JPH11187010A - Method and system for delivering key in cryptographic communication - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a key delivering method which is effective for conspiracy attack while shortening the length of key delivery data for sharing a key even when there are many recipients. SOLUTION: Equipment 100 on the side of a key preparing person prepares a finite set S composed of the secret information of the key preparing person and a finite set P composed of disclosed information. A step is provided for preparing and delivering key information Kx of an entry (x) corresponding to a partial set Sx in the finite set S. Equipment 200 on the entity side of a transmitter prepares a finite set W from the element and random number of the finite set P and transmits this set to the equipment 200 on the entity side of a recipient as transmission data. The equipment on the entity side of the recipient (x) extracts a partial set Wx of the relevant set W corresponding to a set predetermined by the key preparing person from the finite set W, calculates a peculiar value Ix of the recipient from each element and calculates a common key K with the transmitter based on this peculiar value Ix and key information Kx.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to cryptographic communication in which a sender and a receiver share a common key for encrypting and decrypting transmission data for the purpose of performing cryptographic communication. , A key distribution method and a key distribution system.

[0002]

2. Description of the Related Art Conventionally, several methods have been proposed for a broadcast encryption communication (key management) method.

[0003] For example, the document "SJKent: Security requ
irement and protocols for a broadcast scenario, IEE
E Trans. Commun., COM-29, 6, pp. 778-786 (1981) "is basic.

[0004] The copy key method is a simple extension of the conventional one-to-one encrypted individual communication to a broadcast communication. One copy of the key is delivered to the sender and a plurality of authorized recipients. The sender encrypts using the copy key and transmits. A legitimate recipient decrypts using the same copy key.

[0005] In addition, the document "Koyama: Encryption method of broadcast communication using master key, IEICE (D), J65-D, 9, pp. 11
51-1158 (1982) ”, a broadcast encryption communication method using an RSA individual key substitution master key, and a literature“ Li, Tokiwa et al .: Broadcast communication using multiplexing / demultiplexing method, 1986 ” A key distribution method based on the multiplexing and demultiplexing of information sequences using the Chinese remainder theorem described in "Cryptography and Information Security Symposium," or the document "Mitsuho et al .: Efficient Broadcast Encryption Communication System, Technique ISEC93-34 (1993-10) ".

First, a description will be given of a method of performing a multiplexing / demultiplexing method of an information sequence using the Chinese remainder theorem.

(1) Key generation processing: recipient i (1 ≦ i ≦
s), s integers g ₁ , g ₂ ,.
, G _S (r ≦ s), and distributes g _i to the receiver i in advance as secret information of the receiver i.

[0008] (2) the encryption process: M ₁ the s pieces of information sequence to be multiplexed, M _2, ···, and M _S. The sender writes the multiplexed transmission message F,

[0009]

[Equation 99]

And F is broadcast. However, G, G _i, A _i is,

[0011]

[Equation 100]

Where A _i is the smallest integer satisfying the above equation.

(3) Decoding process: The receiver i is from F to g
_{Using i} ,

[0014]

[Equation 101]

By this, M _i is separated.

Next, the system described in the document "Mitsuho et al .: Efficient Broadcast Encryption Communication System, IEICE 93-34 (1993-10)" will be described.

(1) Key generation processing: A reliable center
As confidential information,

[0018]

[Equation 102]

Is created, and as public information,

[0020]

[Equation 103]

Is created.

Next, the center calculates, for σ∈S,

[0023]

[Equation 104]

Sσ that satisfies is calculated and distributed as secret information of the receiver Uσ. Here, the set S = {f | one-to-one mapping f: A = {1, 2,..., K} → B = {1, 2,.
Let m｝ and k <m｝.

(2) Key distribution processing: The sender randomly selects an integer r,

[0026]

[Equation 105]

For the purpose of sharing the common key K with the receiver,

[0028]

[Equation 106]

Calculating z _i that satisfies z _i (1 ≦ i ≦ m)
Broadcast.

The receiver Uσ is

[0031]

[Equation 107]

Is used to calculate a common key K.

[0033]

In the above-described conventional key distribution using a multiplexing method using the Chinese remainder theorem, the length of key distribution data increases in proportion to the number of recipients. This poses a problem in terms of efficiency when targeting a large number of recipients of several millions or more, such as a satellite broadcasting service.

On the other hand, the above-mentioned conventional document "Mitsuho et al .: Efficient broadcast encryption communication system, IEICE 93-34 (1993-1)
0)), the length of key distribution data can be shortened even when the number of recipients is large. However, this method has a problem that the confidential information of another receiver can be calculated by collaborating with an appropriate receiver (for this point, see "Nishioka: Consideration on the key distribution method in broadcast encryption communication"). , IEICE 96-48 (1996-
11) ”. ). Another problem is that key sharing cannot be performed only with recipients belonging to an arbitrary set of recipients.

The present invention has been made in view of the above circumstances, and has as its main object to provide a key distribution method and a key distribution system for cryptographic communication having the following features.

(1) Each receiver has individual key information and shares a key.

(2) Even if the number of recipients is large,
The length of key distribution data can be shortened.

(3) Even if the receivers collude and exchange each other's secret information, it is difficult to calculate the key information of the other receivers and the secret information of the key creator.

(4) Key sharing can be performed only with recipients belonging to an arbitrary set of recipients.

[0040]

In order to solve the above problems, the present invention employs the following constitution.

(1) In the key creator's apparatus, first, a finite set S consisting of secret information of the key creator and a finite set P consisting of public information are created.

Next, key information Kx of the entity x is created and distributed in correspondence with the subset Sx of the finite set S.

(2) In the device of the entity which is the sender, a finite set W is created from the elements of the finite set P and random numbers, and the (finite element) of the finite set W is transmitted as transmission data.

(3) In the device of the entity x as the receiver, a subset Wx of the finite set W corresponding to the set predetermined by the key creator is extracted from the finite set W as the transmission information, and the subset Wx , A unique value Ix of the entity x is calculated. Then, based on the unique value Ix and the key information Kx, the common key K between the sender and the entity is calculated.

In the present invention, when key sharing is performed only with recipients belonging to an arbitrary set of recipients (in this case,
The broadcast station is the key creator and the sender. (1) In the apparatus of the broadcasting station, in addition to the above-described processing in the apparatus of the key creator and the transmitter, the entity x that is the receiver performing key sharing is identified using the key information Kx of the entity x. Create information Qx and send it to entity x.

(2) At the device of the entity x, the receiver, the common key K between the entity and the sender,
Is calculated based on the unique value Ix, the key information Kx, and the identification information Qx.

Hereinafter, an example of a specific implementation method of the present invention will be described.

