KR20060049340A - Method of managing a key of user for broadcast encryption - Google Patents

Abstract

A method of managing user keys for broadcast encryption is disclosed. The present invention provides a method of assigning a node path ID to each of the nodes sequentially arranged, and assigning a seed value key to each node according to the node path ID. By repeatedly applying the hash function to the key to generate key values, and sequentially giving the generated key value to each node. According to the present invention, the most important transmission amount in broadcast encryption can be reduced to less than r. In addition, embodiments of the present invention has the advantage that the amount of transmission can be significantly reduced compared to the SD known as the best method up to now.

Broadcast encryption, hash functions, seed keys, hash chains, hierarchies

Description

How to manage user keys for broadcast encryption {METHOD OF MANAGING A KEY OF USER FOR BROADCAST ENCRYPTION}

1 is a diagram illustrating a network structure of a data transmission system using general broadcast encryption;

2 illustrates a concept of broadcast encryption for allocating keys in a conventional tree structure;

3 is a flowchart illustrating a procedure of assigning a key value by mapping a one-way key chain to each node of a linear structure according to an embodiment of the present invention;

4 is a diagram illustrating a method of assigning an arbitrary seed key to each node of a linear structure according to an embodiment of the present invention;

5 is a diagram illustrating a method of mapping a one-way key chain to each node of a linear structure according to an embodiment of the present invention;

6 is a diagram illustrating a method of mapping a key value to each node of a linear structure according to an embodiment of the present invention;

7 is a view showing a result of a key value corresponding to each node of a linear structure according to an embodiment of the present invention;

8 is a flowchart illustrating a session key transfer procedure to an interval between illegal users according to an embodiment of the present invention;

9 is a view showing the definition of the interval in the linear structure according to an embodiment of the present invention,

10 is a view showing a method for transmitting a session key in a section of a linear structure according to an embodiment of the present invention;

11 is a flowchart illustrating a procedure of decrypting data by a session key received by a user of each node according to an embodiment of the present invention;

12 is a view showing the definition of a special node in the linear structure according to the first modified embodiment of the present invention;

FIG. 13 is a diagram showing a method for mapping a key value to each node in a linear structure according to a first modified embodiment of the present invention; FIG.

14 is a diagram illustrating a method for dividing a section for transmitting a session key according to a first modified embodiment of the present invention;

FIG. 15 is a diagram illustrating a method for transmitting a session key when divided into a plurality of sections according to a first modified embodiment of the present invention; FIG.

16 is a view showing a section setting method according to a second modified embodiment of the present invention;

FIG. 17 is a diagram showing a method of mapping a key value to each node in a linear structure according to a second modified embodiment of the present invention; and

18 illustrates a hierarchical structure of node groups having an annular structure according to an embodiment of the present invention.

Explanation of symbols on the main parts of the drawings

100: content producer 110: service provider

120: satellite 130: Internet network

140: network 141: set-top box

142: mobile communication terminal 150: smart home network

151, 152, 153, 154, 155: terminal 160: illegal user

The present invention relates to a broadcast encryption method, and more particularly to an efficient user key management method for broadcast encryption.

Broadcast encryption (hereinafter, referred to as 'BE') is a method of effectively transmitting information only to users who are desired by a sender (ie, a broadcast center) among all users. It must be able to be used effectively when the set of users is arbitrarily and dynamically changing. The most important property in a BE is the revocation or exclusion of unwanted users (eg, illegal users or expired users).

1 is a diagram illustrating a network structure of a data transmission system using general broadcast encryption. Referring to FIG. 1, the content producer 100 produces various useful data including audio or video data, and provides the produced data to the service provider 110. The service provider 110 may allow legitimate users (eg, mobile digital rights management (DRM) network 140, smart home, etc.) to pay for data corresponding to the data provided from the content producer 100 through various wired and wireless communication networks. The DRM network 150 is broadcasted.

That is, the service provider 110 may transmit data to a device of users such as a set-top box 141 equipped with various satellite receivers through the satellite 120, and may transmit data through a mobile communication network. 142 can also be sent. In addition, the terminal 130 may transmit to various terminals 150, 151, 152, 153, 154, and 155 of the smart home network 150 through the internet network 130.

In this case, the data is encrypted by broadcast encryption (BE) in order to prevent the illegal user 160 who does not pay a fair fee for the data from using the data.

The security of such an encryption and decryption system usually depends on the system that manages the encryption key. The most important thing in such an encryption key management system is how to generate an encryption key. In addition, it is also important to manage and update the generated encryption key (Key Update).

Since the concept of BE was first proposed in 1991, many changes have been made, and the current BE assumes a stateless receiver. This concept means that each session's private key is never changed or updated as the session changes. In this case, the term 'k-resilient' is used in terms of safety, which means that the k-resilient user cannot recover information even if a public attack is performed by k users. Since r usually represents the number of excluded users, 'r-resilient' means that all excluded users are safe to collaborate.

On the other hand, in BE, transmission overhead, storage overhead, and computation overhead are important, respectively, the amount of headers to be transmitted by the transmitting side, the amount of secret keys that the user must store, and the user. Means the amount of computation needed to obtain the session key. Among these, reducing the amount of transmission is a major problem. The amount of transmission initially decreased from the value of N, the total number of users, to the value of r, the number of users that are currently excluded. Reducing the transmission to less than r has become a big challenge for BE as technologies emerge that are proportional to r.

Based on these BE problems, the "Subset Difference (SD) Method" published by Naor-Naor-Lotspiech has shown the best results. , O and requires a transmission rate of the storage capacity and O (2r-1) of the (log ^3/2 n).

However, even the SD method has a problem in terms of being efficient for use by a large number of users.

As described above, various algorithms have been proposed to date since Berkovits first published a paper on BE in 1991. Among these important algorithms, a secret key sharing scheme, a subset cover-free system model scheme, a tree structure scheme, and the like have been proposed.

First, a model based on secret key sharing will be described. The private key sharing model was introduced in 1991 by S. First proposed by Berkovits, Noar 'and' B. More efficient improvements were made in Pinkas' article entitled "Efficient Trace and Revoke Schemes." In S Berkovits's "How to Broadcast a Secret", a method using polynomial interpolation and a method based on vector based secret sharing are presented.

