WO2008059673A1 - Dispositif de traitement d'informations - Google Patents
Dispositif de traitement d'informations Download PDFInfo
- Publication number
- WO2008059673A1 WO2008059673A1 PCT/JP2007/069388 JP2007069388W WO2008059673A1 WO 2008059673 A1 WO2008059673 A1 WO 2008059673A1 JP 2007069388 W JP2007069388 W JP 2007069388W WO 2008059673 A1 WO2008059673 A1 WO 2008059673A1
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- node
- key
- root
- directed graph
- coordinate
- Prior art date
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0819—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
- H04L9/083—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP]
- H04L9/0833—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP] involving conference or group key
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0819—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
- H04L9/0822—Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using key encryption key
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2209/00—Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
- H04L2209/60—Digital content management, e.g. content distribution
Definitions
- Information processing device terminal device, information processing method, key generation method, and program
- the present invention relates to an information processing device, a terminal device, an information processing method, a key generation method, and a program.
- a chain of sets is created, and an encryption key corresponding to each subset is derived along the chain.
- an encryption key corresponding to each subset is derived along the chain.
- Non-Patent Document 1 Nuttapong Attrapadung and Hideki Imai, 'subset Incre mental Chain Based Broadcast Encryption with Shorter and lphertext ", The 28th Symposium on Information Theory and Its Applications s (SITA2005)
- Non-Patent Document 1 includes the conventional CS method (Complete
- Subtree scheme Nya Scheme (There was a great advantage compared to feSi schemes such as Subset Difference scheme. However, from a practical perspective assuming implementation, if there are many recipients, the receiver side However, the number of keys to be held by the terminal device and the amount of calculation of the terminal device required for decryption using the encryption key are still large.
- the present invention has been made in view of the above problems, and an object of the present invention is to calculate the number of keys to be held in the terminal device and the amount of calculation required to decrypt the encrypted data. It is an object of the present invention to provide a new and improved information processing device, terminal device, information processing method, key generation method, and program capable of reducing the above.
- a bisection composed of n leaf nodes, a root node, and a plurality of intermediate nodes other than the root node and the leaf node.
- a set of leaf nodes located at is defined as Aw, and among the leaf nodes of the basic subtree, the leaf node located i pieces to the left of a certain leaf node V is v ( ⁇ ) and the leaf node located i pieces to the right is v (+ i), and the set (u ⁇ v) is defined as ( Au, AuU Au (+1) , ...
- the set (u—v) is defined as ⁇ Av, AvUAv (— ⁇ , ⁇ , AvU ⁇ U Au ⁇ and is located below node V of the basic subtree
- the leaf node located at the left end is defined as lv 'and the leaf node located at the right end is defined as rv' among the multiple leaf nodes, the set (1,, ⁇ r ') and set (1, +1 ) — r
- root Root or set (coordinate points corresponding to each subset included in lv ' ⁇ rv' are arranged on the horizontal coordinate axis from left to right so that the inclusive relation increases, and the coordinate points are Directed graph with directional branch connected to, and / or set (1 r ') or set root root
- an information processing apparatus comprising: a directed graph generation unit configured to generate a set directed graph.
- the directed graph generation unit includes a directional branch setting unit between subtrees that sets a directional branch of a directed graph corresponding to a basic subtree in an upper layer from a directed graph corresponding to a basic subtree in a lower layer. You may make it provide further.
- the directed sub-tree setting unit includes a first coordinate point in the directed graph corresponding to the basic subtree in the lower hierarchy, and a first graph in the directed graph corresponding to the basic subtree in the upper hierarchy.
- a directional branch of 2 coordinate points is set, and the subset corresponding to the 2nd coordinate point is the 1st coordinate point It may contain a subset corresponding to.
- the directed graph creation unit includes a coordinate axis setting unit and a directed edge setting unit, and the coordinate axis setting unit sets a set ⁇ root ' ⁇ r' for each of the root node and the intermediate node V of each basic subtree. ) Or coordinate points corresponding to each subset in the set ( ⁇ ' ⁇ rv' (_ ⁇ )
- Coordinate points are additionally set, and the directed edge setting unit sets a predetermined integer k (k is a divisor of log (n 1 / y )), and n (x— 1) / k ' y ⁇ (rv' -lv '+ l) ⁇ n x / k ' y
- n i / (k ' y) (i 0 to x— coordinate points that are separated by 1)
- a key generation unit that generates a set key for encrypting the content or the content key based on the directed graph may be further provided.
- the key generation unit in response to the input of the intermediate key t (Si) of the subset S corresponding to a certain coordinate point in the directed graph, the set key corresponding to the subset Si corresponding to the coordinate point k (Si) and the coordinate points SI, S2, ..., Sk of the end point of the directional branch starting from the coordinate point S, t (Sl), t (S2), ..., t ( Sk) may be output.
- the key generation unit in response to the input of the set key k (S) of the subset S corresponding to a certain coordinate point in the directed graph, the end point of the directional branch starting from the coordinate point S
- the content key or the content key may be further encrypted using the set key.
- a transmission unit that transmits the content or content key encrypted by the encryption unit to a terminal device associated with each or all of the leaf nodes of! You may make it provide further.
- the subset determining unit determines the previous subsets Sl to Sm so that m is minimized.
- the transmission unit transmits information representing the set (N ⁇ R) or information representing the partial set S;! To Sm constituting the set (N ⁇ R) to the terminal device.
- the transmission unit may transmit the content or content key encrypted by the encryption unit with the set key corresponding to each of the subsets Sl to Sm, to the terminal device. .
- a key for generating a set key for decrypting a decrypted content or a content key based on a directed graph is configured to set up an entire tree structure of a binary tree composed of n leaf nodes, root nodes, and a plurality of intermediate nodes other than the root nodes and leaf nodes.
- y is a divisor of log (n)
- the root node of the basic subtree of the lower hierarchy is the upper hierarchy It is configured to be a leaf node of the basic subtree, and the set of leaf nodes located below the node w of the whole tree structure is defined as Aw.
- the set (u ⁇ v) is defined as ⁇ Au, AuUAu (+1) , ⁇ , Au U ⁇ ⁇ 8 ⁇
- the set (11—) is defined as ⁇ 8, ⁇ (_ ⁇ , ⁇ , AvU ⁇ UAu ⁇ , and a plurality of leaf nodes located below node V of the basic subtree
- the leaf node located at the left end is defined as lv '
- the leaf node located at the right end is defined as rv'
- set (1 r ') A root (v ' ⁇ rv' ( _ ⁇ )) and a set ( ⁇ 'rv') are associated with a root node
- Coordinate point force s corresponding to the fractional set a directed graph in which the inclusive relation is arranged from the left to the right on the horizontal coordinate axis, and directed branches connecting the coordinate points are set, and / Or for each subset in the set (1 r ') or set (lv' (+1) — rv ')
- the corresponding coordinate points are arranged on the horizontal coordinate axis so that the inclusive relation increases from right to left, and a directed graph in which directed branches that connect the coordinate points are set is generated.
- a terminal device is provided.
- a directional branch from the directed graph corresponding to the basic subtree of the lower hierarchy to the directed graph corresponding to the basic subtree of the upper hierarchy may be set.
- the directional branch of the second coordinate point in the directed graph corresponding to the basic subtree in the upper hierarchy is set, and the second coordinate is set.
- the subset corresponding to the point should contain the subset corresponding to the first coordinate point.
- a decryption unit that decrypts the encrypted content or the content key using the set key generated by the key generation unit may be further provided.
- the key generation unit in response to the input of the intermediate key t (Si) of the subset S corresponding to a certain coordinate point in the directed graph, the set key corresponding to the subset S corresponding to the coordinate point k (Si) and the intermediate keys t (Sl), t (S2), ... of the subsets SI, S2, ..., Sk corresponding to the coordinate points of the end points of the directional branch starting from the relevant coordinate point ⁇ , T (Sk) may be output.
- the key generation unit in response to the input of the set key k (S) of the subset S corresponding to a certain coordinate point in the directed graph, the end point of the directional branch starting from the coordinate point S
- the decryption unit decrypts the encrypted content key using the set key, and The encrypted content may be decrypted using the decrypted content key.
- Sm is determined, information representing the set (N ⁇ R), or
- a receiving unit that receives information representing a subset Sl Sm that constitutes the set (N ⁇ R), and based on the received information, the terminal device belongs to the subset S;! Sm! /
- a determination unit for determining whether or not the decryption of the encrypted content is permitted based on the determination result! It may be.
- the decryption unit further includes a decryption unit that decrypts the encrypted content or the content key using the set key generated by the key generation unit. l If it is determined that Sm belongs to! /, or belongs to! /, it may be possible to decrypt the encoded content or content key using the set key.
- the configuration includes n leaf nodes, a root node, and a plurality of intermediate nodes other than the root node and the leaf node.
- Set the whole tree structure of the binary tree divide the whole tree structure into multiple basic subtrees with n 1 / y leaf nodes, and create a hierarchy in y hierarchy (y is a divisor of log (n))
- y is a divisor of log (n)
- the leaf node located i to the left of a certain leaf node V is defined as ⁇ ( _ ⁇ i the leaf node located to the right is v ( + i ).
- ⁇ ( _ ⁇ i the leaf node located to the right is v ( + i ).
- the set (lv ' ⁇ rv' ⁇ ) and the set ( ⁇ ' (+1 ) —rv') When the intermediate node V of the branch tree is located on the left side of its parent node, the intermediate node V is associated with the set ( ⁇ 'rv'), and each intermediate node V of the basic subtree is If the node is located on the right side of the node, the step of associating the set (lv ′ ⁇ rv ′ ( _ ⁇ ) with the intermediate node V, and the set ( 1 ' ⁇ r') or a set of coordinates (lv ' ⁇ rv' 1 ))
- a processing method is provided.
- a binary tree comprising n leaf nodes, a root node, and a plurality of intermediate nodes other than the root node and the leaf nodes.
- Set the whole tree structure of divide the whole tree structure into multiple basic subtrees with n 1 / y leaf nodes and stratify them into y hierarchy (y is a divisor of log (n))
- the root node of the basic subtree of the hierarchy is configured to be a leaf node of the basic subtree of the upper hierarchy, and the set of leaf nodes located below the node w of the whole tree structure is defined as Aw.
- a leaf node located i to the left of a certain leaf node V is defined as ⁇ ( _ ⁇ ⁇ , and a leaf node located to the right is defined as v (+ i), and two leaf nodes u, v (v Is on the right of u), the set (u ⁇ v) is ⁇ Au, AuUAu (+1) , ..., AuU ⁇ UAv ⁇ and the set (u—v) is ⁇ Av, AvUAv (— ⁇ , ..., AvU • ⁇ U Au ⁇ , and among the leaf nodes located below node V of the basic subtree, the leaf node located at the left end is defined as lv ', and the leaf node located at the right end is defined as rv'
- ⁇ rv ' are arranged so that the coordinate points corresponding to each subset included in the horizontal coordinate axis increase from left to right on the horizontal coordinate axis, and directional branches that connect the coordinate points are set. Directed graph and / or set (1 r ') or set (lv' (+1) — rv root root
- Coordinate points corresponding to each subset included in ') are arranged on the horizontal coordinate axis from right to left so that the inclusive relation increases, and directed branches that connect the coordinate points are set.
- a key generation method characterized by generating a set key for decrypting encrypted content or a content key based on the directed graph obtained by generating the directed graph is provided.
- a binary tree comprising n leaf nodes, a root node, and a plurality of intermediate nodes other than the root node and the leaf nodes.
- Set the whole tree structure of divide the whole tree structure into multiple basic subtrees with n 1 / y leaf nodes and stratify them into y hierarchy (y is a divisor of log (n))
- a step that configures the root node of the basic subtree of the hierarchy to be a leaf node of the basic subtree of the upper hierarchy, and a set of leaf nodes that are positioned below the node w of the whole tree structure is defined as Aw
- the leaf node of the basic subtree Among them, the leaf node located i to the left of a certain leaf node V is defined as ⁇ ( _ ⁇ i the leaf node located to the right is v ( + i ), and the two leaf nodes u, For v (v is to the right of u
- a set V is associated with a set (lv ' ⁇ rv' ⁇ ) and a set ( ⁇ ' (+1 ) -rv'), and an intermediate node V of each basic subtree is placed on the left side of its parent node.
- a set ( ⁇ 'rv ') is associated with the intermediate node V, and if the intermediate node V of each basic subtree is located on the right side of its parent node, the intermediate node For each step of associating a set (lv ' ⁇ rv' ( _ ⁇ ) with V) and each root node and intermediate node V of each basic subtree, set (1 ' ⁇ r') or set (l V ' ⁇ r
- the coordinate points corresponding to each subset contained in V ′ (— ⁇ ) A directed graph and / or set ⁇ 'r root ro that is arranged so that the inclusive relation increases from left to right on the horizontal coordinate axis, and that has directed branches that connect the coordinate points to each other.
- a binary tree comprising n leaf nodes, a root node, and a plurality of intermediate nodes other than the root node and the leaf nodes.
- Set the whole tree structure of divide the whole tree structure into multiple basic subtrees with n 1 / y leaf nodes and stratify them into y hierarchy (y is a divisor of log (n))
- the root node of the basic subtree of the hierarchy is configured to be a leaf node of the basic subtree of the upper hierarchy, and the set of leaf nodes located below the node w of the whole tree structure is defined as Aw.
- a leaf node located i to the left of a certain leaf node V is defined as ⁇ ( _ ⁇ , a leaf node located to the right of ⁇ is defined as v (+ i), and two leaf nodes u, v ( v is to the right of u), the set (u ⁇ v) is ⁇ Au, Au U Au (+1) ,..., Au U... U Av ⁇ , and the set (u—v) is ⁇ Av, Av U Av (— ⁇ , ⁇ ⁇ ⁇ , Av U • ⁇ ⁇ ⁇ U Au ⁇ , and among the multiple leaf nodes located below node V of the basic subtree, the leftmost leaf node is lv 'and the rightmost leaf node is When rv 'is defined, a set (1 root, ⁇ r)
- root ' root '
- set ⁇ root r' root node V of the basic subtree of the hierarchy other than the highest hierarchy
- a temporary directed graph composed of a plurality of directed edges is selected from a plurality of directed edges constituting the temporary directed graph.
- a directed graph acquisition unit that acquires a directed graph generated by leaving a longer directional branch, and a set key for encrypting or decrypting content or content keys based on the directed graph acquired by the directed graph acquisition unit
- An information processing apparatus is provided that includes a key generation unit.
- n leaf nodes associated with numbers To n (n is a natural number), a root node, It is located at the left end of multiple intermediate nodes other than the root node and leaf node, and multiple leaf nodes arranged below a certain intermediate node V or root node V with respect to the binary tree structure composed of force.
- the number of leaf nodes is defined as lv
- the number of leaf nodes located at the right end is defined as rv.
- the set (i ⁇ j) is ⁇ i ⁇ , ⁇ i, i + 1 ⁇ , ..., ⁇ i, i + 1,..., j 1, j ⁇
- the set (i) is ⁇ j, J-1 ⁇ , ... ⁇ , ⁇ J,..., I + 1, i ⁇
- the coordinate points associated with each subset included in the set (l ⁇ n) are on the horizontal coordinate axis. From left to right.
- the first horizontal coordinate axis associated with the root node is set, and the coordinate points associated with each sub-set included in the set (2-n) are included on the horizontal coordinate axis from right to left.
- An information processing apparatus for processing a temporary directed graph formed and arranged above, a temporary directed graph acquisition unit for acquiring a temporary directed graph, and a plurality of directed branches constituting the temporary directed graph acquired by the temporary directed graph acquisition unit
- a directed graph generation unit that generates a directed graph while leaving a longer directional branch, and a key generation unit that generates a set key for encrypting a content or content key based on the directed graph.
- a binary tree structure consisting of multiple intermediate nodes other than leaf nodes is set, and the set (i ⁇ j) is set to ⁇ i ⁇ , ⁇ i, i + 1) for natural numbers i and j (i). ⁇ , ..., ⁇ i, i + 1,..., J—1, j ⁇ , and set (i) into ⁇ j ⁇ , ⁇ j,..., ⁇ J,. +1, i ⁇ to define an intermediate node V or root node
- a tree structure setting unit that sets the number of the leaf node located at the left end among the plurality of leaf nodes arranged below V as lv and the number of the leaf node located at the right end as rv;
- the coordinate point force associated with each subset included in the set (lv ⁇ rv-1) has an inclusive relationship from left to right on the horizontal coordinate axis.
- the third horizontal coordinate axis corresponding to a certain intermediate node V and the coordinate point associated with each subset included in the set (lv + 1—rv) are arranged on the horizontal coordinate axis. From the left to the left, which is arranged in such a way that the inclusive relation increases.
- Two temporary coordinate points are placed on each, and the coordinate point located at the right end on the first horizontal coordinate axis is set as the first temporary coordinate point, and the second temporary coordinate point is set to the right of the first temporary coordinate point.
- the left and right coordinate points on the second and fourth horizontal coordinate axes are connected as a starting point by connecting one or more directional branches with a length of n i / k facing left.
- a direction path is formed, and for each of the 1st to 4th horizontal coordinate axes, all directional branches starting from the temporary coordinate point as the start point or the end point are excluded, and each coordinate point on the 1st to 4th horizontal coordinate axes is reached.
