KR100975038B1 - System of Broadcast Encryption and Method thereof - Google Patents

Abstract

The present invention relates to a broadcast encryption system capable of efficiency in terms of transmission amount, storage amount and size of a public key used as a broadcast encryption parameter.

The broadcast encryption system disclosed herein divides all users in the broadcast encryption system into a plurality of groups and generates random numbers as many as the number of groups and as many random numbers as the number of users belonging to each of the divided groups. A key generator for generating a public key for use in encrypting and broadcasting a message to a user who has a legitimate reception right in the terminal, and generating a secret key for decrypting the encrypted message, and transmitting the secret key to all users in the group. A key distribution unit for distribution (broadcasting), and a message encryption / transmission unit for encrypting the broadcasted message and transmitting it to message receivers solve the problems of the present invention.

Description

Broadcast Encryption System and Method thereof

The present invention relates to a broadcast encryption system and a method thereof, and more particularly, to a broadcast encryption system and method capable of achieving efficiency in terms of transmission amount, storage amount and size of a public key used as a broadcast encryption parameter. .

Broadcast Encryption is a method of encrypting and delivering a message to only the users (recipients) desired by the sender of the message among all users. Only one legitimate user can encrypt the encryption key through a single password broadcasting. ) Can be efficiently used for satellite TV reception services of paid channels or for transmission of copyright-protected content.

Broadcast encryption should be able to be effectively used when the set of users to receive information varies randomly and dynamically. The most important thing in broadcast encryption is that message senders effectively revocation unwanted users (eg, illegal users or expired users).

According to broadcast encryption, when a message sender encrypts a message and transmits it to a large number of users (recipients) (when encrypting transmission, the user set S, a header, and an encryption key K are added to the ciphertext and transmitted). Only the belonging user extracts the message encryption key K and then decrypts and views the message C _M encrypted with the extracted key.

In this case, the users belonging to user set S are called permitted users.By default, the broadcast encryption technique requires that only those legitimate users should be able to get messages, and users who do not belong to S should not be able to get messages. A response mechanism should be provided for cases in which the authority of Revoked is revoked. In other words, the broadcast cryptography must be secure against the collusion attack of the revoked recipients because the revoked recipients can collocate and attack.

Broadcast encryption methods include symmetric (private) key setting and public key setting (public key setting). According to the symmetric key-based scheme, only a trusted sender first generates and distributes a user's private key and transmits a broadcast message to the user. The user decrypts and confirms the transmitted message using the distributed private key. In a symmetric key-based approach, the trusted sender takes full responsibility for the encryption, and if the encryption system is inoperable, the entire broadcast cryptosystem is paralyzed. In addition, there is a disadvantage in that a complicated key renewal process is required for joining and leaving a member.

In contrast, the public key-based method can overcome the disadvantages of the symmetric key-based method by allowing anyone in the group (user) to transmit a broadcast message using a public key that is commonly used, and does not require a complicated key update process. . In addition, the public key-based broadcast encryption method has the superiority that can be easily converted to the symmetric key-based method. Therefore, current broadcast encryption is almost always implemented in a public key based manner.

Several schemes have been proposed for the implementation of the broadcast encryption scheme. The representative schemes include the schemes proposed by Boneh, Gentry, and Water (BGW).

This technique can be an effective solution when the total number of users is large or the number of users excluded from legitimate users is small, but it is very inefficient in terms of ciphertext transmission, public key storage, and public key size.

The problem to be solved by the present invention is to propose a public key broadcast encryption technique that is completely secure against collusion attacks, as in the above techniques, but to provide a broadcast encryption technique that has advantages in terms of ciphertext transmission, public key storage and public key size I would suggest.

In order to solve the above problems, the broadcast encryption system disclosed herein divides all the users in the broadcast encryption system into a plurality of groups, the number of random numbers and the number of users belonging to each divided group. A key generator for generating a random number, generating a public key for encrypting and broadcasting a message to a user who has a legitimate receiving authority in a group, and generating a secret key for decrypting the encrypted message, the secret The present invention solves the problems of the present invention including a key distribution unit for distributing (broadcasting) a key to all users in a group, and a message encryption / transmitter for encrypting the broadcasted message and transmitting the message to a message receiver.

delete

The key generation unit solves the problem of the present invention by generating only the number of all users when generating the public key. The key generation unit also obtains the unique index for each user among the entire users, and calculates the index. It solves the problem of the present invention by generating a secret key.