Referring to the polynomial interpolation method, a center (ie, a broadcasting center or a transmitting side) transmits a point (x _i , y _i ) to a secret channel to each user. In this case, x _i is a different value and (x _i , y _i ) are each user's private key. Then, to broadcast the secret information S to legitimate users t of each session, a polynomial P having a random integer j and order t + j + 1 is selected. The polynomial P is a polynomial that passes through t random users' private keys (x _i , y _i ) and any j points (x, y) and (O, S) that are not the secret keys of any other user. The center transmits points different from the t + j points on the polynomial P. Then, since t legitimate users know one point (own secret key) in addition to t + j points, they can recover polynomial P of order t + j + 1 and also obtain secret information S. However, the excluded user never knows t + j points, so he never recovers the polynomial P.

In this method, the transmission amount is O (t + j + 1), the storage amount is O (1), and the calculation amount is approximately t ³ multiplications. In addition, there is an advantage that easy revocation can be prevented, competition tracing is also possible. However, for a large number of users, there is a problem that can not be used practically because it is inefficient and unsafe to write repeatedly.

M. Noar and B. Pinkas's "Efficient Trace and Revoke Schemes" uses a threshold secret sharing scheme using Lagrange's interpolation formula. The Noar-Pinkas method uses the property that an order-order polynomial can be recovered by knowing the points above r + 1 polynomials, but cannot be recovered with one or fewer r points. That is, the center selects a random t-order polynomial P and provides each user with different points as a secret key. When r users are excluded, the center broadcasts information on the total of t points by adding the excluded r secret keys and t-r points randomly selected. As a result, the excluded user still knows only t points even though their secret information is summed, but the non-excluded user knows t + 1 points to recover the polynomial P. This polynomial is used to find the session key P (0).

These methods are also easy to dispose of, prevent collusion and track collusion. In particular, there is a big advantage in that it is possible to add new users, and the transmission amount is O (t) and the storage amount is quite efficient as O (1). However, this method has a problem that it is impossible to exclude more than t users initially defined. In addition, the number of points to be transmitted or the amount of computation required to compute the polynomial depends on t, which is inefficient in many cases. In addition, as t increases, the calculation time increases greatly, and thus it is difficult to use when a large number of users is included.

Secondly, the subset cover-free system model defines the concept of a subset cover-free system in a set that takes subsets of S as elements when the set of entire users is S. If you can find such a system, you can use it to perform BE. However, there is a disadvantage in that the storage amount and the transmission amount are about O (r log n) and are not efficient. We also introduced a way to extend the 1-resilient model to create a k-resilient model. An effective 1-resilient technique is relatively easy to devise, which makes sense for such an extension, but the proposed method has greatly reduced the efficiency of the expansion.

Third, recently, methods using a tree structure have been attracting attention. In 1998, C. K. Wong, M. Gouda, and G. S. Lam proposed the Logical-tree-hierarchy (LTH) method, but it was difficult to exclude a large number of users in one session. In addition, the user's private key is a model that changes over the course of the session, which is far from a modern BE that assumes a stateless receiver. Then, in 2001, D. Naor, M. Naor, and J. Lotspiech proposed "Complete Subset (CS) Cover Scheme" and "Subset Difference (SD) Scheme". Both methods assume that the number of users is n and the number of excluded users is r, and the center creates a binary tree of log n height and assigns the corresponding private key to every node. . Then assign users one by one to the leaf node.

First, the CS Cover method shows that each user receives and stores the secret key of all nodes located in the path from the root node to his leaf node. Here, a complete subtree that does not include any excluded users of the subtrees is called a "Complete Subtree (CS)". If the CS is in the proper mode, all non-excluded users may be included. At this time, if the session key is encrypted and transmitted with the secret key corresponding to the root nodes of the used CSs, legitimate users can recover the session key, but the excluded users are not included in any CS used above. It becomes impossible.

2 is a diagram illustrating the concept of broadcast encryption for allocating keys in a conventional tree structure. Referring to FIG. 2, each user 220 provided with data through broadcast encryption has its own key value (numbers 32 to 47), and at the same time, each node connected to itself in a tree structure. It will have a key value.

For example, user 34 has his own key value 34 along with the key value of node 17 (209), the key value of node 8 (204), the key value of node 4 (202), and node 2 (201). Will have a key value of. At this time, the key value of the node 17 (209) having the user 34 is also shared with the user 35. Similarly, the key value of node 204 of user 34 has the same 32, 33, and 35 users.

On the other hand, if all users 32 to 47 are legitimate users, it is preferable to transmit the same data to all users by including the node 201 key value in the header portion of the data to be transmitted. Transmission is possible.

However, if the user who has the user's key of user 221 is not a legitimate user, but is a revoked user, other users share key values of the node associated with user 36's 221, It is necessary to update the key values. That is, key values of the node 210, the node 205, the node 4, the node 202, and the node 201 need to be updated. At this time, the key value is updated in the order of the lower node to the upper node.

First, since the key value of node 210 is shared by user No. 37, the updated key value of node 210 of No. 19 from the server is encrypted with the key value of user No. 37 and transmitted to user No. 37. do. Then, since the key value of node 9 205 is shared with user 37, user 38 and user 39 under node 19 211, the updated value of node 9 205 is updated. The key value is encrypted and transmitted to user 37 with the key value of node 210 which is already updated, and the user 38 and 39 are encrypted and transmitted with key value of node 19 211.

Similarly, the key value of node 4 202 is numbered 37, 38, 39 under node 9 205, with user 32, 33, 34, 35 under node 8 204. Since the users are shared together, the updated key value of the node 4 (202) is encrypted and transmitted to the user 32 to 35 with the key value of the node 8 (204), and the user has already updated to the 37, 38, 39 The key 9 of the node 205 is encrypted and transmitted.

Finally, the key value of node 201 is shared by users other than user 221 of user 32-39 under node 4-204, and under node 5 (203). 40 to 47 users share the same, the updated key value of node 201 to 32, 33, 34, 35, 37, 38, 39 users of node 4 (202) has already been updated Encrypted and transmitted with the key value, and the user 40 to 47 is encrypted and transmitted with the key value of the node 203. This key renewal process can block access to illegal (or revoked) users.

In the above-described method (i.e., CS model), the transmission amount is O (r log (n / r)), which is the number of CSs including all non-excluded users, and the storage overhead is O (log n). )to be.