- a directed graph generator for generating a directed graph for the set (l ⁇ n) by adding a directed branch of length 1 that ends at the first temporary coordinate point on the first horizontal coordinate axis to the directed graph An information processing apparatus is provided.
- the distribution of the intermediate key based on the above directed graph or the generation of the set key becomes possible.
- the worst value of the amount of computation required for each user (terminal device) to generate a decryption key without increasing the number of keys that each user should hold must be reduced. Is possible.
- the information processing apparatus may include a key generation unit that generates a set key for encrypting content or a content key based on a directed graph.
- the key generation unit described above in response to the input of the intermediate key t (S) of the subset S corresponding to a certain coordinate point in the directed graph, the set key corresponding to the subset S corresponding to the coordinate point k (S) and the coordinate points SI, S2, ..., Sk of the end point of the directional branch starting from the coordinate point S, t (Sl), t (S2), ..., t ( Sk) may be output.
- the key generation unit described above receives the end point of the directional branch starting from the coordinate point S in response to the input of the set key k (S) of the subset S corresponding to the coordinate point in the directed graph.
- the information processing apparatus includes an initial intermediate key setting unit that sets a predetermined random number as an intermediate key corresponding to the start point of each directed graph! [0042] Furthermore, the information processing apparatus includes an encryption unit that encrypts content or a content key using a set key.
- the information processing apparatus described above may be configured such that the content encrypted by the encryption unit or the terminal device associated with some or all of the leaf nodes constituting the tree structure; Equipped with a transmitter that transmits the content key! /!
- the information processing apparatus described above permits decryption of content encoded with a set key or a content key when a subset of leaf nodes constituting a tree structure;! -N is defined as Si.
- a set (N ⁇ R) of terminal devices to be processed, and a subset determination unit that determines m subsets SI to Sm satisfying the set (N ⁇ R) S 1 U S2 U You may have.
- the subset determining unit may determine the subsets S1 to Sm so that m is minimized.
- the information processing apparatus described above includes a transmission unit that transmits information representing a set (N ⁇ R) or information representing subsets Sl to Sm constituting the set (N ⁇ R) to a terminal device May be provided.
- the information processing apparatus includes a decryption unit that decrypts the content or the content key using the set key.
- the information processing apparatus is associated with one or more leaf nodes constituting a predetermined binary tree structure;! To n (n is a natural number) and encrypted using the set key.
- n is a natural number
- the encrypted content or content key received by the receiving unit is the leaf associated with itself in the set Si defined as a subset of the leaf nodes;!
- One or more information processing devices associated with the leaf node that is an element of the set S including the nodes may be decodable! /.
- a key generation unit that generates a set key for decrypting content or a content key based on a directed graph.
- a terminal device is provided.
- the above directed graph is composed of n leaf nodes with numbers;! To n (n is a natural number), a root node, and a plurality of intermediate nodes other than the root node and leaf nodes.
- a tree structure is set and the natural numbers i and j (i , ⁇ I ⁇ , ⁇ i, i + i ⁇ , ..., ⁇ i, i + i,..., J— l, j ⁇ , set (i) To ⁇
- the leaf node number at the left end of the leaf node is set to lv
- the leaf node number at the right end is set to rv
- the coordinates associated with each sub-set included in the set (l ⁇ n) Point force Corresponds to the first horizontal coordinate axis corresponding to the root node, arranged so that the inclusive relation increases from left to right on the horizontal coordinate axis, and each subset included in the set (2-n)
- the set (lv ⁇ rv— 1 Coordinate point force associated with each subset included in) is arranged on the horizontal coordinate axis so that the inclusive relation increases from left to right.
- the third horizontal coordinate axis corresponding to a certain intermediate node V and the coordinate points associated with each subset included in the set (lv + 1—rv) are included in the horizontal coordinate axis from right to left.
- the first and third directional branches are connected by connecting one or more directional branches with a length of n i / k facing rightward.
- Horizontal seat The coordinate points located in the top left of the axis to form a directed path that starts, by connecting one or more directional branches facing leftward to have a length of n i / k the second and Forms a directional path starting from the rightmost coordinate point on the 4th horizontal coordinate axis, excluding all directional branches starting from each temporary coordinate point and ending point for each of the 1st to 4th horizontal coordinate axes.
- the terminal device includes a decryption unit that decrypts the encrypted content or the content key using the set key.
- the key generation unit described above in response to the input of the intermediate key t (S) of the subset S corresponding to a certain coordinate point in the directed graph, the set key corresponding to the subset S corresponding to the coordinate point k (S) and the intermediate keys t (Sl), t (S2), ... of the subsets S1, S2, ..., Sk corresponding to the coordinate points of the end points of the directional branch starting from the coordinate point ⁇ , T (Sk) may be output.
- the key generation unit described above receives an end point of a directional branch starting from the coordinate point S in response to an input of the set key k (S) of the subset S corresponding to the coordinate point in the directed graph.
- the decrypting unit may decrypt the encrypted content key using the set key, and decrypt the encrypted content using the decrypted content key.
- the terminal device described above is a terminal device that permits decryption of content encrypted with a set key or a content key when a subset of leaf nodes of tree structure;! To n is defined as Si.
- the terminal device belongs to any of the subsets Sl to Sm based on the received information. V, even if it has a determination unit that determines whether or not the decryption of the encrypted content is permitted based on the determination result.
- the decryption unit uses the set key corresponding to the subset to which the terminal device belongs to Or you can decrypt the content key! /.
- a plurality of directed A directed graph acquisition step for acquiring a directed graph generated by leaving a longer directed branch out of a plurality of directed branches constituting the temporary directed graph, and the directed graph
- a key generation step of generating a set key for encrypting or decrypting the content or content key based on the directed graph acquired by the acquisition unit.
- n leaf nodes associated with numbers To n (n is a natural number), a root node, a root node, and For a plurality of intermediate nodes other than leaf nodes and a binary tree structure composed of forces, a leaf node located at the left end among a plurality of leaf nodes arranged below a certain intermediate node V or root node V The number of the leaf node located at the right end is defined as rv, and the set (i ⁇ j) is ⁇ i ⁇ , ⁇ i, for natural numbers i and j (i).
- ⁇ i, i + 1,..., j ⁇ and the set (i) is ⁇ j ⁇ , ⁇ j, ..., ⁇ j,. , i + 1, i ⁇ and the coordinate points associated with each subset contained in the set (l ⁇ n) are included from left to right on the horizontal coordinate axis.
- the first horizontal coordinate axis attached is set, and the coordinate point associated with each subset included in the set (2-n) is such that the inclusion relation increases toward the left side of the right force on the horizontal coordinate axis.
- a second horizontal coordinate axis that is arranged and associated with the root node is set, and for each intermediate node, the coordinate point associated with each sub-set included in the set (lv ⁇ rv— 1).
- the third horizontal coordinate axis associated with a certain intermediate node V is set, and the set (lv + 1—rv)
- the fourth horizontal coordinate axis associated with a certain intermediate node V is arranged such that the coordinate points associated with each included subset are arranged on the horizontal coordinate axis so that the force of inclusion is increased from right to left, and the inclusive relation increases.
- An information processing method for processing a temporary directed graph formed on a horizontal coordinate axis, the temporary directed graph acquisition step for acquiring the temporary directed graph, and a plurality of the temporary directed graphs acquired by the temporary directed graph acquisition unit A directed graph generation step for generating a directed graph from a directed edge while leaving a longer directed edge; And a key generation step of generating a set key for encrypting the content or the content key based on the graph.
- n leaf nodes associated with numbers To n (where n is a natural number), a root node, a root node, and A binary tree structure consisting of multiple intermediate nodes other than leaf nodes is set, and the set (i ⁇ j) is set to ⁇ i ⁇ , ⁇ i for natural numbers i and j (i ⁇ j).
- the tree structure setting step to set the number as rv, and the coordinate points associated with each subset included in the set (l ⁇ n) so that the inclusive relation increases from left to right on the horizontal coordinate axis
- the coordinate points associated with the horizontal coordinate axis and each subset included in the set (2-n) are arranged on the horizontal coordinate axis so that the directional force from right to left is increased and the inclusive relation is increased.
- the coordinate point force associated with each subset included in the set (lv ⁇ rv-1) Included from left to right on the horizontal coordinate axis
- a third horizontal coordinate axis corresponding to a certain intermediate node V and a coordinate point corresponding to each subset included in the set (lv + 1-rv) arranged so as to increase the relationship are on the horizontal coordinate axis.
- a path is formed, and for each of the first to fourth horizontal coordinate axes, all directional branches having the temporary coordinate point as the start point or the end point are excluded, and each coordinate point on the first to fourth horizontal coordinate axes is reached.
- the set (l ⁇ n— 1), set (2— n), set (lv + 1—rv), set (lv ⁇ rv — Generate directed graphs for 1), and add a directional branch of length 1 with the first temporary coordinate point on the first horizontal coordinate axis as the end point to the directed graph for the set (l ⁇ n— 1).
- a directed graph generation step for generating a directed graph relating to the set (l ⁇ n) is provided.
- the worst value of the amount of computation required for each user (terminal device) to generate a decryption key without increasing the number of keys that each user should hold is reduced. And become possible.
- a key generation for generating a set key for decrypting a content or a content key based on a directed graph A key generation method including steps is provided.
- the above directed graph is composed of n leaf nodes with numbers l to n (n is a natural number), a root node, and a plurality of intermediate nodes other than the root node and the leaf node.
- the coordinate points associated with the set are arranged on the horizontal coordinate axis so that the inclusive relation increases from left to right, and the first horizontal coordinate axis corresponding to the root node and the set (2-n)
- the coordinate points associated with each included subset are arranged on the horizontal coordinate axis so that the inclusive relation increases from right to left, and the second horizontal coordinate axis corresponding to the root node and the intermediate node
- the coordinate point force S associated with each subset contained in the set (lv ⁇ rv-1) arranged in such a way that the inclusive relation increases from left to right on the horizontal coordinate axis.
- the coordinate point force associated with the set is set to the fourth horizontal coordinate axis corresponding to a certain intermediate node V, arranged so that the inclusive relation increases from right to left on the horizontal coordinate axis, and the third horizontal Two temporary coordinate points are placed on the right side of the coordinate point located at the right end of the coordinate axis and the left side of the coordinate point located at the left end of the second and fourth horizontal coordinate axes, respectively, on the first horizontal coordinate axis.
- the distribution of the intermediate key based on the above directed graph or the generation of the set key becomes possible.
- the worst value of the amount of computation required for each user (terminal device) to generate a decryption key without increasing the number of keys that each user should hold is reduced. And become possible.
- the tree structure setting function that sets the number lv and the number of the leaf node located at the right end as rv, and the coordinate points associated with each subset included in the set (l ⁇ n) from the left on the horizontal
- each of the intermediate nodes is included in the set (lv ⁇ rv-1).
- the coordinate point force associated with the subset The third horizontal coordinate axis corresponding to an intermediate node V, arranged so that the inclusive relation increases from left to right on the horizontal coordinate axis, and the set (lv + 1-rv ) Are coordinate points associated with each subset included in the horizontal coordinate axis.
- a path is formed, and for each of the first to fourth horizontal coordinate axes, all directional branches having the temporary coordinate point as the start point or the end point are excluded, and each coordinate point on the first to fourth horizontal coordinate axes is reached.
- Functions and programs for realizing the functions on a computer are provided In this way, in the ⁇ key distribution method using the intermediate key and the set key, the distribution of the intermediate key based on the above directed graph or the generation of the set key becomes possible.
- a key generation function for generating a set key for decrypting content or a content key is realized in a computer based on a directed graph.
- a program is provided.
- the above directed graph consists of n leaf nodes with numbers l to n (n is a natural number), a root node, and a root node and a plurality of intermediate nodes other than leaf nodes.
- Set up a tree structure, and for the natural numbers i and j (i), the set (i ⁇ j) is ⁇ i ⁇ , ⁇ i, i + 1 ⁇ , ..., ⁇ i, i + 1,.
- each of the intermediate nodes is included in the set (lv ⁇ rv-1).
- a third horizontal coordinate axis corresponding to a certain intermediate node V in which coordinate points associated with the subset are arranged so that the inclusive relation increases from left to right on the horizontal coordinate axis, and a set (lv + 1—rv), the coordinate points associated with each subset are arranged on the horizontal coordinate axis so that the inclusive relation increases from right to left, and the fourth corresponding to an intermediate node V Horizontal coordinate axes, and two temporary coordinates for the right side of the coordinate point located at the right end on the third horizontal coordinate axis and the left side of the coordinate point located at the left end on the second and fourth horizontal coordinate axes.
- Each coordinate point on the 1st to 4th horizontal coordinate axes is formed by forming a directional path and excluding all directional branches starting from or ending with each temporary coordinate point for each of the 1st to 4th horizontal coordinate axes.
- Each directed graph for (lv ⁇ rv-l) is generated, and with respect to the directed graph for the set (l ⁇ n-1), the length 1 with the first temporary coordinate point on the first horizontal coordinate axis as the end point Add directional branch Te, it is obtained by generating a directed graph for a set (l ⁇ n).
- the distribution of the intermediate key based on the above directed graph or the generation of the set key becomes possible.
- the worst value of the amount of computation required for each user (terminal device) to generate a decryption key without increasing the number of keys that each user should hold is reduced. And become possible.
- the number of keys to be held in the terminal device on the receiver side and the amount of calculation required for decrypting the encrypted data can be reduced.
- FIG. 1 is an explanatory diagram showing an encryption key distribution system according to an embodiment of the present invention.
- FIG. 2 is a block diagram showing a hardware configuration of a key distribution server and a terminal device according to the embodiment.
- FIG. 3 is an explanatory diagram showing a binary tree structure related to the base scheme.
- FIG. 4 is an explanatory diagram showing a directed graph related to the base system.
- FIG. 5 is a flowchart showing a directed graph calculation method according to the infrastructure method.
- FIG. 6 is a flowchart showing a content key distribution method according to the infrastructure method.
- FIG. 7 is a flowchart showing a set key generation method according to the infrastructure scheme.
- FIG. 8 shows a functional configuration of a key distribution server and a terminal device according to the first embodiment of the present invention. It is a block diagram.
- FIG. 9 is an explanatory diagram showing an entire tree structure of a binary tree according to the embodiment.
- 13] is a comparison table showing a comparison between the basic scheme and the key distribution scheme according to the embodiment.
- 14] It is an explanatory view showing an application example of the encryption key distribution system according to the embodiment.
- FIG. 15 is an explanatory diagram showing an application example of the encryption key distribution system according to the embodiment.
- 16 A block diagram showing a configuration of an information processing device and a terminal device according to a second embodiment of the present invention.
- FIG. 17 is a flowchart showing a directed graph generation method according to the embodiment.
- FIG. 1 is an explanatory diagram showing the configuration of an encryption key distribution system 100 that focuses on the present embodiment.
- an encryption key distribution system 100 includes a key distribution server 10 configured as an example of the information processing apparatus according to the present embodiment, a plurality of terminal devices 20 respectively owned by a plurality of users, The key distribution server 10 and the network 5 that connects the terminal device 20 are configured.
- the network 5 is a communication line network that connects the key distribution server 10 and the terminal device 20 so as to be capable of bidirectional communication or one-way communication.
- This network 5 includes, for example, the Internet, a telephone line network, a satellite communication network, a public line network such as a broadcast channel, a WAN (Wide Area Network), a LAN (Local Area Network), an IP—VPN (Internet Protocol— Virtual
- Private network Private network
- private LAN such as wireless LAN, etc., regardless of wired / wireless.
- the key distribution server 10 is configured by a computer device or the like having a server function, and can send various types of information to an external device via the network 5.
- the key distribution server 10 can generate a broadcast encryption scheme method key and distribute the key to the terminal device 20.
- the key distribution server 10 that is effective in the present embodiment has a function as a content distribution server that provides a content distribution service such as a video distribution service or an electronic music distribution service. Can be delivered.
- the key distribution server 10 and the content distribution server can be configured as separate devices.
- the content is, for example, a movie, a television program, a video program, a video (Video) content such as a diagram or a still image, a music (Audio) content such as a lecture, a radio program, or the like.
- Arbitrary content data such as game content, document content, and software may be used.
- Video content may include not only video data but also audio data.
- the terminal device 20 is an information processing device capable of data communication with an external device via the network 5, and is owned by each user.
- the terminal device 20 is configured by a computer device (whether a notebook computer or a desktop computer) such as a personal computer (hereinafter referred to as “PC”! /) As shown in the figure.
- PC personal computer
- the present invention is not limited to such an example, and if it is a device having a communication function via the network 5, for example, a PDA (Personal Digital Assistant), a home game machine, a DVD / HDD recorder, an information home appliance such as a television receiver, It can be composed of a tuner or decoder for television broadcasting.
- the terminal device 20 may be a portable device (Portaale Device) that can be carried by the user, for example, a portable game machine, a cellular phone, a portable video / audio player, a PDA, a PHS, or the like.
- the terminal device 20 can receive various information from the key distribution server 10.
- the terminal device 20 can receive content distributed from the key distribution server 10.
- the key distribution server 10 can encrypt and distribute various electronic data.
- the key distribution server 10 can generate and distribute a content key that encrypts content.
- This content key may be expressed by, for example, a random number (pseudorandom number) calculated by a pseudorandom number generator, a predetermined character string, a number sequence, or the like.
- the key distribution server 10 can encrypt the content using a predetermined decryption logic using the content key.