The message encryption / transmitter generates an encryption key generator for generating an encryption key of a message to be broadcast, a header generator for generating headers reflecting the two indexes, and a ciphertext for encrypting a message to be broadcast with an encryption key. The present invention solves the problems of the present invention by including an encrypted message writing / broadcasting unit broadcasting the message receiver by adding a header to the header.

On the other hand, the decryption of the encrypted message eliminates the need for the public key, thereby solving the problem of the present invention.

In order to solve the above problems, the broadcast encryption method disclosed herein
(a) dividing the entire users in the broadcast encryption system into a plurality of groups, generating random numbers as many as the number of groups and as many random numbers as the users belonging to each divided group, so that users with legitimate reception rights in the group Generating a public key for use in encrypting and broadcasting the message to the client,
(b) generating a secret key for decrypting the encrypted message;
(c) distributing (broadcasting) the public and private keys to all users in the group, and

(d) solving the problems of the present invention, including the step of encrypting the broadcasted message and transmitting it to message recipients.

Step (a) solves the problems of the present invention by generating only the number of public keys for all users.
Step (b) solves the problem of the present invention by obtaining a unique index for each user among all the users, and generating a secret key using the index.

delete

In step (d), an encryption key of a message to be broadcast is generated, a header is generated by reflecting two indexes, a cipher text is encrypted by encrypting the message to be broadcast with the encryption key, and a header is added to the encryption text. Addressing the subject of the present invention includes broadcasting to the recipients.

The broadcast encryption scheme according to the present invention exhibits superior performance in terms of ciphertext transmission amount, public key storage amount, and public key size, compared to the conventionally proposed techniques.

Prior to the description of the specific contents of the present invention, for the convenience of understanding, an outline of a solution of the problem to be solved by the present invention is first presented.

The broadcast encryption scheme according to the present invention, like the BGW scheme, seeks a trade-off between the ciphertext transmission and the public key storage. A user group (subset) with the same size of total n (= a * b) users S ₁ ,. Divide by, S _a (each subset has b users), and the number of revoked users in each subset r ₁ ,… , r _a When the minimum number is r ', the encryption scheme according to the present invention has a ciphertext transmission amount of (a + 1) G + rlog ₂ n and a public key storage amount of (b + 1-r'). The larger the number of users established, the smaller the amount of public key storage. Where r is the total number of revoked users in the user group, where r ₁ +… + r _a .

The starting point of the encryption scheme according to the present invention is a private key generation method using BHG Hierarchical Identity Based Encryption (BBG HIBE) of Boneh, Boyen, Goh. In the b-stage BBG HIBE, the key generation algorithm, briefly mentioned, is a private key (d _ID) for ID = I ₁ at depth 1 for any random number r belonging to group Z _p whose prime order is p. ) Is generated as follows.

d _ID = (g ₂ , (g ₃ h ₁ ^I1 ) ^r , g ^r , h ₂ ^r , ..., h _b ^r ).

with the exception of g ₃ , each S ₁ ,. You must add a public key corresponding to, S _a . Next, i = (u-1) b + v is satisfied and {1,… , n} of the user i's private key (d _ID ) (g ₂ (x _u h _v ) ^r , g ^r , h ₁ ^r ,…, h _{v -1} ^r , h _{v +1} ^r ,…, h _b ^r ).

This conversion allows the encryption scheme according to the present invention to handle a total of n (= ab) users. Under the assumption of Bilinear Diffie-Hellman Exponent (BDHE), the security of the encryption scheme according to the present invention can be demonstrated.

Hereinafter, the configuration of the invention for clarifying the solution of the technical problem of the present invention will be described in detail with reference to the accompanying drawings based on the preferred embodiment of the present invention, the same configuration in the reference numerals to the components of the drawings The elements have been given the same reference numerals even though they are in different drawings, and it is noted that in the description of the drawings, components of other drawings may be cited if necessary.

First, notations used for explanation of the present invention are defined as follows.

G: Multiplication cycle group with rank p.

G _T : Multiplication cycle group with rank p.

e (,): Pairing function defined in group G.

Z _p : A group with rank p.

g: generator of group G.