On the other hand, the SD (Subset Difference) method significantly improves the transmission amount by requiring the storage amount of O (log ² n) and the transmission amount of O (2r-1) by the above-described modification of the CS model. The SD model considers a subtree subtracting a subtree rooted at one node v from a subtree rooted at another node w included in the subtree. Branch nodes under this subtree are valid users, and branch nodes under a subtree rooted by w are excluded users. This method may cover the CS model as one subset, in which case, if there is an excluded user among a suitable number of legitimate users, the two or more subsets are necessary. The SD method obtains a hash value starting with the hash value of the key assigned to the node v and up to the node w, and sets a value corresponding to the value as the session key. Each user has a private key with hash values for sibling nodes for each node on the path from the root node to his branch node. Thus, the one-way hash function allows only legitimate users to recover the session key. At this time, the transmission amount of the SD model is O (2r-1), the storage amount is O (log ² n), the calculation amount is only a hash of the maximum O (log n).

Then, in 2002, the LSD model was proposed, which improved the SD model. LSD model was a double of the sub with a layer (layer) on the tree but have an accumulation volume to O (log ^3/2 n) a transmission rate SD model instead.

The best efficiency among the above-described BE models is a model using a tree structure such as LSD or SD. However, in the case of using the tree structure, it is difficult to expect any further improvement since the number of subsets required for broadcasting is highly dependent on the location of users. In addition, the tree structure has a disadvantage in that a considerable cost is required for maintenance. Therefore, there is a demand for more efficient BE technology than the tree structure described above.

Accordingly, an object of the present invention is to provide a user key management method for broadcast encryption in which a one-way key chain is sequentially formed for each node using a linear structure and distributes key values.

It is also an object of the present invention to select a c-th node among the nodes on a straight line using a linear structure as a special node, and user key management method for broadcast encryption to create a special node chain starting from the special node key. In providing.

It is also an object of the present invention to provide a user key management method for broadcast encryption that can reduce the amount of transmission by setting a transmission interval by adding a section including one excluded user.

The key management method according to the present invention for achieving the above object, the step of giving a node path ID (Node Path ID) to each of the nodes arranged sequentially, A random seed key according to the node path ID to each node ( Assigning a Seed Value Key), repeatedly applying a hash function to the given seed key, generating key values, and sequentially assigning the generated key values to the nodes.

Preferably, the encryption key for the section consisting of N nodes among the sequentially arranged nodes, a key value generated by repeatedly applying the hash function N-1 times to the seed key given to the first node in the section. It is characterized by.

In addition, the section is characterized in that the continuous section consisting of the authenticated nodes.

In addition, the interval includes one or more excluded nodes, and each of the excluded nodes is characterized by applying an independent hash function.

On the other hand, the key management method according to the present invention is to give a seed value (Seed Value Key) to sequentially arranged nodes, iteratively applying a first hash function to the given seed key to generate key values And sequentially assigning the generated key values to the nodes, setting a special node according to a predetermined interval among the sequentially arranged nodes, and assigning a special seed key to each special node. Assigning a Seed Value Key), repeatedly applying a second hash function to the given special seed key, generating key values, and sequentially assigning the generated key values to each special node. Include.

Preferably, if a special node key of K is assigned to a first special node among the special nodes, a key value of applying the second hash function to the second special node away from the first special node by the predetermined interval is applied to the K. It is characterized by being given.

The encryption key for the section consisting of N nodes among the sequentially arranged nodes is a key value generated by repeatedly applying the hash function N-1 times to the seed key assigned to the first node in the section. It is characterized by.

In addition, the section is characterized in that the continuous section consisting of the authenticated nodes.

In addition, the interval includes one or more excluded nodes, and each of the excluded nodes is characterized by applying new independent hash functions.

Meanwhile, in the key management method according to the present invention, a node path ID is assigned to each node forming an annular group, and a seed value is assigned to each node according to the node path ID. And generating a key value by repeatedly applying a hash function to the given seed key, and sequentially assigning the generated key values to each node forming the annular group. .

Preferably, the encryption key for the recursive section consisting of N nodes in the annular group is a key value generated by repeatedly applying the hash function N-1 times to the seed key assigned to the first node in the recursive section. Characterized in that.

In addition, the circular section is characterized in that the continuous section consisting of the authenticated nodes.

In addition, by linking the nodes forming the new annular group under each node forming the annular group to the substructure, thereby forming a hierarchy of annular groups.

In addition, the hierarchical structure is characterized in that the 16 layers.

In addition, the number of each node forming each annular group is the same.

In addition, the circular section consisting of N nodes in the annular group includes one or more excluded nodes, and each of the excluded nodes applies an independent hash function.

In addition, the number of nodes forming the annular group is N, characterized in that '0' to 'N-1' is given as the node path ID.

In addition, a node having at least one excluded child node in the hierarchy may be regarded as an excluded node.

On the other hand, in the key management method according to the present invention, by applying a seed value (Seed Value Key) to each node forming the annular group, by repeatedly applying a first hash function to the given seed key Generating key values, sequentially assigning the generated key values to each of the nodes forming the annular group, setting a special node according to a predetermined interval among the nodes forming the annular group, wherein each special Granting a random special seed key to a node, repeatedly applying a second hash function to the given special seed key, generating key values, and generating the generated key values. And sequentially giving special nodes.

Preferably, if a special node key of K is assigned to a first special node among the special nodes, a key value of applying the second hash function to the second special node away from the first special node by the predetermined interval is applied to the K. It is characterized by being given.

The encryption key for the recursive section consisting of N nodes in the annular group is a key value generated by repeatedly applying the hash function N-1 times to the seed key assigned to the first node in the recursive section. It features.

In addition, the circular interval is characterized in that the continuous interval consisting of the authenticated nodes.

In addition, the cyclic interval includes one or more excluded nodes, and each of the excluded nodes applies a new hash function that is independent of each other.

Hereinafter, with reference to the drawings will be described the present invention in more detail.

<Basic Example>

3 is a flowchart illustrating a procedure of assigning a key value by mapping a one-way key chain to each node of a linear structure according to an embodiment of the present invention. Referring to FIG. 3, first, a node path ID is assigned to each node (S301). Here, the node path ID is an ID required to distinguish users corresponding to each node.

Next, an arbitrary seed key is assigned to each node of the linear structure according to the node path ID (S302). In the practice of the present invention, any seed key may be determined randomly independently of each other.