- the key distribution server 10 can distribute this content key or a decryption key corresponding to the content key to any terminal device 20.
- the terminal device 20 can decrypt the encrypted content using the content key received from the key distribution server 10 or the decryption key corresponding to the content key.
- the pseudo random number generator used to generate the content key is an apparatus or program capable of outputting a long-period pseudo random number sequence by inputting a predetermined seed value, In general, it is realized using logic such as linear congruential method or Mersenne Twister method.
- the pseudo-random number generator applicable to this embodiment may generate pseudo-random numbers using other logics that are not limited to this, or include special information or conditions.
- the key distribution server 10 which is effective in this embodiment encrypts and distributes not only the content itself but also the content key. Certainly, a certain level of security can be ensured by encrypting and distributing the content itself. However, in order to respond flexibly when adding or deleting users who are authorized to use content (hereinafter referred to as “licensed users”) from among many users, the content key itself is encrypted and distributed.
- the scheme is advantageous.
- the key distribution server 10 generates a plurality of set keys for encrypting and decrypting the content key. As will be described in detail later, each of the plurality of set keys is associated with a subset group of a plurality of authorized users extracted from a large number of users.
- the key distribution server 10 encrypts the content key with a set key that is set so that only a set of authorized users can decrypt the content key, and encrypts the content key for all user terminal devices 20. Is delivered. With this configuration, only the terminal device 20 of the licensed user can decrypt the encrypted content key, decrypt the encrypted content using this content key, and view the content. You will be able to If the set of authorized users is changed, the key distribution server 10 can respond by changing the set key used for encrypting the content key. In order for the above-described encryption key distribution logic to be established, it is necessary to configure the key distribution server 10 and the like so as to implement algorithms related to the generation and distribution of set keys.
- FIG. Figure 2 shows the key distribution service according to this embodiment.
- This is an example of a hardware configuration capable of realizing the functions of the node 10 or the terminal device 20.
- the key distribution server 10 and the terminal device 20 include, for example, the controller 202, the arithmetic unit 204, the input / output interface 206, the secure storage unit 208, the main storage unit 210, the network interface 212, and the media. And an interface 216.
- the controller 202 is connected to other components via a bus, and mainly plays a role of controlling each unit in the apparatus based on a program and data stored in the main storage unit 210.
- the controller 202 is composed of an arithmetic processing unit such as a CPU (Central Processing Unit).
- the arithmetic unit 204 included in the key distribution server 10 can execute, for example, content encryption, content key encryption, set key generation, and derivation of an intermediate key used for generating the set key. Therefore, the arithmetic unit 204 can function as a pseudo-random number generator that generates pseudo-random numbers based on predetermined data (seed value, etc.), and at the same time, encrypts content or a content key based on a predetermined algorithm. Is possible.
- the predetermined algorithm may be stored in the main storage unit 210 as a program that can be read by the arithmetic unit 204. Further, the predetermined information may be stored in the main storage unit 210 or the secure storage unit 208.
- the arithmetic unit 204 can record the output result of executing the above various arithmetic processes in the main storage unit 210 or the secure storage unit 208.
- the arithmetic unit 204 may be configured integrally with the controller 202 described above, which may be configured by an arithmetic processing device such as a CPU.
- the arithmetic unit 204 included in the terminal device 20 can execute, for example, content decryption, content key decryption, set key generation, and generation of an intermediate key used to generate a set key. Therefore, the arithmetic unit 204 is configured to store predetermined data (seed value etc.
- the predetermined algorithm may be stored in the main storage unit 210 as a program that can be read by the arithmetic unit 204. Further, the predetermined information may be stored in the main storage unit 210 or the secure storage unit 208. Note that the arithmetic unit 204 can record the output result of executing the above various arithmetic processes in the main storage unit 210 or the secure storage unit 208.
- the arithmetic unit 204 may be configured integrally with the controller 202 described above, which may be configured by an arithmetic processing device such as a CPU.
- the input / output interface 206 is mainly connected to an input device for a user to input information and an output device for outputting a calculation result or content contents.
- the input device may be connected to the input / output interface 206, which may be a keyboard, mouse, trackball, touch pen, keypad, touch panel, or the like, by wire or wirelessly.
- the input device may be a portable electronic device such as a mobile phone or PDA (Personal Digiral Assistant) connected by wire or wirelessly.
- the output device may be connected to the input / output interface 206, which may be, for example, a display device such as a display or a sound output device such as a speaker, by wire or wirelessly.
- the input / output device is built in or integrated with the key distribution server 10 or the terminal device 20! /, Or may be! /.
- the input / output interface 206 is connected to other components via a bus, and can input information input via the input / output interface 206 to the main storage unit 210 and the like. .
- the input / output interface 206 is obtained by information stored in the main storage unit 210 or the like, information input via the network interface 212 or the like, or the operation unit 204 obtained by calculating these information. The results can be output to the output device.
- the secure storage unit 208 securely stores mainly information that needs to be concealed, such as a content key, a set key, and an intermediate key.
- the secure storage unit 208 is, for example, a magnetic storage device such as a hard disk, an optical storage device such as an optical disk, a magneto-optical storage device, or a semiconductor storage device Or the like. Further, the secure storage unit 208 is constituted by a storage device having tamper resistance, for example.
- the main storage unit 210 decrypts, for example, a control program for controlling other components, an encryption program for encrypting a content or content key, a decrypted content or content key, etc.
- a decryption program for generating a key or a key generation program for generating a set key or an intermediate key may be stored.
- the main storage unit 210 temporarily or permanently stores the calculation result output from the arithmetic unit 204, or information input from the input / output interface 206, the network interface 212, the media interface 216, or the like. May be stored.
- the main storage unit 210 may be configured by, for example, a magnetic storage device such as a hard disk, an optical storage device such as an optical disk, a magneto-optical storage device, or a semiconductor storage device. Also, the main storage unit 210 is configured integrally with the secure storage unit 208! /!
- the network interface 212 is connected to, for example, another communication device on the network 5, and includes, for example, encrypted content or content key, set key, intermediate key information, encryption parameter information, And interface means for sending and receiving information about the set of authorized users.
- the network interface 212 is connected to other components via a bus, and transmits information received from an external device on the network 5 to other components, or information held by other components on the network 5 Can be transmitted to other external devices.
- the media interface 216 is an interface for attaching / detaching the information medium 218 to read / write information, and is connected to other components via a bus.
- the media interface 216 can read out information from the mounted information medium 218 and transmit the information to another component, or write information supplied from the other component into the information medium 218.
- the information medium 218 may be a portable storage medium (detachable storage medium) such as an optical disk, a magnetic disk, or a semiconductor memory, for example. May be a storage medium or the like of an information terminal that is wired / wirelessly connected at a relatively short distance without going through the network 5.
- the hardware configuration capable of realizing the functions of the key distribution server 10 and the terminal device 20 according to the present embodiment.
- Each of the above components may be configured using general-purpose hardware, or may be configured with hardware specialized for the function of each component. Therefore, the hardware configuration to be used can be changed as appropriate according to the technical level at the time of carrying out the present embodiment.
- the above-described hard door configuration is merely an example, and it goes without saying that the present invention is not limited to this.
- the controller 202 and the arithmetic unit 204 may be configured by the same arithmetic device
- the secure storage unit 208 and the main storage unit 210 may be configured by the same storage device.
- An encryption key distribution method related to the basic technology described below is referred to as a basic method.
- This basic scheme is a scheme in which a set of user terminal devices to which content is distributed is divided into a plurality of subsets, and the content key is encrypted by a set key assigned to each subset and distributed.
- This infrastructure method reduces the amount of communication associated with encryption key distribution, the number of decryption keys that each user should hold, or the amount of calculation required for each user to generate a decryption key.
- This basic method will be described with reference to FIGS.
- the set of terminal devices (users) that are the targets of content distribution is divided into multiple subsets. Therefore, with reference to Fig. 3, the method of dividing the sub-group related to the basic method will be explained.
- the basic method adopts the method of dividing the subset using a binary tree structure.
- the basic method is to assign a predetermined subset to each node (node) constituting the binary tree structure in consideration of the positional relationship between the nodes.
- a subset of users having a predetermined combination is comprehensively selected.
- the peculiarity of this selection method can be understood more clearly from the specific example of the binary tree structure shown in Fig. 3. Therefore, a method for constructing a binary tree structure is described with reference to FIG.
- N ⁇ 1, 2, ..., n ⁇ (n is a power of 2)
- the node located at the end of the binary tree is a leaf node
- the node located at the apex is the root node
- each node located between the root node and the leaf node is This is called an intermediate node.
- a leaf node corresponds to each terminal device.
- the terminal device and the user have a 1: 1 correspondence, and the “terminal device” associated with the leaf node may be described as “user”.
- Figure 3 shows an example of the number of leaf nodes n64 in BT.
- indexes lv and rv for defining a subset to be assigned to a certain intermediate node V are defined.
- the leftmost leaf node number is defined as 1 v
- the rightmost leaf node number is defined as rv.
- V may be considered as a consecutive number assigned to each intermediate node.
- intermediate node V indicates an intermediate node on BT with V as an index.
- the intermediate nodes on BT are classified into two sets and defined.
- the set of intermediate nodes located on the left side of the parent node is defined as BTL
- the set of intermediate nodes located on the right side of the parent node is defined as BTR.
- the parent-child relationship means a vertical relationship between nodes connected on the BT, and indicates a relationship in which the parent node is positioned higher and the child node is positioned lower.
- a subset of the user set associated with each leaf node is associated with the root node on the BT.
- the set (l ⁇ n) and the set (2-n) are associated with the root node. Since all leaf nodes are connected below it, the root node is represented by a set that comprehensively or selectively contains these leaf nodes.
- the root node in Fig. 3 is associated with a set (1 ⁇ 64) and a set (2-64). Therefore, consider the set (1 ⁇ 6 4).
- the set (1 ⁇ 64) includes subsets [1, 1], [1, 2],..., [1, 64] as its elements. For example, to represent all users (leaf nodes), the subset [1, 64] can be used.
- a subset of the user set is associated with the intermediate node on the BT.
- a set (lv + 1-rv) is associated with the intermediate node V belonging to the above set BTL.
- a set (lv ⁇ rv ⁇ 1) is associated with the intermediate node V belonging to the set BTR.
- these sets are associated with all intermediate nodes V on the BT. See Figure 3 Then, it can be seen that these sets are described beside each intermediate node. For example, if you look at the intermediate node associated with the set (2-4), below this intermediate node are two intermediate nodes associated with the set (2-2) and the set (3 ⁇ 3) In addition, the leaf nodes from # to! -4 are connected.
- a subset of the user set is defined using a binary tree structure BT!
- This method makes it possible to represent a subset of users with various combinations.
- the whole set constructed by these subsets is called the set system ⁇ and is defined as the following equation (1).
- the following equation (1) is a mathematical expression of the binary tree structure constructed by the above method.
- the method for setting a binary tree structure that defines a subset has been described above.
- the basic concept of the infrastructure method is to set a set key for encrypting the content key for each of these subsets, and encrypt the content key with each set key and distribute it to all users. .
- at least one means of classifying user combinations was defined.
- an algorithm for generating a set key using these subsets is described.
- PRSG Pulseudo-Random Sequence Generator
- S0 set key k
- S2 subsets Sl, S2
- intermediate keys t (Sl), t (S2), ..., t (Sk) corresponding to Sk are output.
- the sets SO and Sl,..., Sk are any of the subsets constituting the set system ⁇ .
- this PRSG is the key generator.
- the basic method is characterized by the logic that defines the relationship between the PRSG input and output. Therefore, a directed graph that defines the relationship between the set SO and the sets Sl, S2,.
- the parameter k (k is a natural number) is determined.
- k I log (n) (hereinafter, the base of log is 2).
- this parameter k is related to the number of intermediate keys to be held by the terminal device 20 and the amount of calculation required to generate the set key. is there.
- k 6 is set
- a directed graph H (lv ⁇ rv-1) corresponding to an intermediate node V belonging to BTR will be described.
- SI Set the horizontal coordinate axis to construct the directed graph H (lv ⁇ rv— 1). This coordinate axis is assigned as a coordinate point a subset Si that is an element of the set (lv ⁇ rv ⁇ 1). The subset Si that forms these coordinate points is arranged so that the inclusive relation increases from left to right.
- the coordinate axes are the subset [5, 5 ], [5, 6] and [5, 7] have three coordinate points assigned.
- the starting point is a vertical line force on the right directed graph H on the first horizontal coordinate axis
- the intersection of this effective graph H and the vertical line y represents [X, y]
- the intersection of this effective graph H and the vertical spring y represents [y, z].
- the temporary coordinate point that is the starting point is set on the left side of the coordinate point that is located on the leftmost side of the coordinate axis
- the temporary coordinate point that is the end point is set on the right side of the coordinate point that is located on the rightmost side of the coordinate axis.
- the directed graph H (33 ⁇ 63) located on the right side of the third row from the top of Fig. 4, as an example, it is connected to the effective branch of the arched curve and one end of the arched curve, and A set of lines composed of straight lines extending in the direction is the substance of the directed graph H (33 ⁇ 63).
- Each curve and straight line constituting the directed graph H (33 ⁇ 63) is a directed branch.
- the intersection of the end of the directional branch and the vertical line is the coordinate point.
- the horizontal coordinate axis is not explicitly shown in Fig. 4, the horizontal coordinate axis is composed of a set of intersections between the vertical lines and the ends of the directed branches.
- a force with a white arrow drawn at the top of the directed graph H (33 ⁇ 63) indicates the direction of the directed edge.
- the directional branches that make up the directed graph H (33 ⁇ 63) are all directed to the right.
- the directed graph H (lv + 1-rv) associated with the intermediate node V belonging to the BTL and the directed graph H ( l ⁇ n) and H (2 ⁇ n) are set.
- the subset Si is arranged on the horizontal coordinate axis so that the inclusion relation increases from right to left.
- the direction of the directional branch is set to the left.
- the directed graph H (l ⁇ n) is generated by adding the directed edge E ([l, n-1], [1, n]) to the directed graph H (l ⁇ n ⁇ 1).
- the directed graph H (2 ⁇ n) is set by the same method as the directed graph H (lv + 1 ⁇ rv).
- the directed graph H (l ⁇ 64) in Fig. 4 is taken as an example to add a description.
- an arrow drawn immediately above or directly below each directed graph represents the direction indicated by all the directed branches constituting the directed graph H.
- the directed graph H (l ⁇ 64) has a directional branch from the coordinate point [1, 1] to [1, 2], and the coordinate points [1, 2] to [1, 3] and [1, There are two directional branches extending to [4].
- the black circles at the bottom of Fig. 4 represent the directed graphs H (2 ⁇ 2), H (3 ⁇ 3), ..., H (63 ⁇ 63), respectively, from the left! .
- Fig. 4 shows the directed graph H corresponding to each intermediate node and root node on the BT by the above method.
- the logic to generate a set key using this directed graph H is described below! /.
- the content key mek is encrypted and distributed using the set key k (Si) assigned to each subset Si constituting the set system ⁇ . That is, each coordinate point of the directed graph H corresponds to a subset Si composed of one or more users, and is assigned a set key k (Si).
- the intermediate key t (S) is also assigned to each of the above subsets Si and used to generate a set key k (Si).
- step (S2-2) since the number of iterations in the process of generating the effective graph H described above in step (S2-2) is X and l ⁇ x ⁇ k, from each coordinate point of the directed graph H, the maximum is k directional branches come out and V. From a certain coordinate point (subset SO), V, a subset of the coordinate points to which one or more directional branches are reached, in the order close to the certain coordinate point (in the order of short directional branch), SI, S2, ..., Sk. However, in the case of a number of directional branches from the coordinate point (subset SO) (q k k), Sq + 1, Sq + 2, ..., Sk are dummy and actually Is not used.
- the PRSG described above that outputs (k + 1) ⁇ -bit output for ⁇ -bit input is used to generate the set key k (Si).
- each coordinate point (subset S1, S2, First, intermediate keys t (Sl), t (S2),..., T (Sk) corresponding to Sk) and the set key k (S0) of the subset SO are output. That is, t (Sl)
- an intermediate key can be reached by repeatedly using PRSG to reach a chain of directional branches extending from the coordinate point corresponding to the intermediate key.
- the intermediate key and set key corresponding to the point can be derived. Therefore, each user only needs to hold the minimum number of intermediate keys that can derive all the intermediate keys corresponding to the subset in which the user is included.
- the key distribution server that generates the set key for encrypting the content key can repeat the calculation by PRSG as long as it holds only the intermediate key corresponding to the first coordinate point of each directed graph H.
- a set key corresponding to another coordinate point of the directed graph can be derived.
- the manager of the key distribution system sets, for example, a random number of bits as an intermediate key of the first coordinate point (root) of each directed graph H in the key distribution server at the time of setting up the key distribution system.
- the head coordinate point (root) of the directed graph H is a coordinate point from which a directional branch comes out but does not reach the coordinate point.
- the first coordinate point of the directed graph H (l ⁇ 64) in Fig. 4 is the [1, 1] coordinate point at the left end of the horizontal coordinate axis.
- the intermediate key is used for the purpose of improving security. There is no need to pay special attention to security, but if you want to reduce the amount of computation for generating a set key, do not use an intermediate key, but instead calculate one set key directly from another set key. It may be.