α: Used to generate a user's secret key with a random number chosen from group Z _p ^* .

h: Used to generate public, secret and encryption keys with random numbers selected from G group.

x _u : Used to generate public and private keys with random numbers selected from G group. u has a value from 1 to a.

y _v : Used to generate public and private keys with random numbers selected from G group. v has a value from 1 to b.

i: Integer value representing an individual user, with a value from 1 to n.

S: Group of legitimate users out of n total users.

r: Random number selected from Z _p group. Used to randomly generate a user's private key.

s: Random number chosen from Z _p group. Used to randomly generate a message encryption key.

1 to 2 is a view showing the configuration of a preferred embodiment of the present invention, Figure 3 is a view showing a preferred flow of the present invention.

The key generation unit 11 generates a public key PK to be used as an encryption parameter of the message and a secret key d _i of each user i (i ∈ {1, ..., n}) (S11). (12) distributes the generated public and private keys to each user i (S12), and the generation and distribution of the public and private keys is performed as follows.

The key generation unit 11 first sets two groups G and G _T having a rank p and sets a pairing function e (,) between the two groups (S111). The pairing function is set to generate an encryption key K necessary for encrypting a message to be transmitted to the user and to use to extract from the encrypted message the key K necessary for the user (message recipient) to decrypt the encrypted message.

The key generation unit 11 next arbitrarily selects the generation source g of the group G, selects a random number α, and sets g ₁ = g ^α . And random number h, x ₁ ,... , x _a , y ₁ ,... , y _b Where a and b are the same as the notations mentioned above. The key generation unit 11 generates a public key PK using the generation source and random numbers as described above (S112).

PK = (g, g ₁ (= g ^α ), h, x ₁ ,…, x _a , y ₁ ,…, y _b ).

Where h and g ₁ are inserted for use in generating the encryption key K needed to generate a ciphertext (C _M ) to be sent to users, and g is for generating a header (Hdr) to append to the ciphertext (C _M ). Is inserted.

Meanwhile, the number of public key PKs according to the present invention requires only the number of users, that is, n, which is different from the BGW technique. The BGW technique requires 2n public keys for n users.

The reason why the number of public keys in the technique according to the present invention and the BGW technique is the same is different because the algebraic structure for generating the encryption key K is different.

The encryption key K by the BGW technique is generated as follows.

--- 식 (1).

--- Equation (1).

Looking at this equation, g ^(αi) and g ^{(αn + 1-j)} are multiplied exponentially by the nature of pairing in the molecule. Thus, an exponent with an order of n + 1-j + i is produced, if j = 1 and i = n, then n + 1-j + i = 2n. In addition, when j = n and i = 1, n + 1-j + i = 2. Therefore, to match this to the denominator, g ₂ ,.. Almost 2n elements of, g _2n are needed. Where g _i = g ^{(α i)} .

On the other hand, in the encryption scheme according to the present invention, the decryption key K is generated as follows.

--- 식 (2).

--- Equation (2).

인데(여기서 ki,j = y_j ^r이다), 저장된 n개의 k_{i ,j} 값들을 가지고 복호를 수행할 수 있다.Where k _{i , j} is the secret key

Inde (where the ^{_{ki, j = y j r)}} , it is possible to perform the decoding with the stored n of k _{i, j} values.

As can be seen from this equation, in the encryption method according to the present invention, the order of the numerator and the denominator are not made equal by multiplying the exponents as in the BGW method, but simply setting the numerator and the denominator to have the same order. Therefore, the public key PK implementation only needs n elements, not 2n.

The key generation unit 11 generates the public key PK as described above, and then generates a secret key d _i necessary for later decrypting the encrypted message received by each user i (S113).

To generate the secret key d _i , we first compute two values u, v that satisfy i = (u-1) b + v and then select a random number r that belongs to the group Z _p . Where u is the index of each group of recipients (i.e., a subset of S _u of S) formed by dividing the message receivers, and v is the index of a subset S _u of each user i. Therefore u takes values from 1 to a and v takes values from 1 to b.

After u and v are calculated, the private key d _i of user i is obtained as follows.

d _i = (h ^α * (x _u * y _v ) ^r , g ^r , y ₁ ^r ,…, y _{v −1} ^r , y _{v +1} ^r ,…, y _b ^r ).

The key distribution unit 12 broadcasts (distributes) the public key PK and the generated secret key d _i to each user i (S12).

The method according to the present invention for generating a public key PK to be used as a parameter of broadcast encryption and a secret key d _i of each user has the following differences from the BGW scheme that is the background of the present invention.