(1) In the apparatus of the broadcasting station, as preparation processing, first, as secret information of the broadcasting station,

[0049]

[Equation 108]

(Where ord _N (g) is

[0051]

(Equation 109)

Represents the smallest positive integer x. ), And as public information,

[0053]

[Equation 110]

Is created.

Next, for σ _X ∈S (k, m),

[0056]

(Equation 111)

S (i, x, σ _X ), t (i,
x, σ _X ) (where i = 1, 2).

Also,

[0059]

[Equation 112]

On the other hand,

[0061]

[Equation 113]

S (x, σ _X ) that satisfies

[0063]

[Equation 114]

And the set S (k, m) = ｛f | one-to-one mapping f: A = {1, 2,..., K} → B = {1, 2,.
, M}, k <m｝. ).

Next, integers t (x, π _X ), π _X εS (k,
m), integer r', against beta _X,

[0066]

[Equation 115]

(However, for the constant c,

[0068]

[Equation 116]

Assume that ) To calculate the r (x, π _{X) satisfying, s (x, σ X)} , to distribute t a (x, [pi _X) as the key information of the receiver x.

As key distribution processing, integers λ _i and μ _i are randomly selected,

[0071]

[Formula 117]

In order to share the common key K only with a limited recipient,

[0073]

[Equation 118]

[0074] to calculate the u _i, v _i to meet the. Then, the obtained u _i and v _i (1 ≦ i ≦ m) are broadcast.

Also, the limited recipient entity x
And transmits the obtained r (x, π _X ).

(2) In the device of the entity x of the receiver, its own key information s (x, σ) distributed by the broadcast station
_{X), t (x, π} X), r (x, π X) and multicast transmission data u _i, based on the v _i,

[0077]

[Equation 119]

Thus, the common key K is calculated.

[0079]

Embodiments of the present invention will be described below.

In each of the embodiments described below, Z represents a set of whole integers. For a positive integer N and a positive integer g, ord _N (g) = m is

[0081]

[Equation 120]

Represents that the minimum positive integer x is m.

First, as a first embodiment of the present invention, a key distribution method for a sender and a plurality of receivers (hereinafter also referred to as entities) to share common key information for performing broadcast encryption communication Will be described.

FIG. 1 shows a schematic configuration of a key distribution system to which the first embodiment of the present invention is applied. As shown in FIG. 1, the system according to the present embodiment includes a key creator-side device 10.
0 and a plurality of entity-side devices 200. The key creator device 100 and the plurality of entity devices 200 are connected to each other by a communication line 300.

FIG. 2 shows the key creator-side device 100 shown in FIG.
1 shows a schematic configuration of the embodiment. As shown in FIG. 2, the key creator-side device 100 includes a random number generator 101, a prime number generator 10
2. Arithmetic unit 103, power multiplier 104, remainder arithmetic unit 1
05, memory 106, and public information database 1
07. Here, the random number generator 101, the prime number generator 102, the arithmetic unit 103, the power multiplier 104, and the remainder arithmetic unit 105 may be provided as hardware, or in an information processing apparatus having a communication function, It may be realized by executing a predetermined program. The predetermined program is a CD-ROM
It can be stored in a storage medium such as.

FIG. 3 shows the entity-side device 2 shown in FIG.
00 shows a schematic configuration. As shown in FIG. 3, the entity-side device 200 includes a random number generator 201, a power multiplier 202, an arithmetic device 203, a remainder arithmetic device 204, a memory 205, a communication device 206, and an IC card connection device 207. . Here, the random number generator 201, the power multiplier 202, the arithmetic unit 203, and the remainder arithmetic unit 20
4 may be provided as hardware, or
The information processing apparatus having the communication function may be realized by executing a predetermined program. This predetermined program can be stored in a storage medium such as a CD-ROM.

The operation of the key distribution system to which the present embodiment having the above configuration is applied will be described with reference to FIG. FIG. 4 is a diagram for explaining a flow of information in the key distribution system shown in FIG.

1. Preparation process In the key creator side device 100, the random number generation device 101,
Prime number generator 102, arithmetic unit 103, power multiplier 10
4, and the remainder arithmetic unit 105 creates the following information according to the instruction of the trusted key creator.

Secret information:

[0090]

[Equation 121]

Public information:

[0092]

[Equation 122]

[0093] The created secret information is stored in the memory 106. On the other hand, the public information is stored in the public information database 10.
7 and published.

Next, the arithmetic unit 103 and the remainder arithmetic unit 105 determine that σ _X ∈S (k, m)

[0095]

[Equation 123]

S (i, x, σ _X ), t (i,
x, σ _X ) (where i = 1, 2).

Then,

[0098]

[Equation 124]

On the other hand,

[0100]

[Equation 125]

S (x, σ _X ) calculation that satisfies

[0102]

[Equation 126]

And the set S (k, m) = {f | one-to-one mapping f: A = {1,2, ..., k} → B = {1,2, ..., m}, k
<M｝. ). Then, the obtained s (x, σ _X )
As the key information of the entity x, the entity x
Distribute to

2. Key Distribution Processing (1) In the entity-side device 200 of the entity that is the sender, the communication device 206 communicates with the key creator-side device 10 via the communication line 300 according to the instruction of the sender.
The public information of the key creator is obtained from the public information database 107 of No. 0.

Next, the random number generation device 201 calculates the integer r
_i (1 ≦ i ≦ m + 1) is randomly generated. then,
The power multiplier 202, the arithmetic unit 203, and the remainder arithmetic unit 204

[0106]

[Equation 127]

The common key K that satisfies is calculated. The obtained common key K is stored in the memory 205.

Next, the power multiplier 202 and the arithmetic unit 20
3, and the remainder arithmetic unit 204, for the purpose of sharing the obtained common key K with the entity that is the receiver,

[0109]

[Equation 128]

Compute u _i that satisfies.

The determined u _i (1 ≦ i ≦ m) is
At 06, it is multiplexed (such as by the multiplexing method using the Chinese Remainder Theorem described in "Prior Art"). Thereafter, it is broadcasted as transmission data W via the communication line 300.

(2) In the entity-side device 200 of the entity x as the receiver, the communication device 206 receives the transmission data W broadcast from the entity-side device 200 of the entity as the sender, and from there, U _i (1 ≦ i ≦ m) that are multiplexed in the same manner.

The power multiplier 202, the arithmetic unit 203, and the remainder arithmetic unit 204 form the separated u _i (1 ≦ i ≦
m) and key information s of the entity x distributed by the key creator side apparatus 100 and stored in the memory 205 in advance.
(X, σ _X ) and the public information N,

[0114]

[Equation 129]

The common key K that satisfies is calculated. The obtained common key K is stored in the memory 205.

