gi, j of order 1, if the excluded node n is not a group head and i ≠ 0 for the element group Gi, j that excludes n, the server's main node exclusion means First, when ki, j is an element key of Gi, j and k′i, j is an element key of new Gi, j, k = h (k0,1 || ki, j) is calculated, and x = Ek (k′i, j) is obtained, and the 4-character set (i, j, IDn, x) is multicast transmitted to the nodes (group heads) belonging to Gi, j ， G0,1 (IDn is excluded) Node n ID), and then the secondary node exclusion means of the node (group head) belonging to Gi, j∩G0,1 decrypts x to obtain a new key k′i, j of Gi, j, and finally And subnodes of nodes (group heads) belonging to Gi, j∩G0,1. When the minimal group C to which the node belongs does not include the exclusion node n, the node exclusion means encrypts k′i, j using k (C) (group key of the minimal group C to which the node belongs), and Ek ( C) When (k′i, j) is multicast-distributed to the group members of C, while the excluded node n is included in the minimal group C to which the group head belongs, the sub-node exclusion means of the group head C'i, j is encrypted and transmitted to the group member C by unicast using the member key,
When the server excludes the node n from the group Gi, j of order 1, if the excluded node n is not the group head and i = 0 and j ≠ 1 for the element group Gi, j that excludes n, The main node exclusion means calculates x1 = Eh (k0, j) (k′0, j) and x2 = Eh (k0,1) (x1), and calculates the four character set (0, j, IDn, x2). Multicast distribution to the group head set G0,1 and the sub-node exclusion means of each group head decodes x2 to obtain x1 (since the group head does not know k0, j, x1 cannot be decoded) , G0, j and the minimal group C to which it belongs, if one node n ′ is included and n ≠ n ′, the sub-node exclusion means of the group head uses the member key for n ′. Encrypt x1 in a cast Send
When the server excludes the node n from the group Gi, j of order 1, when i = 0 and j = 1, that is, the excluded node n is a group head, the main node exclusion means provided in the server excludes n A process of exchanging the roles of the group head n of the group Gi, j and the node n ′ in the minimal group to which the group head belongs is performed, and the node exclusion process when the exclusion node is not the group head after the role exchange process ends An encryption key update method is provided that is characterized by enforcing.
Further, according to the present invention, in a network composed of a server and a large number of nodes, when there are d types of attributes in a node, the node is considered to belong to d groups simultaneously, and each group defined in this way When there is a change in group members regarding a system that associates a group key with the server, shares the group key only with nodes belonging to the group, and performs cryptographic communication for each group, A system in which a server updates a group key and correctly distributes the updated group key. When a node is forcibly excluded from the group, the excluded node continues to have a valid group key. Group key distribution is controlled so that the server eliminates the group head node if the node to be excluded is a group head node. By Group head node and the group head to exchange roles with other nodes in the belonging minimum group is to be nodes, after the node node that is not a group head nodes to be the exclusion, a group of the updated key and its corresponding group head node to node other than the node to be excluded in the group that by sending through, have a Heidelberg loop head node elimination means to eliminate the node to be the exclusion, the minimum group attributes The group head node is a group that is a product set of a plurality of groups obtained as a result of extracting groups each having an arbitrary attribute value for each one and is a non-empty minimum set, and the group head node is an arbitrary minimum group It is just a node belonging to a group such as those containing one node to the intersection between, characterized in that The encryption key update system that is provided.

  According to the present invention, in network communication in which an encryption key is used and communication is performed using a plurality of communication devices, a group key that is an encryption key is updated in preparation for a case where the network configuration changes with time. It is possible to provide a mechanism for securely distributing the updated key. Further, it is possible to reduce the communication amount and calculation amount in key update.

It is a figure which shows the structure of one Embodiment for implementing this invention. It is a figure explaining the Example in this invention. It is a flowchart which shows the outline | summary operation | movement which excludes n from group Gi, j. It is a flowchart which shows the operation | movement which excludes n from the group Gi, j (i ≠ 0). It is a flowchart which shows the operation | movement which excludes n from the group Gi, j (i = 0 and j ≠ 1). It is a flowchart which shows the operation | movement which excludes n from the group Gi, j (i = 0 and j = 1). It is a figure which shows the example in the case of removing n from the group Gi, j (i ≠ 0). It is a figure which shows the example in the case of removing n from the group Gi, j (i = 0 and j ≠ 1). It is a figure which shows the example in the case of removing n from the group Gi, j (i = 0 and j = 1).

  The best mode for carrying out the present invention will be described below in detail with reference to the drawings.

  In general, one sensor node is considered to have a plurality of attributes. For example, the production lot number, firmware version, installation location, type of sensor to be equipped, etc. can all be attributes. A sensor node is considered to have some attribute value for each attribute.

  In the present invention, a group is composed of a set of nodes having the same attribute value for a certain attribute. A group key is associated with each group defined in this way, and the group key is assigned to the group key. This is an encryption key management method that is distributed only to nodes belonging to.

  Therefore, when there are d types of attributes, the node belongs to d groups at the same time. Assume that a group key is associated with each group defined in this way, and the group key is distributed only to nodes belonging to the group.

  The present invention is a method for updating a group key when a group member changes, and correctly distributing the updated key, particularly when a certain node is forcibly excluded from the group. This is an encryption key update method that appropriately controls group key distribution so that a given node does not continue to possess a valid group key.