Next, a key value generated as a result of substituting an arbitrary seed key assigned to each node into the one-way hash function is generated. In addition, the generated key value is repeatedly substituted into the one-way hash function to generate key values continuously, thereby generating each predetermined key chain according to each arbitrary seed key (S303).

The one-way hash function here is a function that compresses an input value of an arbitrary length into an output value of a predetermined length, and has a property as follows. On a one-way hash function, it is impossible to calculate the input value for a given output value, and it is impossible to find another input value that produces the same output value for a given input value. Also, it is not computationally possible to find any two different inputs that produce the same output on a one-way hash function.

The hash function that satisfies the aforementioned properties is one of important functions applied to data integrity, authentication, nonrepudiation, etc. In the present invention, the one-way hash function may be “HBES SHA-1”.

Next, key values generated for each seed key in step S303 are sequentially assigned from the next node of the node to which each seed key is assigned (S304). In practicing the present invention, the direction in which the key values are given should be constant for each node.

Hereinafter, a procedure of assigning the aforementioned key value to each node will be described in more detail with reference to FIGS. 4 to 6.

4 is a diagram illustrating a method of assigning an arbitrary seed key to each node of a linear structure according to an embodiment of the present invention. Referring to FIG. 4, any seed key for each node may be sequentially mapped to each node on a straight line from the front.

For example, assuming that N nodes are arranged in the same space, K ₁ , K ₂ , ..., K _N values, which are randomly selected seed key values, may correspond to each node. That is, the first node 401, the K ₁ value, the second node 402, the value K _2, the third node 403, the value K _3, the fourth node 404, the value K _4, ..., the N-1 node 405, the response will include a seed key value selected at random of the value K _N K _{N -1} values, the node N 406.

At this time, as described above, the one-way key chain is generated from each seed key by using the one-way hash function. Here's how to create a one-way keychain:

If h is a one-way hash function with (0,1) ¹²⁸ → (0,1) ¹²⁸ , then the one-way keychain with length c from K is (K, h (K), h (h (K)) = h ⁽²⁾ (K), ..., h ^(c-1) (K)}. The generated one-way key chain values correspond to each node on a straight line sequentially from the front.

5 is a diagram illustrating a method of mapping a one-way key chain to each node of a linear structure according to an embodiment of the present invention. Referring to FIG. 5, a one-way key chain having a length c starting at each node is generated and mapped using the one-way hash function h. In this case, c means a chain size.

That is, a value of K _i , which is a seed key value, is mapped to the i th node 501, a h (K _i ) value is mapped to an i + 1 node 502, and h (h) is mapped to an i + 2 node 503. The (K _i )) value is mapped, and the h ^(c-1) (K _i ) value is mapped to the i + c-1 (504) node.

Meanwhile, in the practice of the present invention, the value of c is set in advance as a value for determining the length of the one-way key chain, and the number of keys to be stored by each user will be determined according to the value of c. Therefore, it is possible to generate a one-way key chain having a length of c from all seed keys assigned to each node, and to give each node the generated one-way key chain value.

As a result, each node can be assigned c key values. However, fewer nodes may be assigned to some nodes at the beginning and the end of the straight line.

6 is a diagram illustrating a method of mapping key values to respective nodes of a linear structure according to an embodiment of the present invention. 6, the i-th node 601 will be granted their seed key K _i, the i + 1 node 602 has an assigned group and the value of h (K _i) a one-way hash function computes a K _i It is given its key value K _{i +1} . Further, the i + 2th node 603 is given a value obtained by performing a one-way function calculation on the key value assigned to the i + 1th node 602 and its own key value.

In other words, the value computed one-way hash function is a two K _i h (h (Ki) and, K _{i +1} the one-way function value calculated by h (K _{i +1),} and their seed key value K _{i +2} is assigned By the same method, the c-th node i + c-1 node 605 is h ^(c-1) (K _i ), h ^(c-2) (K _{i +1} ), h ^{(c-3). )} (K _{i +2} ), ..., K _{i + c-1} .

Therefore, the user corresponding to each node is given c keys assigned to the node as the user's secret key.

In this case, if K _i = K _{i , i} , and i≤j to define K _{i , j} = h ^(ji) (K _{i , j} ), the key set stored by the user u _i is represented by Equation 1 below. Can be represented.

In addition, key values assigned to each node according to Equation 1 are as shown in the table shown in FIG. 7. 7 is a diagram illustrating a result of a key value corresponding to each node of the linear structure according to the embodiment of the present invention.

Referring to FIG. 7, it can be seen that the key values 701 of the user u _c are assigned c key values as shown. In addition, the present invention may use a method of dividing the entire user into one or more small subsets, and transmitting a session key to each of the divided subsets using one message.

8 is a flowchart illustrating a session key transfer procedure to an interval between illegal users according to an embodiment of the present invention. Referring to FIG. 8, first, a continuous array of legitimate users located between two revoked users is defined as a section, and a section between the excluded users for session key delivery is set (S801). )do. Thereafter, the set session is transmitted as a subset and the session key is transmitted (S802).

At this time, one section is created between two excluded users except when the excluded users are continuously located. Therefore, the session key can be delivered using a maximum of r + 1 intervals. However, when the maximum length of one section is limited to c according to an embodiment of the present invention, a larger amount of transmission is required for a section whose length is greater than c.

9 is a view showing the definition of the interval in the linear structure according to an embodiment of the present invention. Referring to FIG. 9, a collection of consecutive authorized users located between two revoked users 901 and 903 is defined as an interval 902.

On the other hand, after setting the section as described above, check the one-way key chain starting from the node key K _i corresponding to U _i (S803), using the value of h ^(s) (K _i ) as a key session key ( SK) is encrypted and transmitted (S804). As a result, the encrypted message is transmitted (S805).

More specifically described as follows. For the interval {u _i , u _{i + 1} , u _{i + 2} , ..., u _{i + s} } (where s is a value less than c), to pass the session key (SK), The center uses a one-way key chain starting from the node key K _i corresponding to u _i . The session key is encrypted by using a value of h ^(s) (K _i ), which is a key value corresponding to u _{i + s} , as a key among the values of the one-way key chain. That is, when E (K, M) is a secret key cryptographic algorithm whose key is K, the message of E (h ^(s) (K _i ), SK) is transmitted to all users.