As described in the prior art, the document "Mitsuho et al .: Efficient Broadcast Encryption Communication System, IEICE 93-34 (1)
993-10) ”, the paper“ Nishioka: Consideration of Key Distribution Method in Broadcast Encryption Communication ”, IEICE Tech.
8 (1996-11) ”, an appropriate number of recipients collude and share their secret information with each other,
By solving a predetermined simultaneous equation, secret information of other recipients can be calculated.

On the other hand, according to the present embodiment, even if an appropriate number of recipients collaborate and share their own secret information (key information) with each other, the secret information of the other recipients can be obtained from these information. Cannot be calculated. That is, according to the present embodiment, a key can be shared between a sender and a receiver without notifying the entity of information that makes the collusion attack effective as described above. Therefore, it is possible to efficiently prevent the confidential information of the receiver from leaking to a third party.

As described above, the first embodiment of the present invention has been described.

Next, a second embodiment of the present invention will be described.

In the present embodiment, in the first embodiment described above, the entity x, which is the receiver, uses the IC card storing the key information s (x, σ _X ) of the entity itself, thereby obtaining the key information of the entity x. A description will be given of a method of calculating a common key K shared with an entity as a sender while more efficiently preventing s (x, σ _X ) from leaking to a third party.

FIG. 5 is a diagram showing an I-mode used in the second embodiment of the present invention.
2 shows a schematic configuration of a C card 400.

As shown in FIG. 5, the IC card 400
A power multiplier 401, an arithmetic unit 402, a memory 403, a remainder arithmetic unit 404, and an input / output device 405 are provided. Here, the power multiplier 401, the arithmetic unit 402, and the remainder arithmetic unit 404 may be provided as hardware, or in a CPU provided in an IC card,
It may be realized by executing a predetermined program.

The operation of the present embodiment is basically the same as that of the first embodiment except that the process of calculating the common key K performed on the receiver side is different.

In the present embodiment, the second embodiment of the first embodiment described above. In (2) of the key distribution process, the IC card 40
When 0 is inserted into the IC card connection device 207 of the entity-side device 200 of the entity x that is the recipient,
Power multiplier 401 and arithmetic unit 40 in IC card 400
3, and the remainder arithmetic unit 404 stores the key information s (x, σ _X ) of the entity x stored in the memory 403 in advance and the u _i separated from the transmission data W by the communication device 206 of the entity-side device 200. (1 ≦ i ≦ m) and public information N stored in advance in the memory 205 of the entity-side apparatus 200,

[0125]

[Equation 130]

Calculate K ′ that satisfies (where u _x is

[0127]

[Equation 131]

Represents one of the following. ).

The obtained K ′ is calculated by the input / output device 405.
IC card connection device 207 of entity-side device 200
Is stored in the memory 205 of the device.

Next, the power multiplier 202, the arithmetic unit 203, and the remainder arithmetic unit 204 of the entity-side device 200
Is u _i (1 ≦ i ≦ m) separated from the transmission data W by the communication device 206 and the entity-side device 200
Based on K ′ and N stored in the memory 205 of

[0131]

(Equation 132)

The common key K that satisfies is calculated.

As described above, the second embodiment of the present invention has been described.

Next, a third embodiment of the present invention will be described.

In the present embodiment, a case will be described in which the limited broadcast encryption communication method based on the key distribution method of the first embodiment described above is applied to an information distribution service system using satellite broadcasting. In the information distribution service system, only the receivers who are eligible for viewing (or the receivers who have agreed to pay the price) are required to transmit information (paid data, such as multimedia information) broadcasted and encrypted by the broadcasting station using satellites. ) Can be decoded.

FIG. 6 shows a schematic configuration of a key distribution system to which the third embodiment of the present invention is applied. As shown in FIG. 6, the system according to the present embodiment includes a broadcast station side device 500.
And a receiver device 600 and a server 700.

Here, the set R of receivers is a group of the subset.

[0138]

[Equation 133]

In contrast,

[0140]

[Equation 134]

[0141] a a, it is assumed that the server S _a corresponding to each subset R _a is installed.

FIG. 7 shows a schematic configuration of the broadcasting station side apparatus 500 shown in FIG. As shown in FIG. 7, the broadcast station side device 500 includes a random number generator 501, a prime number generator 502, an arithmetic unit 503, an exponentiation multiplier 504, a remainder arithmetic unit 505,
Key generator 506, encryption / decryption device 507, communication device 50
8 and a memory 509. Here, the random number generator 501, the prime number generator 502, the arithmetic unit 503, the exponentiation multiplier 504, and the remainder arithmetic unit 505 may be provided as hardware, or in an information processing apparatus having a communication function, It may be realized by executing a predetermined program. This predetermined program can be stored in a storage medium such as a CD-ROM.

FIG. 8 shows a schematic configuration of the receiver apparatus 600 shown in FIG. As shown in FIG. 8, the receiver device 600 includes a memory 601, a power multiplier 602, a remainder calculator 603, a calculation device 604, an authentication device 605, a communication device 606, a key generator 607, an encryption / decryption device 608, Further, an IC card connecting device 609 is provided. here,
Power multiplier 602, remainder arithmetic unit 603, arithmetic unit 60
4. The authentication device 605, the key generation device 607, and the encryption / decryption device 608 may be provided as hardware,
Alternatively, the information processing device having a communication function may be realized by executing a predetermined program. This predetermined program can be stored in a storage medium such as a CD-ROM.

FIG. 9 shows a schematic configuration of the server 700 shown in FIG. As shown in FIG. 9, the server 700
Communication device 701, encryption / decryption device 702, memory 703,
An authentication device 704 and a billing device 705 are provided. Here, the encryption / decryption device 702, the authentication device 704, and the charging device 705 may be provided as hardware, or may be realized by executing a predetermined program in an information processing device having a communication function. You may make it. The predetermined program is a CD-ROM
It can be stored in a storage medium such as.

The operation of the information distribution service system to which the present embodiment having the above configuration is applied will be described with reference to FIG. FIG. 10 is a diagram for explaining the flow of information in the information distribution service system shown in FIG.

1. Preparation Processing In the broadcast station side device 500, the random number generation device 501, the prime number generation device 502, the arithmetic device 503, the power multiplier 50
4, and the remainder arithmetic unit 505 creates the following information.

Secret information:

[0148]

[Equation 135]

Public information:

[0150]

[Equation 136]

The created secret information is stored in the memory 509. On the other hand, public information is made public. In this embodiment, since the broadcasting station is the key creator and the sender, the public information N includes the key information s (x, σ _X ), t of the receiver described later.
The data may be distributed along with (x, π _X ) or may be disclosed to the recipient by including it in the broadcast data.

Next, the arithmetic unit 503 and the remainder arithmetic unit 505 determine that σ _X ∈S (k, m)

[0153]

137

S (i, x, σ _X ), t (i,
x, σ _X ) (where i = 1, 2). However,
Set S (k, m) = ｛f | one-to-one mapping f: A = ｛1,2,
.., K} → B = {1, 2,..., M}, k <m}.