  FIG. 1 shows the overall configuration of an embodiment of the encryption key management method of the present invention. Referring to FIG. 1, in the present embodiment, in a network represented by a sensor network, it is composed of a set N consisting of all nodes and a server 101 that does not belong to N. The server 101 operates under program control and adds a node. The node includes a means 103, a main node exclusion means 105, and a key storage means 107, and the node includes a secondary node exclusion means 109 and a key storage means 111. As a node, only node 1 is representatively shown. The difference between the key storage unit 107 of the server and the key storage unit 111 of the node is the difference of the key (secret information) stored and managed in the key storage unit. The server mainly manages the group keys of all groups, whereas the node Manages only a group key that is valid only in the group to which it belongs, and a processing key (member key to be described later) that is required when the node joins and removes the node.

  The node also operates by program control in the operation related to the key.

  Hereinafter, a data encryption operation using symmetric key encryption is used, but it is assumed that the network participant understands the algorithm used for encryption, and the server and each node can execute encryption and decryption. In particular, it is assumed that information encrypted with a key owned by the server and each node can be decrypted with a suitable key to obtain a decryption result.

Also, assume that the attribute is a partition of the set N consisting of the entire node, and in particular,
Gi⊂N. . . (Condition 1)
If i ≠ j then Gi∩Gj is an empty set. . . (Condition 2)
G1∪G2∪. . . Gm = N. . . (Condition 3)
A set family {G1, G2,. . . , Gm} are called attributes.

Also, d attributes A1,. . . , Ad, and Ai = {Gi, 1,. . . , Gi, mi} (where mi is the number of elements of Ai), and Gi, j is a set of nodes having the jth attribute value for attribute i, k integers 1 ≦ i1,. . . , Ik ≤ d and k groups Gi1, j1,. . . , Gik, jk (where Gia, jaεAia for 1 ≦ a ≦ k) and G = Gi1, j1∩. . . When the node set G to be ∩Gik, jk is a group of order k, the d attributes constituting the group C (minimum group) of order d which is a minimal set in the inclusion relationship between structured groups In addition to
For any minimal group C, C∩G0,1 contains exactly one node (group head) (condition 4),
C∩G0, j includes at most one node (group member) for any group G0, j other than G0,1 in any minimal group C, A0 (condition 5);
Special attributes A0 = {G0,1,. . . , G0, m0} (where m0> 0), d + 1 attribute sets A0, A1,. . . The group key is updated and managed in a d-dimensional group structure composed of Ad.

  Further, since a node belongs to exactly one minimal group and A0 is a division of all node sets N, d + 1 integer sets j0, j1,. . . , Jd and G0, j0 ∩G1, j1 ∩. . . ∩Gd, jd = {n}, and d + 1 character set (j0, j1,..., Jd) is treated as an identifier (ID) of node n.

  Also, A0, A1,. . . , Ad defines a d-dimensional group structure, and at this time, the server assigns nodes and group keys ki, j (1) to groups Gi, j (0 ≦ i ≦ d, 1 ≦ j ≦ mi) of order 1. In particular, an element key) is shared in advance and a group of order k G = Gi1, j1 ∩. . . （Gik, jk (i1 <... <ik), h (ki1, j1 || ... kik, jk) (h is used to set the length of a concatenated key such as a hash function to a predetermined value. The information that can be calculated by the server and the node as || is a key concatenation) is a G group key k (G).

  Further, only the node belonging to G knows the group key k (G) of the group G of order k. At this time, the server or the node belonging to G encrypts data to be transmitted to G using k (G). The obtained ciphertext is multicast-distributed to the G node.

  If the ID of the node n is (j0, j1,..., Jd), n is d + 1 element keys k0, j0,. . . , Kd, jd and using these d + 1 keys, n can calculate kn = h (k0, j0 || ... || d, jd), where the value kn is n Since only the server is a value that can be calculated, the server uses kn as a key shared between n and the server (referred to as a node key), and the server stores data with each node key for each node. Encrypt and send in unicast.

  In addition, in order to enable secure one-to-one message exchange between the group head and each group member of the minimal group to which the group head belongs, the server A unique key (member key) common to each node key is encrypted and transmitted in a unicast manner.

  Means for adding the node n to the group Gi, j of order 1 (node addition means) are as follows. For example, such a case may occur when it is desired to add a new node to an active sensor network or when an attribute value of an existing node is changed for some reason. In any case, the node n newly joining the group does not have the right to know the key used as the group key of Gi, j before joining itself. Conversely, in the process of adding n as a member of a group, n must not know the previous group key. This property is called backward security in the group key.

  Further, when the server wants to add the node n to the group Gi, j of order 1, if the ciphertext obtained by encrypting the data x with the key k is written as Ek (x), the node adding means provided in the server Computes c = Eh (ki, j) (k′i, j) for nodes that previously belong to Gi, j, multicasts c to nodes belonging to Gi, j, and sets n to On the other hand, a new key k′i, j is encrypted in a unicast manner using a node key that is shared only by the server and its node, and transmitted from the server, thereby ensuring backward security and ensuring a new key k′i, Share j with the new group Gi, j.