Meanwhile, as described above, the only user who can decrypt the transmitted message by the donated key values is the user who can obtain a key h ^(s) (K _i ). Therefore, only the users included in the intervals {u _i , u _{i + 1} , u _{i + 2} , ..., u _{i + s} } can obtain the corresponding key values.

That is, the user included in the interval knows the value of one of the one-way keychains starting from K _i , and since the value is located to the left of h ^(s) (K _i ), the one-way function h is assigned to its value. By applying h ^(s) (K _i ) can be obtained.

On the other hand, among users who are not included in the section, users located to the left of the section cannot obtain a value related to K _i , and thus cannot obtain h ^(s) (K _i ). In addition, a user located on the right side of the interval may not be able to obtain the value of the left side of the one-way key chain because of the one-way function's one-way function, although it may be able to obtain some value of the one-way key chain.

Therefore, even if any of the users not included in the corresponding section collude, it is impossible to obtain h ^(s) (K _i ), and thus, the session key cannot be recovered.

10 is a diagram illustrating a method of transmitting a session key in a section of a linear structure according to an embodiment of the present invention. Referring to FIG. 10, as described above, the session key SK may be simultaneously delivered to users included in one interval according to an embodiment of the present invention.

That is, it is assumed that an excluded user is located at the i th node 1001 and an i + t + i node 1005, and there are t + 1 authorized users 1002, 1003, 1004 between the two excluded users. In this case, one private key may be transmitted only for the authorized user. That is, when E (K, m) is a secret key encryption method using K as a key, the header of the session key for the users u _i , ..., u _{i + t} is expressed by Equation 2 below. Can be represented.

11 is a flowchart illustrating a procedure of decrypting data by a session key received by a user of each node according to an embodiment of the present invention. Referring to Fig. 11, only users authorized by the key value transmitted by the above method can decode the received data. That is, each user who receives the message including the encrypted header (S1101) is a user within a corresponding interval (S1102) and decrypts by calculating the h ^(s) (K _i ) with the key value of the user (S1103). On the other hand, if the user is not in the corresponding section, the operation h ^(s) (K _i ) can not be calculated, so it is impossible to decode the received data (S1104).

More specifically, the user 1002 before the i-th node cannot know the value of K _i , and thus cannot obtain the key value, and the users after i + t know the latter part of the one-way key chain of K _i . It is possible to calculate h ^(s) (K _i ) because of the unidirectional nature of the hash function.

On the other hand, all legitimate users included in the interval can obtain the value of h ^(s) (K _i ) by repeatedly applying h to a value generated from K _i among their own key values.

Meanwhile, in the above-described embodiment of the present invention, the amount of transmission is calculated for the case where r excluded users are included among all N users.

First of all, each user should store up to c key values. At this time, the transmission amount is the worst case r + (N-2r) / c, which occurs when all excluded users are gathered on one side of the straight line and the remaining parts are gathered by legitimate users.

In addition, when two or more excluded users appear consecutively, the amount of transmission is reduced. Therefore, a case in which the excluded users and legitimate users are alternately positioned is considered. In this case, the reason why N / c is additionally necessary is because the maximum length of a section that can transmit a key in one transmission is set to c.

In addition, the user's computation amount can be thought of as one c-way function calculation and a secret key cryptographic algorithm at maximum c times. .

c (storage) Worst case Ratio 50 50,000 + 18,000 1.36r 100 50,000 + 9,000 1.18r 200 (about 3K) 50,000 + 4,500 1.09r

Hereinafter, modified embodiments of the above-described embodiment of the present invention will be described. First, the modified first embodiment is a method in which the key value can be transmitted by only one transmission over a long section in order to compensate for the transmission amount being larger than r by setting the length of the section to c in the above-described embodiment.

In addition, the modified second embodiment is a method of applying a new one-way function from the position of the excluded user in order to reduce the transmission amount than r. In addition, the modified third embodiment is a method combining the modified first embodiment and the modified second embodiment.

Modified First Embodiment

The reason why the transmission amount becomes larger than r in the above-described embodiment is that the length of the interval is limited to c. Therefore, in order to make the transmission amount closer to r, it is necessary to reduce the required transmission amount according to the above section limitation. Therefore, we propose an extended embodiment in which the key can be transmitted in one transmission for such a long period by extension of the above-described basic concept.

The modified first embodiment of the present invention sets a special node according to a predetermined interval (for example, every c-th node) among nodes on a straight line.

Then, for each special node, a special seed key (Special Seed Value Key) independent of the existing seed key is randomly selected and corresponded again, and a special node chain starting from the special node key is generated.

12 is a diagram showing the definition of a special node in the linear structure according to the modified first embodiment of the present invention. Referring to FIG. 12, special nodes 1201, 1202, and 1203 are set for every c th node (1204, 1205). A special seed key is assigned to the special nodes 1201, 1202, and 1203, which are set at every c-th node, and a one-way key chain having a length of c × c ₂ is formed from the key.

More specifically, for each of the special nodes 1201, 1202, and 1203, the special seed keys independent of the existing seed keys are randomly selected and corresponded again, and each special seed key is made using a new one-way hash function. Stars form a special node chain starting from the special seed key.

In this case, when c ₂ is a new constant, the special node chain has a length of c × c ₂ , as described above. Hereinafter, a method of associating a special node chain with a special node will be described with reference to FIG. 13.

FIG. 13 is a diagram showing a method of mapping a key value to each node in a linear structure according to the first modified embodiment of the present invention. The method of forming the chain in the first modified embodiment basically uses the same method as in the basic embodiment described above. However, when the next section {u _i , u _{i + 1} , u _{i + 2} , ..., u _{i + s} } is a section whose length starting at the special node exceeds c, the key transmission for the section is This is done by a special chain of nodes starting at u _i . At this time, the method of encrypting SK is the same as in the above-described basic embodiment. That is, by using a value corresponding to the chain of u _{i +} u _{i s} started from and transmits to encrypt SK.

Referring to FIG. 13, if a special node key of K is assigned to a first special node 1301, which is a c node, the second special node 1302, which is a second c node having a length c and above, is given with a new one-way function h. The special node key 1305 of h ₂ (K), which is a one-way function operation, is assigned to ₂ (1304). Similarly Claim 3c node of the third special node 1303 is the one-way function computed twice the K to a new one-way function h ₂ (1304) ^{_{(i.e., h 2 (2) (1306}} )) by h ₂ ⁽²⁾ (K) Is given.