- the output when the set key k (SO) of the subset SO is input to the PRSG is k (Sl), k (S2), k (S3), and k (S4). It may be a set key of subset S;! ⁇ 4.
- the set key generation method has been described above.
- the set key generation method described above is used not only by the key generation server on the content key sender side but also on the terminal device on the receiver side.
- the distributor of the intermediate key refers to the subset to which the terminal device of user u belongs (hereinafter referred to as "subset to which user u belongs” or “subset to which user u is included”). Extract all directed graphs H that have as elements. If the user u is included in the subset corresponding to the head coordinate point (root) of the directed graph H, only the intermediate key corresponding to the head coordinate point is given to the terminal device of the user u. If the user u belongs to any subset corresponding to a coordinate point other than the first coordinate point of the directed graph H, the user u is the force included in the subset SO and is the parent of the subset SO.
- a subset SO that is not included in the subset parent (SO) is found, and the intermediate key SO of this subset SO is given to the terminal device of the user u.
- the subset SO when there are a plurality of coordinate points other than the first coordinate point that include the user u in the subset corresponding to the coordinate point, the subset SO
- the coordinate point SO that does not include the user u in the subset parent (SO) corresponding to the starting point of the directional branch that reaches the coordinate point corresponding to is extracted, and the intermediate key t (SO) of the coordinate point SO is Give to user u terminal. If there are multiple such coordinate points SO, give each intermediate key t (SO).
- the parent-child relationship of the coordinate points is determined by the directional branch, and the start point coordinate point of the directional branch is the parent of the end point coordinate point, and the end point coordinate point of the directional branch is the child of the start point coordinate point.
- the starting coordinate point parent (SO) of a directional branch that reaches a certain coordinate point SO is referred to as a parent coordinate point. If a coordinate point SO is the start point of the valid graph H, then there is no parent coordinate point, and if it is not the start point of the valid graph H, there is only one parent coordinate point.
- Example 1 Consider an intermediate key distributed to user 1. First, if we search the directed graph H whose elements are the subset to which user 1 belongs, we can see that it is only the directed graph H (l ⁇ 64). And user 1 is the part that is the first coordinate point of directed graph H (l ⁇ 64) Belongs to the set [1, 1]. Therefore, user 1 is given only the intermediate key t ([l, 1]).
- Example 2 Consider an intermediate key distributed to user 3.
- the directed graph H (l ⁇ 64), H (2-6 4), H (2-32), H (2-16), H ( 2-8), H (2-4), H (3 ⁇ 3) are applicable. So, if we consider the directed graph H (l ⁇ 64), user 3 does not belong to the subset [1, 1] of the first coordinate point, and the subset [1, 3], It can be seen that it belongs to [1, 4], ..., [1, 64]. Of these coordinate points, [1, 3], [1, 4] are the only coordinate points that do not include user 3 in the parent coordinate point.
- the coordinate point [1, 3], [1, 4] including user 3 is the parent coordinate point parent ([1, 3]) and parent ([1, 4]). Does not include user 3. Therefore, user 3 is given t ([l, 3]) and ([1, 4]) as intermediate keys corresponding to the directed graph H (l ⁇ 64). In the same way, other directed graphs H (2-64), H (2-32), H (2-16), H (2-8), H (2-4), H (3 ⁇ For 3), the corresponding intermediate key is selected and given to User 3. As a result, a total of 8 intermediate keys are given to user 3.
- FIG. 5 is a flowchart showing a processing flow relating to intermediate key distribution in the key distribution server at the time of system setup.
- the key distribution server of the key distribution system sets various parameters. For example, the number of users n, the number of bits of the set key and intermediate key, the predetermined parameter k, and the pseudorandom number generation algorithm based on PRSG are determined and released to the terminal devices of all users (S102).
- the key distribution server divides the set of users into predetermined subsets, and determines and publishes the set system ⁇ (refer to the above formula (1)) expressed by the union (S104).
- the directed graph H and the directed edge T constituting the directed graph H are determined and disclosed (S106). Further, an intermediate key corresponding to each subset constituting the set system ⁇ is determined (S108).
- a necessary intermediate key is distributed to the terminal device 20 of each user so that each user can derive a set key corresponding to a subset including the user (S110).
- the intermediate key distribution method has been described above. When this distribution method is used, the minimum intermediate key necessary for the terminal device of each authorized user to generate the set key is distributed, the amount of communication between the key distribution server and the terminal device, and each user's The amount of intermediate key memory in the terminal device can be saved.
- the key distribution server encrypts the content key mek using a set key that can be generated only by the terminal device 20 of the licensed user. More specifically, the key distribution server determines a set R of terminal devices of users to be excluded (hereinafter referred to as excluded users), and determines the set of terminal devices of excluded users from a set N of terminal devices l to n of all users.
- a set N ⁇ R (hereinafter referred to as “permitted user set (N ⁇ R)”) of authorized user terminals excluding the set R (hereinafter referred to as “rejected user set (R)”) is determined.
- a subset Si that minimizes the force m that exists in large numbers is selected.
- the content key mek is encrypted with the set key k (Si) corresponding to each subset Si.
- the content key mek is encrypted by the set keys k (Sl), k (S2),..., K (Sm), and becomes m numbered content keys mek.
- m numbered content keys mek are distributed to terminal devices l to n of all users.
- information indicating a set of licensed users (N ⁇ R) or information indicating m subsets Si is also distributed to terminal devices l to n of all users.
- FIG. 6 is a flowchart showing a processing flow relating to distribution of content keys.
- the key distribution server determines a set (R) of excluded users and obtains a set (N ⁇ R) of authorized users (S 112).
- the set key k S Each content key mek is encrypted using i) (SI 16).
- the information representing the set of licensed users (N ⁇ R) or each subset Si and the m encrypted content keys me k are distributed to the terminal devices l to n of all users (SI 18).
- decryption processing of the encrypted content key in each user terminal device will be described. This decryption processing is performed based on the information representing the set N ⁇ R of authorized users or m subsets Si received from the key distribution server by the terminal device and the m ciphertexts. It is a process to get mek.
- the terminal device receives the encrypted content key and information representing the set N ⁇ R of licensed users or information representing the m subsets Si from the key distribution server. Further, the terminal device analyzes the information and determines whether or not it belongs to any of the m subsets Si. If it does not belong to any subset, it is the excluded user's terminal device, so the decoding process ends. On the other hand, when the subset Si to which it belongs is found, the terminal device derives the set key k (Si) corresponding to the subset Si using the PRSG. The structure of PRSG has already been described.
- the terminal device is given an intermediate key t (Si) corresponding to the subset Si from the key distribution server at the time of system setup in advance, and this intermediate key t (S If i) is input to PRSG, the set key k (Si) corresponding to the subset Si can be derived. On the other hand, if the intermediate key t (Si) is not held, the terminal device repeatedly derives the desired set key k (Si) by repeatedly inputting the held intermediate key to the PRSG. S can. Furthermore, the terminal device decrypts the encoded content key mek using the set key k (Si) derived in this way.
- the derivation of the set key k (Si) in the terminal device will be specifically described with reference to the example of FIG. Assume that “1, 8” is selected as the subset to which User 3 belongs.
- the terminal device of user 3 holds the intermediate key of the subset [1, 4] as described above.
- the third one of the directional branches starting from the coordinate point is the shortest (jump distance)! /.
- the third ⁇ -bit part from the beginning of the output when [1, 4] intermediate key t ([l, 4]) is input to PRSG is the subset [1, 8].
- Intermediate key t ([l, 8]) The terminal device extracts the intermediate key t ([l, 8]) from the PRSG output, and extracts the ⁇ bit of the final part when it is input to the PRSG again, thereby obtaining the desired set key k ([[ l, 8]).
- the terminal device 20 outputs the first ⁇ -bit portion (intermediate key t () of the output when the intermediate key t ([l, 1]) of [1, 1] is input to the PRSG. [l, 2]))) is extracted, and then the second ⁇ -bit part from the beginning of the output when this intermediate key t ([l, 2]) is input to the PRSG ( The intermediate key t ([l, 4]) is extracted, and the intermediate key t ([l, 4]) is input to the PRSG.
- the ⁇ -bit part (corresponding to the intermediate key t ([l, 8])) is extracted, and finally, the intermediate key t ([l, 8]) is output to the PRSG.
- the desired set key k ([l, 8]) can be obtained by extracting the final part (corresponding to the set key k ([l, 8])).
- FIG. 7 is a flowchart showing a key generation processing flow related to the decryption of the content key in the terminal device of each user.
- terminal equipment Searches for the subset Si to which it belongs based on the information (S122), and determines whether it belongs to! / Of m subset Si! / Step S 124).
- the set key k (Si) corresponding to the subset Si is derived using the PRSG (S126).
- the structure of PRSG has already been described. If the intermediate key t (Si) corresponding to the subset Si is given in advance by the key distribution server at the time of setup and is V, the set key k (Si) is obtained by using PRSG once. On the other hand, if the intermediate key t (Si) is not held, the ability to derive the desired set key k (Si) by repeatedly using PRSG S can. Next, the terminal device uses the set key k (Si) derived in this way to decrypt the encoded content key mek (S 128).
- the terminal device is excluded from the terminal device that can use the content. (It is an excluded user) is displayed and output (S130), and the content key decryption processing is terminated.
- the content key decryption method in the terminal device has been described above.
- the above decryption method is executed using a PRSG that generates an intermediate key and a set key based on the information of the directed graph H. Therefore, directed graph information and PRSG are also required on the terminal device side of each user. However, with this PRSG method, the number of intermediate keys held by each user's terminal device can be minimized.
- the encryption key distribution method according to the basic technology of the present embodiment has been described.
- the number of intermediate keys that each user's terminal device should hold is ⁇ (k * log (n)), and the amount of computation required to generate a set key (PRSG operation count) is (2k - 1) * (which is the n 1 / k -l) does not exceed.
- the encryption key distribution method according to the basic technology has a problem that the number of intermediate keys to be held by each user terminal device is still large, as shown in FIG.
- the dominant amount of computation required by the terminal device depends on how many times PRSG is executed to derive the desired intermediate key. is doing. This worst value is the farthest from the first coordinate point (root) in the directed graph H. It is represented by the number of directional branches (ie, the number of jumps) up to the last coordinate point (the leaf that does not have a directional branch). In the example shown in Fig. 4, in order to reach the first coordinate point [1, 1] force and the last coordinate point [1, 64] of the directed graph H (l ⁇ 64), it goes through 11 directional branches ( 11 jumps), indicating that the PRSG must be run 11 times. As described above, the encryption key distribution method related to the basic technology has a problem that the calculation amount for deriving the intermediate key is large because the PRSG is executed many times.
- the inventors of the present application have made intensive efforts to solve the above problems, and have developed an encryption key distribution method according to one embodiment (first embodiment) of the present invention as described below.
- this encrypted distribution method according to the present embodiment the large binary tree structure BT indicating the terminal devices of all users is divided into a plurality of small basic subtrees to form a hierarchical structure.
- the key derivation method of the infrastructure method is used, and the directional branch is set between these basic subtrees. Thereby, both the number of intermediate keys held by the terminal device 20 and the amount of calculation of the terminal device 20 can be reduced.
- the functional configuration of the key distribution server 10 and the terminal device 20 that realize the encryption key distribution method according to the present embodiment, and the features and operational effects of this encryption key distribution method will be described in detail.
- FIG. 8 is a block diagram showing functional configurations of the key distribution server 10 and the terminal device 20 according to the present embodiment.
- the key distribution server 10 includes a tree structure setting unit 102, a coordinate axis setting unit 104, a directional branch setting unit 106, a partial inter-tree directional branch setting unit 108, and an initial intermediate A key setting unit 112, a key generation unit 114, an encryption unit 116, a transmission unit 118, and a subset determination unit 120 are provided.
- the coordinate axis setting unit 104, the directed edge setting unit 106, and the sub-tree directed edge setting unit 108 constitute a directed graph generation unit.
- the tree structure setting unit 102 and the directed graph setting unit 110 are collectively referred to as a key generation logic building block.
- the initial intermediate key setting unit 112 and the key generation unit 114 are collectively referred to as a key generation block.
- the key generation logic building block performs processing corresponding to (Tree structure setting) and (Directed graph generation) in [Description of basic technology] above.
- the tree structure setting unit 102 assigns an overall tree structure BT having n leaf nodes to which numbers (! To n (n is a natural number)) assigned to n (n is a power of 2) terminal devices 20; Set a tree structure divided into multiple basic subtrees and hierarchized into the y hierarchy. As described above, the present embodiment is characterized in that the tree structure setting unit 102 sets a tree structure that is hierarchized by the basic subtree.
- the power described in this example is assumed that the total number n of the terminal devices 20 is a power of two. For example, the total number of terminal devices 20 does not match the power of two. In this case, an entire tree structure having n (power of 2) leaf nodes exceeding the total number of the terminal devices 20 may be set! / ,.
- a parameter y indicating the number of hierarchies of the whole tree structure BT is newly used.
- y I log (n) that is, y is a divisor of lo g (n).
- the tree structure setting unit 102 stratifies the entire tree structure BT of the binary tree representing all the terminal devices 20 of each user using a basic subtree having n 1 / y leaf nodes.
- Whole tree structure BT is a complete binary tree structure with a log (n) height corresponding to the binary tree structure BT of the above basic technology (see Fig. 3).
- This whole tree structure BT is composed of n leaf nodes to which the terminal device 20 is assigned, a root node at the vertex of the whole tree structure BT, and a plurality of intermediate nodes other than these root nodes and leaf nodes.
- the basic subtree has a complete binary tree structure with a height ((log (n)) / y).
- This basic subtree is composed of n 1 / y leaf nodes, root nodes at the vertices of the basic subtree, and a plurality of intermediate nodes other than these root nodes and leaf nodes.
- the tree structure setting unit 102 first creates an entire tree structure so that the number of leaf nodes is n, and the total number of terminal devices 20 is greater than or equal to each leaf node. Assign 1, 2, ..., n .
- the tree structure setting unit 102 divides the entire tree structure BT into a plurality of basic subtrees and hierarchizes them into the y hierarchy, and the root node of the basic subtree of the lower hierarchy is the base of the upper hierarchy. Combining basic subtrees to match the leaf nodes of this subtree, the entire tree structure BT is constructed.
- Fig. 9 shows a specific example of the hierarchical tree structure.
- the whole tree structure BT (height 6, leaf node number 64) is divided into 9 basic subtrees (height 3, leaf node number 8) and has a two-layer structure. ing. Of these, there is one basic subtree in the upper hierarchy and eight basic subtrees in the lower hierarchy.
- the root node of the basic subtree in the upper hierarchy is the same as the root node (root) of the whole tree structure BT, and there are eight leaf nodes a, b, c,. .
- each basic subtree in the lower hierarchy matches the leaf nodes a, b, c, ..., h of the basic subtree in the upper hierarchy, and the leaf nodes of the basic subtree in the lower hierarchy.
- leaf nodes for example, 1-8, 9-16, 17-24,..., 57-64.
- a, b, c,..., H in FIG. 9 represent the leaf nodes of the upper-level basic subtree and the root nodes of the lower-level basic subtree, and are positioned below the root node.
- the set of leaf nodes ⁇ Aa ⁇ , ⁇ Ab ⁇ , ⁇ Ac ⁇ , ..., ⁇ Ah ⁇ is also represented.
- each leaf node of the basic sub-tree in the lowest hierarchy corresponds to each terminal device 20.
- the terminal device 20 and the user have a 1: 1 correspondence, and the leaf nodes of the entire tree structure BT (leaf nodes of each basic subtree in the lowest hierarchy);!
- “terminal device 20” associated with is described as “user”.
- ⁇ ⁇ ⁇ , n may be an exponent of any two.
- the tree structure setting unit 102 determines the positional relationship between the nodes for each node (node) constituting the entire tree structure BT set as described above, that is, the root node and the intermediate node of each basic subtree.
- Each set is associated with each other.
- the tree structure setting unit 102 also functions as a set association unit.
- the association of the set will be described in detail.
- N set of all terminal devices 20 (users) ⁇ 1, 2, ..., n ⁇
- Aw A set of leaf nodes located below the node w of the whole tree structure BT. However, if node w is a leaf node of the whole tree structure BT (ie, if node w is a leaf node of the basic subtree of the lowest hierarchy), Aw is a set of only the leaf node (ie, node w) Represents. Hereinafter, these leaf nodes are collectively referred to as “a set of leaf nodes belonging to Aw”.
- rv ' The leaf node located at the right end among the multiple leaf nodes located below the node V (root node or intermediate node) of the basic subtree
- A A set obtained by removing the root node (root) of the whole tree structure from the set of root nodes of the basic subtree
- BTL A set of intermediate nodes on the left side of the parent node among the intermediate nodes of the basic subtree
- the parent-child relationship means a vertical relationship between nodes connected on the basic subtree, and indicates a relationship in which the parent node is positioned higher and the child node is positioned lower.
- the tree structure setting unit 102 applies to each node of the entire tree structure BT hierarchically structured as described above, that is, the root node and the intermediate node of each basic subtree. In consideration of the positional relationship between the nodes, the leaf nodes corresponding to the terminal device 20;
- the tree structure setting unit 102 applies the set (1 ' ⁇ r') and the root node root (corresponding to the root node root of the whole tree structure BT) of the basic subtree of the highest hierarchy.