  Means (node exclusion means) for excluding nodes that belonged to the group Gi, j from Gi, j until that time are as follows. Cases where a node is excluded from the group include when the attribute value of the node changes, when a node stopped due to a failure, etc. is excluded from the network, and when a certain node may be hijacked by an unauthorized person. Conceivable. Especially in the last case, secret information may leak through the hijacked node, or the hijacked information may cause further attacks against other nodes and communication infrastructure, so eliminate the node as soon as possible. Is strongly demanded. At this time, it should be noted that a node excluded from the group may continue to hold the group key by unauthorized means. In the protocol for excluding a node, a new key k′i, j is surely distributed to nodes that continue to be in Gi, j, and k′i, j (and subsequently used for excluded users). Group key) must not be passed. This property is called forward security in the group key.

  Ensuring forward safety is more technically difficult than ensuring backward safety. In fact, there is no essential difference between the node remaining in Gi, j and the excluded node n regarding the knowledge about the key. For example, both the node remaining in Gi, j and n itself know the group key ki, j used so far in Gi, j. Therefore, it is difficult to secure forward security by a simple method of distributing a new key k′i, j using an old group key ki, j as in the case of adding a node in the previous section.

  Further, when the server excludes the node n from the group Gi, j of order 1, when a set obtained by removing n from Gi, j is written as G′i, j, G′i, j Is a set of nodes that remain in the group, and all nodes belonging to G′i, j must be able to obtain a new key k′i, j and are excluded in order to ensure forward security. Since n must not know k'i, j, the primary node exclusion means provided in the server cooperates with the secondary node exclusion means provided in the group head that is always present in the minimal group, thereby eliminating the node. Perform the process.

  When the server excludes the node n from the group Gi, j of order 1, the main node exclusion means provided in the server is for the group Gi, j of order 1 that excludes n when the excluded node n is not a group head. , When i ≠ 0, and when i = 0 (in the latter case, n is not a group head, so j ≠ 1 is automatically set), and the sub-node exclusion means included in the node that becomes the group head Branches the process.

  When the server excludes the node n from the group Gi, j of order 1, if the excluded node n is not the group head and i ≠ 0 for the group Gi, j of order 1 that excludes n, the order 1 Group Gi, j is divided into several minimum groups, and the excluded node n belongs to one of the minimum groups. Therefore, as a basic idea, Gi, j∩G0,1 A new key k′i, j is delivered to the node to which it belongs (group head belonging to Gi, j), and the key k′i, j is transferred from each group head to the group member.

  That is, when the server excludes the node n from the group Gi, j of order 1, if the excluded node n is not the group head and i ≠ 0 for the element group Gi, j that excludes n, the main node of the server The excluding means first calculates k = h (k0,1 || ki, j) where ki, j is the element key of Gi, j and k'i, j is the new element key of Gi, j. X = Ek (k′i, j) is obtained, and the four-letter set (i, j, IDn, x) is multicast-transmitted to the nodes (group heads) belonging to Gi, j１G0,1 (IDn is excluded) ID of the node n), and then the secondary node exclusion means of the node (group head) belonging to Gi, jｊG0,1 decrypts x to obtain a new key k′i, j of Gi, j Finally, Gi, j belongs to ∩G0,1 The node (group head) sub-node exclusion means uses k (C) (group key of the local minimum group C to which the node belongs) when the local node C to which the local node belongs does not include the excluded node n. , J are encrypted, and Ek (C) (k′i, j) is multicast-distributed to the group members of C, while the minimal group C to which the group head belongs includes the excluded node n, the sub-group head The node exclusion means encrypts k′i, j in a unicast manner and transmits to all group members of C other than n using the member key.

  When the server excludes the node n from the group Gi, j of order 1, if the excluded node n is not a group head and i = 0 and j ≠ 1 for the element group Gi, j that excludes n, Gi, j = G0, j, and the group Gi, j cannot be divided into minimal groups. Also, since the group head sets G0,1 and Gi, j are relatively prime (no common set), the new element key k'i, j must not be exposed to the group head.

  That is, when the server excludes the node n from the group Gi, j of order 1, when the excluded node n is not a group head and the element group Gi, j excluding n is i = 0 and j ≠ 1. The main node exclusion means of the server calculates x1 = Eh (k0, j) (k′0, j) and x2 = Eh (k0,1) (x1) and calculates the four character set (0, j, IDn, x2) is multicast-distributed to the set G0,1 of the group heads, and the sub-node exclusion means of each group head decodes x2 to obtain x1 (the group head does not know k0, j, so x1 is decoded) If a node n ′ is included in the product set of G0, j and the minimal group C to which it belongs, and n ≠ n ′, the sub-node exclusion means of the group head is a member of n ′ With key Nikyasuto to be sent encrypted to x1.

  When the server excludes the node n from the group Gi, j of order 1, when i = 0 and j = 1, that is, the excluded node n is a group head, the main node exclusion means provided in the server A process of exchanging the roles of the group head n of the group Gi, j to be excluded and the node n ′ in the minimal group to which the group head belongs is performed, and the node is excluded when the excluded node is not a group head after the role exchange process ends Enforce processing.

  Further, when the server excludes the node n from the group Gi, j of order 1, when i = 0 and j = 1, that is, the excluded node n is a group head, the node role exchange processing is performed by the group head n, And the node n′εG0, j (j ≠ 1) belong to the same minimal group, the main node exclusion means of the server first updates the element key of G0,1 to obtain a new element key k′0, 1 is distributed to the node set G′0,1 = G0,1 \ {n} obtained by subtracting n from G0,1 and then the element key of G0, j is updated, and the new element key k′0, j is Deliver to node set G′0, j = G0, j \ {n ′} excluding n ′ from G0, j, and finally send k′0,1, k′0, j to n ′ and n respectively It consists of three processes.