In terms of the size of the public key, in the case of the technique according to the present invention, the public key PK is implemented using only (a + b + 3) elements belonging to the group G as described above.

On the contrary, since the public keys of the BGW-1 and BGW-2 schemes are implemented using (a + 2b) elements belonging to group G, there are about b more public keys than the encryption scheme of the present invention. Element is required Therefore, the encryption scheme according to the present invention has an advantage over the BGW scheme in terms of public key size.

For example, suppose that the total number of users (n) is 1 million and a and b are 1,000 each. In this case, since the amount of data required to represent an element of one group G is approximately 160 bits, the size of the public key is at least 480 Kbit in the BGW scheme. However, in the case of the present invention is 320 Kbit. As a result, the size of the public key is reduced by 33% compared to the conventional scheme.

On the other hand, according to the BGW technique, the user's private key must be stored in the storage device of the user terminal and the public key must be stored in order to decrypt the encrypted message. However, in the present invention, the user's secret key d _i is composed of approximately (b + 1) (previously (b + 1-r ')) elements of group G as described above, and additionally uses the public key for decryption. You do not need to save it.

That is, in the BGW scheme, since the public key PK is required for decryption of the encrypted message, the receiver must store the public key in his terminal to decrypt the encrypted message. In the encryption scheme employing the PKBE (Public Key Based Encryption) technique, the public key is generally stored separately at the receiver (user) terminal for speed of decryption.

However, according to the encryption scheme of the present invention, the decryption of the encrypted message can be performed using only the secret key without the need for the public key. According to the encryption scheme according to the present invention, a public key is necessary only when a message sender encrypts and transmits a message to users. Therefore, there is no need to store the public key separately, and the technique of the present invention can reduce the total storage amount than the BGW technique.

On the other hand, in the BGW-1 scheme, since the ciphertext must be included in the ciphertext, which is necessary for decryption, the size of the ciphertext is greatly increased and thus the amount of public key storage is greatly increased.

On the other hand, in the BGW-2 scheme, since the public key required for decryption is stored in a storage device of the user terminal, the amount of public key storage is approximately (2b + 1) group G elements. Therefore, in the case of the present invention, it is possible to obtain a gain in terms of ciphertext transmission compared to the BGW scheme, and to reduce b elements in terms of public key storage.

When the public key PK and the secret key d _i of each user i are generated and distributed, the message encryption / transmitter 13 receives a message transmission request from the receivers and transmits the message to the receivers (users) belonging to the set S. The M is encrypted and transmitted to the user (S13). The encryption of the message M is performed as follows.

First, the encryption key generation unit 131 selects a random number s from the Z _p group and generates a message encryption key K as follows (S131). K = e (h, g ^w ) ^s . Here, e (,) means the pairing function set above.

Next, the header generation unit 132 sets the set of recipient users S ₁ ,... Assuming that it is divided into a subset of S _a , _a header Hdr of the encrypted message is generated as follows (S132).

.

.

The encrypted message creation / broadcasting unit 133 encrypts the message M with the encryption key K using a symmetric key algorithm to create a ciphertext C _M (S133), and the user group (S) and the header (Hdr) in the ciphertext C _M. Creates an encrypted message added to the broadcast to the recipient (user) (S134). That is, C _M = E _K (M), and broadcasts (transmits) (S, Hdr, C _M ) to the user.

The encryption of a message by the scheme provided by the present invention has the following advantages over the BGW scheme. In the present invention, the ciphertext can be generated using only the elements of (a + 1) group G (since Hdr is implemented with (a + 1) elements).

On the other hand, in the BGW-1 scheme, as mentioned above, the header is implemented because the public key necessary for decryption of the ciphertext is included in the ciphertext every time the ciphertext is transmitted. Is needed.

In the case of the BGW-2 technique, the ciphertext can be generated using only (a + 1) group G elements as in the case of the present invention, but the amount of public key storage uses more b elements than the present invention (of the present invention). In this case, if the number of canceled users is large, the amount of storage can be further reduced). Therefore, the technique of the present invention has the same or more advantages as the BGW technique in terms of encryption text transmission or public key storage.

The decryption module in the terminal of each user i decrypts the ciphertext C _M received by the receiver (user) belonging to the legitimate user set S, and the decryption is performed as follows (S14).