- the tree structure setting unit 102 determines that the intermediate node V of each basic subtree is located on the left side of its parent node. If a set (lv 'rv') is associated with V, and it is located on the right side of its parent node, then a set (lv ' ⁇ rv' ( — ⁇ ) is associated with the intermediate node V. In the example of Fig. 9, for the six intermediate nodes V of the upper-level basic subtree, the set (b—d), set (e ⁇ g), set (b—b), set (c ⁇ c), respectively.
- Set (f ⁇ f), and set (g ⁇ g), for example, e, f, and g are the subset ⁇ 33, ..., 40 ⁇ and subset ⁇ 4 1, , 48 ⁇ , representing the subset ⁇ 49, ..., 56 ⁇ , the set (e ⁇ g) is the set of these subsets ⁇ Ae, AeUAf, Ae U Af U Ag ⁇ ⁇ 33, ⁇ , 40 ⁇ , ⁇ 33, ⁇ , 48 ⁇ , ⁇ 33, ⁇ , 56 ⁇ .
- the tree structure setting unit 102 sets the root node V of the basic subtree of the hierarchy other than the highest hierarchy.
- the set (lv ' ⁇ rv' (- . ⁇ ) and ( ⁇ '(+ 1) -rv ') associated with the example of FIG. 9 eight basic root of the subtree node a lower hierarchy, b, c, Two sets are associated with h and h, respectively, for example, root node a is associated with set (2-8) and set (1 ⁇ 7).
- two sets other than the root node root are associated with each other as long as they are root nodes of the basic subtree.
- the tree structure setting unit 102 sets a set (lv'rv '), If it is on the right side of its parent node, associate the set (lv' ⁇ rv '(— ⁇ )) with the intermediate node V. For example, the left end of the lower hierarchy in FIG. For each intermediate node of the basic subtree, set (2-4), set (5 ⁇ 7), set (2 ⁇ 2), etc. are associated.
- a subset of the user set is defined using a binary tree structure ⁇ that is hierarchized by a plurality of basic subtrees.
- This method makes it possible to represent a subset of users with various combinations.
- the whole set constructed by these subsets is called the set system ⁇ and is defined as in the following equation (2).
- the following equation (2) is a mathematical expression of the whole tree structure ⁇ of the binary tree constructed by the above method.
- the method for setting the binary tree structure that defines the subset of the user terminal device 20 by the tree structure setting unit 102 according to the present embodiment has been described above.
- the basic concept of the signal key distribution method according to the present embodiment is that a set key for encrypting the content key is set for each of these subsets, and the content key is encrypted with each set key and all the keys are encrypted. It is to be distributed to users.
- subsets as described above, at least one means of classifying user combinations was defined. In the following, these subsets are used.
- An algorithm for creating a directed graph and generating a set key based on the directed graph is described.
- the directed graph generation unit 110 generates a set a ′ ⁇ r ′), a set associated with each node of the hierarchical whole tree structure BT set by the tree structure setting unit 102.
- the directed graph H ' is a directed graph that connects the coordinate points corresponding to the subsets included in these sets sequentially, and the coordinate points on the horizontal coordinate axis, which are sequentially arranged so that the inclusion relationship of the subsets increases. It consists of a counter branch.
- the directed graph generation unit 110 includes a coordinate axis setting unit 104 that sets a horizontal coordinate axis of each directed graph H ′, and a directed edge setting unit 106 that sets a directed edge on the horizontal coordinate axis of each directed graph H ′.
- a sub-tree directional branch setting unit 108 that additionally sets a directional branch between the directed graphs H ′ corresponding to different basic sub-trees.
- the coordinate axis setting unit 104 points the coordinate points corresponding to each subset included in the set (1 ′ ⁇ r ′) associated with the root node root of the basic subtree of the highest hierarchy from the left to the right.
- the coordinate axis setting unit 104 also sets each subset included in the set (lv ′ ⁇ rv ′) associated with the root node v of the basic subtree other than the top hierarchy or the intermediate node V of each basic subtree.
- the first horizontal coordinate axes (for example, H '(e ⁇ g), ⁇ ' (1 ⁇ 7), H 'in Fig. 10) are arranged so that the inclusive relation increases from left to right.
- Set coordinate axes such as (5 ⁇ 7).
- the coordinate axis setting unit 104 determines whether the coordinate point corresponding to each subset included in the set (1 r ') associated with the root node root of the basic subtree of the highest hierarchy is to the right.
- the coordinate axis setting unit 104 is included in the root node v of the basic subtree other than the top hierarchy or the set (lv ′ (+1) — rv ′) associated with the intermediate node V of each basic subtree.
- Coordinate points corresponding to each subset, with the right force toward the left Second horizontal coordinate axes (for example, coordinate axes such as H '(b—d), H' (2-8), H '(2-4) in Fig. 10) that are arranged so that the inclusive relation is large are set. To do.
- the coordinate axis setting unit 104 sets the coordinate axes for constructing the directed graph H ′ corresponding to each node of the basic partial tree set by the tree structure setting unit 102.
- the first horizontal coordinate axis is a rightward coordinate axis
- the second horizontal coordinate axis is a leftward coordinate axis. Since these first and second horizontal coordinate axes are set for each root node and intermediate node V of each basic subtree, a plurality of coordinate axes are respectively set.
- the coordinate axis setting unit 104 additionally sets at least two temporary coordinate points in total at the left end and / or right end of each of the first and second horizontal coordinate axes.
- one temporary coordinate point is additionally set on each of the left side of the coordinate point at the left end of each of the first and second horizontal coordinate axes and on the further right side of the coordinate point at the right end end.
- the temporary coordinate point set at the left end of the first horizontal coordinate axis is the starting point when the directional branch is set
- the temporary coordinate point set at the right end of the first horizontal coordinate axis is the end point when the directional branch is set. Become.
- the temporary coordinate point set at the left end of the second horizontal coordinate axis is the end point when the directional branch is set
- the temporary coordinate point set at the right end of the second horizontal coordinate axis is the start point when the directional branch is set .
- the method for setting temporary coordinate points is not limited to the above example.
- at least two temporary coordinate points may be set at either the left end or the right end of the first and second horizontal coordinate axes.
- the directed edge setting unit 106 has a function of setting an effective edge constituting the effective graph I between the coordinate points set by the coordinate axis setting unit 104.
- the directed edge setting unit 106 first determines a predetermined integer k (where k I log (n 1 / y ) 0 , where k is a divisor of log (n 1 / y )). And calculate an integer x that satisfies n (x— 1) / k ' y ⁇ ( rv , -lv' + l) ⁇ n x / k ' y .
- the directional branch setting unit 106 excludes all the directional branches with the first and second horizontal coordinate axes having a temporary coordinate point at the left end and one right end of the coordinate axis as the start point or the end point, respectively. To do. Further, the directional branch setting unit 106 excludes a directional branch other than the longest directional branch among the directional branches that reach the coordinate points on the first and second coordinate axes. In this way, the effective edge setting unit 106 is a chain connecting coordinate points on each horizontal coordinate axis of each effective graph I associated with each root node and intermediate node of each basic subtree. Set several valid branches.
- the method of generating the effective graph I by the coordinate axis setting unit 104 and the effective branch setting unit 106 which is the force of the present embodiment as described above, is the above described except that the number of leaf nodes is n 1 / y .
- This is almost the same as the method for generating the effective graph H related to the basic technology. Specific examples are described below.
- the directed graph I (1 ' ⁇ r') associated with the root node (root node root of the whole tree structure BT) of the basic subtree in the highest hierarchy shown in Fig. 9 An example of a directed graph I (a ⁇ h) is explained.
- the directed graph I (a ⁇ h) which is the rightward graph associated with the root node root, is first directed to the directed graph I corresponding to the set (lv ' ⁇ rv' ( ⁇ )). (a ⁇ g), and then add the directional branch E ([a, g], [a, h]) to create the directed graph I (a ⁇ g). Create as follows.
- the coordinate axis setting unit 104 sets a first horizontal coordinate axis for constructing the directed graph I (a ⁇ g).
- the first horizontal coordinate axis is assigned as a coordinate point a subset Si that is an element of the set (a ⁇ g).
- the subset Si that forms these coordinate points is arranged so that the inclusion relation increases from left to right.
- H (a ⁇ h) H ( ⁇ [a, a], [a, b], ..., [a, g] ⁇ )
- the coordinate axes are the subset [a, a ], [a,], ..., has seven coordinate points assigned [a, g].
- the effective edge setting unit 106 sets the directional branch that forms the directed graph I (a ⁇ g).
- n ( x — 1) / k ′ y is calculated as an integer x satisfying (h ⁇ a + 1) ⁇ n x / k ′ y .
- This integer X satisfies l ⁇ x ⁇ k.
- the directed graph I (a ⁇ g) is completed. Then, the directed graph I (a ⁇ h) is completed by adding the directed edge E ([a, g], [a, h]) to the directed graph I (a ⁇ g). For example, referring to the directed graph I (a ⁇ h) shown in Fig. 10, the subset [a, a] (displayed in the box “a"), [a, b] (displayed in the box "b”), ⁇ ⁇ ⁇ , [A, h] (indicated by a box with "h") and the effective point of a straight line or an arched curve that connects these points is set. ing. In Fig.
- the horizontal coordinate axes are clearly shown!!, NA! /, But the horizontal coordinate axes are composed of a set of intersections between the coordinate points and the ends of the directed branches. Furthermore, a right-pointing white arrow is drawn at the top of the directed graph I (a ⁇ h). This indicates the direction of the directional branch. In other words, all of the directional branches that make up the directed graph I (a ⁇ h) are directed to the right. Therefore, in the directed graph I (a ⁇ h), for example, from the coordinate point a of the subset [a, a], only one effective rightward branch that reaches the coordinate point b of the subset [a, b] is set.
- An effective graph I (lv ' ⁇ rv' ( _ ⁇ ) and effective graph ⁇ (1 ⁇ 'rv') associated with the core intermediate nodes of each basic subtree is generated, provided that the effective graph I (lv ' ⁇
- the subset Si is set so that the incline relation is increased on the second horizontal coordinate axis from right to left. And the direction of the directional branch is set to the left.
- Directed graphs I (a ⁇ h) and I (b—h) shown in FIG. 10 are effective graphs I associated with the root node root of the basic subtree of the highest hierarchy.
- the directed graphs I (b—d) and I (e ⁇ g) are effective graphs I associated with the upper intermediate nodes of the basic subtree of the highest hierarchy, and the directed graphs I (b—b), I (c ⁇ c), I (f ⁇ f), and I (g ⁇ g) are effective graphs I associated with the lower intermediate nodes of the basic subtree of the highest hierarchy.
- Directed graphs 1 (57 ⁇ 63) and 1 (58-64) are effective graphs I associated with root nodes V of the eight basic subtrees in the lower hierarchy.
- directed graphs 1 (2-4), 1 (5 ⁇ 7), ..., 1 (58-60), 1 (61 ⁇ 63) are respectively higher ranks of the eight basic subtrees in the lower hierarchy.
- each effective graph I can be shortened by dividing the entire tree structure BT into a plurality of basic subtrees and generating a hierarchy and generating the corresponding effective graph I.
- the number and length (number of jumps and distance) of effective branches in each effective graph I can be reduced. Therefore, the number of keys that the terminal device 20 should hold and the amount of calculation of the terminal device 20 can be reduced.
- the sub-tree directed edge setting unit 108 shown in FIG. 8 is applied to the hierarchically structured whole tree structure BT. From the directed graph I corresponding to the basic subtree of the lower hierarchy, the directional branch of the directed graph corresponding to the basic subtree of the upper hierarchy is additionally set. Specifically, the directed sub-tree setting unit 108 between the subtrees sets the first coordinate point in the directed graph I corresponding to the basic subtree in the lower hierarchy (for example, a subset of the effective graph 1 (1 ⁇ 7) in FIG.
- Figure 11 shows a state in which the directional branch is set so that the subset Si has an inclusion relation between the directed graphs I corresponding to different basic subtrees by the directional branch setting unit 108 between subtrees. Indicates directed graph I.
- the sub-tree directed edge setting unit 108 sets the subset in the effective graph 1 (58-64).
- the sub-tree directed edge setting unit 108 determines the effective graph I (b— from the coordinate point (first coordinate point) corresponding to the subset [32, 26] in the effective graph 1 (26-32).
- An effective branch is additionally set up to the coordinate point (second coordinate point) corresponding to the subset [d, d] in d), and the subset [33, 39] in the effective graph 1 (3 3 ⁇ 39)
- An additional valid branch is set from the corresponding coordinate point (first coordinate point) to the coordinate point (second coordinate point) corresponding to the subset [e, e] in the effective draft I (e ⁇ g).
- the sub-tree directed edge setting unit 108 sets the subsets [16, 16 to 16], 1 (17 to 23), 1 (42 to 48), 1 (49 to 55) of the effective graph 1 10], [17, 23], [48, 4 2], [49, 55] from the coordinate point (first coordinate point), including the effective graph 1 (10-16 ), I (17 ⁇ 23), 1 (42—48), I (49 ⁇ 55) subset [b, b], [c, c], [f, f], [g, g] coordinates For each point (second coordinate point), add valid branches.
- the number of intermediate keys to be held by the terminal device 20 can be further reduced. For example, by setting additional valid branches from subset [1, 7] of valid graph 1 (1 ⁇ 7) to subset [a, a] of valid graph I (a ⁇ h) Even if the terminal device 20 does not hold an intermediate key such as a subset [a, a], the terminal device 20 inputs its own intermediate key (for example, the intermediate key t ([l, 7])) to the PRSG.
- the terminal device 20 inputs its own intermediate key (for example, the intermediate key t ([l, 7])) to the PRSG.
- the eight subsets [a, a], [a, b], ..., [a, h] intermediate keys t ([a, a co), t ([a, b co), ...,, H]) can be derived. For this reason.
- These terminal devices 20 can reduce the number of intermediate keys t (S) held.
- effective branches between other basic subtrees also have an effect of reducing the number of intermediate keys t (S) to be held by the terminal device 20.
- the key distribution server 10 includes a key generation block having an initial intermediate key setting unit 112 and a key generation unit 114, an encryption unit 116, , Transmitting section 118 and subset determining section 120.
- the initial intermediate key setting unit 112 generates an intermediate key corresponding to the first coordinate point of the directed graph I for each directed graph I corresponding to each node of the basic subtree.
- the first coordinate point is the leftmost coordinate point in the valid graph I with the first horizontal coordinate axis facing right (for example, the coordinate point of the subset [1, 1] in the valid graph 1 (1 ⁇ 7))
- the coordinate point located at the right edge for example, the coordinate points of the subset [64, 64] in the valid graph 1 (5 8—64)
- the initial intermediate key is the intermediate key t (S) at this head coordinate point.
- the pseudo-random number generator PR SG is used to sequentially derive intermediate keys at other coordinate points included in the effective graph I based on the effective graph I corresponding to the initial intermediate key. it can.
- the initial intermediate key setting unit 112 may generate a random number by the pseudo random number generator PRSG and set the random number as each intermediate key, or may set a predetermined numerical value for each intermediate key .
- the key generation unit 114 generates a set key K (Si) for encrypting the content key mek based on the directed graph I generated by the graph generation unit 110, as a subset corresponding to the coordinate points in the effective graph I. Generated for each Si. Specifically, when the intermediate key t (S0) of the subset S corresponding to a certain coordinate point in the directed graph I is input, the key generation unit 114 receives the set key k (S0 corresponding to the subset SO. ) And the intermediate keys t (Sl), t (S2), ... of the subset SI, S2, ..., Sk corresponding to the coordinate points of the end points of each directed edge starting from the coordinate point S.
- ⁇ , T (Sk) and, are output. That is, when a predetermined intermediate key t (S0) corresponding to the coordinate point indicated by the start point of the directional branch is input to the directional branch I of the directional branch I, the key generation unit 114 receives the directional branch.
- a set key k (SO) corresponding to the coordinate point indicated by the start point of, and intermediate keys t (Sl), t corresponding to the end points of all k directional branches extending from the start point of the directional branch (S2), ..., t (Sk) is output.
- the key generation unit 114 includes, for example, a pseudo-random number generator (PRSG) that powers the basic technology and a control unit that controls the PRSG.
- PRSG pseudo-random number generator
- the PRSG of the key generation unit 114 for example, the above-described PRSG that outputs (k + 1) ⁇ -bit output to ⁇ -bit input is used to generate the set key k (Si).
- This PRSG receives an intermediate key t (SO) corresponding to a certain coordinate point (subset SO), and each coordinate point (subset Sl, S2,. ..., intermediate keys t (Sl), t (S2), ... ⁇ t (Sk) corresponding to Sk)
- the encryption unit 116 encrypts the content key mek for encrypting the content using the set key k (Si).
- the content key mek is one force.
- the set key k (Si) exists as many as the number of subsets Si constituting the set system ⁇ .
- the encryption unit 116 encrypts the content key using each set key corresponding to the subset selected by the subset determination unit 120 described later, out of all the subsets constituting the set system S. That is, the signature key 116 generates an encrypted content key mek corresponding to each set key k (Si). Therefore, if the number of selected subsets is m, the encrypted content key mek is also m are created. Note that the encryption unit 116 can also encrypt the content itself.
- the encryption unit 116 may encrypt the content itself using the content key mek, or may encrypt the content itself using each set key k (Si) described above.
- the configuration in which the content itself is encrypted using the set key k (Si) is a modification of the present embodiment.