  When the server excludes the node n from the group Gi, j of order 1, when i = 0 and j = 1, that is, when the excluded node n is a group head, the main node exclusion means provided in the server first starts with G0. , 1 and G′0 to distribute the new element key k′0,1 to the node set G′0,1 = G0,1 \ {n} obtained by subtracting n from G0,1 , 1, the keys k ′ 0, 1 are cryptographically distributed from the server to each node belonging to 1.

  Here, G0,1 may be structured by a method like the conventional method 2, and k'0,1 may be distributed to each node belonging to G'0,1.

  Further, when the server excludes the node n from the group Gi, j of order 1, when i = 0 and j = 1, that is, the excluded node n is a group head, the main node exclusion means provided in the server includes G0, In order to update the element key of j and distribute the new element key k′0, j to the node set G′0, j = G0, j \ {n ′} obtained by subtracting n ′ from G0, j, x1 = Ek0, j (k′0, j) and x2 = Ek′0,1 (x1) are calculated, x2 is multicast-distributed to the nodes of G′0,1, and nodes belonging to G′0,1 ( The sub-node exclusion means of (group head) decodes x2 to obtain x1, and if there is a node of G'0, j in the minimal group to which the node (group head) belonging to G'0,1 belongs, The sub-node exclusion means of the head is G'0, j no Encrypting and transmitting x1 unicast manner member key of node elimination means.

  For the node n ′ that leaves G0, j with the role exchange, the element key of G0,1 is updated, and the node set G′0,1 is obtained by removing the new element key k′0,1 from G0,1 to n. Since there is no corresponding group head (holding the valid key k′0,1) at the time of distribution to G0,1 \ {n}, receiving a new key k′0, j Can not. As a result, the element key of G0, j is updated, and the new element key k′0, j is distributed to the node set G′0, j = G0, j \ {n ′} obtained by subtracting n ′ from G0, j. The process is realized correctly.

  When the server excludes the node n from the group Gi, j of order 1, when i = 0 and j = 1, that is, the excluded node n is a group head, the main node exclusion means provided in the server is k ′ In order to transmit 0, 1, k′0, j to n ′, n, respectively, k′0, 1, k′0, j is encrypted with the node key in a unicast manner. .

  Next, embodiments of the present invention will be described in detail with reference to the drawings. Assume that the nodes constitute a cluster tree topology network as shown in FIG. Here, the cluster tree topology refers to a tree in which a server is a root node and all internal nodes other than the root node have at most one internal node among its children. In the cluster tree, one cluster is constituted by a node set composed of one internal node and a leaf node among the children of the internal node. On the cluster tree topology, as an attribute of each node, it is possible to define information as to which trunk in the cluster tree belongs, depth from the root node, and order information as to which node in the cluster. Considering the order information in the cluster as a special attribute A0 = {G0,1, G0,2, G0,3, G0,4}, the trunk attribute A1 = {G1,1, G1,2, G1,3} , Depth attribute A2 = {G2,1, G2,2} can be defined as a two-dimensional group structure that can be specified. The cluster becomes a minimal group in the two-dimensional group structure.

  At this time, the flowchart for excluding the node n from the group Gi, j is as shown in FIG. When i ≠ 0 in S31 of FIG. 3, from the set of nodes having any attribute value of G1, 1, G1, 2, G1, 3, G2, 1, G2, 2 among the attributes of A1 and A2. A process of eliminating node n is performed. At this time, since the node to be excluded is not the group head, the new key k′i, j is delivered to the node belonging to Gi, j∩G0,1 (the group head of Gi, j), and each group head sends it to the group member. In contrast, k′i, j is transferred (S32). A specific processing flow is shown in FIG. First, the server calculates Eh (k0,1 || ki, j) (k'i, j) and multicasts the calculation result (S311). Thereafter, only the group head in Gi, j can decode the calculation result, and k′i, j is obtained by decoding (S312). Finally, k'i, j is encrypted with a member key shared with the group members and unicasted only to the node whose group head is G'i, j = Gi, j \ {n} (S313). ) Finish the process.

  Next, when i = 0 in S31 of FIG. 3, if j ≠ 1 in S33, a node from a set of nodes having attribute values of G0, 2 or G0, 3 or G0, 4 among the attributes of A0 A process of eliminating n is performed. At this time, Gi, j = G0, j, and the group head sets G0,1 and Gi, j have no prime (common set), so that each group is not exposed to k′i, j. K′i, j is transferred from the head to the group member (S34). A specific processing flow is shown in FIG. First, the server calculates x1 = Eh (k0, j) (k′0, j) (j ≠ 1), and multicasts x2 = Eh (k0,1) (x1) (S341). Only the group head in G0, j can decode x2, and obtains x1 by decoding (S342). The group head cannot decode x1. After that, the group head encrypts x1 with the member key only to nodes belonging to the node set G'0, j = G0, j \ {n}, in which n is removed from G0, j, and unicasts (S343). Finally, the node of G′0, j decodes x1 using k0, j (S344), and the process ends.