Each user (recipient) i is the user with the v-th index of the subset S _u , whose secret key is d _i = (d _{i , 1} , d _{i , 2} , k _{i , 1} ,…, k _{i , v -1} , k _{i , v + 1} ,..., K _{i , b} ), and Hdr = (A ₁ , ..., A _a , B) of the encrypted message received from the sender. Where d _{i, 1} is the above h * (x _u * y _v ) ^r , d _{i, 2} is the above g ^r , k _{i, 1} is the above y ₁ ^r , and k _{i, v-1} is the above In one y _v-1 ^r , k _{i, v + 1 corresponds} to y _{v + 1} ^r and k _{i, b} corresponds to y _b ^r . And A ₁ of Hdr corresponds to (x ₁ * ∏ _{j ∈ S1} y _j ) ^s , A _{a corresponds} to (x _a * ∏ _{j ∈ Sa} y _j ) ^s and B corresponds to g ^s , respectively. do.

The decryption module in the terminal of each user i first extracts an encryption key K for each user i from the encrypted message received from the message encryption / transmitter 13 (S141), and the secret received from the key distribution unit 12. Extracted from the header received from the key d _i and the message encryption / transmission unit 13, specifically through the following equation.

.

.

This equation for K is the same as Equation (2) given above.

Where e (,) is the pairing function set above. The decryption module in the terminal of each user i decodes the ciphertext C _M using the extracted encryption key K by using a symmetric key algorithm (S142). That is, M = D _K (C _M ).

As described above, it can be seen that the encryption scheme according to the present invention does not use the PK to decrypt the message M, unlike the BGW technique.

Referring to the broadcasting encryption scheme according to the present invention using a simple embodiment as follows.

Assuming that the total number of users (recipients) is set to 25, 25 total users are divided into 5 small groups (a = 5). That is, small group S ₁ ,. , S ₅ and each group contains 5 people (b = 5).

The key generation unit 11 generates a public key PK using the generation source and random numbers of the group G as follows.

PK = (g, g ₁ , h, x ₁ , x ₂ , x ₃ , x ₄ , x ₅ , y ₁ , y ₂ , y ₃ , y ₄ , y ₅ ).

The key generation unit 11 generates a secret key d _i for each user i (i ∈ {1, ..., 25}) after generating the PK. First, the key generation unit 11 obtains u and v corresponding to each user i. For example, in the case of i = 24, according to the above equation for obtaining u and v, since b = 5, u = 5 and v = 4. Therefore, the secret key d ₂₄ for i = 24 is generated as follows.

d ₂₄ = (h ^α * (x ₅ * y ₄ ) ^r , g ^r , y ₁ ^r , y ₂ ^r , y ₃ ^r , y ₅ ^r ).

The generated public key PK and secret key d _i are distributed to each user by the key distribution unit 12.

The message encryption / transmitter 13 encrypts the message M to be transmitted to the receiver users belonging to the set S and transmits the message M to the user. The encryption key setting unit 131 of the transmitter selects a random number s from the Z _p group Set the message encryption key K as follows. K = e (h, g ^w ) ^s .

Header generation unit 132 is a set of users S is S ₁ ,. Since it is divided into a subset of S ₅ , the header Hdr of the encrypted message is generated as follows.

Encrypting the message creation / broadcasting unit 133 creates a cipher text C _M encrypts the message M with the encryption key K by using a symmetric key algorithm, and the cipher text C _M user sets the (S) and the encrypted message added to said header Create and broadcast to recipients (users).

The decryption module in the terminal of each user i decrypts the cipher text C _M received by the receiver (user) belonging to the legitimate user set S.

)^s 에, A₅는 상기한 (x₅ *

)^s 에, B는 상기한 g^s에 각각 해당한다.Each user (receiver) i is the user with the v th index of the subset S _u , and if i = 24, the secret key is d ₂₄ = (d _{24 , 1} , d _{24 , 2} , k _{24 , 1} , k _{24,2 ,} k _{24 , 3} , k _{24 , 5} ), and Hdr = (A ₁ ,..., A ₅ , B) of the encrypted message received from the sender. Where d _24,1 is the above h * (x ₅ * y ₄ ) ^r , d _24,2 is the above g ^r , k _24,1 is the above y ₁ ^r , and k _24,3 is y above _{In 3} ^r , k _{24 , 5} correspond to y ₅ ^r described above, respectively. And A ₁ of Hdr is the above (x ₁ *

) ^s , A ₅ is the above (x ₅ *

) ^s , B corresponds to g ^s described above, respectively.