Therefore, h (K), which is a one-way function calculation of the special seed key K of node c, is given to node c + 1, and the special seed key K of node c is given to node c + 2, by h. The two-way function operation h ⁽²⁾ (K) is given. Similarly, the _second c + 1 node is given h (h ₂ (K)) of one-way function calculation of h ₂ (K) given to the second c node, and the third c + 1 node is given to the third c node. a ^{_{h 2 (2) (K)}} h (h 2 (2) (K)) calculated by the one-way function h to a is given.

At this time, for 1≤t <c, the c + t-th user stores his seed key and h ₂ (K) together. Therefore, a total of c ₂ keys are additionally stored for each node.

As described above, in the modified first embodiment of the present invention, the number of key values stored for each node is increased, but the size of the session key to be transmitted is reduced.

14 is a diagram illustrating a method of dividing a section for transmitting a session key according to a first modified embodiment of the present invention. Referring to FIG. 14, when many authorized users are gathered as shown in FIG. 14, the session key may be transmitted by dividing into only two intervals 1401 and 1402.

FIG. 15 is a diagram illustrating a method for transmitting a session key when divided into a plurality of sections according to a first modified embodiment of the present invention. Referring to FIG. 15, when divided into four sections 1501, 1502, 1503, and 1504, a session key is assigned as E (h ⁽²⁾ h ₂ ⁽²⁾ (K), SK). By constructing and transmitting, only authorized users can implement decryption.

Thus, by using the h ₂ function according to the first modified embodiment of the present invention, the amount of calculation is reduced. That is, at this time, calculation of a maximum of c + c _two one-way function operations is required.

According to the modified first embodiment described above, the storage amount of the user is slightly increased compared to the basic embodiment, but when the number of excluded users is small, the transmission amount can be greatly reduced.

Second Modified Embodiment

As a result of the modified first embodiment described above, a result of approximating the transmission amount to r can be obtained. This shows a considerably improved result compared to 2r-1 in case of SD among the known methods. In the second modified embodiment described below, a method of reducing the transmission amount than r is proposed.

The basic concept of the modified second embodiment is as follows. If the interval is a set of users located between two revoked users, the total number of intervals can never be less than r when considering the worst case. At this time, since one transmission is required for each section, when only such a section is considered, the transmission amount cannot be smaller than r. Therefore, it is necessary to add various shapes of sections to the basic sections.

Therefore, in the second modified embodiment of the present invention, a transmission section is set by adding a section including one or more excluded users. In the following description, a section including one excluded user is added as an example, and may be extended to a case in which a section including two or more excluded users is added by the same method. For example, since one section is made by a total of three excluded users, the transmission amount can be reduced to r / 2 in an ideal case.

16 is a diagram illustrating a section setting method according to a second modified embodiment of the present invention. In the second modified embodiment of the present invention, by setting the section to include the excluded users in the section, the amount of transmission is reduced and the amount of storage is increased. In other words, two revoked users can be sent at once.

At this time, the form in which one excluded user is added may occur only in two cases as shown in FIG. 16. In case of (1), the solution can be solved as the above-described basic embodiment, and in case of (2), more effective solution is possible according to the modified second embodiment which will be described later.

The transmission of the session key for the section as (2) is performed as follows. At this time, according to the second modified embodiment of the present invention, a new one-way hash function g function is required. That is, when the interval including the user u _{i + j} excluding the interval {u _i , u _{i + 1} , u _{i + 2} , ..., u _{i + s} } (where the length of the entire interval is c In the center, we encrypt SK using h ^(sj) gh ^(j-2) (K _i ).

In FIG. 16, a form in which one excluded user is added has been described, but the present invention may be equally applicable to the case where a plurality of excluded users are added as described above.

FIG. 17 is a diagram illustrating a method of mapping a key value to each node in a linear structure according to a second modified embodiment of the present invention. Referring to FIG. 17, until a revoked user comes out (1701, 1702, 1703, 1704), the hash function 'h' is applied to the right direction along the one-way key chain as in the basic embodiment, and then excluded. In the position 1705 of the user u _{i + j} , the one-way key chain is transformed by using another one-way hash function 'g' instead of the one-way hash function 'h'.

Then, after passing the excluded user (1706, 1707), the one-way hash function 'h' is used again to generate key values and to create a one-way key chain. When the session key is transmitted, SK is encrypted with a value corresponding to the location of the last user.

In this case, since the two-way functions h and g are public functions, the users located to the left of the excluded user can easily calculate the key used for encryption. However, for the excluded user u _{i + j,} the value of gh ^(j-1) (K _i ) must be known before the value can be calculated, so the center can determine the value of hg ^(j-1) (K _i ). It is kept secret.

On the other hand, in the case of users located on the right side of the excluded user, each of the chains must additionally store a value corresponding to their position. At this time, if the length of the interval is set to c, the number is 1 + 2 + 3 + ... + (c-2). That is, each user must additionally store the key of (c-1) (c-2) / 2.

Looking at the second modified embodiment of the present invention described above, the total storage amount is c + (c-1) (c-2) / 2, that is, O (c ² ), but the transmission amount is r / 2 + (N-2r) You can see that / r is reduced to r / 2 with / c. Also, the amount of calculation is a calculation of up to c one-way function operations as in the basic embodiment.

If the above calculation is made for the case of N = 1,000,000 and r = 50,000, the result as shown in Table 2 can be obtained.

c Storage Worst case Ratio 64 1,955 25,000 + 14,000 0.78r 100 4,951 25,000 + 9,000 0.68r

Referring to <Table 2>, it can be seen that the former portion of r has been greatly reduced to r / 2, but the (N-2r) / c added later is larger.

On the other hand, the above-described modified second embodiment can be extended to the general case. That is, as the storage amount increases to O (c ³ ), it is possible to implement to transmit a key in one transmission in a section including three excluded users. Therefore, as described above, it is possible to apply not only to one but also to a section including a plurality of excluded users.

Modified Third Embodiment

As a final embodiment, the modified third embodiment of the present invention is an embodiment in which the modified first and second embodiments described above are applied simultaneously. In this case, the worst case occurs when one user is excluded from a section of length c. This is because when two or more excluded users are included in the section whose length is smaller than c, the two excluded users can be solved by one transmission using the modified second embodiment. The worst case transmission amount is r / 2 + (N-2r) / 2 (c-2) and the storage amount is c + c ₂ + (c-1) (c-2) / 2.