  Finally, when i = 0 in S31 of FIG. 3, if j = 1 in S33, a process of excluding node n from the set of nodes having attribute values of G0 and 1 among the attributes of A0 is performed. . At this time, n is a group head, and the process of exchanging the roles of the group head n and the group member n′εG0, j (j ≠ 1) in the minimal group to which the group head belongs is executed, and then the above-mentioned A key update (when the excluded node is not a group head) is executed (S35). A specific processing flow is shown in FIG. First, the server encrypts k′0,1 with the node key unique to the server and each node, and all of the nodes included in the node set G′0,1 = G0,1 \ {n} excluding n from G0,1 Are unicast to the node (S351). Then, the server calculates x1 = Eh (k0, j) (k′0, j) (j ≠ 1), and multicasts x2 = Eh (k′0,1) (x1) (S352). Then, the group head belonging to G′0,1 decrypts x2 to obtain x1 (S353), encrypts x1 to the node of G′0, j = G0, j \ {n ′}, and performs unicast. (S354). After that, the node of G′0, j decodes x1 using k0, j (S355). Finally, the server encrypts k′0,1, k′0, j to n ′, n with the node key and performs unicast (S356), and ends the role exchange processing. At this point, the group head n changes its role with the group member n 'and becomes a group member (the group head set G0,1 no longer owns the key). Thereafter, node exclusion processing is performed when the exclusion node shown in FIG. 5 is not a cluster head, n is excluded (S357), and the processing ends.

  FIG. 7 shows an example of the key update process 1 shown in FIG. 4, among all the nodes in the groups G2 and G2, a certain node other than the group head node (groups G2 and 2 and groups 0 and i (i ≠ 0) , I = 4) and groups 1, j (for example, nodes of j = 3) are excluded from groups G2, 2.

  Referring to FIG. 7, first, a new key k′2,2 is encrypted with a hash value of a key obtained by concatenating the keys k0,1 and keys 2,2, and this is multicast (see FIG. 4). Step 311). Information that the key of the node n (the nodes belonging to the groups 0 and 4 and the groups G1 and 3 and the groups 2 and 2) is not updated is added to the multicast key.

  Then, the group head nodes of the groups 2 and 2 that hold the keys k0 and 1 and the keys 2 and 2 receive it to obtain the keys k'2 and 2 (step 312 in FIG. 4). Next, the group head node transfers the keys k′2 and 2 to the nodes under its control, but does not transfer the keys k′2 and 2 to the node specified by the additional information described above as an exception. (Step S313 in FIG. 4).

  The processing for removing a node from groups 2 and 1 and the processing for removing a node from groups 1 and j (j = 1 to 3) are the same as the processing in FIG. 7 (nodes from groups 2 and 2). The processing is the same as the processing in the case of excluding the key (the key updating processing 1), and the description thereof is omitted.

  FIG. 8 shows an example of the key update process 2 shown in FIG. 5 in which a certain node of groups G0, 3 (for example, a node belonging to group G0,3 and group G1,1 and group G2,1) is assigned to group G0, FIG.

  Referring to FIG. 8, first, new key k'0,3 is encrypted with the hash value of key k0,3 to obtain x1 (the first half of step S341 in FIG. 5). Next, x1 is encrypted with the hash value of the key k0,1 to obtain x2. Then, x2 is multicast (second half of step S341 in FIG. 5). Information indicating that the key of the node n (nodes belonging to the group G0,3 and the group G1,1 and the group G2,1) is not updated is added to x2 to be multicast.

  Then, the group head node holding the key k0,1 receives this and obtains x1 (step S342 in FIG. 5).

  Next, the group head multicasts x1 to a node under its control. However, multicasting is not performed to the node specified by the additional information (step S343).

  Then, the node of the group G0,3 holding the keys k0,3 receives x1 and acquires k'0,3 (step S344 in FIG. 5). However, the node specified by the additional information belongs to the groups G0 and G3, but is excluded from multicast targets, so k'0 and 3 cannot be acquired.

  The processing for removing a node from the group G0,2 and the processing for deleting a node from the group G0,4 are the same as the processing operation in FIG. 8 (key update processing 2). Description is omitted.

  FIG. 9 shows a group head node n of the group G1, 3 and the group G2, 2 as an example of the key update process 3 shown in FIG. 6 (an example of excluding the group head node (node belonging to the group G0, 1)). It is a figure which shows the example which excludes (the node which belongs to the group G1, 3 and the group G2, 2 and the group 0, 1).

  Referring to FIG. 9, first, the group head node n of the group G1, 3 and the group G2, 2 is exchanged with another node n 'of the group (for example, a node belonging to the group G0, 3). This exchange process includes steps S351, S352, S353, S355, and S356.

  First, new keys k'0, 1 are encrypted and unicasted to the group head nodes of five groups other than the groups G1, 3 and G2, 2, respectively (step S351 in FIG. 6).

  Next, x1 is generated by encrypting the new key k′0,3 with the hash value of the key k0,3 (the first half of S352 in FIG. 6), and x1 is the hash of k′0,1. By encrypting with the value, x2 is generated, and x2 is multicast (second half of S352 in FIG. 6).

  Then, since the group head nodes of the five groups other than the groups G1 and G3 and G2 and G2 have the keys k′0 and 1, x1 can be decrypted (step S353 in FIG. 6). ). On the other hand, since the group heads of the groups G1, 3 and G2, 2 do not have the keys k'0, 1, x1 cannot be decrypted.