- the transmission unit 118 transmits various information to each terminal device 20 via the network 5. For example, the transmission unit 118 transmits the content encrypted with each set key k (Si) by the encryption unit 116 to all the terminal devices 20 associated with the leaf nodes of the entire tree structure BT ;! to n. Send the key mek. Note that the transmission unit 118 may transmit the content itself encrypted with each set key k (Si) to the terminal device 20 instead of the content key mek encoded above.
- the transmission unit 118 distributes the intermediate key to each terminal device 20 at the time of setup.
- the transmitting unit 118 may distribute the intermediate key t (Si) of the subset Si to which the terminal device 20 belongs to each terminal device 20 while referring to the directed graph I.
- the transmitting unit 118 may distribute the minimum necessary intermediate key so that each terminal device 20 can derive intermediate keys of all the subsets Si to which the terminal device 20 belongs. That is, the transmission unit 118 extracts the subset Si to which the terminal device 20 belongs from the subsets constituting the set system ⁇ , and among the coordinate points of the directed graph I corresponding to the extracted subset Si.
- a coordinate point is selected such that the terminal device 20 is not included in the subset corresponding to the starting point of the directional branch that reaches the coordinate point, and the intermediate key t (Sj) corresponding to the selected coordinate point is selected. May be delivered to the terminal device 20 only.
- the transmission unit 118 corresponds to the first coordinate point. Only the intermediate key t (Si) may be distributed to the distribution destination user.
- the transmission unit 118 for example, information on the set system ⁇ (for example, information on n, e, k, y, PRSG, etc.) and information on the directed graph I (for example, by the directed graph generation unit 110). It can also function as a directed graph information distribution unit that distributes a plurality of generated directed graphs I itself) to each terminal device 20.
- the transmission unit 118 is information about the PRSG key generation algorithm that outputs a predetermined intermediate key t (Si) and set key k (Si) based on the directed graph I by inputting each intermediate key t (Si). , A key generation program) may be distributed.
- the distribution of the intermediate key t (Si) by the transmission unit 118 may be performed using a communication path different from the content distribution prior to the content distribution.
- the key distribution server 10 outputs an intermediate key t (Si) for each terminal device 20 and records it on a recording medium.
- the key distribution server 10 reads the intermediate key t (Si) from the recording medium. Further, the intermediate key t (Si) for each terminal device 20 may be stored in each terminal device 20.
- the subset determining unit 120 sets the content key mek using the set key k (Si) or the set of terminal devices 20 to be excluded (R) (hereinafter referred to as “set of excluded users (R)”). )) And excluding the set of excluded users (R) from the set (N) of all terminal devices 20 assigned to the leaf nodes of the whole tree structure BT ;! to n.
- a set (N ⁇ R) (hereinafter referred to as “set of authorized users (N ⁇ R)”) of terminal devices 20 that permit decryption of the content key mek or content by k (Si) is determined.
- the subset determination unit 120 determines a set of a licensed user set determination unit that determines a set of licensed users (N ⁇ R) and a subset Si that constitutes the set of licensed users (N ⁇ R). V, which consists of a licensed user subset determination unit.
- This licensed terminal identification information includes, for example, information indicating a set of licensed users (N ⁇ R), information indicating a set of excluded users (R), and a subset (S l , S2, ..., Sm) Information indicating one or more set keys k (Sj) used to encrypt the key mek.
- the terminal device 20 can determine whether or not the terminal device 20 is excluded based on the licensed terminal identification information.
- the encryption unit 116 sets the subsets (Sl, S2,.
- the content key mek is encrypted using the set key corresponding to Sm), and the transmitting unit 118 distributes the encrypted content key mek to each terminal device 20.
- the configuration of the key distribution server 10 according to the preferred embodiment of the present invention has been described above.
- the feature of the present embodiment is mainly in the configuration of the key generation logic building block.
- the directed branch setting unit 108 between subtrees for generating the directed graph I that determines the key generation logic is hierarchized with a basic subtree.
- the inter-partitioned tree directed branch setting unit 108 according to the present embodiment does not increase the amount of calculation required when the terminal device 20 of each user generates the set key k (Si).
- Key generation logic directed graph
- the amount of memory required for each terminal device 20 to hold the intermediate key t (Si) can be reduced, and the distribution cost for distributing the intermediate key t (Si) to the terminal device 20 can be reduced. It becomes possible.
- each part of the key distribution server 10 is not limited to the power configured by installing the program that realizes the above functions in the key distribution server 10, and is not limited to this example. All may be configured by dedicated hardware.
- the program may be stored in a computer-readable storage medium such as a portable storage medium and provided to the key distribution server 10, or may be provided from an external device via a communication path such as the network 5. May be transmitted to the key distribution server 10.
- FIG. 8 is a block diagram showing a functional configuration of the terminal device 20 which is effective in the present embodiment.
- the terminal device 20 includes a receiving unit 124, a determining unit 126, a key generating unit 128, A decoding unit 130.
- the terminal device 20 is assigned to each of the leaf nodes at the end of the whole tree structure;! / N! /.
- the receiving unit 124 receives various types of information transmitted from the transmitting unit 118 included in the key distribution server 10 via the network 5. For example, the receiving unit 124 receives from the key distribution server 10 content encoded with the content key mek or each set key k (Si), content key mek encoded with each set key k (Si), Information on one or more predetermined intermediate keys t (Si), set system ⁇ or directed graph I, or the above-mentioned licensed terminal identification information (for example, information representing the set of licensed users (N ⁇ R), or license) Receives a subset of users (N ⁇ R) (information indicating S1, S2,..., Sm).
- the receiving unit 124 may collect information from a plurality of information sources as well as receiving information from only one information source.
- the receiving unit 124 includes a plurality of information sources (for example, the key distribution server 10) connected to the wired or wireless network 5, or information sources (for example, directly or indirectly connected without using the network 5).
- Information may be obtained from an information medium such as an optical disk device, a magnetic disk device, or a portable terminal device.
- the receiving unit 124 may receive information from other terminal devices 20, for example, the information of the directed graph I may be shared with other terminal devices 20 belonging to the same distribution destination group. It may be configured.
- the same distribution destination group means, for example, a group of a plurality of terminal devices 20 that are certified as viewer user groups of content distributed from the same or a plurality of key distribution servers 10, and the whole Tree structure BT leaf node; corresponds to any of! ⁇ N.
- the intermediate key may be given to the terminal device 20 in advance and held by the terminal device 20 as described above.
- the determination unit 126 determines that the terminal device 20 uses the received licensed terminal identification information and the terminal device 20 collects the authorized user ( N ⁇ R) is included in the subset S;! ⁇ Sm!
- This licensed terminal identification information is information representing a set (N ⁇ R) of licensed users or information representing subsets Sl to Sm constituting this set (N ⁇ R). More In addition, the determination unit 126 determines whether the terminal device 20 is permitted to decrypt the encrypted content based on the determination result.
- the terminal device 20 holds only the intermediate key t (Si) for generating the set key k (Si) corresponding to the subset Si to which the terminal device 20 belongs. For this reason, the key distribution server 10 uses this information representing the set of licensed users (N ⁇ R) or the information representing the partial sets S 1 to Sm constituting the set (N ⁇ R). It is necessary to determine in advance whether or not the subsets S1 to Sm constituting the set (N ⁇ R) include the subset Si to which the terminal device 20 belongs. The determination unit 126 makes this determination.
- the received information from the key distribution server 10 serving as the determination criterion is, for example, information indicating one or more set keys k (Sj) used for encrypting the content key mek. It may be.
- the licensed terminal identification information and the like are distributed, for example, from the key distribution server 10 in advance or simultaneously with the content key mek, and are received by the receiving unit 124. If it is determined that the subset S constituting the set of licensed users (N ⁇ R) does not include the subset Si to which the terminal device 20 itself belongs, the Since the process of generating the intermediate key t (Si) force and the set key k () held by! Cannot be executed! /, The decryption process of the content key mek ends.
- the key generation unit of the terminal device 20 128 generates the set key k (Si) from the intermediate key t (Si) held by itself using PRSG.
- the key generation unit 128 Based on the information of the directed graph I received from the key distribution server 10, the key generation unit 128 generates a set key for decrypting the encoded content or the content key mek. Based on the directed graph I received from the key distribution server 10, the key generation unit 128 generates a set key k (Si) for encrypting the content key mek corresponding to the coordinate point in the validity graph I. Generate for each set Si. Specifically, when the intermediate key t (S0) of the subset S corresponding to a certain coordinate point in the directed graph I is input, the key generation unit 128 receives the set key k (S0) corresponding to the subset SO.
- this key generation unit 128 has substantially the same functional configuration as the key generation unit 114 of the key distribution server 10 described above, detailed description thereof will be omitted.
- Decryption unit 130 decrypts content key mek using set key k (Si). Specifically, the decryption unit 130 extracts the subset Sii that includes itself as an element from the subset Si corresponding to the set key k (Si), and sets the set key k corresponding to the subset Sii. The content key mek is decrypted using (Sii).
- each unit of the terminal device 20 is configured by installing a program that realizes each of the functions in the terminal device 20, but is not limited to the above example. Alternatively, all may be configured with dedicated hardware.
- the above program may be stored in a computer-readable storage medium such as a portable storage medium and provided to the terminal device 20 or may be provided from the external device via a communication path such as the network 5. May be transmitted.
- the terminal device 20 performs a desired operation based on the special key generation logic (the directed graph I) generated by the directed graph generation unit 110 provided in the key distribution server 10 described above.
- Set key k (Si) can be generated.
- the terminal device 20 can reduce the number of intermediate keys t (Si) to be held in order to generate the set key k (Si) used for decrypting the content key mek and the like.
- the directional branch in the directed graph I is efficiently set by the hierarchical structure of the whole tree structure BT, the amount of calculation by the key generation unit 128 for generating the set key k (Si) is also reduced. can do.
- the directed graph having the subset Si to which each terminal device 20 belongs as an element. Extract all I.
- the terminal device 20 is included in the subset Si corresponding to the head coordinate point (root) of the directed graph I, only the intermediate key t (Si) corresponding to the head coordinate point is given to the terminal device 20. If the terminal device 20 belongs to any subset Si corresponding to a coordinate point other than the first coordinate point of the directed graph I, the terminal device 20 includes the force S included in the subset SO and the subset SO.
- a subset SO that is not included in the parent subset pare nt (SO) is found, and the intermediate key S0 of this subset S0 is given to the terminal device 20. If there are multiple such subsets S0, each intermediate key t (S0) is given.
- the parent-child relationship of the subset Si is determined by the directional branch, and the start point coordinate point of the directional branch is the parent of the end point coordinate point, and the end point coordinate point of the directional branch is the child of the start point coordinate point.
- the starting coordinate point parent (S0) of the directional branch that reaches a certain coordinate point S0 is referred to as a parent coordinate point.
- a coordinate point S0 is the start point of the valid graph I, there is no parent coordinate point, and if it is not the start point of the valid graph I, there is only one parent coordinate point.
- Example 1 Consider an intermediate key t (Si) distributed to terminal device 20 of user 1.
- the directed graph I having the subset Si to which the user 1 belongs as an element is searched, it is found that the directed graph 1 (1 ⁇ 7) and the directed graph I (a ⁇ h).
- the terminal device 20 of the user 1 belongs to the subset [1, 1] that is the first coordinate point of the directed graph 1 (1 ⁇ 7). Therefore, the user 1 is given the intermediate key t ([l, 1]).
- the terminal device 20 of the user 1 displays a graph from the force-directed graph I (1 ⁇ 7) belonging to the subset [a, a] of the directed graph I (a ⁇ h) to the directed graph I (a ⁇ h). Since the inter-directional branch is set! /, The terminal device 20 of the user 1 is directed if the intermediate key t ([l, 1]) is held.
- the intermediate key t ([a, a]) can be derived based on the graph I (l ⁇ 7) and the above directed directional branch. Therefore, it is not necessary to give the intermediate key t ([a, a]) to the terminal device 20 of the user 1. Therefore, the intermediate key to be held by the terminal device 20 of the user 1 may be one of the intermediate keys t ([l, 1]).
- the inter-graph directional branch is set from the directed graph 1 (1 ⁇ 7) to the directed graph I (a ⁇ h), so the terminal devices 20 of the users 1 to 7
- the intermediate key t ([a, a]) can be derived, and from this intermediate key t ([a, a]), the intermediate key t ( [a, *]) can be derived (where * is one of b to h). Therefore, it is not necessary to give an intermediate key related to the directed graph I (a ⁇ h) to the terminal devices 20 of the users;
- the directed graph I having the subset Si to which the terminal device 20 of the user 12 belongs is searched, the directed graph I (a ⁇ h), I (b ⁇ h), I (b ⁇ d), I (b ⁇ b), 1 (9 ⁇ 15), 1 (10-16), 1 (10-12) are applicable. Therefore, if we examine directed graph 1 (10-16), terminal device 20 of user 12 does not belong to the subset [16, 16] of the first coordinate point, and the subset after the fifth coordinate point [ It can be seen that it belongs to [16, 12], [16, 11], [16, 10]. Of these coordinate points, [16, 12], [16, 11] are the only coordinate points that do not include the user 12 as a parent coordinate point.
- FIG. 12 is a flowchart showing a processing flow related to intermediate key distribution in the key distribution server 10 at the time of system setup according to the present embodiment.
- the key distribution server 10 of the key distribution system 100 sets various parameters and the like. For example, the number of leaf nodes (number of users) n for assigning each terminal device 20 to n, the number of bits of the set key and intermediate key, the parameter y indicating the number of hierarchies of the whole tree structure BT, a predetermined number
- the parameter k, the pseudorandom number generation algorithm by PRSG, and the like are determined and disclosed to the terminal devices 20 of all users (S202).
- the parameter y indicating the number of hierarchies of the entire tree structure BT is also determined and disclosed.
- the key distribution server 10 divides the set of the terminal devices 20 assigned to the leaf nodes into a predetermined subset Si, and a set system ⁇ (the above formula (2
- the key distribution server 10 generates the plurality of directed graphs I described above, determines a configuration T composed of a set of these directed graphs I, and publishes the configuration T of the plurality of directed graphs I. (S206). Furthermore, the key distribution server 10 determines an intermediate key corresponding to each subset constituting the set system ⁇ (S208). Thereafter, the key distribution server 10 uses the determined intermediate key and the PRSG of the key generation unit 114 to derive intermediate keys corresponding to other coordinate points, and sends each terminal to the terminal device 20 of each user. Necessary intermediate keys are distributed so that set keys corresponding to all subsets including the device 20 can be derived (S210). Then, the terminal device 20 receives information such as the intermediate key from the key distribution server 10 and stores it safely in the secure storage unit 208 or the like.
- the content key distribution method according to the present embodiment is substantially the same as the content distribution method according to the basic technology described above, and will be described with reference to FIG. 6 again.
- the decryption process flow of the encrypted content key in the terminal device 20 of each user who works on this embodiment will be described.
- the content key decryption method that is effective in the present embodiment is substantially the same as the content key decryption method that is effective in the basic technology described above, and will be described with reference to FIG. 7 again.
- each user terminal device 20 represents m number of content keys mek and a set of licensed users (N ⁇ R) from the key distribution server 10.
- the terminal device 20 searches the subset Si to which it belongs based on the licensed terminal identification information (S 122), and belongs to one of the m subset Si.
- the terminal device 20 uses the PRSG of the key generation unit 128 and the intermediate key given from the key distribution server 10 in advance and the directed dalla. Based on the key I, a set key k (Si) corresponding to the subset Si is derived (S 126). The configuration of P RSG is as already described. If the intermediate key t (Si) corresponding to the subset Si is given in advance by the key distribution server at the time of setup! /, The terminal device 20 is set by using PRSG once. It is possible to derive the key k (Si).
- the terminal device 20 can derive the desired set key k (Si) by repeatedly using PR SG. Next, the terminal device 20 can decrypt the encrypted content key mek using the set key k (Si) derived in this way, and can decrypt the encrypted content (S 128).
- the terminal device is excluded from the terminal device 20 that can use the content.
- the entire tree structure BT is hierarchized into a basic subtree, and the directional branch of the directed graph I is preferably configured. Since the directed edge between graphs is also set, the terminal device 20 can reduce the amount of calculation using the PRSG for obtaining the intermediate key and the set key, as compared with the basic technology described above.
- the directed system I is improved by changing the set system ⁇ , which also has the partial collective power of the terminal device 20, as shown in the above equation (2), as compared with the basic technology. This is because a large whole tree structure BT to which all terminal devices 20 are allocated is divided into small basic subtrees and hierarchized into y hierarchies.
- the directional branch of the directed graph I is set between the subsets that span the basic subtrees.
- the key derivation method using the pseudo random number generator PRSG is applied.
- the number of intermediate keys that the terminal device 20 should hold has a positive correlation with k'log (n), and the amount of computation of the terminal device 20 for deriving the key is k'n ( 1 / k ) And a positive correlation.
- a large whole tree structure BT is divided into small basic subtrees with n ( 1 / y ) leaf nodes, and the set system ⁇ and directed graph I are set by reducing the number n of leaf nodes in the tree structure. Therefore, it is possible to reduce the number of keys to be held by the terminal device 20 and the amount of calculation required for key derivation.