The formula for the transmission amount can be applied when r is greater than N / c. If r is less than N / c, you get a different result. For example, assuming that r = 0, the required transmission amount is N / (c × c ₂ ). At this time, as r gradually increases, one transmission is required for a section of length c including an excluded user, and in the remaining couple, the method of the modified first embodiment is applied, so that r + (N-cr) / (c It can be seen that a transmission amount of × c ₂ ) is required.

That is, a straight line having a slope of 2 is formed by setting N / (c × c ₂ ) as an initial value. In the same way, the increased transmission amount is changed to r / 2 + (N-2r) / 2 (c-2) using the point of time when r is N / c.

According to the third modified embodiment described above, the storage amount of the user is slightly increased compared to the basic embodiment, but when the number of excluded users is small, the transmission amount can be greatly reduced.

Modified Embodiment 4

The modified fourth embodiment of the present invention proposes a method of applying the basic embodiment in the above-described linear structure and the modified first to modified third embodiments in the annular structure.

First, the straight line structure in the above-described embodiments can be easily reconfigured into a circular structure. That is, considering a straight line L having N users from u ₁ to u _N , when the two end points of the L are connected, the straight line has an annular structure.

In the annular structure, all one-way keychain methods as in the above-described basic embodiment can be applied to the predetermined section. For example, one-way key chain can be constructed starting from user u _N node.

In the basic embodiment having the above-described linear structure, the one-way key chain starting at the user u _N node has one key of K _{N, N.} Meanwhile, in the annular structure according to the fourth modified embodiment of the present invention, since the u _N and u ₁ are continuously connected to form a one-way key chain, the one-way key chain starting from the user u _N node is represented by the following equation. It will have c key values like 3>.

Generalizing this, the one-way key chain starting from the node u _i can be expressed as Equation 4 below.

Accordingly, in the annular structure, the key value can be transmitted by only one transmission over the long section to compensate for the transmission amount being larger than r by setting the length of the section in the above-described modified first embodiment to c. Will be applicable,

In addition, in the annular structure, a method of applying a new one-way function from the position of the excluded user to reduce the amount of transmission in the above-described second modified embodiment may be applicable, and also in the above-described modified third embodiment A method combining the modified first embodiment and modified second embodiment will be applicable.

 Modified Fifth Embodiment

The fifth modified embodiment of the present invention proposes an annular structure having a hierarchical structure.

18 shows a hierarchical structure of node groups of an annular structure according to an embodiment of the present invention.

Referring to Fig. 18, the node group of each annular structure in the hierarchical structure is composed of c nodes. In this case, each user corresponds to each point in all branch nodes (ie, annular structures) of the hierarchy. If the hierarchical structure consists of 16 hierarchies except for a root node, the hierarchical structure can correspond to users of c ¹⁶ .

Accordingly, it is possible to configure an annular structure having the above-described key chains for each group node in each layer, wherein users corresponding to each node have all key values assigned to their parent nodes.

Each node having a child node that includes at least one excluded user in the structure is considered a excluded node. Therefore, when encrypting, the center first displays the excluded nodes. The center then displays the parent nodes of the excluded nodes along the hierarchy.

This process is completed up to the root node, and if there is at least one excluded node, the root node will be the excluded node.

After identifying the excluded nodes, the center sets sections in each layer. As shown, only one node is included above the zeroth layer.

First, the center sets the cycle sections in the annular group of the 0th layer, and encrypts the session key as the interval key for each of the cycles. The center then considers only the annular group corresponding to the children of the excluded nodes in the 0 layer for the first layer. The above process proceeds to the fifteenth layer.

For example, in the case of having one excluded user, one excluded node is generated in all hierarchies in the displaying process. In addition, in the encryption step, since there is one excluded node in the 0th layer, the center encrypts the session key as the interval key for the cyclic interval except for one node. On the other hand, for the first layer, the center considers only one annular group corresponding to the child of the excluded node in the 0 layer.

Each node constituting the annular group corresponding to the child of the authenticated nodes can obtain the session key granted to the parent node. Therefore, as a result, the center can process encryption for the entire hierarchy by encrypting 16 times.

The modified fourth embodiment described above can handle encryption for more users than the previous embodiments, and as a result, more keys are needed. On the other hand, the transmission overhead TO can be significantly reduced than in the above-described second embodiment.

That is, if the hierarchy in the fourth modified embodiment is called k-layer and the number of nodes included in each annular group is c, respectively, the storage overhead of each user in the modified fourth embodiment is described. ) Is kc + (c-1) (c-2) / 2, where (k-1) c keys are incremented.

On the other hand, the transmission overhead is about r / 2 + 3N / 4c when c ^k-1 / 2 <r. It can be seen that when r <N / 6, the modified fourth embodiment has less transmission overhead than in the modified second embodiment described above.

In addition, in the above description, although it is applied to a section (1-punctured) including one excluded user, the section including a plurality of excluded users as described above in the modified second embodiment (p-punctured) Applicable to also is obvious. In addition, even more hierarchies of the above-described hierarchical structure may use interval setting and transmission methods for the excluded user.

The embodiments of the present invention have been described above. On the other hand, in actual application of the above-described embodiments to broadcast encryption, it is difficult to think of all users joining the system at the same time. In other words, the center must set keys in advance for users to be added in the future, and these keys must be left out by default. If not, the newly subscribed user can recover the messages delivered in the past.

In the case of the majority of broadcast encryption, considering the amount of transmission depends on r, this can be a heavy burden on the center.

Therefore, the ability to add new users later without creating a key is very important. The proposed embodiments are easily solved by adding a new node to the right of the straight line whenever a new user is added at any time. At this time, the amount of computation is added to select a new random value and a number of one-way function operations can be added very efficiently. Of course, this will not affect other users' keys.

On the other hand, in terms of user alternatives, this relates to maintenance after the system has been in use for a long time. When the system is maintained for a long time, permanently excluded users are always left out, which is a big factor in increasing the throughput in most methods where the throughput depends on r.

In this case, after removing the keys of permanently excluded users, it is necessary to add new users to the location to reduce the number of excluded users. In the conventional method such as interpolation, such user substitution can be executed relatively freely, but it is a very difficult task in the method using a structure such as hierarchy. In the case of SD, the root node's key must be changed to replace one user, so all the user's keys must be updated.