  The group head nodes of the five groups other than the group G1, 3 and the group G2, 2 that were able to decrypt x1 transmit x1 to the subordinate nodes (step S354 in FIG. 6), but the key 0 , 3 (nodes belonging to G0, 3) can decode x1 to obtain k′0, 3 (step S355 in FIG. 6). On the other hand, in group G1,3 and group G2,2, the group head node cannot decode x1, so the nodes in this group cannot obtain k'0,3.

  Next, the keys k′0 and 1 are unicast to the node n ′ that has become the group head node d, and the keys k′0 and 3 are unicast to the node n that is no longer the group head node d (step in FIG. 6). S356).

  Thereafter, in order to exclude the node n, the method shown in FIG. 8 is performed (step S357 in FIG. 6).

  Therefore, according to the present invention, it is possible to greatly reduce the communication amount at the time of key update at the time of node exclusion as compared with the conventional method. For example, in the group key update process, the communication from the server is only one multicast distribution addressed to the group head, and the unicast communication is at most (number of nodes in the minimal group to which the group head belongs) -1 from the group head. The key can be renewed. Since the minimal group is minimal in the inclusive relation of the node set, the processing can be performed very efficiently.

  Further, according to the present invention, by using the role exchange process, it is possible to update the key by eliminating the node corresponding to the group head.

  Further, according to the present invention, it is possible to perform key update with a smaller amount of calculation than in the conventional method. Therefore, for example, even in an environment where computational resources are limited, such as a sensor network, it is possible to reduce the amount of calculation associated with key updating and perform key updating safely.

  As described above, the present invention relates to a network configured by a server and a node connected to the server as a communication device to be configured in network communication in which an encryption key is used and communication is performed using a plurality of communication devices. Although the sensor network has been described as an example, it is needless to say that the present invention is not limited to such a network and can be applied to various network communications.

101 Server 103 Node addition means 105 Primary node exclusion means 107 Key storage means 109 Secondary node exclusion means 111 Key storage means

Claims (9)