Then,

[0156]

138

On the other hand,

[0158]

139

S (x, σ _X ) that satisfies

[0160]

[Equation 140]

Is as follows. ).

Next, with respect to the integers t (x, π _X ), π _X ｋS (k, m), and the integers r ′, β _X generated by the random number generation device 501,

[0163]

[Equation 141]

Calculate r (x, π _X ) that satisfies (however, for a constant c,

[0165]

[Equation 142]

It is assumed that ).

Next, the obtained s (x, σ _X ) and t
(X, π _X ) is distributed as key information of the receiver x. Further, the obtained r (x, π _X ) is converted to the receiver-side device 6 of the receiver x.
00 is distributed to the server 700 in the area to which 00 belongs.

[0168] 2. Encryption / Decryption Processing (1) In the broadcast station side device 500, the random number generation device 50
1 randomly generates integers λ _i and μ _i . Next, the arithmetic unit 503, the power multiplier 504, and the remainder arithmetic unit 50
5 is

[0169]

[Equation 143]

The common key K that satisfies is calculated. After that, the key generator 506 creates a data encryption key DK = f (K) (where f is a public key generation function of a secret key cryptosystem). The encryption / decryption device 507 encrypts the data P using the data encryption key DK, and obtains a ciphertext C = E (D
K: P).

The arithmetic unit 503 and the power multiplier 50
4, and the remainder arithmetic unit 505, for the purpose of sharing the common key K with the receiver,

[0172]

[Equation 144]

U _i, v _i is calculated to meet the [0173].

The determined u _i and v _i (1 ≦ i ≦ m) are multiplexed in the communication device 508 (by a multiplexing method using the Chinese remainder theorem described in “Prior Art”). You. Thereafter, it is broadcasted as transmission data W together with the ciphertext C via a satellite.

The arithmetic unit 503 and the remainder arithmetic unit 5
05 is for each x∈X

[0176]

[Equation 145]

[0177] to calculate the V _a satisfied. Encryption / decryption device 5
07, the obtained Va is _compared with the broadcast station and the server 700.
Encrypted with (S _a) key in advance shared between K (S _a), the ciphertext _{C a = E (K (S} a): V a) generating a.

The communication device 508 transmits the ciphertext C _a to the server 700 (S _a ) via a satellite.

(2) In the receiver device 600 of the receiver x, the communication device 606 follows the instruction of the receiver x,
To view the data P, the receiver device 600 of the receiver x
Accesses the server 700 in the area to which the user belongs.
Next, the authentication device 605 determines that the recipient x has secret information s (x,
σ _x ) and t (x, π _x ) are communicated by the communication device 60.
6, the server 700 is notified.

(3) In the server 700 in the area to which the receiver device 600 of the receiver x belongs, the authentication device 7
04 performs an authentication process of the recipient x. If the authentication is successful, the server 700 stores the r (x, σ _X ) stored in the memory 703 in advance, via the communication device 701, as the recipient x
Is transmitted to the receiver-side device 600.

Here, when the data P is charged, the charging device 705 performs a charging process for the receiver x. For example, the usage fee is calculated according to the data amount of the data P and the reception time.

(4) In the receiver device 600 of the receiver x, the communication device 606 receives the transmission data W broadcasted from the broadcasting station device 500, and u is multiplexed with the data. _i and v _i (1 ≦ i ≦ m) are separated.

Next, the power multiplier 602 and the remainder arithmetic unit 6
03, and the computing device 203, demultiplexes been u _i, v _i
(1 ≦ i ≦ m) and r (x, x) sent from the server 700 in the area to which the receiver's device 600 belongs.
σ _X ), the secret information s (x, σ _X ), t (x, π _X ) and the public information N of the receiver x stored in the memory 601 in advance.

[0184]

[Equation 146]

The common key K that satisfies is calculated. Next, the key generator 606 calculates a data encryption key DK = f (K) using the obtained common key K.

The encryption / decryption device 608 decrypts the data P from the ciphertext C using the obtained data encryption key DK.

According to this embodiment, a set of recipients sharing a key is identified by distributing r (x, π _X ) only to a limited number of recipients. Key distribution for communication becomes possible.

It should be noted that 2. of the present embodiment. In the encryption / decryption process, the receiver device 600 of the receiver x and the device 6
The authentication process performed between the servers 700 in the area to which 00 belongs is conventionally used as long as the authentication method is not established unless s (x, σ _x ) and t (x, π _x ) are known. Authentication method may be used.

Hereinafter, as an example of the authentication method performed by the recipient x with respect to the server, RSA (document “RLRivest, A.Sha
mir, L. Adleman .: A method for obtaining digital sig
natures and public key cryptosystems, Communicatio
ns of the ACM, Vol. 21, No. 2, pp. 120-126, 1978 ”).

(1) In the broadcast station apparatus 500, for the receiver x,

[0191]

147

(However, for the published function τ, s ′
_{Let x} = τ (s (x, σ _x ), t (x, π _x )). ) Is satisfied (y _X ,
n _X) is calculated, and distribute this to the server 700 in the area where the recipient x belongs.

(2) In the receiver device 600 of the receiver x, the authentication device 604 uses the broadcast data W and the one-way hash function h, which is public information, to obtain h (W)
(0 <h (W) <n _x ) is calculated. And h (W)
Signature, using a secret key _s'X for,

[0194]

[Equation 148]

Created by The communication device 605 transmits the created signature sgn _X (h (W)) to the server 700 together with the data name desired to be viewed.

(3) In the server 700, the authentication device 7
04 is

[0197]

149

It is checked whether or not the condition is satisfied. Communication device 701
Is the value of r in memory 703 if the above equation holds.
(X, π _X ) is transmitted to the receiver device 600 of the receiver x.

The third embodiment of the present invention has been described.

Next, a fourth embodiment of the present invention will be described.

In the present embodiment, in the third embodiment, the receiver x has its own key information s (x, σ _X ), t
By using the IC card storing (x, π _X ), it is possible to prevent the key information s (x, σ _X ) and t (x, π _X ) of the own key from leaking to a third party more efficiently. A method for calculating a common key K shared with a broadcasting station will be described.

FIG. 11 is a diagram showing an example of the I used in the fourth embodiment of the present invention.
3 shows a schematic configuration of a C card 800.

[0203] As shown in FIG.
Is a memory 801, a power multiplier 802, a remainder arithmetic unit 80
3, and an authentication information creation device 804. Here, the power multiplier 802, the remainder arithmetic unit 803, and the authentication information creation device 804 may be provided as hardware, or may be realized by executing a predetermined program in a CPU included in an IC card. You may do so.