- the key distribution method of this embodiment when comparing the key distribution method of the present embodiment with the key distribution method of the basic technology, the number of intermediate keys is the same for the terminal devices 20 of users 1 and 64. Although there is no difference between one and two, in the terminal devices 20 of all other users 2 to 63, the key distribution method of this embodiment has a smaller number of keys than the key distribution method of the basic technology. ing . Further, the total number of keys to be held by all the terminal devices 20 is 00 in the key distribution method of the present embodiment, while the key distribution method in the basic technology is 705. In addition, the average number of keys per terminal device 20 is 6.25 for the key distribution method of this embodiment, while the key distribution method for the basic technology is about 11.02. . Thus, the key distribution method of this embodiment can reduce the number of keys to about 56.7% compared to the key distribution method of the basic technology, and the number of keys that each terminal device 20 should hold. The memory burden on the terminal device 20 can be reduced.
- the calculation amount of the terminal device 20 necessary for decrypting the content key mek and the like in the terminal device 20 is examined.
- the worst value of the amount of computation is that in the directed graph, the farthest distance from the first coordinate point (root) of the directed graph! It is represented by the number (that is, the number of jumps when a directional branch is set).
- the key distribution method of the basic technology in the example shown in Fig. 4 in order to reach the end coordinate point [1, 64] from the start coordinate point [1, 1] of the directed graph H (l ⁇ 64), 11 You have to go through the counter branch (perform one jump), indicating that you have to execute PRSG 11 times.
- the key distribution method of the present embodiment shown in FIG. 11 in the directed graphs 1 (1 ⁇ 7) and I (a ⁇ h), the start coordinate point [1, 1] to the end coordinate The force farthest to point [1, h], the number of directional branches required (the number of jumps) is 10 times, which is less than 11 of the key distribution method of the basic technology.
- the key distribution method according to the present embodiment it is possible to reduce the calculation amount of each terminal device 20 for key calculation at the time of decryption or the like as compared with the key distribution method of the basic technology.
- the number of keys to be held in the terminal device 20 and the encryption key are used even when the number of terminal devices 20 (recipients) is large. It can be said that both the amount of calculation of the terminal device required for decoding can be reduced.
- FIG. 14 is a block diagram showing a configuration of a broadcast encryption system (broadcast encryption system) using a broadcast satellite.
- the broadcast encryption system 300 transmits the encrypted data (so-called ciphertext) to the receiver 310 via the broadcast channel.
- the broadcast channel in the broadcast encryption system 300 is, for example, a satellite broadcast distribution channel.
- the data transmitted as the cipher text is, for example, content including a code key, audio data, video data, text data, or the like.
- satellite A broadcast trusted center 304 in the broadcasting station 302 transmits data to the broadcasting satellite 306.
- the broadcast management center 304 for example, selects an encryption key, and controls data encryption and data distribution.
- the broadcasting satellite 306 broadcasts data.
- the receiver 310 installed in the residence 308 includes, for example, a satellite broadcast receiver and receives broadcast data. A plurality of other receivers 310 can also receive the broadcast data.
- the management center 304 can transmit data to each receiver 310 in the receiver group consisting of the receivers 310. As will be described later, the management center 304 encrypts the broadcast data so that only the authorized receiver 310 can decrypt the broadcast data.
- FIG. 14 shows a broadcasting system using broadcasting satellite 306, other broadcasting channels such as cable television and computer network can be used.
- the configuration of the broadcast encryption system 300 which is an application example of the ⁇ key distribution system 100, has been described above. If the relationship with the encryption key distribution system 100 is simply arranged, the management center 304 corresponds to the key distribution server 10 (information processing apparatus of the present invention), and the receiver 310 is the terminal apparatus 20 (terminal of the present invention). Device).
- the broadcasting satellite 306 mediates the network connecting them.
- FIG. 15 is a block diagram showing a configuration of a broadcast encryption system 400 using a data medium.
- a broadcast channel is a distribution of data storage media.
- the management center 404 in the media manufacturer 402 stores, for example, a read-only storage medium (for example, CD-ROM, DVD-ROM, etc.) or a rewritable storage medium (for example, CD-RW, DVD-RW, etc.). Data is stored in each of the media 406 (article of data media).
- the management center 404 For read-only storage media, the management center 404 records the encrypted content key and the encrypted content, and only the authenticated user decrypts the data, and the encrypted content (e.g., Audio, video, or text). On the other hand, for the rewritable storage medium, the management center 404 records the encrypted content key, and stores data corresponding only to the authenticated recording device. Can be recorded.
- the media manufacturer 402 sends the storage media 406 to a distribution outlet 408, such as a retail store.
- Distribution intermediary 408 provides storage medium 410 to receiver 412 in residence 412. For example, the distribution intermediary 408 sells the storage medium 410 to an individual, who takes the storage medium 410 back to the residence 412 and inserts the storage medium 410 into the receiver 414.
- the receiver 414 may be a device that reads and reproduces data recorded in the storage medium 410, such as a CD player, a DVD player, or a computer.
- the receiver 414 may be a disk device that can record data on the storage medium 410 and read data from the storage medium 410, such as a DVD-RW drive. Good.
- the management center 404 encrypts the data so that only the authenticated receiver 414 can decrypt the encrypted data.
- the configuration of the broadcast encryption system 400 which is an application example of the ⁇ key distribution system 100, has been described above. If the relationship with the encryption key distribution system 100 is simply organized, the management center 404 corresponds to the key distribution server 10 (information processing apparatus of the present invention), and the receiver 414 is the terminal apparatus 20 (terminal of the present invention). Device). In place of the network connecting them, storage media 406 and 410 distributed by a distribution intermediary 408 are interposed.
- the tree structure setting unit 102 described above is assumed to have a tree structure in which branches extend from top to bottom, but is not necessarily limited to this, and is not necessarily limited to this, from bottom to top, from left to right, or from right to left.
- it may have a tree structure with branches extending in any direction.
- the definition of the subset associated with each intermediate node must be changed to conform. However, this change only rotates and arranges the tree structure set by the tree structure setting unit 102, and the meaning in any case is completely the same.
- the directional branch setting unit 106 and the sub-tree directional branch setting unit 108 described above are either left to right or right to right.
- the directed graphs ⁇ and I are constructed with the coordinate axis set to the left, it is possible to reverse the direction of this coordinate axis and change it to any direction other than the horizontal direction.
- various parameters are defined based on the vertical direction or the horizontal direction for the sake of convenience.
- the directed graph is rotated or inverted to change the top / bottom / left / right relationship, it is understood that it belongs to the same technical scope.
- the parameter y representing the number of hierarchies can be set to any natural number, and may be hierarchized into three or more hierarchies.
- the whole tree structure BT is divided into one basic subtree of the highest hierarchy, four basic subtrees of the intermediate hierarchy, and 16 basic subtrees of the lowest hierarchy, and the basic part of the highest hierarchy.
- the tree structure can be configured such that the root node of each intermediate hierarchy is matched with the root node of each intermediate hierarchy, and the root node of each basic hierarchy tree of each lowest hierarchy is matched with the leaf node of each intermediate hierarchy.
- the directed branch setting method set across the directed graphs I of different basic subtrees by the directed subtree setting unit 108 is not limited to the example in FIG.
- the design can be changed.
- it is necessary to set a directional branch between the subsets so that the subset of the directed graph I in the lower-level basic subtree is included in the subset of the directed graph I in the upper-level basic subtree.
- it is preferable from the viewpoint of reduction it is not limited to force and examples, and it is also possible to set a directional branch regardless of the inclusion relation.
- This encryption key distribution method which is effective in this embodiment, can realize a reduction in the amount of calculation required by the terminal device 20 by generating a directed graph having a longer directional branch.
- the functional configuration of the key distribution server 10 and the terminal device 20 that realize the encryption key distribution method that is the main feature of this embodiment, and the features and operational effects of this encryption key distribution method will be described in detail. To do.
- FIG. 16 is a block diagram showing the configuration of the key distribution server 10 and the terminal device 20 according to the present embodiment.
- the key distribution server 10 includes a tree structure setting unit 154, a coordinate axis setting unit 156, a directed graph generation unit 160, an initial intermediate key setting unit 162, a key generation unit 164, an encryption And a transmitting section 168 and a subset determining section 170.
- the tree structure setting unit 154, the coordinate axis setting unit 156, and the directed graph generation unit 160 are collectively referred to as a key generation logic building block.
- the initial intermediate key setting unit 162 and the key generation unit 164 are collectively referred to as a key generation block.
- This key generation logic building block executes the processing corresponding to (Tree structure setting) and (Directed graph generation) in [Description of fundamental technology] above.
- the tree structure setting unit 154 includes n leaf nodes with numbers l to n (n is a natural number), a root node, and a plurality of intermediate nodes other than the root node and the leaf node.
- n is a natural number
- the leaf node number located at the left end is lv
- the leaf located at the right end Set the node number to rv.
- the tree structure setting unit 154 assigns a set (1 ⁇ n) and a set (2-n) to the root node, and when an intermediate node V is located on the left side of its parent node, A set (lv + 1-rv) is assigned to the intermediate node, and if the intermediate node V is located on the right side of the parent node, a set (lv ⁇ rv-1) is assigned to the intermediate node.
- the coordinate axis setting unit 156 is arranged such that the coordinate point force S associated with each subset included in the set (l ⁇ n) is arranged so that the inclusion relation increases from left to right on the horizontal coordinate axis. Sets the first horizontal coordinate axis corresponding to the node. Next, the coordinate axis setting unit 156 is arranged so that the coordinate points associated with the respective subsets included in the set (2-n) increase on the horizontal coordinate axis from right to left. Set the second horizontal coordinate axis corresponding to the root node.
- the coordinate axis setting unit 156 has, for each intermediate node, the coordinate point associated with each subset included in the set (lv ⁇ rv ⁇ l) has an inclusion relationship from the left to the right on the horizontal coordinate axis.
- the coordinate axis setting unit 156 is arranged such that the coordinate points associated with each subset included in the set (lv + 1 ⁇ rv) increase in the inclusive relation from the right to the left on the horizontal coordinate axis.
- the fourth horizontal coordinate axis corresponding to a certain intermediate node V is set.
- the coordinate axis setting unit 156 has two sets for the right side of the coordinate point located at the right end on the third horizontal coordinate axis and the left side of the coordinate point located at the left end on the second and fourth horizontal coordinate axes. Place a temporary coordinate point, set the coordinate point located at the right end on the first horizontal coordinate axis as the first temporary coordinate point, and place the second temporary coordinate point to the right of the first temporary coordinate point .
- the coordinate axis setting unit 156 sets coordinate axes for constructing a directed graph corresponding to each node of the tree structure set by the tree structure setting unit 154.
- the first horizontal coordinate axis is the coordinate axis corresponding to the set (l ⁇ n)
- the second horizontal coordinate axis is the coordinate axis corresponding to the set (2—n)
- the third horizontal coordinate axis is the set (lv ⁇ rv—
- the coordinate axis corresponding to 1) and the fourth horizontal coordinate axis indicate the coordinate axes corresponding to the set (lv + 1-rv).
- the third horizontal coordinate axis and the fourth horizontal coordinate axis are set for each intermediate node V, a plurality of coordinate axes are respectively set. That is, the third horizontal coordinate axis and the fourth horizontal coordinate axis are set by the number of intermediate nodes.
- the directed graph generation unit 160 sets a predetermined integer k, and calculates an integer x that satisfies n ( x — 1) / k ⁇ (rv ⁇ lv + 1) ⁇ n x / k .
- one or more directional branches having a length of n i / k are connected and connected to the leftmost coordinate point on the first and third horizontal coordinate axes. Forming a directional path, and connecting one or more directional branches facing the left direction having a length of n i / k to obtain a rightmost coordinate point on the second and fourth horizontal coordinate axes.
- a directed path is formed as a starting point.
- the directed graph generation unit 160 excludes all directional branches having the temporary coordinate points as the start point or the end point for each of the first to fourth horizontal coordinate axes. Then, the directed graph generation unit 160 excludes a directional branch other than the longest directional branch from the directional branches that reach each coordinate point on the first to fourth horizontal coordinate axes, thereby obtaining a set (l ⁇ n— Generate directed graphs for 1), set (2-n), set (lv + 1-rv), set (lv ⁇ rv-1).
- the directed graph generation unit 160 for the directed graph related to the set (l ⁇ n ⁇ 1), has a length 1 directed edge with the first temporary coordinate point on the first horizontal coordinate axis as an end point. Is added to generate a directed graph for the set (l ⁇ n).
- the directed graph generation unit 160 generates a directed graph by a method similar to the basic scheme.
- the directed graph generation unit 160 can generate a directed graph composed of longer directional branches as compared to the directed graph of the base method. This reduces the amount of computation required for each user to derive the set key, as will be described later. Therefore, a processing flow relating to processing executed by the directed graph generation unit 160 will be described in detail with reference to FIG.
- FIG. 17 is a flowchart showing a processing flow related to directed graph generation by the directed graph generation unit 160.
- the directed graph generation unit 160 generates a directed graph through the following steps.
- a method for generating the directed graph I (lv ⁇ rv ⁇ 1) corresponding to the set (lv ⁇ rv ⁇ 1) will be described as an example.
- the directed graph generation unit 160 increases the inclusion relation of each partial set included in the set (lv ⁇ rv ⁇ l) from left to right on a horizontal straight line (horizontal coordinate axis). Place them side by side. More precisely, the directed graph generation unit 160 assigns a subset of each element of the set (lv ⁇ rv— 1) to each coordinate point on the horizontal coordinate axis, and the inclusion relation of the assigned subset is right. Coordinate points are arranged so as to increase in the direction. The directed duff generator 160 then adds two temporary coordinates to the right of the rightmost coordinate point on the horizontal coordinate axis. Place a point.
- the directed graph generation unit 160 calculates an integer x (1 ⁇ X ⁇ k) that satisfies n (x - 1) / k ⁇ Lv ⁇ nx / k .
- the directed graph generation unit 160 sets the integer value i as a counter, and repeats the following operation while changing the counter i from 0 to ⁇ -1.
- Set a directed directional branch pointing to the right starting from the start point at the left end of the horizontal coordinate axis and extending away from that coordinate point by n i / k (to a coordinate point separated by n i / k (Jump), the force at which the end of the directional branch reaches the temporary coordinate point at the right end or one left of the horizontal coordinate axis, or the end of the directed branch that is set next is Repeat until it exceeds.
- Step 3; S144 The directed graph generation unit 160 removes all the directional branches that reach the temporary coordinate point from the directional branches created in (Step 2).
- Step 4; S146 When there are a plurality of directional branches reaching a certain coordinate point, the directed graph generation unit 160 removes all the directional branches other than the longest directional branch.
- the directed graph generation unit 160 can generate a directed graph formed by longer directional branches as compared to the base method. Note that the directed graph generation unit 160 generates each directed graph for all intermediate nodes and root nodes constituting the tree structure by the same method as the above directed dialog I (lv ⁇ rv ⁇ 1). For example, the directed graph generation unit 160 generates a directed graph I (lv + 1—rv) corresponding to a certain intermediate node V, and further, directed graphs I (l ⁇ n) and 1 (2—n) corresponding to the root node. Is generated.
- each of the coordinate points of the directed drafts I (lv + 1—rv) and 1 (2—n) is arranged so that the inclusion relationship of the subsets contained in each of them increases in the “left direction”. Formed on the horizontal coordinate axis.
- the coordinate point placement rule on the horizontal coordinate axis set in (Step 1) above is reversed.
- the two temporary coordinate points for forming the directed graphs I (lv + 1—rv) and 1 (2—n) are arranged on the left side of the coordinate point located at the leftmost position on the horizontal coordinate axis.
- the directed graph 1 (1 ⁇ n) is generated by adding the directed edge E ([l, n ⁇ 1], [1, n]) to the directed graph I (l ⁇ n ⁇ 1).
- the directed graph I has a longer directional branch.
- the power that is included is s component power. Comparing the longest directional path ⁇ ([ ⁇ , 1], [1, 64]), the directed graph te is composed of 11 directional branches, while the directed graph I is limited to 6 It consists of directional branches. Therefore, it was confirmed that the amount of calculation required for generating the set key was reduced by the directed graph generation unit 160.
- a directed graph to which the user u belongs must be extracted.
- all intermediate nodes that include the leaf node u corresponding to the user u are extracted from the lower-level leaf nodes, and the directed graph corresponding to these intermediate nodes is extracted.
- Select an effective graph corresponding to the root node is also selected.
- the maximum number of intermediate keys that the user should hold is determined by the maximum number of directional branches starting from one coordinate point.
- the number of effective branches starting from one coordinate point is counted and the maximum number of coordinate points is extracted, the number of effective branches starting from that coordinate point is This corresponds to the maximum number of intermediate keys that the user should hold.
- the user does not need to keep at least as many intermediate keys as the directed graph exceeds the maximum number of keys.
- the number of directional branches starting from each coordinate point does not exceed the parameter k, based on the directed graph generation logic.
- the number of intermediate keys held by each user does not exceed k * (log (n) +1) even when the number is the largest.
- the number of users n is sufficiently large, so the upper limit of the number of keys is evaluated by O (k * log (n)).
- this evaluation value is overestimated.
- the upper limit of the number of keys is given by the following equation (3).
- the evaluation formula for the number of keys is the following formula (3), and there is no change in the number of intermediate keys that the user should hold.
- the evaluation of the amount of calculation required for each user to generate a set key depends on the length of the effective path constituting the directed graph. That is, as the number of directional branches constituting each directional path is smaller, the amount of calculation for each user can be reduced.