The decryption module in the terminal of each user i extracts an encryption key K for each user i from the encrypted message received from the message encryption / transmitter 12. The encryption key for i = 24 is extracted as follows.

.

.

Where e (,) is the pairing function set above. The decryption module in the terminal of each user i decrypts the ciphertext C _M using the extracted encryption key K using a symmetric key algorithm to decrypt the message M. That is, M = D _K (C _M ).

The following table compares the performance of the present invention with BGW scheme in terms of throughput, storage, computation and public key size. The total number of users is n (= a * b). First, the symbols shown in the table are explained as follows.

G: elements of group G, r '= min (r ₁ , ..., r _a ), r: total number of leavers in the user group.

BGW-1 and BGW-2 are two versions of the BGW technique described above. As shown in the above table, it can be seen that the encrypted text transmission amount, public key storage amount and public key size by the encryption method of the present invention are the same or further improved by the BGW method.

The present invention can also be embodied as computer readable code on a computer readable recording medium. The computer-readable recording medium includes all kinds of recording devices in which data that can be read by a computer system is stored.

Examples of the computer-readable recording medium include a ROM, a RAM, a CD-ROM, a magnetic tape, a floppy disk, an optical data storage device, and the like, and may be implemented in the form of a carrier wave (for example, transmission via the Internet) . The computer readable recording medium can also be distributed over network coupled computer systems so that the computer readable code is stored and executed in a distributed fashion.

The present invention has been described above with reference to preferred embodiments thereof. Those skilled in the art will appreciate that the present invention can be implemented in a modified form without departing from the essential features of the present invention.

Therefore, the disclosed embodiments should be considered in descriptive sense only and not for purposes of limitation. The scope of the present invention is shown in the claims rather than the foregoing description, and all differences within the equivalent scope will be construed as being included in the present invention.

1 and 2 show the configuration of a preferred embodiment of the present invention.

3 is a view showing a preferred flow of the present invention.

Claims (11)

By dividing the entire users in the broadcast encryption system into a plurality of groups and generating a random number as many as the number of groups and as many as the number of users belonging to each divided group, a message is sent to a user who has a legitimate reception right in the group. A key generator for generating a public key for use in broadcasting by encrypting and generating a secret key for decrypting an encrypted message; A key distribution unit for distributing (broadcasting) the public and private keys to all users in the group; And And a message encryption / transmitter for encrypting the broadcast message and transmitting the encrypted message to message recipients. The method of claim 1, wherein the key generation unit And generating only the total number of users when generating the public key. The method of claim 2, wherein the key generation unit And obtaining a unique index for each user among the entire users from the secret key, and generating a secret key using the index. The method of claim 3, wherein the message encryption / transmission unit An encryption key generation unit for generating an encryption key of the broadcasting message; A header generator for generating a header by reflecting the two indexes; And Broadcast encryption, characterized in that it comprises an encrypted message creation / broadcast unit for creating a cipher text encrypting the message to be broadcast with the encryption key, and adds the header to the cipher text to broadcast to the message recipients system. The method of claim 1, And the public key is not required to decrypt the encrypted message. (a) dividing the entire users in the broadcast encryption system into a plurality of groups, generating random numbers as many as the number of groups and as many random numbers as the users belonging to each divided group, so that users with legitimate reception rights in the group Generating a public key for encrypting the message to use when broadcasting the message; (b) generating a secret key for decrypting the encrypted message; (c) distributing (broadcasting) the public and private keys to all users in the group; And (d) encrypting the broadcasted message and transmitting the encrypted message to message receivers. The method of claim 6, wherein step (a) And generating the public key only as many as the total number of users. The method of claim 7, wherein step (b) And obtaining a unique index for each user among all the users, and generating a secret key using the index. The method of claim 8, wherein step (d) (d1) generating an encryption key of the message to be broadcast; (d2) generating a header by reflecting the two indexes; (d3) creating a cipher text encrypting the message to be broadcast using the encryption key; And and (d4) adding the header to the cipher text to broadcast the message to the receivers. The method of claim 9, And the public key is not required to decrypt the encrypted message. A computer readable recording medium having recorded thereon a program for executing the method of claim 6 on a computer.

Images