The operation of this embodiment is basically the same as that of the third embodiment except that the process of calculating the common key K performed on the receiver side is different.

In the present embodiment, the second embodiment of the third embodiment described above. In (3) of the encryption / decryption processing, the IC card 8
00 is inserted into the IC card connection device 609 of the receiver device 600 of the receiver x, the power multiplier 802 and the remainder operator 803 in the IC card 800 store the receiver x stored in the memory 801 in advance. Key information s (x, σ _X ),
t (x, π _X ) and the communication device 606 of the receiver device 600
U _i , v _i (1 ≦
i ≦ m) and the public information N stored in advance in the memory 601 of the receiver-side device 600,

[0206]

[Equation 150]

And

[0208]

[Equation 151]

(However, u _X is

[0210]

[Equation 152]

Represents any one of the above. ) Is calculated.

[0212] The result obtained is the IC of the receiver device 600.
The memory 60 of the device is connected via the card connection device 609.
1 is stored.

Next, the power multiplier 6 of the receiver device 600
02, the remainder arithmetic unit 603, and the arithmetic unit 604 have u separated from the transmission data W by the communication device 606.
_i , v _i (1 ≦ i ≦ m), the calculation result of the IC card 800 stored in the memory 301 of the receiver-side device 600, and the public information N,

[0214]

[Equation 153]

A common key K that satisfies is calculated.

In the authentication process, the IC card 8
Sgn using the authentication information creation apparatus 804
_X (h (W)) is calculated and output to the receiver-side device 600. Then, the processing is performed in the same manner as in the third embodiment described above.

As described above, the fourth embodiment of the present invention has been described.

Next, a fifth embodiment of the present invention will be described.

In this embodiment, a method in which the broadcast station identifies the transmission data using the data encryption key and a method in which the data encryption key is changed in the third embodiment described above will be described.

In the case of performing the identification by the data encryption key for each transmission data, in the third embodiment, the broadcast station side apparatus 500 uses the random number generator 501 to set the integer r ′ or β _{X for} each transmission data, or Change the value of c. As a result, transmission data can be identified.

The data encryption key is changed by changing the values of λ _i and μ _i generated by the random number generator 501 of the broadcast station side device 500 in the third embodiment. This can be done by updating the value.

The change of the common key K can be realized also in the first embodiment. That is, in the first embodiment, the integer r _i (1 ≦ i ≦ m +) generated by the random number generation device 201 of the entity device 200 that is the sender.
This can be achieved by updating the value of the common key K by changing the value of 1).

[0223]

As described above, according to the present invention,
Even in the case where the number of recipients is large in broadcast encryption communication, the length of key distribution data can be shortened (constant).

[0224] It is also possible to make it difficult for a fraudulent entity (recipient) to transmit secret information to each other and calculate key information of a key creator (broadcasting station) or another entity (recipient). it can.

Therefore, highly efficient and reliable key distribution can be realized.

[Brief description of the drawings]

FIG. 1 is a schematic configuration diagram of a key distribution system to which a first embodiment of the present invention has been applied.

FIG. 2 is a schematic configuration diagram of the key creator-side apparatus 100 shown in FIG.

FIG. 3 is a schematic configuration diagram of an entity-side device 200 shown in FIG. 1;

FIG. 4 is a diagram for explaining a flow of information in the key distribution system shown in FIG.

FIG. 5 is an IC card 40 used in the second embodiment of the present invention.
0 is a schematic configuration diagram.

FIG. 6 is a schematic configuration diagram of a key distribution system to which a third embodiment of the present invention has been applied.

FIG. 7 is a schematic configuration diagram of a broadcast station side device 500 shown in FIG. 6;

8 is a schematic configuration diagram of the receiver-side device 600 shown in FIG.

9 is a schematic configuration diagram of a server 700 shown in FIG.

10 is a diagram for explaining a flow of information in the information distribution service system shown in FIG.

FIG. 11 is an IC used in a fourth embodiment of the present invention.
FIG. 3 is a schematic configuration diagram of a card 800.

[Explanation of symbols]

100 Key creator's side device 101, 201, 501 Random number generator 102, 502 Prime number generator 103, 203, 403, 503, 604 Arithmetic unit 104, 202, 401, 504, 602, 802 Power multiplier 105, 204, 404 , 505, 603, 803 Remainder arithmetic units 106, 205, 402, 508, 601, 703, 8
01 Memory 107 Public information database 200 Entity side device 206, 508, 606, 701 Communication device 207, 609 IC card connection device, 300 Communication line 400, 800 IC card 405 Input / output device 500 Broadcast station side device 506, 607 Key generator 507, 608, 702 Encryption / decryption device 600 Receiver side device 605, 704 Authentication device 700 Server 705 Billing device 804 Authentication information creation device,

Claims (33)