On the other hand, in the embodiments according to the present invention described above can be applied relatively easily than in the method using the tree, such as the SD. That is, in order to replace one user, in the basic embodiment, a total of 2c users' keys are updated.

A Trader is a user who leaks his private key from legitimate users and helps illegal users to view the message. Trader tracking is an algorithm that, when there are such illegal users, finds the user who has leaked a key from their key.

Such various results of the tracer are known, and it is known that the tracer is basically possible when it is impossible to generate a new key from each user's keys and it is impossible to generate a new key from the keys of the multiple users. On the other hand, the above-described proposed embodiments of the present invention satisfy these properties, so that tracer tracking is possible.

In addition, the basic embodiment can be modified in a manner using a public key to reduce the secret key of each user to two. In this case, the required public key is O (c ² ). This variant can be of great help in applications where the size of the public key is not limited.

In conclusion, the most effective CS and SC method among various broadcast encryption methods and the present invention are shown in Table 3 below. In this case, N = 1,000,000 and r = 50,000 as in the above-described results.

c c2 Storage Worst case Basic embodiment 200 - 200 (2K) 50,000 + 4,500 (1.1r) Modified Second Embodiment 64 - 1,955 25,000 + 14,000 (0.78r) Modified Third Embodiment 64 20 1,995 25,000 + 7,260 (0.64r) Modified fourth embodiment 100 100 5,151 25,000 + 4,500 (0.59r) CS - - 20 r * (log (N / r)) (4r) SD - - 200 100,000 (2r)

Referring to Table 3, in the embodiments of the present invention, the most important transmission amount in broadcast encryption can be reduced to less than r. That is, in the embodiments of the present invention, it can be seen that the transmission amount is greatly reduced compared to the SD known as the best method. In addition, it will include various properties necessary for the practical application described above.

As described above, according to the present invention, the most important transmission amount in broadcast encryption can be reduced to less than r. In addition, embodiments of the present invention has the advantage that the amount of transmission can be significantly reduced compared to the SD known as the best method up to now.

In addition, according to the present invention, it is not only possible to generate a new key even if several users collude, but also when the illegal decoder is made, the key of the collaborating user is used as it is, so it can be tracked. You can also add as many users as you want later in the sequence.

Claims (23)

Assigning a node path ID to each node arranged sequentially; Assigning a seed value to each node according to the node path ID; Generating key values by repeatedly applying a hash function to the given seed key; And And sequentially assigning the generated key values to each of the nodes.  The method of claim 1, The encryption key for the section consisting of N nodes of the sequentially arranged nodes, And a key value generated by repeatedly applying the hash function N-1 times to the seed key assigned to the first node in the interval. The method of claim 2, The interval is a user key management method for broadcast encryption, characterized in that the continuous interval consisting of the authenticated nodes. The method of claim 2, The interval includes at least one excluded node, and the excluded node applies a separate hash function to each user key management method for broadcast encryption. Assigning a seed value (Seed Value Key) to sequentially arranged nodes; Iteratively applying a first hash function to the given seed key to generate key values; Sequentially assigning the generated key values to the nodes; Setting a special node according to a predetermined interval among the sequentially arranged nodes; Assigning a special seed key to each special node; Iteratively applying a second hash function to the given special seed key to generate key values; And And sequentially assigning the generated key values to each special node. The method of claim 5, If a special node key of K is assigned to a first special node among the special nodes, a key value obtained by applying the second hash function to K is assigned to a second special node that is separated from the first special node by the predetermined interval. A user key management method for broadcast encryption. The method of claim 5, The encryption key for the section consisting of N nodes among the sequentially arranged nodes is a key value generated by repeatedly applying the hash function N-1 times to the seed key given to the first node in the section. User key management method for broadcast encryption. The method of claim 7, wherein The interval is a user key management method for broadcast encryption, characterized in that the continuous interval consisting of the authenticated nodes. The method of claim 7, wherein The interval includes one or more excluded nodes, wherein the excluded nodes each apply a new hash function that is independent of each other. Assigning a Node Path ID to each node forming the annular group; Assigning a seed value to each node according to the node path ID; Generating key values by repeatedly applying a hash function to the given seed key; And And sequentially assigning the generated key values to each of the nodes forming the annular group. The method of claim 10, The encryption key for the recursive section consisting of N nodes in the annular group, And a key value generated by repeatedly applying the hash function N-1 times to the seed key assigned to the first node in the circulation section. The method of claim 11, The circular interval is a user key management method for broadcast encryption, characterized in that the continuous interval consisting of the authenticated nodes. The method of claim 10, Linking nodes forming a new annular group under each node forming the annular group into a substructure to form a hierarchy of annular groups. The method of claim 13, The hierarchical structure is a user layer management method for broadcast encryption, characterized in that the 16 layers. The method of claim 13, And the number of each node forming each annular group is the same. The method of claim 10, The recursive section consisting of N nodes in the annular group includes one or more excluded nodes, and each of the excluded nodes applies an independent hash function. The method of claim 10, The number of nodes forming the annular group is N, the user key management method for broadcast encryption, characterized in that '0' to 'N-1' is given as the node path ID. The method of claim 13, And a node having at least one excluded child node in the hierarchy is considered an excluded node. Assigning a seed value to each node forming the annular group; Iteratively applying a first hash function to the given seed key to generate key values; Sequentially assigning the generated key values to the nodes forming the annular group; Setting a special node according to a predetermined interval among the nodes forming the annular group; Assigning a special seed key to each special node; Iteratively applying a second hash function to the given special seed key to generate key values; And And sequentially assigning the generated key values to each special node. The method of claim 19, If a special node key of K is assigned to a first special node among the special nodes, a key value obtained by applying the second hash function to K is assigned to a second special node that is separated from the first special node by the predetermined interval. A user key management method for broadcast encryption. The method of claim 19, The encryption key for the recursive section consisting of N nodes in the annular group, And a key value generated by repeatedly applying the hash function N-1 times to the seed key assigned to the first node in the circulation section. The method of claim 21, The circular interval is a user key management method for broadcast encryption, characterized in that the continuous interval consisting of the authenticated nodes. The method of claim 21, The recursive section includes one or more excluded nodes, wherein the excluded nodes each apply a new hash function that is independent of each other.

Images