In a network composed of a server and a large number of nodes, if a node has d types of attributes, the node is considered to belong to d groups simultaneously, and a group key is associated with each group defined in this way. The server shares the group key only with the nodes belonging to the group and performs cryptographic communication for each group, and when the group member changes, the server updates the group key, This is a method to distribute the updated group key correctly. When a node is forcibly removed from the group, the group key distribution is controlled so that the excluded node does not continue to have a valid group key. And
When the node to be excluded is a group head node, the server exchanges roles between the group head node that is to be excluded and other nodes in the minimal group to which the group head belongs, thereby The node to be excluded is sent to a node other than the node to be excluded in the corresponding group via the group head node after making the node to be excluded a node that is not a group head node. have a tolyl loop head node elimination step to eliminate,
The minimal group is a product set of a plurality of groups obtained as a result of extracting one group having an arbitrary attribute value for each attribute, and is a group that is a minimal set that is not empty, and the group head node Is a node belonging to a group that contains exactly one node in the intersection set with any minimal group,
An encryption key update method characterized by the above. The encryption key update method according to claim 1,
The group head node exclusion step includes:
The server individually unicasts a new first group key of a group head node to a group head node of a minimal group other than a minimal group having a node to be excluded;
The server generates a new second group key for a node having the same group attribute and the same group attribute value as the node whose role has been exchanged with the node to be excluded at the group head node position;
The server is the current group key of the node having the same group attribute and the same group attribute values and the nodes and role exchange nodes to be eliminated at the location of the group head node a second group key the new a step to encrypt further by encrypting the new first group key that is unicast to the group head node, to generate a new second group key encrypted doubly,
The server multicasts the double-encrypted new second group key to the group head node of each minimal group;
Each minimal group that has received the multicast and the group head node of each minimal group other than the minimal group exchanging the roles of the nodes uses the new second group key that has been double-encrypted as the first group key. Using and decoding halfway,
The group head node of the minimal group that received the multicast receives the new second group key decrypted halfway, the same group attribute and the same as the node whose role is exchanged with the node to be excluded at the position of the group head node Sending to a node in the group having a group attribute value;
The node receiving the transmission decrypts the new second group key;
The server unicasts the new first group key to a node that comes to the position of the group head node by the role exchange;
The server unicasts the new second group key to a node to be excluded that is a node whose role is exchanged with a node that is in the position of a group head node by the role exchange;
An encryption key update method characterized by comprising: In a network composed of a server and a large number of nodes, if a node has d types of attributes, the node is considered to belong to d groups simultaneously, and a group key is associated with each group defined in this way. The server shares the group key only with the nodes belonging to the group and performs cryptographic communication for each group, and when the group member changes, the server updates the group key, This is a method for distributing the updated key correctly, and when a node is forcibly excluded from the group, control of group key distribution is controlled so that the excluded node does not continue to have a valid group key. Done
If the attribute is a division of all node sets N , ( Condition 1) Gi） N, (Condition 2) If i ≠ j, Gi∩Gj is an empty set, (Condition 3) G1∪G2∪. . . Gm = N, a set family {G1, G2,. . . , Gm} as attributes, d attributes A1,. . . , Ad and Ai = {Gi, 1,. . . , Gi, mi} (mi is the number of elements in Ai), and Gi, j is a set of nodes having the jth attribute value for attribute i, k integers 1 ≦ i1,. . . , Ik, ≦ d and k groups Gi1, j1,. . . , Gik, jk (where Gia, jaεAia for 1 ≦ a ≦ k) and G = Gi1, j1∩. . . When the node set G to be ∩Gik, jk is a group of order k, the d attributes constituting the group C (minimum group) of order d which is a minimal set in the inclusion relationship between structured groups (Condition 4) For any minimal group C, C∩G0,1 contains exactly one node (group head). (Condition 5) A group other than G0,1 in any minimal group C, A0 Special attribute A0 = {G0,1,... Configured to satisfy two of C0G0, j including at most one node (group member) for G0, j. . . , G0, m0} (where m0> 0), d + 1 attribute sets A0, A1,. . . , Ad to update and manage the group key in the d-dimensional group structure composed of Ad,
Since a node belongs to exactly one minimal group and A0 is a division of a node set N, d + 1 integer sets j0, j1,. . . , Jd exist and G0, j0∩G1, j1∩. . . ∩Gd, jd = {n}, d + 1 character set (j0, j1,..., Jd) is treated as an identifier (ID) of node n,
A0, A1,. . . , Ad defines a d-dimensional group structure. At this time, the server assigns nodes and group keys ki, j ( 1) to groups Gi, j (0 ≦ i ≦ d, 1 ≦ j ≦ mi) of order 1. share is referred to as a cornerstone Motokagi) in advance, groups of order k G = Gi1, j1∩. . . ∩ Gik, jk (i1 <.. <ik), h (ki1, j1 || .. | kik, jk) (h is a hash function, || The information that can be calculated is G group key k (G),
Only the node belonging to G knows the group key k (G) of the group G of order k. At this time, the server or the node belonging to G encrypts data to be transmitted to G with k (G), The obtained ciphertext is distributed to the G node by multicast,
If the ID of the node n is (j0, j1,..., Jd), n is d + 1 element keys k0, j0,. . . , Kd, jd and using these d + 1 keys, n can calculate kn = h (k0, j0 || ... d | jd, jd), where the value kn is n Since the server is a value that can be calculated only by the server, the server encrypts data with each node key for each node, with kn being a key (node key) shared between n and the server. Unicast securely and
In order to enable a secure one-to-one exchange of messages between a group head and each group member of the minimal group to which the group head belongs, the server sends a message to each group head and each group member. The node key encrypts a unique key (member key) that is shared, and sends it in a unicast manner.
When the server wants to add the node n to the group Gi, j of order 1, if the ciphertext obtained by encrypting the data x with the key k is written as Ek (x), the node adding means for preparing the server is as follows: C = Eh (ki, j) (k′i, j) is calculated for nodes belonging to Gi, j from before, c is multicast to nodes belonging to Gi, j, and n The new key k′i, j is encrypted with a node key shared only by the server and its nodes in a unicast manner and transmitted from the server, thereby ensuring backward security and the new key k′i, j Is shared with the new group Gi, j,
When the server excludes the node n from the group Gi, j of order 1, when a set obtained by removing n from Gi, j is written as G′i, j, G′i, j remains in the group even after n is excluded. All nodes belonging to G′i, j must be able to obtain a new key k′i, j, and in order to ensure forward security, the excluded node n is Since k'i, j must not be known, the primary node exclusion means provided in the server cooperates with the secondary node exclusion means provided in the group head that always exists in the minimal group, thereby eliminating the node. The process of