[Claims] 1. A sender and a plurality of recipients (hereinafter, also referred to as entities) share common key information for performing cryptographic communication by using individual key information created in advance by a key creator. Creating a finite set S of secret information of the key creator and a finite set P of public information in the device of the key creator. Generating and distributing key information Kx of the entity x in correspondence with the subset Sx of the set S. In the device of the entity as the sender, a finite set W is generated from the element of the finite set P and a random number. And transmitting the finite set W as transmission data to the device of the entity as the recipient. Extracting a subset Wx of the finite set W corresponding to a set predetermined by the key creator from the finite set W, and calculating a unique value Ix of the entity x from each element of the subset Wx And a step of calculating a common key K between the sender and the entity based on the unique value Ix and the key information Kx. 2. A key distribution method for cipher communication according to claim 1, wherein when the key creator and the sender match, the sender can perform cipher communication with an arbitrary receiver. A key distribution method in cryptographic communication for sharing key information of the following, wherein in a device of an entity that is a sender and a key creator, for an entity x that is a receiver that performs key sharing,
Identification information Qx using key information Kx of the entity x
And transmitting the identification information Qx to the device of the entity x. In the device of the entity x as the recipient, the common key K between the entity and the sender is A key distribution method in cryptographic communication, wherein the key distribution method is calculated based on a unique value Ix, the key information Kx, and the identification information Qx. 3. A sender and a plurality of recipients (hereinafter, also referred to as entities) share common key information for performing cryptographic communication by using individual key information created in advance by a key creator. A key distribution method in cryptographic communication for performing Creating a set KS of secret information and a set KP of public information of the key creator; and σ _X ∈S (k, m): Calculating s (i, x, σ _x ) and t (i, x, σ _x ) (where i = 1, 2) that satisfies For: Calculating a s (x, sigma _X) satisfying, in step (where distributing obtained s (x, sigma _X) as the key information of an entity x, G is a finite Abelian (multiplicative) group, the set KP includes elements that determine G, and And And ord _G (g) is given by: And the set S (k, m) = ｛f
| One-to-one mapping f: A = {1, 2,..., K} → B = {1,
2,..., M}, k <m｝. ), And randomly select integers r ₁ ,..., Rm _{+ 1} in the device of the entity that is the sender. In order to share the key K with the entity that is the receiver, the public key of the key creator is used as broadcast data as follows: Calculating u _i that satisfies the following condition _; and broadcasting the calculated u _i (where 1 ≦ i ≦ m). _{Based on i} and its own key information s (x, σ _X ) distributed by the key creator's device, Calculating a common key K that satisfies the following condition: 4. A sender and a plurality of recipients (hereinafter, also referred to as entities) share common key information for performing cryptographic communication by using individual key information created in advance by a key creator. A key distribution method in cryptographic communication for performing the following: in a key creator's device, secret information of the key creator: , And as public information of the key creator, And, for σ _X ∈S (k, m), Calculating s (i, x, σ _X ) and t (i, x, σ _X ) (where i = 1, 2), ## EQU14 ## That satisfies s (x, sigma _X) computing a, obtained s (x, sigma _X) Step (here to distribute as the key information of an entity x, Equation 15] And And ord _N (g) is given by: And the set S (k, m) = ｛f
| One-to-one mapping f: A = {1, 2,..., K} → B = {1,
2,..., M}, k <m｝. ), And randomly select integers r ₁ ,..., Rm _{+ 1} in the device of the entity that is the sender. In order to share the key K with the entity that is the recipient, the public key information of the key creator is used as broadcast data as follows: Calculating u _i that satisfies the following condition _; and broadcasting the calculated u _i (where 1 ≦ i ≦ m). _{Based on i} and its own key information s (x, σ _X ) distributed by the key creator, Calculating a common key K that satisfies the following condition: 5. A key distribution method in a cryptographic communication according to claim 3 or 4, in the apparatus of the sender, the integer r _1, · · ·, by changing the value of r m + _1, the common A key distribution method in cryptographic communication, further comprising a step of changing a value of a key K. 6. A key distribution method in cipher communication for sharing common key information in a limited broadcast cipher communication in which a broadcasting station as a sender communicates only with a limited receiver among a plurality of receivers. In the apparatus of the broadcasting station, as preparation processing, , A step of creating a set KS of secret information and a set KP of public information of the broadcast station (where G is a finite abel (multiplicative) group, and the set KP includes an element that determines G. And ord _G (g) is given by: Represents the minimum positive integer x. ) And σ _X ∈S (k, m), Calculating s (i, x, σ _x ) and t (i, x, σ _x ) (where i = 1, 2), ## EQU24 ## A step of calculating s (x, σ _X ) that satisfies And the set S (k, m) = ｛f | one-to-one mapping f: A =
{1,2, ..., k} → B = {1,2, ..., m}, k
<M｝. ), Integers t (x, π _X ), π _X ∈S (k, m), integers r ′, β
_{For X} , The step of calculating r (x, π _X ) that satisfies
For a constant c, And ) And a step of distributing the obtained s (x, σ _X ) and t (x, π _X ) as key information of the receiver x, and as key distribution processing, integers λ _i , μ _i Is selected at random, and In order to share the key K only with a limited recipient, Calculating a u _i, v _i satisfying, obtained u _i, v _i (however, 1 ≦ i ≦ m) the steps of the broadcast transmission, the apparatus of limited recipient x, determined R (x,
π _X ) at the device of the receiver x, wherein the key information s (x, x) of the receiver x is distributed by the device of the broadcasting station.
_{σ X), t (x,} π X), r (x, π X) and the multicast transmission data u _i, based on the v _i, Equation 30] Calculating a common key K that satisfies the following condition: 7. A key distribution method in cipher communication for sharing common key information in a limited broadcast cipher communication in which a broadcasting station as a sender communicates only with a limited receiver among a plurality of receivers. In the apparatus of the broadcasting station, as preparation processing, as secret information of the broadcasting station, (Where ord _N (g) is given by: Represents the minimum positive integer x. ), And as public information of the broadcasting station, And, for σ _X ∈S (k, m), Calculating s (i, x, σ _x ) and t (i, x, σ _x ) (where i = 1, 2), , A step of calculating s (x, σ _X ) that satisfies And the set S (k, m) = ｛f | one-to-one mapping f: A =
{1,2, ..., k} → B = {1,2, ..., m}, k <
m｝. ) And integers t (x, π _X ), π _X ∈S (k, m), integers r ′, β _X
, The step of calculating r (x, π _X ) that satisfies
For a constant c, And ) And a step of distributing the obtained s (x, σ _X ) and t (x, π _X ) as key information of the receiver x, and as key distribution processing, integers λ _i , μ _i Is selected at random, and In order to share the key K with only a limited recipient, Get u _i, v _i that satisfies (where, 1 ≦ i ≦ m) a step of the steps of u _i, v _i broadcast transmission determined, for a limited recipient x, obtained r Transmitting (x, π _X ) at the device of the receiver x, wherein the key information s (x, σ _X ), t of its own distributed by the broadcasting station is provided.
(X, π _x ), r (x, π _x ) and broadcast transmission data u _i ,
Based on v _i , Calculating a common key K that satisfies the following condition: 8. The key distribution method in cryptographic communication according to claim 6, wherein the broadcast station apparatus changes the values of the integers λ _i and μ _i to obtain the common key K.