- the longest directed path is the directed path V ([l, 1], [1, n]) of the directed graph H (l ⁇ n).
- This directed path includes (2 * k ⁇ 1) * (n 1 / k ⁇ l) directional branches.
- the longest effective path is the directed path V ([l, 1], [1, n]) of the directed graph I (l ⁇ n), and this directed path.
- this embodiment can reduce the amount of calculation required by the user's terminal device by about half compared to the basic method.
- the key distribution server 10 includes the initial intermediate key setting unit 162, the key generation unit 164, the encryption unit 166, and the transmission unit in addition to the key generation logic building block described above. 168 and a subset determining unit 170. [0285] (Initial intermediate key setting part 162)
- the initial intermediate key setting unit 162 generates an intermediate key corresponding to the first coordinate point of the directed graph I for each directed graph I corresponding to each intermediate node of the tree structure.
- the initial intermediate key setting unit 162 may generate a random number using a pseudo-random number generator, and set a random number for each intermediate key corresponding to the top coordinate point (root). May be set for each intermediate key.
- the key generation unit 164 When a predetermined intermediate key assigned to the coordinate point indicated by the start point of the directional branch is input for a directional branch constituting the directed graph I, the key generation unit 164 indicates the coordinates indicated by the start point of the directional branch. A set key corresponding to the point and an intermediate key corresponding to the end points of all directional branches extending from the start point of the directional branch are output. In other words, the key generation unit 164 corresponds to the basic PRSG. However, the key generation unit 164 is different from the basic PRSG in that the intermediate key is output based on the directed graph I generated by the directed graph generation unit 160.
- the key generator 164 is expressed as the same PRSG, when an intermediate key t (SO) corresponding to a coordinate point SO in the directed graph I is input, the coordinate point (corresponding to the subset SO) is set as the start point.
- the intermediate keys t (Sl), t (S2),..., T (Sm) and the set key k (S0) corresponding to the end point of the directed edge are output.
- m represents the number of directional branches starting from a certain coordinate point SO.
- the encryption unit 166 encrypts the content key using the set key. There is one content key, but there are as many set keys as there are subsets of the set system ⁇ . Therefore, the encryption unit 166 encrypts the content key using each corresponding set key for all the subsets constituting the set system ⁇ . That is, the encryption key 116 generates an encrypted content key corresponding to each set key. Therefore, if the number of subsets that make up the set system ⁇ is m, m encrypted content keys are also created. Note that the encryption unit 166 may encrypt the content itself. For example, the encryption unit 166 may encrypt the content itself using the content key V, and may encrypt the content itself using the above set keys. However, the configuration in which the content itself is encrypted using the set key is a modification of the present embodiment. [0288] (Transmitter 168)
- the transmission unit 168 distributes the content key encrypted by the encryption unit 116 to all users corresponding to the leaf nodes. Further, the transmission unit 168 may distribute the intermediate key to each user while referring to the directed graph I. At this time, the transmission unit 168 may distribute the minimum necessary intermediate key so that each user can derive all the intermediate keys corresponding to the subset to which the user belongs. That is, the transmission unit 168 extracts the subset to which the intermediate key distribution destination user belongs from the subsets that constitute the set system ⁇ (see the above equation (1)), and corresponds to the extracted subsets.
- the transmission unit 168 may function as a directed graph information distribution unit that distributes information of the directed graph I to each user. In other words, the transmission unit 168 distributes information (for example, a key generation program) on a PRSG key generation algorithm that outputs a predetermined intermediate key and set key based on the directed graph I by inputting each intermediate key. Also good.
- the subset determination unit 170 determines a set (R) of exclusion users whose contents or content keys should not be decrypted, and selects a predetermined portion selected from the subsets corresponding to the coordinate points of the directed graph I.
- the set of licensed users (N ⁇ R) excluding the set of excluded users (R) from the set of users (N)
- the set of licensed users (N ⁇ R) is formed by the union of sets
- the set of subsets that make up the set of authorized users (N ⁇ R) is determined so that the number of subsets is minimized.
- the subset determination unit 170 includes a licensed user set determination unit that determines a set of licensed users (N ⁇ R) and a licensed user that determines a set of subsets that constitute the licensed user set (N ⁇ R). And a subset determining unit.
- the transmitting unit 168 determines whether the licensed user set (N ⁇ R) or the licensed user set Information indicating a subset (Sl, S2,..., Sm) constituting (N ⁇ R) is distributed to each user.
- the encryption unit 166 encrypts the content or the content key using the set key corresponding to the subset (S1, S2,..., Sm) determined by the subset determination unit 170, and transmits it.
- the unit 168 distributes the decrypted content or content key to each user.
- the configuration of the key distribution server 10 according to the preferred embodiment of the present invention has been described above.
- the feature of the present embodiment is mainly in the configuration of the key generation logic building block.
- the configuration of the directed graph generation unit 160 for generating the directed graph for determining the key generation logic is characteristic.
- the directed graph generation unit 160 according to the present embodiment can reduce the amount of calculation required for the terminal device to generate a set key without increasing the number of keys to be held by each user terminal device.
- the power S is generated to generate the key generation logic (directed graph).
- FIG. 16 is a block diagram showing the configuration of the terminal device 20.
- terminal device 20 includes a receiving unit 174, a determining unit 176, a key generating unit 178, and a decrypting unit 180.
- the terminal device 20 corresponds to the above user.
- the receiving unit 174 receives information transmitted from the transmitting unit 168 included in the key distribution server 10.
- the receiving unit 174 receives content distributed from the key distribution server 10, an encrypted content key, a predetermined intermediate key, information on the directed graph I, information on the licensed user, or the like.
- the receiving unit 174 may collect information from a plurality of information sources as well as receiving information from a single information source.
- the receiving unit 174 may include a plurality of information sources (for example, the key distribution server 10) connected to a wired or wireless network, or an information source (for example, directly or indirectly connected via a network).
- optical disk Information may be acquired from an information medium such as a device, a magnetic disk device, or a portable terminal device.
- the receiving unit 174 may receive information from other terminal devices 20, for example, the information of the directed graph I may be shared with other terminal devices 20 belonging to the same distribution destination group. It may be configured.
- the same distribution destination group means a group authorized as a viewer user of content distributed from the same or a plurality of key distribution servers 10, and a set of users corresponding to the leaf nodes of the tree structure described above. Corresponds to.
- the determination unit 176 determines whether or not itself is included as an element in any of the subsets corresponding to the set key. Since the terminal device 20 does not hold the intermediate key force for generating the set key corresponding to the subset to which the terminal device 20 belongs, the set used by the key distribution server 10 to encrypt the content or the content key From the key information, it is necessary to determine in advance whether or not the subset to which the set belongs belongs in the subset corresponding to the set key. The determination unit 176 performs this determination.
- the set key information is distributed from the key distribution server 10 at the same time as the content key or at a different timing, and is received by the receiving unit 174.
- the terminal device 20 If it is determined that the set key used for encryption contains a set key corresponding to the subset to which it belongs, the intermediate key held by itself The content key decryption process is terminated without executing the process for generating the set key from. Conversely, when a set key corresponding to the subset to which the terminal device 20 belongs is found, the terminal device 20 generates the set key from the intermediate key held by itself using the PRSG.
- the key generation unit 178 When a predetermined intermediate key assigned to the coordinate point indicated by the starting point of the directional branch is input for a directional branch constituting the directed graph I, the key generation unit 178 receives the coordinates indicated by the starting point of the directional branch. A set key corresponding to the point and an intermediate key corresponding to the end points of all directional branches extending from the start point of the directional branch are output. That is, the key generation unit 178 corresponds to the key generation unit 164 included in the key distribution server 10.
- the key generation unit 178 is expressed as PRSG, when an intermediate key t (S0) corresponding to a coordinate point SO in the directed graph I is input, the coordinate point The intermediate keys t (Sl), t (S2),..., T (Sm) and the set key k (SO) corresponding to the end point of the directional branch starting from SO are output.
- m represents the number of directional branches starting from a certain coordinate point SO.
- the information of the directed graph I may be acquired from the key distribution server 10 or may be stored in a storage unit (not shown) included in the terminal device 20.
- the decryption unit 180 decrypts the content key using the set key. Specifically, the decryption unit 180 extracts a subset including itself as an element from the subset corresponding to the set key, and uses the set key corresponding to the subset to obtain the content or the content key. Reissue.
- the terminal device 20 can generate a desired set key based on the special key generation logic (the directed graph I) generated by the directed graph generation unit 160 included in the key distribution server 10 described above. As a result, the terminal device 20 can reduce the amount of calculation necessary for generating the set key used for decrypting the content key.
- the special key generation logic the directed graph I
- the tree structure setting unit 154 assumed a tree structure in which branches spread from top to bottom, but is not necessarily limited thereto, and is not necessarily limited to this, from bottom to top, from left to right, or from right to left. It may have a tree structure with branches extending toward.
- the definition of the subset associated with each intermediate node must be changed to conform.
- this change only rotates and arranges the tree structure set by the tree structure setting unit 154, and the meaning in either case is completely the same.
- the directed graph generation unit 160 described above constructed the directed graphs ⁇ and I by setting the coordinate axes from left to right or from right to left, but it is also possible to change the left and right to be reversed.
- the information processing apparatus includes, for example, an arbitrary directed graph or an acquisition unit that acquires information related to the directed graph, and can generate a set key based on the acquired directed graph.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Storage Device Security (AREA)
Description
Claims
Priority Applications (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN200780042754.1A CN101542966B (zh) | 2006-11-16 | 2007-10-03 | 信息处理装置 |
US12/515,235 US8300814B2 (en) | 2006-11-16 | 2007-10-03 | Information processing unit, terminal unit, information processing method, key generation method and program |
EP07829127A EP2086161A1 (en) | 2006-11-16 | 2007-10-03 | Information processing device |
Applications Claiming Priority (4)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2006310208A JP2008131076A (ja) | 2006-11-16 | 2006-11-16 | 情報処理装置、端末装置、情報処理方法、鍵生成方法、及びプログラム |
JP2006310213A JP2008131078A (ja) | 2006-11-16 | 2006-11-16 | 情報処理装置、端末装置、情報処理方法、及び鍵生成方法 |
JP2006-310213 | 2006-11-16 | ||
JP2006-310208 | 2006-11-16 |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2008059673A1 true WO2008059673A1 (fr) | 2008-05-22 |
Family
ID=39401485
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/JP2007/069388 WO2008059673A1 (fr) | 2006-11-16 | 2007-10-03 | Dispositif de traitement d'informations |
Country Status (4)
Country | Link |
---|---|
US (1) | US8300814B2 (ja) |
EP (1) | EP2086161A1 (ja) |
KR (1) | KR20090090308A (ja) |
WO (1) | WO2008059673A1 (ja) |
Families Citing this family (10)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9008303B1 (en) * | 2011-12-22 | 2015-04-14 | Emc Corporation | Method and apparatus for generating forward secure pseudorandom numbers |
US8595262B1 (en) * | 2012-03-29 | 2013-11-26 | Amazon Technologies, Inc. | Resource resolution in computing environments using directed graphs |
KR20140028342A (ko) * | 2012-08-28 | 2014-03-10 | 삼성전자주식회사 | 브로드캐스트 암호화를 위한 키 관리 방법 및 브로드캐스트 암호화를 이용한 메시지 전송 방법 |
WO2015097834A1 (ja) | 2013-12-26 | 2015-07-02 | 株式会社東芝 | 通信制御装置、通信制御方法およびプログラム |
JP6290443B2 (ja) | 2014-10-31 | 2018-03-07 | 株式会社東芝 | 通信制御装置、通信制御方法およびプログラム |
US10423804B2 (en) * | 2016-06-12 | 2019-09-24 | Apple Inc. | Cryptographic separation of users |
US10841078B2 (en) * | 2018-07-26 | 2020-11-17 | International Business Machines Corporation | Encryption key block generation with barrier descriptors |
CN111090651B (zh) * | 2019-12-18 | 2024-03-29 | 深圳前海微众银行股份有限公司 | 数据源的处理方法、装置、设备及可读存储介质 |
CN113179332B (zh) * | 2021-06-28 | 2021-09-17 | 脉策(上海)智能科技有限公司 | 用于获取配置信息的方法、电子设备和存储介质 |
CN114741388B (zh) * | 2022-03-29 | 2024-02-23 | 中山大学 | 一种集成电路版图数据索引的新型构建方法 |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
JP2006020292A (ja) * | 2004-06-03 | 2006-01-19 | Canon Inc | 情報処理方法、情報処理装置 |
-
2007
- 2007-10-03 KR KR1020097009872A patent/KR20090090308A/ko not_active Application Discontinuation
- 2007-10-03 EP EP07829127A patent/EP2086161A1/en not_active Withdrawn
- 2007-10-03 WO PCT/JP2007/069388 patent/WO2008059673A1/ja active Application Filing
- 2007-10-03 US US12/515,235 patent/US8300814B2/en not_active Expired - Fee Related
Non-Patent Citations (4)
Title |
---|
ASANO T. AND KUSAKAWA M.: "Subset Incremental Chain ni Motozuku Keisanryo no Chiisana Broadcast Encryption Hoshiki", 2007 NEN ANGO TO JOHO SECURITY SYMPOSIUM YOKOSHU CD-ROM, 23 January 2007 (2007-01-23), pages 1 - 6, XP003022549 * |
ATTRAPADUNG N. AND IMAI H.: "Subset Incremental Chain Based Broadcast Encryption with Shorter Ciphertext", PROCEEDINGS OF SYMPOSIUM ON INFORMATION THEORY AND ITS APPLICATIONS, 28TH, vol. 1, 20 November 2005 (2005-11-20), pages 57 - 60, XP003022548 * |
NUTTAPONG ATTRAPADUNG; HIDEKI IMAI: "The 28th Symposium on Information Theory and Its Applications", 2005, SITA, article "Subset Incremental Chain Based Broadcast Encryption with Shorter Ciphertext" |
YONG HO HWANG AND PIL JOONG LEE: "Efficient Broadcast Encryption Scheme with Log-Key Storage", CITESEER.IST, vol. 4107, 1 January 2006 (2006-01-01), pages 281 - 295, XP019045543, Retrieved from the Internet <URL:http://www.citeseer.ist.psu.edu/cache/papers/cs2/432> * |
Also Published As
Publication number | Publication date |
---|---|
US8300814B2 (en) | 2012-10-30 |
EP2086161A1 (en) | 2009-08-05 |
KR20090090308A (ko) | 2009-08-25 |
US20100077201A1 (en) | 2010-03-25 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
WO2008059673A1 (fr) | Dispositif de traitement d'informations | |
US7308583B2 (en) | Data distribution system | |
CN101663856B (zh) | 密钥提供系统、密钥提供装置、终端设备、密钥提供方法和密钥生成方法 | |
US8600052B2 (en) | Key generation device, encryption device, reception device, key generation method, key processing method, and program | |
US20060059179A1 (en) | Information processing method, decrypting method, information processing apparatus, and computer program | |
WO2005099167A1 (ja) | 情報処理方法、復号処理方法、および情報処理装置、並びにコンピュータ・プログラム | |
JP4162237B2 (ja) | 複数の復号化装置に対し選択的にメッセージを配信する暗号化通信システム、暗号化装置、復号化装置、暗号化方法、復号化方法、暗号化プログラム、及び復号化プログラム | |
WO2008059672A1 (fr) | Dispositif de traitement d'informations | |
JP2008131076A (ja) | 情報処理装置、端末装置、情報処理方法、鍵生成方法、及びプログラム | |
JP4938763B2 (ja) | ブロードキャスト暗号化システムにおけるタグの形成方法 | |
US8229121B2 (en) | Method of tracing device keys for broadcast encryption | |
CN101536401B (zh) | 信息处理设备 | |
US20090177888A1 (en) | Information processing device, key setting method, and program | |
US8150040B2 (en) | Key providing system, terminal device, and information processing method | |
JP2007189597A (ja) | 暗号化装置および暗号化方法、並びに復号化装置および復号化方法 | |
JP2008131079A (ja) | 情報処理装置、端末装置、情報処理方法、及び鍵生成方法 | |
JP4635459B2 (ja) | 情報処理方法、復号処理方法、および情報処理装置、並びにコンピュータ・プログラム | |
JP2008131078A (ja) | 情報処理装置、端末装置、情報処理方法、及び鍵生成方法 | |
KR100879083B1 (ko) | 2 부분 차집합을 이용한 동보 메세지 암호화 방법 | |
JP2008113203A (ja) | 鍵生成装置、暗号化装置、受信装置、鍵生成方法、暗号化方法、鍵処理方法、およびプログラム | |
JP2005252916A (ja) | 情報処理方法、復号処理方法、および情報処理装置、並びにコンピュータ・プログラム |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
WWE | Wipo information: entry into national phase |
Ref document number: 200780042754.1 Country of ref document: CN |
|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 07829127 Country of ref document: EP Kind code of ref document: A1 |
|
WWE | Wipo information: entry into national phase |
Ref document number: 1020097009872 Country of ref document: KR |
|
WWE | Wipo information: entry into national phase |
Ref document number: 12515235 Country of ref document: US |
|
NENP | Non-entry into the national phase |
Ref country code: DE |
|
WWE | Wipo information: entry into national phase |
Ref document number: 2007829127 Country of ref document: EP |