When the server excludes the node n from the group Gi, j of order 1, if the excluded node n is not a group head and i ≠ 0 for the element group Gi, j that excludes n, the server's main node exclusion means First, when ki, j is an element key of Gi, j and k′i, j is an element key of new Gi, j, k = h (k0,1 || ki, j) is calculated, and x = Ek (k′i, j) is obtained, and the 4-character set (i, j, IDn, x) is multicast transmitted to the nodes (group heads) belonging to Gi, j ， G0,1 (IDn is excluded) Node n ID), and then the secondary node exclusion means of the node (group head) belonging to Gi, j∩G0,1 decrypts x to obtain a new key k′i, j of Gi, j, and finally And subnodes of nodes (group heads) belonging to Gi, j∩G0,1. When the minimal group C to which the node belongs does not include the exclusion node n, the node exclusion means encrypts k′i, j using k (C) (group key of the minimal group C to which the node belongs), and Ek ( C) When (k′i, j) is multicast-distributed to the group members of C, while the excluded node n is included in the minimal group C to which the group head belongs, the sub-node exclusion means of the group head C'i, j is encrypted and transmitted to the group member C by unicast using the member key,
When the server excludes the node n from the group Gi, j of order 1, if the excluded node n is not the group head and i = 0 and j ≠ 1 for the element group Gi, j that excludes n, The main node exclusion means calculates x1 = Eh (k0, j) (k′0, j) and x2 = Eh (k0,1) (x1), and calculates the four character set (0, j, IDn, x2). Multicast distribution to the group head set G0,1 and the sub-node exclusion means of each group head decodes x2 to obtain x1 (since the group head does not know k0, j, x1 cannot be decoded) , G0, j and the minimal group C to which it belongs, if one node n ′ is included and n ≠ n ′, the sub-node exclusion means of the group head uses the member key for n ′. Encrypt x1 in a cast Send
When the server excludes the node n from the group Gi, j of order 1, when i = 0 and j = 1, that is, the excluded node n is a group head, the main node exclusion means provided in the server excludes n A process of exchanging the roles of the group head n of the group Gi, j and the node n ′ in the minimal group to which the group head belongs is performed, and the node exclusion process when the exclusion node is not the group head after the role exchange process ends An encryption key update method characterized by enforcing.   4. The encryption key updating method according to claim 3, wherein when the server excludes the node n from the group Gi, j of order 1, when i = 0 and j = 1, that is, the excluded node n is a group head, In the role exchanging process, the group head n and the node n′εG0, j (j ≠ 1) are assumed to belong to the same minimal group, and the main node exclusion means of the server first uses the element keys of G0,1. Update and distribute the new element key k′0,1 to the node set G′0,1 = G0,1 \ {n} obtained by subtracting n from G0,1 and then update the element key of G0, j , Distribute the new element key k′0, j to the node set G′0, j = G0, j \ {n ′} obtained by subtracting n ′ from G0, j, and finally k′0,1, k′0. , J each consisting of three processes for transmitting to n ′ and n respectively Law.   5. The encryption key updating method according to claim 4, wherein when the server excludes the node n from the group Gi, j of order 1, i = 0 and j = 1, that is, when the excluded node n is a group head. The primary node exclusion means for preparing first updates the element key of G0,1 and sets the node set G′0,1 = G0,1 \ {n by subtracting n from G0,1 for the new element key k′0,1 }, The key k′0,1 is cryptographically distributed from the server to each node belonging to G′0,1 in a unicast manner.   6. The encryption key updating method according to claim 5, wherein when the server excludes the node n from the group Gi, j of order 1, i = 0 and j = 1, that is, when the excluded node n is a group head. The main node exclusion means for updating the element key of G0, j, and the node set G′0, j = G0, j \ {n by subtracting n ′ from G0, j for the new element key k′0, j X1 = Ek0, j (k′0, j) and x2 = Ek′0,1 (x1) are calculated to distribute to '}, and x2 is distributed to the node of G′0,1 by multicast. , G'0,1 sub-node exclusion means decodes x2 to obtain x1, and G'0 is included in the minimal group to which the node (group head) belonging to G'0,1 belongs. , J nodes exist, the secondary node of the group head De exclusion means, G'0, encryption key update method characterized by encrypting and transmitting x1 unicast manner member key node elimination means nodes j.   7. The encryption key updating method according to claim 6, wherein when the server excludes the node n from the group Gi, j of order 1, i = 0 and j = 1, that is, when the excluded node n is a group head. The main node exclusion means for providing k′0, 1, k′0, j to n ′, n respectively unicast to k′0, 1, k′0, A method of updating an encryption key, wherein j is encrypted with a node key and transmitted. In a network composed of a server and a large number of nodes, if a node has d types of attributes, the node is considered to belong to d groups simultaneously, and a group key is associated with each group defined in this way. In the system where the server shares the group key only with the nodes belonging to the group and performs cryptographic communication for each group, the server updates the group key when the group member changes, A system that distributes the updated group key correctly and controls group key distribution so that when a node is forcibly excluded from the group, the excluded node does not continue to have a valid group key. And
When the node to be excluded is a group head node, the server exchanges roles between the group head node that is to be excluded and other nodes in the minimal group to which the group head belongs, thereby The node to be excluded is sent to a node other than the node to be excluded in the corresponding group via the group head node after making the node to be excluded a node that is not a group head node. have a tolyl loop head node elimination means to eliminate,
The minimal group is a product set of a plurality of groups obtained as a result of extracting one group having an arbitrary attribute value for each attribute, and is a group that is a minimal set that is not empty, and the group head node Is a node belonging to a group that contains exactly one node in the intersection set with any minimal group,
An encryption key update system characterized by that. The encryption key update system according to claim 8,
The group head node exclusion means includes:
Means for individually unicasting the new first group key of the group head node to a group head node of a minimal group other than the minimal group having a node to be excluded;
Means for generating a new second group key of the node having the same group attribute and the same group attribute value as the node whose role is exchanged with the node to be excluded at the position of the group head node;
The server is the current group key of the node having the same group attribute and the same group attribute values and the nodes and role exchange nodes to be eliminated at the location of the group head node a second group key the new encrypted further by encrypting the new first group key that is unicast to the group head nodes, means for generating a new second group key encrypted doubly,
Means for the server to multicast the double-encrypted new second group key to a group head node of each minimal group;
Each minimal group that has received the multicast and the group head node of each minimal group other than the minimal group exchanging the roles of the nodes uses the new second group key that has been double-encrypted as the first group key. Means to use and decrypt halfway,
The group head node of the minimal group that received the multicast receives the new second group key decrypted halfway, the same group attribute and the same as the node whose role is exchanged with the node to be excluded at the position of the group head node Means for transmitting to a node in a group having a group attribute value;
Means for the node receiving the transmission to decrypt the new second group key;
Means for unicasting the new first group key to a node at which the server comes to the position of the group head node by the role exchange;
Means for unicasting the new second group key to a node to be excluded, wherein the server is a node whose role is exchanged with a node that is in the position of a group head node by the role exchange;
An encryption key update system comprising:

Images