A key distribution method in cryptographic communication, further comprising the step of changing the value of. 9. A key distribution method in cryptographic communication according to claim 6, wherein the broadcast station apparatus encrypts and decrypts the value of the integer β _X or r ′ or c with the common key K. A key distribution method in cryptographic communication, further comprising a step of changing the value of r (x, π _X ) to identify transmission data by changing the value in correspondence with data. 10. A key distribution method in cryptographic communication according to claim 6 or 7, wherein in a receiver's device, access to transmission data P encrypted with a common key K is restricted. The method further comprises the step of: performing an authentication process for possessing its own key information with respect to the broadcast station. In the apparatus of the broadcast station, the step of transmitting r (x, π _X ) is performed after the authentication is established. A key distribution method in cryptographic communication characterized by being transmitted. 11. A key distribution method in cryptographic communication according to claim 10, wherein in the broadcasting station apparatus, if the transmission data P encrypted with the common key K is charged, after the authentication is established, or A key distribution method in cryptographic communication, further comprising the step of charging after transmitting r (x, π _X ). 12. A sender and a plurality of receivers (hereinafter, also referred to as entities) share common key information for performing cryptographic communication by using individual key information created in advance by a key creator. A storage medium storing a program for a key distribution method in cryptographic communication, the program being stored in an information processing apparatus.
A storage medium storing a program for a key distribution method in cryptographic communication, wherein the program executes the key distribution method in cryptographic communication according to 3, 4, or 5. 13. A sender and a plurality of recipients (hereinafter, also referred to as entities) share common key information for performing cryptographic communication using individual key information created in advance by a key creator. A storage medium storing a program for a key distribution method in cryptographic communication, the program being stored in an information processing apparatus.
The key distribution method in the cryptographic communication described in 3, 4, or 5,
A storage medium storing a program for a key distribution method in cryptographic communication, wherein the program executes a step in a device of a key creator. 14. A sender and a plurality of recipients (hereinafter, also referred to as entities) share common key information for performing cryptographic communication by using individual key information created in advance by a key creator. A storage medium storing a program for a key distribution method in cryptographic communication, the program being stored in an information processing apparatus.
The key distribution method in the cryptographic communication described in 3, 4, or 5,
A storage medium storing a program for a key distribution method in cryptographic communication, wherein the program executes a step in a sender device. 15. A sender and a plurality of receivers (hereinafter, also referred to as entities) share common key information for performing cryptographic communication by using individual key information created in advance by a key creator. A storage medium storing a program for a key distribution method in cryptographic communication, the program being stored in an information processing apparatus.
The key distribution method in the cryptographic communication described in 3, 4, or 5,
A storage medium storing a program for a key distribution method in cryptographic communication, wherein the program executes a step in a receiver device. 16. A key distribution method in cipher communication for sharing common key information in a limited broadcast cipher communication in which a broadcasting station as a sender communicates only with a limited receiver among a plurality of receivers. Is a storage medium storing a program for the information processing apparatus, wherein the program is stored in an information processing apparatus.
A storage medium storing a program for a key distribution method in cryptographic communication, wherein the program executes a key distribution method in cryptographic communication according to 8, 9, 10 or 11. 17. A key distribution method in cipher communication for sharing common key information in a limited broadcast cipher communication in which a broadcasting station as a sender communicates only with a limited receiver among a plurality of receivers. A storage medium storing a program for the key distribution method in the cryptographic communication according to claim 6, 7, 8, 9, 10 or 11 in a broadcasting station. And a storage medium storing a program for a key distribution method in cryptographic communication. 18. A key distribution method in cipher communication for sharing common key information in a limited broadcast cipher communication in which a broadcasting station as a sender communicates only with a limited receiver among a plurality of receivers. A storage medium storing a program for the key distribution method in a cryptographic communication according to claim 6, 7, 8, 9, 10, or 11 in a receiving apparatus. And a storage medium storing a program for a key distribution method in cryptographic communication. 19. A sender and a plurality of recipients (hereinafter also referred to as entities) share common key information for performing cryptographic communication by using individual key information created in advance by a key creator. Means for creating a finite set S consisting of secret information of a key creator and a finite set P consisting of public information, and corresponding to a subset Sx of the finite set S. Means for generating and distributing key information Kx of the entity x; and a means for generating a finite set W from the elements of the finite set P and random numbers, and transmitting the finite set W. And a communication unit for transmitting the data as data; and a subset Wx of the finite set W corresponding to the set predetermined by the key creator from the finite set W as transmission data. Means for calculating a unique value Ix of the entity x from each element of the subset Wx; and a common unit between the entity that is the sender based on the unique value Ix and the key information Kx. A key distribution system in cryptographic communication, comprising: means for calculating a key K; 20. A key distribution system for cryptographic communication according to claim 19, wherein when the key creator and the sender match, the sender can perform a cryptographic communication with an arbitrary receiver. A key distribution system in cryptographic communication for sharing key information of the key creator device, wherein the key creator device and the sender device are configured as one device, and the one device is a key device. For the entity x, the sharing recipient,
Identification information Qx using key information Kx of the entity x
And a means for transmitting the identification information Qx to the device of the entity x. In the receiver device, the means for calculating the common key K includes the unique value Ix and the key Information Kx and the identification information Qx
A key distribution system in cryptographic communication, wherein a common key K between the sender and the entity is calculated based on the following. 21. A sender and a plurality of recipients (hereinafter, also referred to as entities) share common key information for performing cryptographic communication using individual key information created by a key creator. A key distribution system in cryptographic communication for: Means for generating a set KS of secret information of the key creator and a set KP of public information, and σ _X εS (k, m): Means for calculating s (i, x, σ _X ) and t (i, x, σ _X ) (where i = 1, 2) which satisfies For, A means for calculating s (x, σ _X ) that satisfies and a means for distributing the obtained s (x, σ _X ) as key information of entity x (where G is a finite abel (multiplicative) group, and a set KP includes an element that determines G, and And And ord _G (g) is given by And the set S (k, m) = ｛f
| One-to-one mapping f: A = {1, 2,..., K} → B = {1,
2,..., M}, k <m｝. ), And a key creator-side device having: and randomly selected integers r ₁ ,..., Rm _{+ 1.} For the purpose of sharing the key K with the entity that is the receiver, from the public information of the key creator, as broadcast data, Means for calculating a u _i satisfying, obtained u _i (however, 1 ≦ i ≦ m) means for transmitting broadcasts, and the sender apparatus wherein the creation broadcast data u _i and the key Based on its own key information s (x, σ _X ) distributed by the person, And a means for calculating a common key K that satisfies the following. A key distribution system in cryptographic communication, comprising: 22. A sender and a plurality of receivers (hereinafter also referred to as entities) share common key information for performing cryptographic communication by using individual key information created in advance by a key creator. A key distribution system in cryptographic communication for performing the following: as secret information of a key creator, And the public information of the key creator: And σ _X ∈S (k, m): Means for calculating (where i = 1, 2) s (i, x, σ _x ) and t (i, x, σ _x ) satisfying: For: Means for calculating s (x, σ _X ) that satisfies And And ord _N (g) is: And the set S (k, m) = ｛f
| One-to-one mapping f: A = {1, 2,..., K} → B = {1,
2,..., M}, k <m｝. A) obtained s (x, means for distributing the sigma _X) as the key information of an entity x, a key creator side apparatus equipped with the integer r _1, · · ·, randomly selects r m + ₁ , In order to share the key K with the entity that is the receiver, the public key of the key creator is used as broadcast data as follows: Means for calculating u _i that satisfies the following, and means for broadcasting the obtained u _i (where 1 ≦ i ≦ m), and the broadcast data u _i and key generation Based on its own key information s (x, σ _X ) distributed by the person, And a means for calculating a common key K that satisfies the following. 23. A key distribution system in the encryption communication according to claim 21 or 22, wherein said transmitting side apparatus is an integer r _1, · · ·, by changing the value of r m + _1, the common A key distribution system in cryptographic communication, further comprising means for changing a value of a key K. 24. A key distribution in cipher communication for sharing common key information in a limited broadcast cipher communication in which a broadcasting station as a sender communicates with only a limited one of a plurality of receivers. A system comprising: Means for generating a set KS of secret information of the broadcast station and a set KP of public information (where G is a finite abel (multiplicative) group, and the set KP includes an element for determining G; , Ord _G (g) is given by Represents the minimum positive integer x. ) And σ _X ∈S (k, m), Means for calculating s (i, x, σ _X ) and t (i, x, σ _X ) (where i = 1, 2), For: Means (where: And the set S (k, m) = ｛f | 1-to-1 mapping f: A =
{1,2, ..., k} → B = {1,2, ..., m}, k <
m｝. ), And integers t (x, π _X ), π _X ∈S (k, m), integers r ′, β _X
For: Means for calculating r (x, π _X ) that satisfies
For, And A) obtained s (x, sigma _X) and t (x, a [pi _X), means for distributing the key information of the receiver x, comprising a preparation process means consisting of, and, integral lambda _i, mu _i Is selected at random, and In order to share the key K only with a limited recipient, Means for calculating a u _i, v _i satisfying, obtained u _i, v _i (however, 1 ≦ i ≦ m) with respect to the means for transmitting broadcast, limited recipients x, r (x , [pi means for transmitting _X), with a key distribution processing means comprising in a broadcast station apparatus, the broadcast data u _i, v _i and its distributed by broadcast station key information s (x , Σ _X ), t (x, π _X ), r (x,
π _X ) and And a means for calculating a common key K that satisfies the following. A key distribution system in cryptographic communication, comprising: 25. A key distribution in cipher communication for sharing common key information in a limited broadcast cipher communication in which a broadcasting station as a sender communicates with only a limited one of a plurality of receivers. In the system, as secret information of the broadcasting station, (Where ord _N (g) is given by Represents the minimum positive integer x. ) And as public information of the broadcasting station, And σ _X ∈S (k, m): Means for calculating (where i = 1, 2) s (i, x, σ _X ) and t (i, x, σ _X ) satisfying: For, Means for calculating s (x, σ _X ) that satisfies And the set S (k, m) = ｛f | one-to-one mapping f: A =
{1,2, ..., k} → B = {1,2, ..., m}, k <
m｝. ), Integers t (x, π _X ), π _X ∈S (k, m), integers r ′, β
_{For X} , Means for calculating r (x, π _X ) that satisfies s (x, σ _X ) and t (x, π _X )
Means for distributing as key information of the following (however, for a constant c, And ), And preparation processing means of: and randomly selecting integers λ _i and μ _i , In order to share the key K with only a limited recipient, Means for calculating a u _i, v _i satisfying, obtained u _i, v _i the calculation (where, 1 ≦ i ≦ m) with respect to the means for transmitting broadcast, limited recipients x, determined and r (x, π _X) and means for transmitting, with a key distribution means comprising at the broadcast station apparatus, wherein the broadcast transmission data u _i, v _i and its key information distributed by the broadcast station s (x, σ _X ), t (x, π _X ), r (x, π
_X ) and And a means for calculating a common key K that satisfies the following. A key distribution system in cryptographic communication, comprising: 26. The key distribution system according to claim 24 or 25, wherein the broadcast station side device changes a value of a common key K by changing values of integers λ _i and μ _i. A key distribution system in cryptographic communication, further comprising: 27. The key distribution system according to claim 24 or 25, wherein the broadcast station performs encryption / decryption of the value of the integer β _X, r ′ or c with the common key K. A key distribution system in cryptographic communication, further comprising: means for changing the value of r (x, π _X ) to identify transmission data by changing the value in correspondence with data. 28. The key distribution system according to claim 24 or 25, wherein the receiver side device is configured to restrict access to the transmission data P encrypted with the common key K. Further comprising means for performing an authentication process on possession of its own key information with respect to the broadcast station, wherein the means for transmitting r (x, π _X ) of the broadcast station side device, after the authentication is established, A key distribution system for cryptographic communication, wherein r (x, π _X ) is transmitted. 29. The key distribution system in encrypted communication according to claim 28, wherein the broadcast station side device, if the transmission data P encrypted with the common key K is charged, after the authentication is established, Or r
A key distribution system in cryptographic communication, further comprising means for charging after transmitting (x, π _X ). 30. An information processing apparatus wherein a receiver calculates common key information for performing cryptographic communication with a sender using key information created in advance by a key creator, a device body with a means for receiving the u _i of claim 21 which is transmitted from the sender, which is detachably attached to the apparatus main body, the key information s (x according to claim 21, sigma _X )
And an IC card having means for storing the key information s (x,
σ _X ) and u _i received by the device body, Means for calculating K ′ that satisfies (where u _X is Represents any of the following. ), Wherein the apparatus main body is based on the calculation result of the IC card. An information processing apparatus further comprising means for calculating a key K satisfying the following. 31. An information processing apparatus in which a receiver calculates common key information for performing cryptographic communication with a sender using key information created in advance by a key creator, a device body with a means for receiving the u _i of claim 22 which is transmitted from the sender, which is detachably attached to the apparatus main body, the key information s (x according to claim 22, sigma _X )
And an IC card having means for storing the key information s (x,
σ _X ) and u _i received by the device body, Means for calculating K ′ that satisfies (where u _X is given by: Represents any of the following. The apparatus main body further comprises: (90) based on the calculation result of the IC card. An information processing apparatus further comprising means for calculating a key K satisfying the following. 32. An information processing apparatus in which a receiver calculates common key information for performing encrypted communication with a broadcasting station using key information created in advance by a broadcasting station as a sender. a is, u _i of claim 24 which is transmitted from a broadcast station, v _i and r (x, π _X) and device body with a means for receiving, detachably configured on the device body 25. An IC card comprising means for storing key information s (x, σ _X ) and t (x, π _X ) according to claim 24, wherein the IC card has the key information s stored therein. (X,
σ _x ), t (x, π _x ) and the information u _i , v _i received by the device body, And (Where u _X is given by: Represents any of the following. ), Wherein the apparatus main body is based on the calculation result of the IC card. An information processing apparatus further comprising means for calculating a key K satisfying the following. 33. An information processing apparatus in which a receiver calculates common key information for performing encrypted communication with a broadcasting station by using key information created in advance by a broadcasting station as a sender. a is, u _i of claim 25 which is transmitted from a broadcast station, v _i and r (x, π _X) and device body with a means for receiving, detachably configured on the device body 26. An IC card comprising means for storing key information s (x, σ _X ) and t (x, π _X ) according to claim 25, wherein the IC card has the key information s stored therein. (X,
σ _X), t (x, a [pi _X), based on said device information u _i the unit is received, and v _i, Equation 95] And (Where u _X is given by: Represents any of the following. ), Wherein the apparatus main body is based on the calculation result of the IC card. An information processing apparatus further comprising means for calculating a key K satisfying the following.