WO2009130795A1 - Information processing equipment and program - Google Patents


Publication number
WO2009130795A1
Authority
WO
WIPO (PCT)
Prior art keywords
information
order information
communication devices
group
secret information
Prior art date
Application number
PCT/JP2008/058153
Other languages
French (fr)
Japanese (ja)
Inventor
隆 伊藤
健 米田
宏郷 辻
和美 齋藤
英憲 太田
規 松田
充洋 服部
Original Assignee
三菱電機株式会社
Priority date
Filing date
Publication date
Application filed by 三菱電機株式会社
Priority to PCT/JP2008/058153
Priority to JP2010509022A (patent JP5279824B2)
Publication of WO2009130795A1

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/04: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428: Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L12/00: Data switching networks
    • H04L12/02: Details
    • H04L12/16: Arrangements for providing special services to substations
    • H04L12/18: Arrangements for providing special services to substations for broadcast or conference, e.g. multicast
    • H04L12/185: Arrangements for providing special services to substations for broadcast or conference, e.g. multicast with management of multicast group membership
    • H04L63/06: Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/065: Network architectures or network communication protocols for network security for supporting key management in a packet data network for group communications

Definitions

  • The present invention relates to a technique in which, for example, a server device (hereinafter also referred to as a server) uses encryption technology to multicast information only to a plurality of valid terminal devices (hereinafter also referred to as terminals).
  • The secure multicast system broadcasts (multicasts) information from the server only to a plurality of valid terminals using encryption technology, and collusion among the revoked terminals (group) is assumed.
  • A valid terminal is a terminal that is permitted to decrypt the encrypted message transmitted from the server.
  • A revoked terminal (or group of terminals) is a terminal that is prohibited from decrypting the encrypted message transmitted from the server.
  • various techniques have been proposed to minimize the operation overhead for the terminal to derive the key, the number of device keys held by the terminal, the communication overhead of the multicast, and the key.
  • The server arranges each terminal at a leaf (bottom layer) of a tree structure, secret information is allocated to each node, including the leaves, and each terminal holds the secret information corresponding to each node on the path from its own node to the root node.
  • CS method: Complete Subtree method
  • SD method: Subset Difference method
  • When the server performs multicasting, the set of valid terminals is expressed, in an appropriate manner, as the sum S1 + S2 + ... + Sj of subsets of terminals.
  • A transmission message (or a session key K for encrypting the transmission message; herein, the transmission message and the session key K are collectively referred to as a transmission message) is then encrypted. That is, the server extracts keys that the revoked terminals do not hold (cannot derive) but that the valid terminals hold (can derive), encrypts the message using each of the extracted keys, and broadcasts the encrypted messages. By performing encryption in this way, secure multicast can be realized in which only valid terminals can acquire the information.
  • Patent Document 1 discloses a method of reducing communication overhead by a server holding a plurality of tree structures used in the CS method and the SD method.
  • With n terminals of which r have been revoked, the communication overhead for performing secure multicast to the remainder is O(r log(n/r)) with the CS method and O(r) with the SD method.
  • O is Landau's notation.
  • log is the base-2 logarithm, and the same applies in the following.
  • Because the communication overhead increases roughly in proportion to r, there is a problem that the communication band is squeezed, particularly when narrow-band communication is performed.
  • the transmission message is encrypted using each of the extracted keys for the valid terminal, and all encrypted messages are multicast-transmitted. For this reason, the number of encrypted messages multicast from the server will match the number of extracted keys. Therefore, in order to reduce communication overhead, it is necessary to minimize the number of extracted keys.
  • Although Patent Document 1 discloses a method of reducing communication overhead by having the server hold a plurality of tree structures, the plurality of trees there are configured based on the characteristics of the devices and the users, and the document does not disclose in simple terms the relationship between the construction method and its effect.
  • The main object of the present invention is to solve the above-mentioned problems and to reduce the communication overhead by suppressing the number of pieces of secret information used in secure multicast.
  • An information processing apparatus that is connected to a plurality of communication apparatuses and that multicasts, to two or more communication apparatuses selected from the plurality of communication apparatuses, an encrypted message in which a transmission message is encrypted using secret information, the apparatus including:
  • an order information generation unit that performs a plurality of types of ordering on the plurality of communication devices, groups together two or more communication devices ordered close to one another in each ordering, and generates a plurality of pieces of order information indicating the contents of each ordering and grouping;
  • a secret information assignment unit that, for each piece of order information, assigns, in units of communication devices, device-specific secret information used for decryption of encrypted messages in each communication device, and assigns, in units of groups, group-specific secret information that can be used in common for decryption by the two or more same-group communication devices classified in the same group; and
  • a combination deriving unit that, when two or more communication devices to be transmission destinations of multicast transmission are selected as the transmission destination communication devices from among the plurality of communication devices, compares the same-group communication devices with the transmission destination communication devices for each group indicated in each piece of order information.
  • The combination deriving unit derives a combination of secret information that allows all the destination communication devices to decrypt the encrypted message and that has the least number of pieces of secret information.
  • The combination deriving unit compares, for each group indicated in each piece of order information, the same-group communication devices with the transmission destination communication devices. When all the same-group communication devices of a group are selected as transmission destination communication devices, it extracts the group-specific secret information assigned to that group; when one or more same-group communication devices are not selected as transmission destination communication devices, it extracts the device-specific secret information assigned to each of the same-group communication devices. In this way it extracts, for each piece of order information, the secret information necessary for encryption so that all transmission destination communication devices can decrypt the encrypted message, and counts the number of pieces of secret information extracted. It then determines, from the plurality of pieces of order information, the order information with the smallest number of pieces of secret information, and uses the secret information extracted for the determined order information as the secret information for encrypting the transmission message.
  • The order information generation unit groups, in a plurality of layers, two or more communication devices ordered in proximity to one another, and generates order information in which groups of communication devices are indicated in the plurality of layers.
  • The combination deriving unit compares, for each piece of order information, the same-group communication devices with the transmission destination communication devices in order from the groups of the upper layer. When all the same-group communication devices of a group are selected as transmission destination communication devices, it extracts the group-specific secret information assigned to that group; when one or more same-group communication devices are not selected as transmission destination communication devices, it compares the same-group communication devices of the lower-layer groups with the transmission destination communication devices.
  • In this way, the secret information necessary for encryption is extracted, for each piece of order information, so that all destination communication devices can decrypt the encrypted message.
  • The combination deriving unit compares, for each group indicated in each piece of order information, the same-group communication devices with the transmission destination communication devices; when all the same-group communication devices of a group are selected as transmission destination communication devices, it extracts the group-specific secret information assigned to that group; and, by combining the group-specific secret information extracted for the plurality of pieces of order information, it derives the combination of secret information necessary for encryption such that all the destination communication devices can decrypt the encrypted message, the combination having the smallest number of pieces of secret information.
  • The order information generation unit groups, in a plurality of layers, two or more communication devices ordered in proximity to one another, and generates order information in which groups of communication devices are indicated in the plurality of layers.
  • The combination deriving unit compares, for each piece of order information, the same-group communication devices with the transmission destination communication devices in order from the groups of the upper layer. When all the same-group communication devices of a group are selected as transmission destination communication devices, it extracts the group-specific secret information assigned to that group; when one or more same-group communication devices are not selected as transmission destination communication devices, it compares the same-group communication devices of the lower-layer groups with the transmission destination communication devices.
  • When the number of communication apparatuses connected to the information processing apparatus is 2^m (m ≥ 2), the order information generation unit generates m pieces of order information indicating m kinds of ordering and grouping.
  • When the number of communication devices connected to the information processing device is less than 2^m (m ≥ 2), the order information generation unit adds virtual communication devices to make up the missing number and generates m pieces of order information indicating m kinds of ordering and grouping.
  • The order information generation unit treats m pieces of order information, indicating m (m ≥ 2) kinds of ordering and grouping, as one set, and generates t (t ≥ 2) sets of order information.
  • The information processing apparatus may further include an order information selection unit that, for each set of order information, calculates the expected value of the number of pieces of secret information necessary for encrypting the transmission message using the m pieces of order information included in the set, and selects a specific set from among the t sets based on the calculated expected values.
  • When the transmission destination communication apparatuses are selected, the combination deriving unit derives a combination of secret information used for encryption of the transmission message using the m pieces of order information included in the set selected by the order information selection unit.
  • The order information selection unit selects, from among the t sets, the set with the smallest expected value.
  • The order information selection unit derives a plurality of combination patterns of communication devices by combining a predetermined number of transmission destination communication devices from the plurality of communication devices; for each set of order information, it extracts, for each combination pattern, the order information that requires the least number of pieces of secret information to encrypt the transmission message from among the m pieces of order information included in the set; and it calculates an expected value for each set based on the number of pieces of secret information in the order information extracted for each combination pattern.
  • Alternatively, the order information selection unit derives a plurality of combination patterns of communication devices by combining a predetermined number of transmission destination communication devices from the plurality of communication devices; for each set of order information, it compares the same-group communication devices of each group indicated in the m pieces of order information included in the set with the communication devices included in each combination pattern, and extracts, for each combination pattern, the combination of groups that minimizes the number of pieces of secret information required to encrypt the transmission message; and it calculates an expected value for each set based on the number of pieces of secret information in the combination of groups extracted for each combination pattern.
  • The order information generation unit generates, at each of m (m ≥ 2) stages, t pieces of order information indicating t (t ≥ 2) kinds of ordering and grouping.
  • The information processing apparatus may further include an order information selection unit that, in each of the m stages, calculates for each piece of order information an expected value of the number of pieces of secret information necessary to encrypt the transmission message, and selects specific order information from among the t pieces of order information based on the calculated expected values.
  • When the transmission destination communication apparatuses are selected, the combination deriving unit derives a combination of secret information used for encryption of the transmission message using the m pieces of order information selected in each of the m stages by the order information selection unit.
  • In each of the m stages, the order information selection unit selects the order information with the smallest expected value from among the t pieces of order information.
  • After the order information selection unit has selected specific order information from the t pieces of order information, the order information generation unit generates, as the next t pieces of order information, t pieces of order information indicating ordering and grouping different from the selected order information.
  • a program according to the present invention is connected to a plurality of communication devices, and multicasts an encrypted message in which a transmission message is encrypted using secret information to two or more communication devices selected from the plurality of communication devices.
  • order information generation processing that performs a plurality of types of ordering on the plurality of communication devices, groups together two or more communication devices ordered close to one another in each ordering, and generates a plurality of pieces of order information indicating the contents of each ordering and grouping;
  • secret information assignment processing that, for each piece of order information, assigns, in units of communication devices, device-specific secret information used for decryption of encrypted messages in each communication device, and assigns group-specific secret information that can be used in common for decryption by the two or more same-group communication devices classified in the same group
  • a plurality of types of ordering are performed on the communication apparatus to generate a plurality of types of order information, and the secret information used to encrypt the transmission message based on the allocation status of the secret information in the plurality of types of order information. It is possible to derive the combination of the secret information which is the combination of the secret information that all the destination communication devices can decrypt the encrypted message in order to derive the combination of Communication overhead at the time of transmission of
  • Embodiment 1: In this embodiment and the following embodiments, a secure multicast system will be described in which communication overhead is reduced by devising the method of configuring a plurality of structures.
  • FIG. 1 shows an example of the system configuration of a secure multicast system according to the present embodiment.
  • a server device 201 hereinafter, also simply referred to as a server
  • a plurality of terminal devices 301 hereinafter, also simply referred to as a terminal
  • Information is broadcast (multicast) from the server device 201 only to a plurality of valid terminal devices 301 using encryption technology, and no information is leaked to the revoked terminal (group) even if the revoked terminals collude.
  • the server apparatus 201 is an example of an information processing apparatus
  • the terminal apparatus 301 is an example of a communication apparatus.
  • FIG. 2 is a block diagram showing a configuration example of the server device 201.
  • an algorithm storage area 211 is data storage means for storing an algorithm such as key assignment in secure multicast and message transmission to a valid terminal.
  • an algorithm for managing terminals in a tree structure is used.
  • an algorithm such as the CS method or the SD method is stored.
  • The stirring unit 212 is a means for rearranging all terminals and outputting the order. The structure information generation unit 219 gives a structure between the terminals according to the ordering of the terminals by the stirring unit 212, and generates plural types of structure information (order information) representing the ordering of the terminals with a predetermined structure. In the present embodiment, structure information of a tree structure is generated. More specifically, the stirring unit 212 performs a plurality of types of ordering on the plurality of terminal devices 301, and the structure information generation unit 219 groups, in a plurality of layers, two or more terminal devices 301 ordered in proximity in each ordering, and generates a plurality of pieces of structure information indicating the contents of each ordering and of the grouping in the plurality of layers.
  • The stirring unit 212 performs m types of ordering, and the structure information generation unit 219 generates m pieces of structure information indicating the m types of ordering and grouping.
  • The stirring unit 212 and the structure information generation unit 219 are examples of the order information generation unit.
  • The key assignment unit 213 is a means that takes as input structure information indicating the ordered terminals and, according to the algorithm stored in the algorithm storage area 211, assigns secret information to each node of the structure indicated by the structure information. More specifically, for each piece of structure information generated by the structure information generation unit 219, the key assignment unit 213 assigns, in units of terminal devices, the terminal-specific secret information (device-specific secret information) used to decrypt the encrypted message in each terminal device, and assigns, in units of groups, group-specific secret information that can be used in common for decrypting encrypted messages by the two or more same-group terminal apparatuses (same-group communication apparatuses) classified into the same group.
  • the key assignment unit 213 is an example of a secret information assignment unit.
  • FIG. 4 is an example of structure information of a tree structure in which secret information is assigned to each terminal and group.
  • two pieces of structural information of tree structure 1 and tree structure 2 are shown. Both the tree structure 1 and the tree structure 2 target eight terminals of the terminal 0 to the terminal 7, and these eight terminals are arranged in the nodes of leaf parts of the tree structure (hereinafter, also referred to as leaf nodes) .
  • the arrangement order of the terminals is different.
  • two nodes adjacent to each other in each hierarchy are grouped and finally reach the root node.
  • Since the structure information generation unit 219 generates m pieces of structure information for 2^m terminals, three pieces of structure information are generated for eight terminals.
  • FIG. Two structural information is shown for reasons of
  • k0_1, ka_1, k0_2, ka_2 and so on shown in FIG. 4 are secret information assigned to each terminal or each group.
  • the secret information is, for example, a key or information that is the source of key derivation.
  • The secret information for each terminal assigned to a leaf node is terminal-specific secret information (device-specific secret information), and kd_1, ke_1, kf_1, kg_1, kb_1, kc_1, and ka_1 are group-specific secret information assigned to each group of terminals.
  • each terminal can use the terminal-specific secret information assigned to the leaf node and the group-specific secret information assigned to the upper node connected to the leaf node.
  • the terminal 0 can use the secret information k0_1, kd_1, kb_1, ka_1.
  • The structure information generation unit 219 arranges each terminal on a leaf node of the tree structure and groups the nodes two at a time according to the plurality of types of terminal ordering by the stirring unit 212, and generates structure information in a state where the secret information shown in FIG. (k0_1 etc.) is not yet assigned to each node.
  • the structure information generation unit 219 generates a plurality of pieces of structure information, but the arrangement order of the terminals in the leaf node is different for each piece of structure information in accordance with the ordering of the plurality of types of terminals by the stirring unit 212 .
  • the key assignment unit 213 assigns secret information to each node of each piece of structure information generated by the structure information generation unit 219, and brings it into the state shown in FIG.
  • the secret information assigned to each node is mutually different.
  • the secret information storage area 214 is data storage means for storing a plurality of pieces of structure information to which secret information is assigned. In the present embodiment, as described above, all the terminals are managed in a tree structure.
  • the secret information storage area 214 stores the structure information illustrated in FIG.
  • The set derivation unit 215 is a means that takes as input the structure given to the terminals and the set of valid terminals and, according to the algorithm stored in the algorithm storage area 211, derives each subset Si so that the set of valid terminals is represented as the sum S1 + S2 + ... + Sj of subsets of terminals.
  • the set determination unit 216 is a unit that determines a combination of subsets used for secure multicast transmission according to the output of the set derivation unit 215 for the plurality of pieces of structure information stored in the secret information storage area 214.
  • When two or more terminal devices 301 to be transmission destinations of secure multicast transmission are selected as transmission destination terminal devices (transmission destination communication devices) from among the plurality of terminal devices 301, the combination of secret information with which all destination terminal devices can decrypt the encrypted message, and which has the least number of pieces of secret information, is derived and determined by comparing the same-group terminal devices with the destination terminal devices.
  • the set derivation unit 215 and the set determination unit 216 are examples of a combination derivation unit.
  • the communication unit 217 is a unit that communicates with the terminal device 301.
  • The encryption unit 218 is a means for performing key generation and encryption for common-key and public-key cryptography, random number generation, and the like.
  • FIG. 3 is a block diagram showing a configuration example of the terminal device 301 that receives the multicast from the server device 201 in the secure multicast system (FIG. 1).
  • an algorithm storage area 311 is data storage means for storing an algorithm such as key derivation / decryption in secure multicast.
  • an algorithm for managing terminals in a tree structure is used.
  • an algorithm such as the CS method or the SD method is stored.
  • the secret information storage area 312 is a data storage unit that stores a plurality of pieces of secret information (encryption key or information serving as an origin of derivation of the encryption key) associated with a certain structure managed by the server device 201.
  • all the terminals store secret information associated with the tree structure.
  • FIG. 5 shows an example of data stored in the secret information storage area 312. More specifically, FIG. 5 shows an example of data held by the terminal 0 shown in FIG. That is, FIG. 4 shows that terminal 0 can use secret information k0_1, kd_1, kb_1 and ka_1 in the structure information of tree structure 1, and correspondingly FIG. 5 shows that terminal 0 holds k0_1, kd_1, kb_1 and ka_1.
  • Likewise, terminal 0 can use the secret information k0_2, kd_2, kb_2 and ka_2 in tree structure 2, and correspondingly terminal 0 is shown to hold k0_2, kd_2, kb_2 and ka_2.
  • The key derivation unit 313 is a means for deriving, from the secret information stored in the secret information storage area 312, the encryption key required to decrypt the encrypted message received from the server device 201, according to the algorithm stored in the algorithm storage area 311.
  • the communication unit 314 is a unit that communicates with the server device 201.
  • The encryption unit 315 is a unit that performs decryption for common-key and public-key cryptography, random number generation, and the like.
  • FIG. 6 is a flowchart for explaining distribution processing of secret information from the server to each terminal in the present embodiment.
  • The number of terminals n is a value represented by a power of 2, and each terminal is given a terminal ID from 0 to n-1.
  • an algorithm of secure multicast is shared in advance between the server apparatus 201 and each terminal apparatus 301 (step S601).
  • the algorithm storage area 211 and the algorithm storage area 311 store corresponding algorithms.
  • The stirring unit 212 of the server device 201 receives the number n of terminals and outputs a permutation in which the terminal IDs from 0 to n-1 are rearranged (step S602). Details of this process will be described later.
  • The structure information generation unit 219 gives a tree structure between the terminals according to the algorithm stored in the algorithm storage area 211 to generate structure information, and the key assignment unit 213 and the encryption unit 218 assign secret information to each node of the tree structure according to the algorithm stored in the algorithm storage area 211 and store the structure information to which the secret information is assigned in the secret information storage area 214 (step S603).
  • The secret information required for each terminal is then stored (step S604).
  • the details of steps S603 and S604 depend on the algorithm (such as the CS method or the SD method) stored in the algorithm storage area 211.
  • the above processing is performed, and when the structure information of m tree structures is configured and stored, the processing is ended. If not, the process returns to step S602 to repeat the process (step S605).
  • step S602 is executed m times, but the stirring unit 212 outputs a different permutation each time it is executed, so that m different tree structures are stored in the secret information storage area 214.
  • FIG. 7 is a flowchart for explaining the terminal ID rearranging process (step S602) of stirring unit 212 in the present embodiment. The operation in the terminal ID rearranging process will be described with reference to the flowchart of FIG.
  • Each terminal ID is cyclically shifted by 1 bit to the right with respect to the previous output: from the previous output (0, 1, 2, 3, 4, 5, 6, 7), the permutation (0, 4, 1, 5, 2, 6, 3, 7) is output.
  • a plurality of different tree structures as shown in FIG. 4 are stored in the secret information storage area 214 after the key assignment algorithm application (step S603).
  • FIG. 8 is a flow chart for explaining encryption communication processing from the server to each terminal using secret information shared in advance in the present embodiment. The operation in the encryption communication process will be described with reference to the flowchart of FIG.
  • the server apparatus 201 and each terminal apparatus 301 share an algorithm of secure multicast in advance.
  • the algorithm storage area 211 and the algorithm storage area 311 store corresponding algorithms.
  • m tree structures are stored in the secret information storage area 214 of the server device 201, and secret information corresponding to the m tree structure is stored in the secret information storage area 312 of the terminal device 301.
  • the secret information may be stored in the secret information storage area 312 of the terminal device 301 by encrypting it and transmitting it from the server device 201 to the terminal device 301, or it may be stored in a storage medium such as a memory card and supplied to the terminal device 301 offline.
  • a set of revoked terminals is given as an input to the server device 201 (steps S801 and S802).
  • the set derivation unit 215 reads out the structure information of the first tree structure from the secret information storage area 214 and, according to this tree structure and the algorithm stored in the algorithm storage area 211, expresses the set of valid terminals as a sum S1 + S2 + ... + Sj of subsets of terminals (steps S803, S804, and S805).
  • the details of step S805 depend on the algorithm (such as the CS method or the SD method) stored in the algorithm storage area 211. This process is performed on all m tree structures (step S806).
  • the set determination unit 216 determines the one of the m tree structures for which the communication overhead is minimized, that is, the one for which the number of elements j in the representation as a sum of subsets is minimized (step S807). Then, in accordance with the determined tree structure and the algorithm stored in the algorithm storage area 211, the encryption unit 218 encrypts the message (step S808), and the communication unit 217 multicasts the determined tree structure and the encrypted message to the terminal devices 301 (step S809). The details of step S808 depend on the algorithm (such as the CS method or the SD method) stored in the algorithm storage area 211.
  • the received message is decrypted with the encryption key derived from the secret information stored in the storage area 312 (step S811).
  • the details of step S811 depend on the algorithm (such as the CS method or the SD method) stored in the algorithm storage area 311.
  • even if a terminal device 301 that has been revoked receives a multicast message, it cannot obtain the information because it cannot derive the encryption key necessary for decryption. By performing the above processing, secure multicast can be realized.
  • FIG. 11 shows structure information of the tree structure 1 and the tree structure 2 shown in FIG.
  • terminal 0, terminal 1, terminal 3, and terminal 7 are valid terminals, and terminal 2, terminal 4, terminal 5, and terminal 6 are revoked terminals.
  • for each piece of structure information, the same-group terminal devices are compared with the transmission destination terminal devices in order from the group of the upper hierarchy, and when all the same-group terminal devices are selected as transmission destination terminal devices,
  • the group-specific secret information allocated to that group is extracted; when one or more of the same-group terminal devices are not selected as transmission destination terminal devices (when the same-group terminal devices include a revoked terminal),
  • the same-group terminal devices of the lower-level group are compared with the transmission destination terminal devices.
  • for the group of the lowest layer, the device-specific secret information (leaf node secret information) assigned to each of the same-group terminal devices is extracted, and in this way the secret information required for encryption such that all transmission destination terminal devices can decrypt the encrypted message is extracted for each piece of structure information.
  • because terminal 2, which is a revoked terminal, is included in kb_1, kb_1 cannot be selected.
  • kc_1 cannot be selected because it includes terminal 4, terminal 5, and terminal 6, which are revoked terminals.
  • because the same secret information can be used for terminal 0 and terminal 1, kd_1, which is group-specific secret information, can be selected.
  • because terminal 2 is a revoked terminal, ke_1 cannot be selected.
  • the terminal-specific secret information k3_1 is selected.
  • kf_1 and kg_1 can not be selected because terminal 4, terminal 5, and terminal 6 are revoked terminals. Therefore, the terminal-specific secret information k7_1 is selected.
  • a combination of kd_1, k3_1, and k7_1 is derived.
  • a combination of k0_2, k1_2, and kg_2 is derived.
  • either tree structure 1 or tree structure 2 may be selected. If the number of pieces of secret information is smaller for one of tree structure 1 and tree structure 2, the one with the smaller number is selected.
  • when the number of pieces of secret information is the same across the plurality of pieces of structure information, as in the example of FIG. 11, the structure information to use is selected based on a preset priority (order of tree structure IDs, LRU (Least Recently Used), etc.).
  • when the terminal ID rearranging process (step S602) described above is performed, in the first tree the terminals whose terminal ID has a most significant bit of 0 form the left half and those whose most significant bit is 1 form the right half. Similarly, in the i-th tree, the terminals whose i-th bit from the top of the terminal ID is 0 form the left half, and those whose i-th bit is 1 form the right half.
  • in step S602 the permutation of the terminals is given deterministically, so there is no need for each terminal to store its own tree structure.
  • the determination of the key to be stored in each terminal and the message transmission to each terminal are performed by the same server device, but these may be performed by different devices.
  • the number of terminals n is a value represented by a power of 2, but even if this is not the case, the present method can be applied by adding virtual terminals until a power of 2 is reached. That is, when the number of terminal devices 301 connected to the server device 201 is less than 2^m (m ≥ 2), the stirring unit 212 supplements virtual terminals for the missing number and performs m types of ordering.
  • the structure information generation unit 219 generates m pieces of order information indicating ordering and grouping of m types.
  • although a fixed permutation in which the terminal IDs are arranged in order from 0 to n-1 is output in step S702, a permutation rearranged in a deterministic or probabilistic manner may be output here instead. That is, the arrangement of terminal IDs in step S702 does not necessarily have to arrange the terminal IDs in order from 0 to n-1, and any arrangement can be used.
  • the optimum one is selected from the m tree structures in step S807, and the sum S1 + S2 + ... + Sj of the subsets is determined based on this. It is also possible to determine each subset Si, and in this case, the number of elements j may be further reduced as compared with the case where only one is selected. In this case, for each subset, additional information is required to indicate which tree structure it belongs to.
  • kd_1 of tree structure 1 and kg_2 of tree structure 2 can be combined, so that two pieces of secret information are used.
  • tree structure 1 alone requires three pieces of secret information
  • tree structure 2 alone also requires three pieces of secret information, but combining tree structure 1 and tree structure 2 reduces this to two pieces of secret information.
  • the kd_1 of the tree structure 1 can be commonly used in the terminal 0 and the terminal 1
  • kg_2 of the tree structure 2 can be used in the terminal 3 and the terminal 7.
  • the terminals are managed based on tree structure information, but the method is effective whatever kind of structure is used to manage the terminals, as long as the secure multicast algorithm is one whose communication overhead changes when the permutation of the terminals is changed.
  • structure information of a line structure may be used in place of a tree structure.
  • as a key management algorithm in that case, for example, consecutive terminals on the line may hold one key in common.
  • any structure such as a circle, a lattice, or a graph can be used.
  • the ordering of the terminal devices is changed to generate a plurality of types of structure information, and the combination with the smallest number of pieces of secret information can be derived based on the allocation status of the secret information in the plurality of types of structure information, thereby suppressing communication overhead at the time of secure multicast transmission.
  • the server transmitting information holds a plurality of representing the relationship between the terminals in a certain structure in order to manage the plurality of terminals receiving information, and multicasting
  • a method to reduce communication overhead that occurs in multicasting by using the optimal structure among them has been described.
  • a method has been described in which the relationship between terminals is represented by a tree structure.
  • the method of systematically determining a plurality of tree structures based on the ID of each terminal has been described.
  • FIG. 9 is a block diagram showing a configuration example of the server apparatus 201 according to the present embodiment.
  • the algorithm storage area 211 to the structure information generation unit 219 in FIG. 9 are the same as those in FIG.
  • the structure determination unit 220 is a unit that generates a plurality of sets of plural pieces of structure information that manages the terminal, and determines a combination that minimizes the expected value of the communication overhead from among them.
  • the efficiency calculating unit 221 is a unit that receives a plurality of structures for managing terminals and the number r of revoked terminals, and calculates an expected value of communication overhead of secure multicast when r terminals are revoked.
  • the structure determination unit 220 and the efficiency calculation unit 221 are examples of the order information selection unit.
  • the structure information generation unit 219 generates m pieces of structure information indicating ordering and grouping of m (m ≥ 2) types as one set, and generates structure information for t (t ≥ 2) sets.
  • the efficiency calculating unit 221 calculates, for each set of structure information, an expected value of the number of pieces of secret information required when encrypting a transmission message using the m pieces of structure information included in the set. Further, based on the expected value calculated by the efficiency calculating unit 221, the structure determining unit 220 selects a set having the smallest expected value from the t sets.
  • when the terminal devices that are the destinations of secure multicast transmission are selected, the set derivation unit 215 and the set determination unit 216 use the m pieces of structure information included in the set selected by the structure determination unit 220 and, by the same procedure as in the first embodiment, derive a combination of secret information used for encrypting the transmission message.
  • the efficiency calculating unit 221 derives a plurality of combination patterns of terminal devices by combining the connection terminals with a predetermined number of transmission destination terminals (the number of terminals to be a target of secure multicast) in the calculation of the expected value.
  • the efficiency calculation unit 221 assigns terminal 0 to terminal 7 to five terminals, which is the number of transmission destination terminals (or to three terminals, which is the number of revoked terminals), and derives a plurality of combination patterns.
  • for each combination pattern, the efficiency calculation unit 221 extracts, from among the m pieces of structure information included in the set, the structure information that minimizes the number of pieces of secret information required to encrypt the transmission message, and calculates an expected value for each set based on the number of pieces of secret information in the structure information extracted for each combination pattern.
  • FIG. 10 is a flow chart for explaining distribution processing of secret information from the server to each terminal in the present embodiment. The operation in the distribution process will be described with reference to the flowchart of FIG. The number m of structure information held and managed by the server and the number of trials t of structure determination are determined in advance.
  • an algorithm of secure multicast is shared in advance between the server device 901 and each terminal device 301 (step S1001).
  • the algorithm storage area 211 and the algorithm storage area 311 store corresponding algorithms.
  • the stirring unit 212 receives the number n of terminals and outputs m permutations in which terminal IDs from 0 to n-1 are randomly rearranged (step S1002).
  • the structure information generation unit 219 gives a tree structure between the terminals according to the algorithm stored in the algorithm storage area 211 to generate m pieces of structure information (step S1003).
  • the efficiency calculating unit 221 calculates an expected value of communication overhead with respect to a predetermined number r of revoked terminals set in advance (step S1004). Specifically, for all the revocation patterns for a specific number r of revoked terminals, the communication overhead when the optimal one of the m structures is used is obtained, and the expected value is calculated by averaging these.
  • for a number r of revoked terminals of three, the efficiency calculating unit 221 assigns terminal 0 to terminal 7 and derives all revocation patterns obtained from combinations of terminal 0 to terminal 7, in the form revocation pattern 1: (terminal 0, terminal 1, and terminal 2 are revoked), revocation pattern 2: (terminal 0, terminal 1, and terminal 3 are revoked), and so on.
  • a plurality of “specific revoked terminal numbers” may be set.
  • the transmission pattern may be generated by combining the terminal 0 to the terminal 7 with respect to the number of transmission destination terminals.
  • for each revocation pattern, the efficiency calculating unit 221 extracts from the m pieces of structure information the structure information that minimizes the number of pieces of secret information required to encrypt the transmission message when performing secure multicast to the terminals other than the revoked terminals included in the revocation pattern.
  • for example, the efficiency calculating unit 221 extracts structure information for each revocation pattern in the form: structure information 3, which has the smallest number of pieces of secret information for revocation pattern 1; structure information 2, which has the smallest number for revocation pattern 2; structure information 1, which has the smallest number for revocation pattern 3.
  • the efficiency calculating unit 221 obtains an average value of the number of pieces of secret information in the extracted structure information, and sets the obtained average value as an expected value for the m pieces of structure information.
  • the structure determination unit 220 determines the set with the smallest expected value of the communication overhead, that is, the m pieces of structure information having the smallest expected value of the communication overhead (step S1006). Then, the key assignment unit 213 assigns secret information to each node for the selected m pieces of structure information, stores the m pieces of structure information to which the secret information is assigned in the secret information storage area 214, and the corresponding secret information is stored in the secret information storage area 312 of the terminal (step S1007).
  • the encryption communication process from the server device 201 to each terminal 301 is the same as that described with reference to FIG.
  • m pieces of structure information (m1-1, m1-2, m1-3, etc.) are generated in S1002 and S1003, and in S1004 an expected value (expected value e1, etc.) for the m pieces of structure information is calculated; this is tried t times (S1005), so that t sets of m pieces of structure information are generated and an expected value (expected values e1 to e5) is obtained for each set.
  • each structure information (m1-1, m1-2, m1-3, etc.) is, for example, structure information of a tree structure as shown in FIG. 4 (however, in the stage up to S1004, as shown in FIG.
  • the structure determination unit 220 selects a set (m pieces of structure information) with the smallest expected value (S1006), and the key allocation unit 213 allocates secret information to the m pieces of structure information of the selected set. (S1007).
  • m structures are generated at one time, and the structure is determined so that the communication overhead expectation value when all m are used is minimized.
  • one structure is generated. Also, it is possible to select one with the smallest expected value for each additional structure.
  • the structure information generation unit 219 generates five pieces of structure information (t1-1, t1-2, t1-3, t1-4, t1-5) as candidates for the first (m1) of the m pieces of structure information, and the efficiency calculation unit 221 applies each of the revocation patterns to each of the five pieces of structure information and calculates the expected value (e1 to e5) of the communication overhead for each piece of structure information.
  • the generation procedure of the structure information and the calculation procedure of the expected value are the same as those described in the flow of FIG. Then, the structure determination unit 220 selects the structure information with the smallest expected value. In FIG. 14, t1-3 is selected. Next, the structure information generation unit 219 generates five pieces of structure information (t2-1, t2-2, t2-3, t2-4, t2-5) as candidates for the second (m2) of the m pieces of structure information, and the efficiency calculation unit 221 applies each of the revocation patterns to each combination of the structure information selected so far (t1-3) with one of the five pieces of structure information generated as candidates for m2, and calculates the expected value (f1 to f5) of the communication overhead for each combination.
  • the structure determination unit 220 selects, from m2 candidates, the structure information with the smallest expected value.
  • t2-2 is selected.
  • the above processing is performed for m steps, and in each step, structure information with the smallest expected value (f1 to f5, g1 to g5) of communication overhead is selected, and m pieces of structure information are obtained.
  • t1-3, t2-2, t3-1 are selected.
  • when terminal devices to be the transmission destinations of secure multicast transmission are selected, the set derivation unit 215 and the set determination unit 216 derive a combination of secret information used for encryption of a transmission message using the m pieces of structure information selected by the structure determination unit 220.
  • the efficiency calculation unit 221 calculates the expected value of the communication overhead based on all the revocation patterns for the number r of revoked terminals, but an estimate of the expected value may instead be calculated by repeatedly performing a simulation in which r revoked terminals are selected at random and the communication overhead is obtained.
  • when the number n of terminals and the number r of revoked terminals are large, doing this makes it possible to reduce the amount of calculation. That is, if the number of terminals n and the number r of revoked terminals are large, the number of revocation patterns becomes very large. Therefore, calculating communication overhead for all the revocation patterns requires a long time for arithmetic processing. For this reason, the overall expected value can be estimated and the processing time shortened by sampling and obtaining the communication overhead for only a part of the patterns.
  • the determination of the key to be stored in each terminal and the message transmission to each terminal are performed by the same server device, but these may be performed by different devices.
  • an optimum one is selected from the m tree structures in step S1004 and step S807 of the encryption communication processing, and the sum S1 + S2 +... + Sj of subsets is determined based on this. It is also possible to determine each subset Si across a plurality of tree structures, and in this case, the number of elements j may be further reduced as compared with the case where only one is selected. In this case, for each subset, additional information is required to indicate which tree structure. The details are similar to the procedure described in the first embodiment with reference to FIG.
  • it is also conceivable to combine the m × t pieces of structure information exhaustively and search for the optimum combination.
  • a structure other than the tree structure can be used.
  • FIG. 15 is a diagram illustrating an example of hardware resources of the server device 201 and the terminal device 301 described in the first and second embodiments.
  • the configuration of FIG. 15 merely shows an example of the hardware configuration of the server device 201 and the terminal device 301, and the hardware configuration of the server device 201 and the terminal device 301 is not limited to the configuration described in FIG. It may be another configuration.
  • the server device 201 and the terminal device 301 each include a CPU 911 (also referred to as a central processing unit, a central processing unit, a processing unit, an arithmetic unit, a microprocessor, a microcomputer, or a processor) that executes a program.
  • the CPU 911 is connected to, for example, a read only memory (ROM) 913, a random access memory (RAM) 914, a communication board 915, a display device 901, a keyboard 902, a mouse 903 and a magnetic disk drive 920 via a bus 912.
  • the CPU 911 may be connected to a flexible disk drive (FDD) 904, a compact disk drive 905 (CDD), a printer 906, and a scanner 907.
  • a storage device such as an optical disk drive or a memory card (registered trademark) read / write device may be used.
  • the RAM 914 is an example of a volatile memory.
  • the storage media of the ROM 913, the FDD 904, the CDD 905, and the magnetic disk drive 920 are examples of non-volatile memory. These are examples of storage devices.
  • the communication board 915, the keyboard 902, the mouse 903, the scanner device 907, the FDD 904, and the like are examples of the input device.
  • the communication board 915, the display device 901, the printer device 906, etc. are examples of the output device.
  • the communication board 915 is connected to the network as shown in FIG.
  • the communication board 915 may be connected to a LAN (local area network), the Internet, a WAN (wide area network) or the like.
  • the magnetic disk drive 920 stores an operating system 921 (OS), a window system 922, programs 923, and files 924.
  • the programs of the program group 923 are executed by the CPU 911 using the operating system 921 and the window system 922.
  • the RAM 914 temporarily stores at least a part of a program of the operating system 921 to be executed by the CPU 911 and an application program.
  • the RAM 914 stores various data necessary for processing by the CPU 911.
  • the ROM 913 stores a BIOS (Basic Input Output System) program
  • the magnetic disk drive 920 stores a boot program.
  • the BIOS program of the ROM 913 and the boot program of the magnetic disk drive 920 are executed, and the operating system 921 is started up by the BIOS program and the boot program.
  • the program group 923 stores programs for executing the functions described as “... Unit” in the description of the first and second embodiments.
  • the program is read and executed by the CPU 911.
  • ... file and “... database” are stored in a recording medium such as a disk or a memory.
  • Information, data, signal values, variable values, and parameters stored in storage media such as disks and memories are read by the CPU 911 to the main memory or cache memory via the read / write circuit, and are used for CPU operations such as extraction, search, reference, comparison, operation, calculation, processing, editing, output, printing, and display.
  • Information, data, signal values, variable values, and parameters are temporarily stored in main memory, registers, cache memory, buffer memory, or the like during CPU operations of extraction, search, reference, comparison, operation, calculation, processing, editing, printing, and display.
  • the arrows in the flowcharts described in the first and second embodiments mainly indicate input and output of data and signals, and data and signal values are recorded in the memory of the RAM 914, the flexible disk of the FDD 904, the compact disk of the CDD 905, the magnetic disk of the magnetic disk drive 920, and other recording media such as an optical disk, a mini disk, and a DVD. Also, data and signals are transmitted online via the bus 912, signal lines, cables and other transmission media.
  • ... Part may be “... Circuit”, “. Also, “... Step”, “... Procedure”, “... Processing” may be used. That is, what is described as “... Part” may be realized by the firmware stored in the ROM 913. Alternatively, it may be implemented by only software, or only hardware such as an element, device, substrate, wiring, or a combination of software and hardware, or a combination of firmware.
  • the firmware and software are stored as programs in a recording medium such as a magnetic disk, a flexible disk, an optical disk, a compact disk, a mini disk, and a DVD.
  • the program is read by the CPU 911 and executed by the CPU 911. That is, the program causes the computer to function as the “... Unit” in the first and second embodiments. Alternatively, the computer is made to execute the procedure and method of “... Unit” in the first and second embodiments.
  • the server device 201 and the terminal device 301 described in the first and second embodiments are computers provided with a CPU as a processing device, a memory, a magnetic disk, and the like as storage devices, a keyboard, a mouse, a communication board, and the like as input devices, and a display device, a communication board, and the like as output devices, and realize the functions indicated as “... Part” as described above using these processing devices, storage devices, input devices, and output devices.
  • FIG. 1 is a diagram showing an example of the configuration of a secure multicast system according to a first embodiment.
  • FIG. 2 shows an exemplary configuration of a server apparatus according to Embodiment 1;
  • FIG. 2 is a diagram showing an example of configuration of a terminal apparatus according to Embodiment 1;
  • FIG. 3 is a diagram showing an example of structure information of a tree structure according to the first embodiment.
  • FIG. 6 is a diagram showing an example of data stored by the terminal device according to the first embodiment.
  • FIG. 5 is a flowchart showing an example of a process of distributing secret information according to the first embodiment.
  • FIG. 7 is a flowchart showing an example of terminal ID rearrangement processing according to the first embodiment.
  • FIG. 1 is a diagram showing an example of the configuration of a secure multicast system according to a first embodiment.
  • FIG. 2 shows an exemplary configuration of a server apparatus according to Embodiment 1;
  • FIG. 2 is a diagram showing an example of configuration of a terminal
  • FIG. 7 is a view showing an example of the arrangement of a server apparatus according to Embodiment 2;
  • FIG. 7 is a flowchart showing an example of a process of distributing secret information according to the second embodiment.
  • FIG. 7 is a diagram showing an example of a selection procedure of secret information according to the first embodiment.
  • FIG. 7 is a diagram showing an example of a selection procedure of secret information according to the first embodiment.
  • FIG. 7 is a view showing an example of a selection procedure of structure information according to the second embodiment.
  • FIG. 7 is a view showing an example of a selection procedure of structure information according to the second embodiment.
  • FIG. 1 shows the hardware structural example of the server apparatus and terminal device which concern on Embodiment 1, 2.
  • DESCRIPTION OF SYMBOLS 101 network 201 server apparatus, 211 algorithm storage area, 212 stirring part, 213 key allocation part, 214 secret information storage area, 215 set derivation part, 216 set determination part, 217 communication part, 218 encryption part, 219 structure information generation part , 220 structure determination unit, 221 efficiency calculation unit, 301 terminal device, 311 algorithm storage area, 312 secret information storage area, 313 key derivation unit, 314 communication unit, 315 encryption unit.
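The selection steps described above (the bit-rotation orderings of step S602, the per-tree cover and minimum selection of steps S805 to S807, the cross-tree variant, and the expected-value comparison of steps S1004 to S1006) can be traced on the 8-terminal example in which terminals 2, 4, 5, and 6 are revoked. The following Python sketch is an added illustration, not code from the patent: it assumes the CS method, assumes the labels ka to kg name internal nodes in breadth-first order, uses an exhaustive search for the cross-tree case, and all function names are made up for this example.

```python
from itertools import combinations


def orderings(n_bits, m):
    """Step S602 as described: ordering 1 is 0..n-1; each later ordering
    rotates every terminal ID of the previous one right by one bit."""
    def rotr(x):
        return (x >> 1) | ((x & 1) << (n_bits - 1))
    order, out = list(range(1 << n_bits)), []
    for _ in range(m):
        out.append(tuple(order))
        order = [rotr(x) for x in order]
    return out


def node_name(heap_index):
    """Assumed labelling: a, b, c ... breadth-first, so ka is the root."""
    return chr(ord("a") + heap_index - 1) if heap_index <= 26 else f"n{heap_index}"


def cs_cover(order, valid, tree_no):
    """Complete Subtree cover of `valid` in the tree whose leaves are `order`.

    Returns [(key_label, frozenset_of_terminals), ...]: the highest nodes
    whose leaves are all valid, found top-down as in the kb_1/kc_1/kd_1 walk.
    """
    def walk(lo, hi, h):
        leaves = order[lo:hi]
        if all(t in valid for t in leaves):
            name = str(leaves[0]) if hi - lo == 1 else node_name(h)
            return [(f"k{name}_{tree_no}", frozenset(leaves))]
        if hi - lo == 1:          # a revoked leaf: no key is usable here
            return []
        mid = (lo + hi) // 2
        return walk(lo, mid, 2 * h) + walk(mid, hi, 2 * h + 1)
    return walk(0, len(order), 1)


def best_single_tree(trees, valid):
    """Step S807: the tree needing the fewest keys; ties go to the lowest ID."""
    covers = [cs_cover(o, valid, i + 1) for i, o in enumerate(trees)]
    best = min(range(len(trees)), key=lambda i: len(covers[i]))
    return best + 1, [label for label, _ in covers[best]]


def best_cross_tree(trees, valid):
    """Variant that takes each subset from any tree. Exhaustive search over
    the per-tree covers (an assumption of this sketch; small n only)."""
    valid = frozenset(valid)
    if not valid:
        return []
    cands = [c for i, o in enumerate(trees) for c in cs_cover(o, valid, i + 1)]
    for k in range(1, len(cands) + 1):
        for combo in combinations(cands, k):
            if frozenset().union(*(s for _, s in combo)) == valid:
                return [label for label, _ in combo]


def expected_overhead(trees, n, r):
    """Step S1004: mean key count over every pattern of r revoked terminals,
    using for each pattern whichever tree needs the fewest keys."""
    everyone = set(range(n))
    costs = [
        min(len(cs_cover(o, everyone - set(rev), i + 1)) for i, o in enumerate(trees))
        for rev in combinations(range(n), r)
    ]
    return sum(costs) / len(costs)


def pick_set(candidate_sets, n, r):
    """Step S1006: index of the candidate set with the smallest expected value."""
    scores = [expected_overhead(s, n, r) for s in candidate_sets]
    return scores.index(min(scores)), scores


if __name__ == "__main__":
    trees = orderings(3, 2)
    valid = {0, 1, 3, 7}  # terminals 2, 4, 5, 6 revoked, as in the text above
    for i, o in enumerate(trees):
        print(i + 1, o, [label for label, _ in cs_cover(o, valid, i + 1)])
    print("single tree:", best_single_tree(trees, valid))
    print("cross tree :", best_cross_tree(trees, valid))
    print("expected   :", pick_set([[trees[0]], trees], 8, 3))
```

For three revoked terminals out of eight, holding the second ordering in addition to the first lowers the expected number of keys per multicast from 24/7 to 3.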

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

In realizing a secure multicast transmission to a plurality of terminal devices, a disturbing portion (212) rearranges ID's of the terminal devices connected to a server device (201) and generates various kinds of orderings of the terminal devices. Then, a structure information generating portion (219) generates structure information on a plurality of tree structures which correspond to the various kinds of orderings, respectively, and a key assignment portion (213) assigns secret information to each node of each tree structure. A set determining portion (216) determines such structure information that only the terminal devices which are the destination of the secure multicast are assigned secret information which allows for decoding of an encoded message and there is the least communication overhead. An encoding portion (218) encodes a message to be transmitted using the secret information assigned to the structure information determined by the set determining portion (216), and a communicating portion (217) multicast-transmits the encoded message.

Description

Information processing apparatus and program
The present invention relates to a technique that uses cryptography to multicast information, for example from a server device (hereinafter also referred to as a server), only to a plurality of valid terminal devices (hereinafter also referred to as terminals).
A secure multicast system is a communication system that uses cryptography to multicast information from a server only to a plurality of valid terminals, so that no information at all leaks to revoked terminals, even if the revoked terminals collude with one another.
Here, a valid terminal is a terminal that is permitted to decrypt the encrypted message transmitted from the server, and a revoked terminal (or group of terminals) is one that is prohibited from decrypting the encrypted message transmitted from the server.
With regard to such secure multicast systems, various techniques have been proposed to make the number of device keys held by a terminal, the communication overhead of the multicast, and the computational overhead for a terminal to derive a key as small as possible.
In the Complete Subtree method (CS method) and the Subset Difference method (SD method) disclosed in Non-Patent Document 1, the server places each terminal at a leaf (bottom layer) of a tree structure and assigns secret information to each node, including the leaves, and each terminal holds the secret information corresponding to each node on the path from its own node to the root node.
In these schemes, when the server performs a multicast, it expresses the plurality of valid terminals, by an appropriate method, as a union S1+S2+…+Sj of subsets of terminals. It then encrypts the transmission message (or a session key K for encrypting the transmission message; in this specification, the transmission message and the session key K are collectively referred to as the transmission message) using the encryption key K1 held (or derivable) only by the terminals belonging to S1, the encryption key K2 held only by the terminals belonging to S2, ..., and the encryption key Kj held only by the terminals belonging to Sj.
That is, the server extracts keys that the revoked terminals do not hold (cannot derive) but the valid terminals do hold (can derive), encrypts the message with each of the extracted keys, and multicasts the encrypted messages.
Encrypting in this way realizes a secure multicast in which only valid terminals can obtain the information.
In this case, the communication overhead is proportional to the number of elements j in the union, and the CS method and the SD method keep the value of j small by carefully designing the secret information given to each terminal.
Patent Document 1 discloses a scheme that reduces the communication overhead by having the server hold a plurality of the tree structures used in the CS method and the SD method.
Patent Document 1: Japanese Unexamined Patent Application Publication No. 2006-13790
Non-Patent Document 1: D. Naor, M. Naor, and J. Lotspiech, "Revocation and tracing schemes for stateless receivers," Advances in Cryptology - CRYPTO'01, LNCS vol. 2139, pp. 41-62, 2001.
When there are n terminals, the communication overhead of a secure multicast to the terminals remaining after r of them have been revoked is O(r log(n/r)) for the CS method and O(r) for the SD method (O is Landau notation and log denotes the base-2 logarithm; the same applies below).
In both cases the communication overhead grows roughly in proportion to r, which puts pressure on the communication bandwidth, particularly in narrowband communication.
As described above, in secure multicast the transmission message is encrypted with each of the keys extracted for the valid terminals, and all of the encrypted messages are multicast. The number of encrypted messages multicast from the server therefore equals the number of extracted keys.
Accordingly, to reduce the communication overhead, the number of extracted keys must be made as small as possible.
Patent Document 1 discloses a method of reducing communication overhead by having the server hold a plurality of tree structures. As to how the plurality of tree structures are constructed and what effect this has, however, it states only that they are constructed based on the characteristics of the devices and users, and it does not clearly disclose the relationship between the construction method and its effect.
The main object of the present invention is to solve the above problem, that is, to limit the number of pieces of secret information used in secure multicast and thereby reduce the communication overhead.
An information processing apparatus according to the present invention is connected to a plurality of communication devices and multicasts, to two or more communication devices selected from among the plurality of communication devices, an encrypted message obtained by encrypting a transmission message using secret information, the information processing apparatus comprising:
an order information generation unit that applies a plurality of kinds of ordering to the plurality of communication devices, groups together two or more communication devices that are ordered adjacent to one another in each ordering, and generates a plurality of pieces of order information, each indicating the content of one ordering and grouping;
a secret information assignment unit that, for each piece of order information, assigns, per communication device, device-specific secret information used by that communication device to decrypt encrypted messages, and assigns, per group, group-specific secret information that can be used in common to decrypt encrypted messages by the two or more same-group communication devices classified into the same group; and
a combination derivation unit that, when two or more communication devices to be destinations of the multicast transmission are selected from among the plurality of communication devices as destination communication devices, compares, for each group indicated in each piece of order information, the same-group communication devices with the destination communication devices, and derives a combination of secret information to be used for encrypting the transmission message.
The combination derivation unit
derives a combination of secret information with which all destination communication devices can decrypt the encrypted message and which contains the smallest number of pieces of secret information.
The combination derivation unit
compares, for each group indicated in each piece of order information, the same-group communication devices with the destination communication devices; extracts the group-specific secret information assigned to the group when all of its same-group communication devices are selected as destination communication devices; extracts the device-specific secret information assigned to each of the same-group communication devices when one or more of them are not selected as destination communication devices; thereby extracts, for each piece of order information, the secret information needed to encrypt so that all destination communication devices can decrypt the encrypted message; and counts the number of pieces of secret information extracted; and
determines, from among the plurality of pieces of order information, the piece of order information with the smallest number of pieces of secret information, and uses the secret information extracted for that piece of order information as the secret information for encrypting the transmission message.
The order information generation unit
groups two or more communication devices that are ordered adjacent to one another at a plurality of hierarchical levels, and generates order information in which groups of communication devices are indicated at the plurality of levels, and
the combination derivation unit,
for each piece of order information, compares the same-group communication devices with the destination communication devices in order from the groups at the upper level; when all same-group communication devices are selected as destination communication devices, extracts the group-specific secret information assigned to that group; when one or more same-group communication devices are not selected as destination communication devices, compares the same-group communication devices of the groups at the lower level with the destination communication devices; and when, in a group at the lowest level, one or more same-group communication devices are not selected as destination communication devices, extracts the device-specific secret information assigned to each of the same-group communication devices of that lowest-level group, thereby extracting, for each piece of order information, the secret information needed to encrypt so that all destination communication devices can decrypt the encrypted message.
The combination derivation unit,
for each group indicated in each piece of order information, compares the same-group communication devices with the destination communication devices and, when all same-group communication devices are selected as destination communication devices, extracts the group-specific secret information assigned to that group, and
combines the group-specific secret information extracted for the plurality of pieces of order information to derive a combination of secret information that is needed to encrypt so that all destination communication devices can decrypt the encrypted message and that contains the smallest number of pieces of secret information.
The order information generation unit
groups two or more communication devices that are ordered adjacent to one another at a plurality of hierarchical levels, and generates order information in which groups of communication devices are indicated at the plurality of levels, and
the combination derivation unit,
for each piece of order information, compares the same-group communication devices with the destination communication devices in order from the groups at the upper level; when all same-group communication devices are selected as destination communication devices, extracts the group-specific secret information assigned to that group; and when one or more same-group communication devices are not selected as destination communication devices, compares the same-group communication devices of the groups at the lower level with the destination communication devices.
The order information generation unit,
when the number of communication devices connected to the information processing apparatus is 2^m (m ≥ 2), generates m pieces of order information indicating m kinds of ordering and grouping.
The order information generation unit,
when the number of communication devices connected to the information processing apparatus is less than 2^m (m ≥ 2), makes up the shortfall with virtual communication devices and generates m pieces of order information indicating m kinds of ordering and grouping.
The order information generation unit
treats m pieces of order information indicating m (m ≥ 2) kinds of ordering and grouping as one set, and generates order information for t (t ≥ 2) sets,
the information processing apparatus further comprises
an order information selection unit that, for each set of order information, calculates the expected value of the number of pieces of secret information needed when the transmission message is encrypted using the m pieces of order information in that set, and selects a specific set from among the t sets based on the calculated expected values, and
the combination derivation unit,
when destination communication devices are selected, derives the combination of secret information to be used for encrypting the transmission message using the m pieces of order information in the set selected by the order information selection unit.
The order information selection unit
selects, from among the t sets, the set with the smallest expected value.
The order information selection unit
derives a plurality of combination patterns of communication devices by combining the plurality of communication devices for a predetermined number of destination communication devices, and,
for each set of order information, extracts for each combination pattern, from among the m pieces of order information in that set, the piece of order information requiring the smallest number of pieces of secret information to encrypt the transmission message, and calculates the expected value for each set based on the number of pieces of secret information in the order information extracted for each combination pattern.
The order information selection unit
derives a plurality of combination patterns of communication devices by combining the plurality of communication devices for a predetermined number of destination communication devices, and,
for each set of order information, compares the same-group communication devices of each group indicated in the m pieces of order information in that set with the communication devices in each combination pattern, extracts for each combination pattern the combination of groups requiring the smallest number of pieces of secret information to encrypt the transmission message, and calculates the expected value for each set based on the number of pieces of secret information in the combination of groups extracted for each combination pattern.
The order information generation unit
generates, at each of m (m ≥ 2) stages, t pieces of order information indicating t (t ≥ 2) kinds of ordering and grouping,
the information processing apparatus further comprises
an order information selection unit that, at each of the m stages, calculates for each piece of order information the expected value of the number of pieces of secret information needed to encrypt the transmission message, and selects a specific piece of order information from among the t pieces of order information based on the calculated expected values, and
the combination derivation unit,
when destination communication devices are selected, derives the combination of secret information to be used for encrypting the transmission message using the m pieces of order information selected by the order information selection unit at the respective m stages.
The order information selection unit,
at each of the m stages, selects from among the t pieces of order information the piece of order information with the smallest expected value.
The order information generation unit,
after the order information selection unit has selected a specific piece of order information from among the t pieces of order information, generates t pieces of order information indicating orderings and groupings different from the selected order information as the t pieces of order information for the next stage.
A program according to the present invention causes a computer that is connected to a plurality of communication devices and that multicasts, to two or more communication devices selected from among the plurality of communication devices, an encrypted message obtained by encrypting a transmission message using secret information, to execute:
order information generation processing that applies a plurality of kinds of ordering to the plurality of communication devices, groups together two or more communication devices that are ordered adjacent to one another in each ordering, and generates a plurality of pieces of order information, each indicating the content of one ordering and grouping;
secret information assignment processing that, for each piece of order information, assigns, per communication device, device-specific secret information used by that communication device to decrypt encrypted messages, and assigns, per group, group-specific secret information that can be used in common to decrypt encrypted messages by the two or more same-group communication devices classified into the same group; and
combination derivation processing that, when two or more communication devices to be destinations of the multicast transmission are selected from among the plurality of communication devices as destination communication devices, compares, for each group indicated in each piece of order information, the same-group communication devices with the destination communication devices, and derives a combination of secret information to be used for encrypting the transmission message.
According to the present invention, a plurality of kinds of ordering are applied to the communication devices to generate a plurality of kinds of order information, and the combination of secret information used to encrypt the transmission message is derived based on how secret information is assigned in the plurality of kinds of order information. It is therefore possible to derive a combination of secret information with which all destination communication devices can decrypt the encrypted message and which contains the smallest number of pieces of secret information, and thus to limit the communication overhead when the encrypted message is transmitted.
Embodiment 1.
This embodiment and the following embodiments describe a secure multicast system that reduces communication overhead by devising how the plurality of structures are constructed.
FIG. 1 shows an example of the system configuration of the secure multicast system according to this embodiment.
In FIG. 1, a server device 201 (hereinafter also simply referred to as a server) and a plurality of terminal devices 301 (hereinafter also simply referred to as terminals) are connected via a network 101.
In the secure multicast system according to this embodiment as well, cryptography is used to multicast information from the server device 201 only to a plurality of valid terminal devices 301, so that no information at all leaks to a revoked terminal (or group of terminals), even if revoked terminals collude with one another.
The server device 201 is an example of an information processing apparatus, and the terminal device 301 is an example of a communication device.
FIG. 2 is a block diagram showing a configuration example of the server device 201.
In FIG. 2, the algorithm storage area 211 is a data storage means that stores algorithms for secure multicast, such as key assignment and message transmission to valid terminals.
This embodiment uses an algorithm that manages the terminals in a tree structure.
For example, algorithms such as the CS method and the SD method described above are stored.
The stirring unit 212 is a means that rearranges all of the terminals and outputs the resulting ordering.
The structure information generation unit 219 imposes a structure on the terminals in accordance with the ordering produced by the stirring unit 212, and generates a plurality of kinds of structure information (order information), each representing an ordering of the terminals in a predetermined structure.
In this embodiment, structure information for tree structures is generated.
More specifically, the stirring unit 212 applies a plurality of kinds of ordering to the plurality of terminal devices 301, and the structure information generation unit 219 groups two or more terminal devices 301 that are ordered adjacent to one another in each ordering at a plurality of hierarchical levels, and generates a plurality of pieces of structure information, each indicating the content of one ordering and its grouping at the plurality of levels.
When the number of terminal devices 301 connected to the server device 201 is 2^m (m ≥ 2), the stirring unit 212 produces m kinds of ordering, and the structure information generation unit 219 generates m pieces of structure information indicating the m kinds of ordering and grouping.
The stirring unit 212 and the structure information generation unit 219 are an example of the order information generation unit.
The key assignment unit 213 is a means that, in accordance with the algorithm stored in the algorithm storage area 211, takes as input structure information indicating the ordered terminals and assigns secret information to each node of the structure indicated by that structure information.
More specifically, for each piece of structure information generated by the structure information generation unit 219, the key assignment unit 213 assigns, per terminal device, terminal-specific secret information (device-specific secret information) used by that terminal device to decrypt encrypted messages, and assigns, per group, group-specific secret information that can be used in common to decrypt encrypted messages by the two or more same-group terminal devices (same-group communication devices) classified into the same group.
The key assignment unit 213 is an example of the secret information assignment unit.
Details are given later, but FIG. 4 is an example of tree-structured structure information in which secret information has been assigned to each terminal and group.
The example of FIG. 4 shows two pieces of structure information, tree structure 1 and tree structure 2.
Both tree structure 1 and tree structure 2 cover the eight terminals from terminal 0 to terminal 7, and these eight terminals are arranged at the nodes of the leaf portion of the tree structure (hereinafter also referred to as leaf nodes). The order in which the terminals are arranged differs between tree structure 1 and tree structure 2.
In both tree structure 1 and tree structure 2, adjacent nodes are grouped two at a time at each level, finally reaching the root node.
Because the structure information generation unit 219 generates m pieces of structure information for 2^m terminals, three pieces of structure information are generated for eight terminals, but FIG. 4 shows only two of them for reasons of drawing space.
k0_1, ka_1, k0_2, ka_2, and so on shown in FIG. 4 are the secret information assigned to each terminal or each group. The secret information is, for example, a key or information from which a key is derived. The per-terminal secret information assigned to the leaf nodes is the terminal-specific secret information (device-specific secret information), and kd_1, ke_1, kf_1, kg_1, kb_1, kc_1, and ka_1 are group-specific secret information assigned to each group of terminals.
In FIG. 4, each terminal can use the terminal-specific secret information assigned to its leaf node and the group-specific secret information assigned to the upper nodes connected to that leaf node.
For example, in tree structure 1, terminal 0 can use the secret information k0_1, kd_1, kb_1, and ka_1.
Following the plurality of kinds of terminal ordering produced by the stirring unit 212, the structure information generation unit 219 places each terminal at a leaf node of a tree structure and groups the nodes two at a time, generating structure information in the state where the secret information shown in FIG. 4 (k0_1 and so on) has not yet been assigned to the nodes. As described above, the structure information generation unit 219 generates a plurality of pieces of structure information, and, corresponding to the plurality of kinds of terminal ordering produced by the stirring unit 212, the order in which the terminals are placed at the leaf nodes differs for each piece of structure information.
The key assignment unit 213 then assigns secret information to each node of each piece of structure information generated by the structure information generation unit 219, producing the state shown in FIG. 4. The pieces of secret information assigned to the nodes all differ from one another.
The secret information storage area 214 is a data storage means that stores a plurality of pieces of structure information to which secret information has been assigned.
In this embodiment, as described above, all of the terminals are managed in tree structures.
The secret information storage area 214 stores the structure information illustrated in FIG. 4.
The set derivation unit 215 is a means that, according to the algorithm stored in the algorithm storage area 211, takes the structure given to the terminals and the set of valid terminals as input and derives each subset Si such that the set of valid terminals is expressed as a sum of subsets of terminals, S1 + S2 + ... + Sj.
The set determination unit 216 is a means that determines the combination of subsets used for secure multicast transmission, according to the output of the set derivation unit 215 for the plurality of pieces of structure information stored in the secret information storage area 214.
That is, when two or more terminal devices 301 are selected from among the plurality of terminal devices 301 as transmission destination terminal devices (transmission destination communication devices) of a secure multicast transmission, the set derivation unit 215 and the set determination unit 216 compare, for each group indicated in each piece of structure information, the same-group terminal devices with the transmission destination terminal devices, and derive and determine the combination of secret information that allows all transmission destination terminal devices to decrypt the encrypted message and that contains the fewest pieces of secret information.
The set derivation unit 215 and the set determination unit 216 are examples of a combination derivation unit.
The communication unit 217 is a means for communicating with the terminal devices 301.
The encryption unit 218 is a means for performing key generation and encryption for common-key and public-key cryptography, random number generation, and the like.
FIG. 3 is a block diagram showing a configuration example of the terminal device 301 that receives multicast from the server device 201 in the secure multicast system (FIG. 1).
In FIG. 3, the algorithm storage area 311 is a data storage means that stores algorithms for key derivation, decryption, and the like in secure multicast.
In the present embodiment, an algorithm that manages terminals in a tree structure is used. For example, an algorithm such as the aforementioned CS method or SD method is stored.
The secret information storage area 312 is a data storage means that stores a plurality of pieces of secret information (an encryption key, or information from which an encryption key is derived) associated with a structure managed by the server device 201.
In the present embodiment, every terminal stores the secret information associated with the tree structures.
FIG. 5 shows an example of the data stored in the secret information storage area 312.
More specifically, FIG. 5 shows an example of the data held by the terminal 0 shown in FIG. 4.
That is, the structure information of the tree structure 1 in FIG. 4 shows that the terminal 0 can use the secret information k0_1, kd_1, kb_1, and ka_1, and FIG. 5 correspondingly shows that the terminal 0 holds k0_1, kd_1, kb_1, and ka_1.
Similarly, for the tree structure 2, FIG. 4 shows that the terminal 0 can use the secret information k0_2, kd_2, kb_2, and ka_2, and FIG. 5 correspondingly shows that the terminal 0 holds k0_2, kd_2, kb_2, and ka_2.
The key derivation unit 313 is a means that, according to the algorithm stored in the algorithm storage area 311, derives the encryption key required to decrypt an encrypted message received from the server device 201 from the secret information stored in the secret information storage area 312.
The communication unit 314 is a means for communicating with the server device 201.
The encryption unit 315 is a means for performing decryption for common-key and public-key cryptography, random number generation, and the like.
The procedure in secure multicast is roughly divided into two parts: a part in which the server distributes secret information to each terminal, and a part in which the server performs encrypted communication with each terminal using that secret information.
FIG. 6 is a flowchart for explaining the process of distributing secret information from the server to each terminal in the present embodiment.
The operation in the distribution process will be described with reference to the flowchart of FIG. 6.
For simplicity, the number of terminals n is assumed to be a power of 2, and each terminal is assumed to be given a terminal ID from 0 to n-1.
The number m of tree structures held and managed by the server is also determined in advance. In the present embodiment, m = log n.
Before the distribution process is performed, the server device 201 and each terminal device 301 share the secure multicast algorithm in advance (step S601).
Here, it is assumed that the corresponding algorithms are stored in the algorithm storage area 211 and the algorithm storage area 311.
First, the stirring unit 212 of the server device 201 takes the number of terminals n as input and outputs a permutation of the terminal IDs from 0 to n-1 (step S602).
Details of this process will be described later.
Taking the permutation obtained in step S602 as input, the structure information generation unit 219 gives a tree structure to the terminals according to the algorithm stored in the algorithm storage area 211 and generates structure information, and the key assignment unit 213 and the encryption unit 218 assign secret information to each node of the tree structure according to the algorithm stored in the algorithm storage area 211 and store the structure information to which the secret information has been assigned in the secret information storage area 214 (step S603).
At the same time, according to the algorithm stored in the algorithm storage area 211, the secret information required by each terminal is stored (step S604). The details of steps S603 and S604 depend on the algorithm (such as the CS method or the SD method) stored in the algorithm storage area 211.
When the above processing has been performed and the structure information of m tree structures has been constructed and stored, the process ends.
Otherwise, the process returns to step S602 and is repeated (step S605).
As a result, step S602 is executed m times, and because the stirring unit 212 outputs a different permutation each time it is executed, m different tree structures are stored in the secret information storage area 214.
FIG. 7 is a flowchart for explaining the terminal ID rearranging process (step S602) of the stirring unit 212 in the present embodiment.
The operation in the terminal ID rearranging process will be described with reference to the flowchart of FIG. 7.
First, the stirring unit 212 determines whether this is the first call of the terminal ID rearranging process (step S701).
If it is the first call, the IDs from 0 to n-1 arranged in order are set as the permutation of terminal IDs (step S702), and the result is output (step S704).
For example, when n = 8, (0, 1, 2, 3, 4, 5, 6, 7) is output.
If it is the second or a subsequent call, each terminal ID of the previous output is considered in binary representation with log n bits, the result of cyclically shifting each ID to the right by 1 bit is set (step S703), and the result is output (step S704).
For example, for the second call with n = 8, (0, 4, 1, 5, 2, 6, 3, 7) is output, obtained by cyclically shifting each terminal ID of the previous output (0, 1, 2, 3, 4, 5, 6, 7) to the right by 1 bit.
As a result of performing the terminal ID rearranging process in this way, a plurality of different tree structures, for example as shown in FIG. 4, are stored in the secret information storage area 214 after the key assignment algorithm is applied (step S603).
Next, the encrypted communication process from the server to each terminal will be described.
FIG. 8 is a flowchart for explaining the encrypted communication process from the server to each terminal using the pre-shared secret information in the present embodiment.
The operation in the encrypted communication process will be described with reference to the flowchart of FIG. 8.
Before the encrypted communication process is performed, the server device 201 and each terminal device 301 share the secure multicast algorithm in advance.
Here, it is assumed that the corresponding algorithms are stored in the algorithm storage area 211 and the algorithm storage area 311.
In addition, m tree structures are stored in the secret information storage area 214 of the server device 201, and the corresponding secret information is stored in the secret information storage area 312 of each terminal device 301. The secret information may be stored in the secret information storage area 312 of the terminal device 301 either by encrypting it and transmitting it from the server device 201 to the terminal device 301, or by storing it on a storage medium such as a memory card and supplying it to the terminal device 301 offline.
A set of revoked terminals is also given as input to the server device 201 (steps S801 and S802).
First, in the server device 201, the set derivation unit 215 reads the structure information of the first tree structure from the secret information storage area 214 and, according to this tree structure and the algorithm stored in the algorithm storage area 211, expresses the set of valid terminals as a sum of subsets of terminals, S1 + S2 + ... + Sj (steps S803, S804, and S805).
The details of step S805 depend on the algorithm (such as the CS method or the SD method) stored in the algorithm storage area 211.
This process is performed for all m tree structures (step S806).
Thereafter, the set determination unit 216 determines which of the m tree structures minimizes the communication overhead, that is, which one minimizes the number of elements j when the set is expressed as a sum of subsets (step S807).
Then, according to the determined tree structure and the algorithm stored in the algorithm storage area 211, the encryption unit 218 encrypts the message (step S808), and the communication unit 217 multicasts the number of the determined tree structure and the encrypted message to the terminal devices 301 (step S809).
The details of step S808 depend on the algorithm (such as the CS method or the SD method) stored in the algorithm storage area 211.
The communication unit 314 of a valid (that is, not revoked) terminal device 301 receives the message (step S810), and the key derivation unit 313 and the encryption unit 315 decrypt the received message, according to the algorithm stored in the algorithm storage area 311, with the encryption key derived from the secret information stored in the secret information storage area 312 (step S811).
The details of step S811 depend on the algorithm (such as the CS method or the SD method) stored in the algorithm storage area 311.
On the other hand, a revoked terminal device 301 cannot obtain the information even if it receives the multicast message, because it cannot derive the encryption key required for decryption.
Secure multicast can be realized by performing the above processing.
Next, a specific example of S806 and S807 of FIG. 8 will be described with reference to FIG. 11.
As described above, the specific processing differs depending on the algorithm, such as the CS method or the SD method, so only an outline of the processing is given here.
FIG. 11 shows the structure information of the tree structure 1 and the tree structure 2 shown in FIG. 4.
For example, assume that the terminal 0, the terminal 1, the terminal 3, and the terminal 7 are valid terminals, and that the terminal 2, the terminal 4, the terminal 5, and the terminal 6 are revoked terminals.
Here, for each piece of structure information, the same-group terminal devices are compared with the transmission destination terminal devices in order from the groups of the upper layers. When all the same-group terminal devices of a group are selected as transmission destination terminal devices, the group-specific secret information assigned to that group is extracted; when one or more of the same-group terminal devices are not selected as transmission destination terminal devices (when the same-group terminal devices include a revoked terminal), the same-group terminal devices of the groups in the lower layer are compared with the transmission destination terminal devices.
Then, when one or more same-group terminal devices in a group of the lowest layer are not selected as transmission destination terminal devices (when the same-group terminal devices include a revoked terminal), the device-specific secret information (the secret information of the leaf nodes) assigned to each of the same-group terminal devices of that lowest-layer group is extracted. In this way, for each piece of structure information, the secret information required to encrypt the message so that all transmission destination terminal devices can decrypt it is extracted.
In the tree structure 1, since the terminal 2, the terminal 4, the terminal 5, and the terminal 6 are revoked terminals, ka_1 of the top layer cannot be selected, because these terminals are included among its same-group terminal devices.
kb_1 cannot be selected either, because the terminal 2, a revoked terminal, is included. Similarly, kc_1 cannot be selected because the terminal 4, the terminal 5, and the terminal 6, which are revoked terminals, are included.
On the other hand, the same secret information can be used for the terminal 0 and the terminal 1, so kd_1, which is group-specific secret information, can be selected.
Since the terminal 2 is a revoked terminal, ke_1 cannot be selected. Therefore, k3_1, the terminal-specific secret information of the terminal 3, is selected.
Similarly, since the terminal 4, the terminal 5, and the terminal 6 are revoked terminals, kf_1 and kg_1 cannot be selected. Therefore, k7_1, the terminal-specific secret information of the terminal 7, is selected.
Thus, in the tree structure 1, the combination of kd_1, k3_1, and k7_1 is derived.
By the same procedure, in the tree structure 2, the combination of k0_2, k1_2, and kg_2 is derived.
In the example of FIG. 11, both the tree structure 1 and the tree structure 2 yield three pieces of secret information, so either one may be selected.
If either the tree structure 1 or the tree structure 2 yielded fewer pieces of secret information, the one with fewer would be selected.
When the number of pieces of secret information is the same across a plurality of pieces of structure information, as in the example of FIG. 11, the structure information to be used is selected based on a preset priority (order of tree structure IDs, LRU (Least Recently Used), etc.).
In general, in key assignment schemes such as the CS method and the SD method, the number of elements when the set is expressed as a sum of subsets changes as the tree structure changes.
Therefore, by using the optimal one of the m tree structures as described above, the communication overhead can be reduced compared with using only a single tree structure, although the storage capacity required for the secret information becomes m times larger; this is effective when performing secure multicast over a narrow band.
Furthermore, in a key assignment scheme such as the SD method, when the number of revoked terminals is r = 2, for example, the communication overhead is smaller when the two revoked terminals lie one in the left half and one in the right half of the tree structure. When the terminal ID rearranging process described above (step S602) is performed, in the first tree the terminals whose most significant terminal ID bit is 0 form the left half and those whose most significant bit is 1 form the right half. Similarly, in the i-th tree the terminals whose i-th bit from the top of the terminal ID is 0 form the left half and those whose i-th bit is 1 form the right half. Therefore, when m (= log n) tree structures are used, whichever two terminals are revoked, there is always a tree structure in which one is in the left half and one is in the right half, and secure multicast with low communication overhead can be performed reliably.
The same effect is obtained when there are three or more revoked terminals.
Furthermore, according to the terminal ID rearranging process (step S602) in the present embodiment, the permutations of the terminals are given deterministically, so each terminal does not need to store the individual tree structures.
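The reordering of steps S701 to S704 and the left-half/right-half argument above, as an added Python example that is not part of the patent text: it generates the m leaf orders, recovers a terminal's leaf slot from its ID alone, and checks that every pair of terminals is split by some tree. The function names are hypothetical, and log n is taken as base 2.

```python
from itertools import combinations


def rotate_right(term_id, bits):
    """Cyclic right shift by one bit of an ID written with `bits` bits (step S703)."""
    return (term_id >> 1) | ((term_id & 1) << (bits - 1))


def rotate_left(term_id, bits, count):
    """Cyclic left shift by `count` bits; undoes `count` right shifts."""
    count %= bits
    mask = (1 << bits) - 1
    return ((term_id << count) | (term_id >> (bits - count))) & mask


def tree_orders(n, m=None):
    """Leaf orders of the m trees, in call order (steps S701 to S704)."""
    bits = n.bit_length() - 1
    if n < 2 or n != 1 << bits:
        raise ValueError("n must be a power of 2 (pad with virtual terminals)")
    m = bits if m is None else m
    if not 1 <= m <= bits:
        raise ValueError("m must be in 1..log2(n); further calls repeat orders")
    orders = [tuple(range(n))]                    # S702: first call
    while len(orders) < m:                        # S703: later calls
        orders.append(tuple(rotate_right(t, bits) for t in orders[-1]))
    return orders


def leaf_position(term_id, tree_no, bits):
    """Leaf slot of a terminal in tree `tree_no` (1-based), from its ID alone.

    Because the orders are deterministic, a terminal does not need a stored
    copy of each tree: slot = ID rotated left (tree_no - 1) times.
    """
    return rotate_left(term_id, bits, tree_no - 1)


def left_half(order):
    """Terminals placed under the left child of the root."""
    return set(order[: len(order) // 2])


def separating_trees(a, b, orders):
    """1-based numbers of the trees that put a and b in different halves."""
    return [i for i, order in enumerate(orders, start=1)
            if (a in left_half(order)) != (b in left_half(order))]


def unseparated_pairs(n):
    """Pairs of terminals that no tree splits; expected to be empty."""
    orders = tree_orders(n)
    return [(a, b) for a, b in combinations(range(n), 2)
            if not separating_trees(a, b, orders)]


if __name__ == "__main__":
    for number, order in enumerate(tree_orders(8), start=1):
        print("tree", number, order)
    print("pairs never split for n=8:", unseparated_pairs(8))
```

Two distinct IDs differ in at least one bit, and tree i splits on the i-th bit from the top, which is why the list of unsplit pairs is empty when all log n trees are kept.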
In the present embodiment, the same server device both determines the keys to be stored in each terminal and transmits messages to each terminal, but these may be performed by separate devices.
Also, in the present embodiment, the number of terminals n is a power of 2, but even when it is not, the present method can be applied by, for example, adding virtual terminals until the number becomes a power of 2.
That is, when the number of terminal devices 301 connected to the server device 201 is less than 2^m (m ≥ 2), the stirring unit 212 supplements virtual terminals for the shortfall and performs m kinds of ordering, and the structure information generation unit 219 generates m pieces of order information indicating the m kinds of ordering and grouping.
Further, in the present embodiment, the number m of tree structures held and managed by the server is m = log n, but a smaller value may be used in consideration of the performance of the server and each terminal.
Also, in the present embodiment, a fixed permutation in which the terminal IDs are arranged in order from 0 to n-1 is output in step S702, but a permutation rearranged deterministically or probabilistically may be output here instead.
That is, the terminal IDs in step S702 need not be arranged in order from 0 to n-1; any arrangement is possible.
Also, in the present embodiment, the optimal one of the m tree structures is selected in step S807 and the sum of subsets S1 + S2 + ... + Sj is determined based on it, but it is also possible to determine each subset Si across a plurality of tree structures. Doing so may reduce the number of elements j further than selecting only one tree structure.
In this case, additional information indicating which tree structure each subset belongs to is required.
By determining each subset Si across a plurality of tree structures, the number of pieces of secret information used can be reduced to two, for example by combining kd_1 of the tree structure 1 with kg_2 of the tree structure 2, as shown in FIG. 12.
In the example of FIG. 11, the tree structure 1 alone required three pieces of secret information and the tree structure 2 alone also required three, but combining the tree structure 1 and the tree structure 2 reduces this to two pieces of secret information.
kd_1 of the tree structure 1 can be used in common by the terminal 0 and the terminal 1, and kg_2 of the tree structure 2 can be used by the terminal 3 and the terminal 7.
One conceivable way to realize such a subset-combining scheme is to search for the optimal combination by combining the subsets exhaustively (brute force).
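The selection walked through for FIG. 11 and the cross-tree combination of FIG. 12, as an added Python example that is not part of the patent text: the top-down group comparison per tree, the fewest-keys choice of step S807 with ties broken by tree ID order, and an exhaustive cross-tree search. The function names are hypothetical, the heap-style node numbering is an assumption, and the key names follow the k<node>_<tree> pattern of the description for n = 8.

```python
from itertools import combinations

# Leaf orders of tree structure 1 and tree structure 2 as given in the text.
ORDERS = {1: (0, 1, 2, 3, 4, 5, 6, 7), 2: (0, 4, 1, 5, 2, 6, 3, 7)}
# Valid (destination) terminals of the example; 2, 4, 5 and 6 are revoked.
VALID = frozenset({0, 1, 3, 7})


def node_name(index, order, tree_id):
    """Key name of a node; nodes are numbered heap-style (root = 1)."""
    n = len(order)
    if index >= n:                                # leaf: device-specific
        return f"k{order[index - n]}_{tree_id}"
    # Internal nodes a, b, c, ... breadth-first (enough letters for n = 8).
    return f"k{chr(ord('a') + index - 1)}_{tree_id}"


def members(index, order):
    """Terminals below a node, i.e. the same-group terminals of its key."""
    n = len(order)
    lo = hi = index
    while lo < n:                                 # descend to the leaf row
        lo, hi = 2 * lo, 2 * hi + 1
    return frozenset(order[lo - n: hi - n + 1])


def cover(order, valid, tree_id, index=1):
    """Top-down comparison: take a group key when the whole group is valid."""
    group = members(index, order)
    if group <= valid:
        return [(node_name(index, order, tree_id), group)]
    if index >= len(order) or not group & valid:
        return []                                 # revoked leaf or no destination
    return (cover(order, valid, tree_id, 2 * index)
            + cover(order, valid, tree_id, 2 * index + 1))


def best_single_tree(orders, valid):
    """Step S807: fewest keys wins; ties go to the lowest tree ID."""
    covers = {t: cover(o, valid, t) for t, o in orders.items()}
    best = min(covers, key=lambda t: (len(covers[t]), t))
    return best, covers[best]


def best_cross_tree(orders, valid):
    """Exhaustive search over fully valid groups taken from any tree.

    Exponential in the number of candidates; only meant for small n.
    Each key name carries its tree number, the extra information needed
    when subsets come from different trees.
    """
    candidates = []
    for tree_id, order in orders.items():
        for index in range(1, 2 * len(order)):
            group = members(index, order)
            if group <= valid:
                candidates.append((node_name(index, order, tree_id), group))
    for size in range(1, len(candidates) + 1):
        for combo in combinations(candidates, size):
            if frozenset().union(*(g for _, g in combo)) == valid:
                return list(combo)
    return []


if __name__ == "__main__":
    for tree_id, order in ORDERS.items():
        print(tree_id, [name for name, _ in cover(order, VALID, tree_id)])
    print("single tree:", best_single_tree(ORDERS, VALID)[0])
    print("cross tree:", [name for name, _ in best_cross_tree(ORDERS, VALID)])
```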
Also, in the present embodiment, each terminal is managed based on tree-structured structure information, but the approach is effective regardless of the structure in which the terminals are managed, as long as the secure multicast algorithm is one whose communication overhead changes when the permutation of the terminals is changed.
For example, structure information of a line structure may be used instead of a tree structure.
In this case, a conceivable key management algorithm is, for example, one in which terminals that are consecutive on the line hold one key in common. Besides tree and line structures, any structure such as a circle, a lattice, or a graph can be used.
As described above, according to the present embodiment, a plurality of kinds of structure information are generated by varying the ordering of the terminal devices, and the combination with the fewest pieces of secret information can be derived based on how the secret information is assigned in those kinds of structure information. The communication overhead of secure multicast transmission can therefore be suppressed.
In the present embodiment, a scheme has been described for a secure multicast system in which the server that transmits information holds, in order to manage the plurality of terminals that receive the information, a plurality of structures each representing the relationship between the terminals, and uses the optimal one of these structures at multicast time, thereby reducing the communication overhead incurred by the multicast.
Also, in the present embodiment, a scheme in which the relationship between the terminals is represented by a tree structure has been described.
Also, in the present embodiment, a scheme in which the plurality of tree structures is determined systematically based on the ID of each terminal has been described.
Second Embodiment
FIG. 9 is a block diagram showing a configuration example of the server device 201 according to the present embodiment.
In FIG. 9, the algorithm storage area 211 through the structure information generation unit 219 are the same as those in FIG. 2, so their description is omitted.
The structure determination unit 220 is a means that generates many sets of pieces of structure information for managing the terminals and determines, from among them, the combination for which the expected value of the communication overhead is smallest.
The efficiency calculation unit 221 is a means that takes a plurality of structures for managing the terminals and the number of revoked terminals r as input and calculates the expected value of the secure multicast communication overhead when r terminals are revoked.
The structure determination unit 220 and the efficiency calculation unit 221 are examples of an order information selection unit.
In the present embodiment, the structure information generation unit 219 treats m pieces of structure information indicating m (m ≥ 2) kinds of ordering and grouping as one set and generates t (t ≥ 2) sets of structure information.
For each set of structure information, the efficiency calculation unit 221 calculates the expected value of the number of pieces of secret information required when a transmission message is encrypted using the m pieces of structure information included in the set.
Based on the expected values calculated by the efficiency calculation unit 221, the structure determination unit 220 selects the set with the smallest expected value from among the t sets.
Then, when the terminal devices that are the destinations of a secure multicast transmission are selected, the set derivation unit 215 and the set determination unit 216 derive the combination of secret information used to encrypt the transmission message, using the m pieces of structure information included in the set selected by the structure determination unit 220 and following the same procedure as in the first embodiment.
In calculating the expected value, the efficiency calculation unit 221 also derives a plurality of combination patterns of terminal devices by combining the connected terminals for a given number of destination terminals (the number of terminals targeted by the secure multicast). The details are described later, but as an example, when eight terminal devices, terminal 0 through terminal 7, are connected to the server device 201 and the number of destination terminals is five (the number of revoked terminals is three), the efficiency calculation unit 221 assigns terminals 0 through 7 to the five destination terminals (or to the three revoked terminals) and derives a plurality of combination patterns.
Then, for each set of structure information, the efficiency calculation unit 221 extracts, for each combination pattern, the piece of structure information among the m pieces in the set that requires the fewest pieces of secret information to encrypt the transmission message, and calculates the expected value for the set based on the number of pieces of secret information in the structure information extracted for each combination pattern.
The terminal device 301 has the same configuration as that shown in FIG. 3, so its description is omitted.
The configuration example of the secure multicast system according to this embodiment is the same as that shown in FIG. 1.
FIG. 10 is a flowchart for explaining the processing by which the server distributes secret information to each terminal in this embodiment.
The operation of the distribution processing is described with reference to the flowchart of FIG. 10.
The number m of pieces of structure information held and managed by the server and the number t of structure-determination trials are determined in advance.
Before the distribution processing is performed, the server device 901 and each terminal device 301 share a secure multicast algorithm in advance (step S1001).
Here, it is assumed that corresponding algorithms are stored in the algorithm storage area 211 and the algorithm storage area 311.
First, the stirring unit 212 takes the number of terminals n as input and outputs m permutations, each a random rearrangement of the terminal IDs 0 through n-1 (step S1002).
Next, taking each of the m permutations obtained in step S1002 as input, the structure information generation unit 219 imposes a tree structure on the terminals according to the algorithm stored in the algorithm storage area 211 and generates m pieces of structure information (step S1003).
Taking the m pieces of structure information obtained in step S1003 as input, the efficiency calculation unit 221 calculates the expected value of the communication overhead for a specific, predetermined number r of revoked terminals (step S1004).
Specifically, for every revocation pattern for the specific number r of revoked terminals, it obtains the communication overhead when the best of the m structures is used, and calculates the expected value by averaging these.
That is, for example, when eight terminal devices, terminal 0 through terminal 7, are connected to the server device 201 and the number of revoked terminals is three, the efficiency calculation unit 221 assigns terminals 0 through 7 to the three revoked terminals (the number r of revoked terminals) and derives every revocation pattern obtainable from combinations of terminals 0 through 7, in the form revocation pattern 1: (terminals 0, 1 and 2 revoked), revocation pattern 2: (terminals 0, 1 and 3 revoked), and so on.
More than one "specific number of revoked terminals" may be defined.
Here the revocation patterns are generated by combining terminals 0 through 7 for the number of revoked terminals, but transmission patterns may instead be generated by combining terminals 0 through 7 for the number of destination terminals.
Then, for each revocation pattern, the efficiency calculation unit 221 extracts, from the m pieces of structure information, the one that requires the fewest pieces of secret information to encrypt the transmission message when secure multicast is performed to the terminals other than the revoked terminals in that pattern.
When m = 3, for example, the efficiency calculation unit 221 extracts structure information for each revocation pattern: structure information 3 requires the fewest pieces of secret information for revocation pattern 1, structure information 2 for revocation pattern 2, structure information 1 for revocation pattern 3, and so on.
The efficiency calculation unit 221 then obtains the average of the numbers of pieces of secret information in the extracted structure information, and uses this average as the expected value for those m pieces of structure information.
After the trial of S1002 through S1004 has been repeated t times (step S1005), the structure determination unit 220 determines the set with the smallest expected communication overhead, that is, the m pieces of structure information with the smallest expected communication overhead (step S1006).
Then, for the selected m pieces of structure information, the key assignment unit 213 assigns secret information to each node, stores the m pieces of structure information with secret information assigned in the secret information storage area 214, and stores the corresponding secret information in the secret information storage area 312 of each terminal (step S1007).
The encrypted communication processing from the server device 201 to each terminal 301 is the same as that described with reference to FIG. 8, so its description is omitted.
FIG. 13 is a diagram showing an outline of the processing of FIG. 10.
In FIG. 13, m = 3 and t = 5.
In each trial, m pieces of structure information (m1-1, m1-2, m1-3, etc.) are generated in S1002 and S1003, and the expected value for those m pieces of structure information (expected value e1, etc.) is calculated in S1004. After t trials (S1005), t sets of m pieces of structure information have been generated, together with the expected value of each set (expected values e1 through e5).
Each piece of structure information (m1-1, m1-2, m1-3, etc.) is, for example, tree-structured structure information as shown in FIG. 4 (although up to S1004 no secret information has yet been assigned to the nodes as it is in FIG. 4).
Then the structure determination unit 220 selects the set (m pieces of structure information) with the smallest expected value (S1006), and the key assignment unit 213 assigns secret information to the m pieces of structure information of the selected set (S1007).
As described above, by determining the optimal m structures from randomly determined structures, a structure that reduces the communication overhead can be determined automatically (without human intervention) for any secure multicast algorithm and any key management structure.
In this embodiment, m structures are generated at once and the structures are determined so as to minimize the expected communication overhead when all m are used. Alternatively, structures may be generated one at a time, selecting at each addition the structure that minimizes the expected value.
For example, as shown in FIG. 14, at each of m stages the piece of structure information with the smallest expected value is selected from among t pieces of structure information, and the pieces selected at the stages are combined to form the m pieces of structure information.
More specifically, when m = 3 and t = 5, the structure information generation unit 219 generates five pieces of structure information (t1-1, t1-2, t1-3, t1-4, t1-5) as candidates for the first (m1) of the m pieces of structure information, and the efficiency calculation unit 221 applies each revocation pattern to each of the five pieces of structure information and calculates the expected communication overhead (e1 through e5) for each piece.
The procedures for generating structure information and calculating expected values are the same as those described for the flow of FIG. 10.
The structure determination unit 220 then selects the structure information with the smallest expected value.
In FIG. 14, t1-3 is selected.
Next, the structure information generation unit 219 generates five pieces of structure information (t2-1, t2-2, t2-3, t2-4, t2-5) as candidates for the second (m2) of the m pieces of structure information, and the efficiency calculation unit 221 applies each revocation pattern to each combination of the structure information selected so far (t1-3) with one of the five candidates for m2, and calculates the expected communication overhead (f1 through f5) for each combination. The structure determination unit 220 then selects, from the candidates for m2, the structure information that gives the smallest expected value. In FIG. 14, t2-2 is selected.
This processing is performed for m stages; at each stage the structure information with the smallest expected communication overhead (f1 through f5, g1 through g5) is selected, and m pieces of structure information are obtained.
In the example of FIG. 14, t1-3, t2-2 and t3-1 are selected.
Then, as described above, when the terminal devices that are the destinations of a secure multicast transmission are selected, the set derivation unit 215 and the set determination unit 216 use the m pieces of structure information selected by the structure determination unit 220 to derive, by the same procedure as in the first embodiment, the combination of secret information used to encrypt the transmission message.
In this embodiment, the efficiency calculation unit 221 calculates the expected communication overhead based on all revocation patterns for the number r of revoked terminals, but an approximate expected value may instead be calculated by repeatedly running a simulation that selects r terminals at random and obtains the communication overhead.
When the number of terminals n and the number of revoked terminals r are large, this keeps the amount of computation small.
That is, when n and r are large, the number of revocation patterns becomes very large, so obtaining the communication overhead for every revocation pattern takes a long time. By sampling and obtaining the communication overhead for only a portion of the patterns, the overall expected value can be estimated and the processing time shortened.
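The selection procedure of steps S1002 to S1006, the stage-by-stage variant of FIG. 14, and the sampled estimate described above, as an added Python example that is not part of the patent text. It assumes a complete binary tree over the permuted terminal IDs, with the number of subtree and leaf secrets needed to cover the non-revoked terminals as the cost; all function names are hypothetical.

```python
import itertools
import random


def cover_size(perm, revoked):
    """Secrets needed to reach every non-revoked terminal in one structure.

    Assumption: perm[i] is the terminal ID at leaf i of a complete binary
    tree (len(perm) a power of two). A subtree with no revoked leaf costs
    one group secret, a fully revoked subtree costs nothing, and a mixed
    subtree is split into its two children.
    """
    def walk(lo, hi):
        bad = sum(1 for t in perm[lo:hi] if t in revoked)
        if bad == 0:
            return 1
        if bad == hi - lo:
            return 0
        mid = (lo + hi) // 2
        return walk(lo, mid) + walk(mid, hi)

    return walk(0, len(perm))


def expected_overhead(structures, n, r, samples=None, rng=None):
    """S1004: average, over revocation patterns, of the best structure's cost.

    samples=None enumerates all C(n, r) patterns; otherwise `samples`
    random patterns are drawn (the sampled estimate for large n and r).
    """
    if samples is None:
        patterns = itertools.combinations(range(n), r)
    else:
        rng = rng or random.Random()
        patterns = (rng.sample(range(n), r) for _ in range(samples))
    total = count = 0
    for pattern in patterns:
        revoked = frozenset(pattern)
        total += min(cover_size(p, revoked) for p in structures)
        count += 1
    return total / count


def random_structure(n, rng):
    """S1002: one random permutation of terminal IDs 0..n-1."""
    perm = list(range(n))
    rng.shuffle(perm)
    return perm


def select_batch(n, r, m, t, rng):
    """S1002-S1006: t trials of m structures each, keep the cheapest set."""
    trials = []
    for _ in range(t):
        structures = [random_structure(n, rng) for _ in range(m)]
        trials.append((expected_overhead(structures, n, r), structures))
    best_score, best_set = min(trials, key=lambda item: item[0])
    return best_set, best_score, [score for score, _ in trials]


def select_greedy(n, r, m, t, rng):
    """FIG. 14 variant: add one structure per stage, best of t candidates."""
    chosen, score = [], None
    for _ in range(m):
        candidates = [random_structure(n, rng) for _ in range(t)]
        scored = [(expected_overhead(chosen + [c], n, r), c) for c in candidates]
        score, best = min(scored, key=lambda item: item[0])
        chosen.append(best)
    return chosen, score


if __name__ == "__main__":
    rng = random.Random(2008)  # fixed seed so the run is repeatable
    n, r, m, t = 8, 3, 3, 5    # the values used in the text and FIG. 13
    single = expected_overhead([list(range(n))], n, r)
    batch_set, batch_score, scores = select_batch(n, r, m, t, rng)
    greedy_set, greedy_score = select_greedy(n, r, m, t, rng)
    estimate = expected_overhead(batch_set, n, r, samples=200, rng=rng)
    print("one structure    :", round(single, 3))
    print("per-trial scores :", [round(s, 3) for s in scores])
    print("best batch set   :", round(batch_score, 3))
    print("greedy set       :", round(greedy_score, 3))
    print("sampled estimate :", round(estimate, 3))
```

With a single structure the exhaustive average is the same for every permutation, so any reduction comes from taking the minimum across m ≥ 2 structures for each revocation pattern.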
In this embodiment, the same server device both determines the keys to be stored in each terminal and transmits messages to each terminal, but these may be performed by separate devices.
In this embodiment, the best one of the m tree structures is selected in step S1004 and in step S807 of the encrypted communication processing, and the sum of subsets S1+S2+…+Sj is determined on that basis. It is also possible to determine each subset Si across a plurality of tree structures, which may reduce the number of elements j further than when only one structure is selected. In this case, each subset needs additional information indicating which tree structure it belongs to. The details are the same as the procedure described with reference to FIG. 12 in the first embodiment.
In this embodiment, in S1004 of FIG. 10, the expected communication overhead of the m pieces of structure information is calculated for each set. Alternatively, after t sets of m pieces of structure information have been generated, the combination of m pieces with the smallest expected communication overhead may be extracted from among the m×t pieces of structure information.
For example, when m = 3 and t = 5 as shown in FIG. 13, FIG. 10 calculates the expected communication overhead for each set (for every three pieces of structure information), but the three pieces of structure information with the smallest expected communication overhead may instead be selected from among the fifteen pieces m1-1 through m5-3.
One specific method of extracting, from the m×t pieces of structure information, the combination of m pieces with the smallest expected communication overhead is to search for the best combination by exhaustively combining the m×t pieces of structure information.
In this embodiment as well, structures other than a tree structure can be used, provided the secure multicast algorithm is one whose communication overhead varies with the permutation of the terminals.
As described above, this embodiment has described a scheme in which the determination of a plurality of tree structures by random numbers is repeated, and the plurality of tree structures forming the best combination among them is retained.
Finally, a hardware configuration example of the server device 201 and the terminal device 301 described in the first and second embodiments is explained.
FIG. 15 is a diagram showing an example of the hardware resources of the server device 201 and the terminal device 301 described in the first and second embodiments.
The configuration of FIG. 15 is only one example of the hardware configuration of the server device 201 and the terminal device 301; their hardware configuration is not limited to that shown in FIG. 15 and may be another configuration.
In FIG. 15, the server device 201 and the terminal device 301 each include a CPU 911 (Central Processing Unit; also called a central processing device, processing device, arithmetic device, microprocessor, microcomputer, or processor) that executes programs.
The CPU 911 is connected via a bus 912 to, for example, a ROM (Read Only Memory) 913, a RAM (Random Access Memory) 914, a communication board 915, a display device 901, a keyboard 902, a mouse 903, and a magnetic disk device 920, and controls these hardware devices.
The CPU 911 may further be connected to an FDD 904 (Flexible Disk Drive), a compact disk device 905 (CDD), a printer device 906, and a scanner device 907. Instead of the magnetic disk device 920, a storage device such as an optical disk device or a memory card (registered trademark) read/write device may be used.
The RAM 914 is an example of volatile memory. The storage media of the ROM 913, the FDD 904, the CDD 905, and the magnetic disk device 920 are examples of non-volatile memory. These are examples of storage devices.
The communication board 915, the keyboard 902, the mouse 903, the scanner device 907, the FDD 904, and the like are examples of input devices.
The communication board 915, the display device 901, the printer device 906, and the like are examples of output devices.
The communication board 915 is connected to a network as shown in FIG. 1. For example, the communication board 915 may be connected to a LAN (local area network), the Internet, a WAN (wide area network), or the like.
The magnetic disk device 920 stores an operating system 921 (OS), a window system 922, a program group 923, and a file group 924.
The programs of the program group 923 are executed by the CPU 911 using the operating system 921 and the window system 922.
The RAM 914 temporarily stores at least part of the operating system 921 programs and application programs to be executed by the CPU 911.
The RAM 914 also stores various data needed for processing by the CPU 911.
The ROM 913 stores a BIOS (Basic Input Output System) program, and the magnetic disk device 920 stores a boot program.
When the server device 201 and the terminal device 301 start up, the BIOS program in the ROM 913 and the boot program on the magnetic disk device 920 are executed, and the operating system 921 is started by the BIOS program and the boot program.
The program group 923 stores programs that execute the functions described as "... unit" in the description of the first and second embodiments. The programs are read and executed by the CPU 911.
The file group 924 stores, as items of a "... file" or "... database", the information, data, signal values, variable values, and parameters indicating the results of the processing described in the first and second embodiments as "determination of ...", "computation of ...", "calculation of ...", "comparison of ...", "generation of ...", "ordering of ...", "extraction of ...", "updating of ...", "setting of ...", "registration of ...", "selection of ...", and the like.
The "... file" and "... database" are stored on a recording medium such as a disk or memory. The information, data, signal values, variable values, and parameters stored on a storage medium such as a disk or memory are read into main memory or cache memory by the CPU 911 via a read/write circuit, and are used for CPU operations such as extraction, search, reference, comparison, operation, calculation, processing, editing, output, printing, and display.
During these CPU operations of extraction, search, reference, comparison, operation, calculation, processing, editing, output, printing, and display, the information, data, signal values, variable values, and parameters are temporarily stored in main memory, registers, cache memory, buffer memory, and the like.
The arrows in the flowcharts described in the first and second embodiments mainly indicate the input and output of data and signals, and the data and signal values are recorded on recording media such as the memory of the RAM 914, the flexible disk of the FDD 904, the compact disk of the CDD 905, the magnetic disk of the magnetic disk device 920, and other optical disks, mini disks, and DVDs. Data and signals are also transmitted online via the bus 912, signal lines, cables, and other transmission media.
What is described as a "... unit" in the description of the first and second embodiments may be a "... circuit", "... device", or "... equipment", and may also be a "... step", "... procedure", or "... process". That is, what is described as a "... unit" may be implemented by firmware stored in the ROM 913. Alternatively, it may be implemented by software alone, by hardware alone such as elements, devices, boards, and wiring, by a combination of software and hardware, or further in combination with firmware. Firmware and software are stored as programs on a recording medium such as a magnetic disk, flexible disk, optical disk, compact disk, mini disk, or DVD. The program is read and executed by the CPU 911. That is, the program causes a computer to function as the "... unit" of the first and second embodiments, or causes a computer to execute the procedure or method of the "... unit" of the first and second embodiments.
Thus, the server device 201 and the terminal device 301 described in the first and second embodiments are computers that include a CPU as a processing device; memory, a magnetic disk, and the like as storage devices; a keyboard, a mouse, a communication board, and the like as input devices; and a display device, a communication board, and the like as output devices. As described above, they realize the functions indicated as "... unit" using these processing, storage, input, and output devices.
A diagram showing a configuration example of the secure multicast system according to the first embodiment.
A diagram showing a configuration example of the server device according to the first embodiment.
A diagram showing a configuration example of the terminal device according to the first embodiment.
A diagram showing an example of tree-structured structure information according to the first embodiment.
A diagram showing an example of data stored by the terminal device according to the first embodiment.
A flowchart showing an example of the secret information distribution processing according to the first embodiment.
A flowchart showing an example of the terminal ID rearrangement processing according to the first embodiment.
A flowchart showing an example of the encrypted communication processing according to the first embodiment.
A diagram showing a configuration example of the server device according to the second embodiment.
A flowchart showing an example of the secret information distribution processing according to the second embodiment.
A diagram showing an example of the secret information selection procedure according to the first embodiment.
A diagram showing an example of the secret information selection procedure according to the first embodiment.
A diagram showing an example of the structure information selection procedure according to the second embodiment.
A diagram showing an example of the structure information selection procedure according to the second embodiment.
A diagram showing a hardware configuration example of the server device and the terminal device according to the first and second embodiments.
Explanation of reference numerals
101 network, 201 server device, 211 algorithm storage area, 212 stirring unit, 213 key assignment unit, 214 secret information storage area, 215 set derivation unit, 216 set determination unit, 217 communication unit, 218 encryption unit, 219 structure information generation unit, 220 structure determination unit, 221 efficiency calculation unit, 301 terminal device, 311 algorithm storage area, 312 secret information storage area, 313 key derivation unit, 314 communication unit, 315 encryption unit.

Claims (16)

  1.  An information processing apparatus that is connected to a plurality of communication devices and that multicasts, to two or more communication devices selected from among the plurality of communication devices, an encrypted message obtained by encrypting a transmission message using secret information, the information processing apparatus comprising:
    an order information generation unit that performs a plurality of kinds of ordering on the plurality of communication devices, groups together two or more communication devices that are ordered adjacent to each other in each ordering, and generates a plurality of pieces of order information each indicating the content of the respective ordering and grouping;
    a secret information assignment unit that, for each piece of order information, assigns, per communication device, device-specific secret information used by each communication device to decrypt encrypted messages, and assigns, per group, group-specific secret information that can be used in common to decrypt encrypted messages by two or more same-group communication devices classified into the same group; and
    a combination deriving unit that, when two or more communication devices to be destinations of a multicast transmission are selected from among the plurality of communication devices as destination communication devices, compares, for each group indicated in each piece of order information, the same-group communication devices with the destination communication devices and derives a combination of secret information to be used to encrypt the transmission message.
  2.  The information processing apparatus according to claim 1, wherein the combination deriving unit
    derives the combination of secret information that allows all of the transmission destination communication devices to decrypt the encrypted message and that contains the fewest pieces of secret information.
  3.  The information processing apparatus according to claim 1 or 2, wherein the combination deriving unit:
    for each group indicated in each piece of order information, compares the same-group communication devices with the transmission destination communication devices, extracts the group-specific secret information assigned to the group when all of the same-group communication devices are selected as transmission destination communication devices, and extracts the device-specific secret information assigned to each of the same-group communication devices when one or more of the same-group communication devices are not selected as transmission destination communication devices, thereby extracting, for each piece of order information, the secret information needed to encrypt so that all of the transmission destination communication devices can decrypt the encrypted message, and counts the pieces of secret information extracted; and
    determines, from among the plurality of pieces of order information, the order information with the fewest pieces of secret information, and uses the secret information extracted for the determined order information as the secret information for encrypting the transmission message.
  4.  The information processing apparatus according to claim 3, wherein the order information generation unit
    groups two or more adjacently ordered communication devices at a plurality of hierarchy levels and generates order information in which the groups of communication devices are indicated at the plurality of levels, and
    the combination deriving unit,
    for each piece of order information, compares the same-group communication devices with the transmission destination communication devices in order from the groups of the upper level; extracts the group-specific secret information assigned to a group when all of its same-group communication devices are selected as transmission destination communication devices; compares the same-group communication devices of the lower-level groups with the transmission destination communication devices when one or more of the same-group communication devices are not selected as transmission destination communication devices; and, when one or more of the same-group communication devices in a lowest-level group are not selected as transmission destination communication devices, extracts the device-specific secret information assigned to each of the same-group communication devices of that lowest-level group, thereby extracting, for each piece of order information, the secret information needed to encrypt so that all of the transmission destination communication devices can decrypt the encrypted message.
  5.  The information processing apparatus according to any one of claims 1 to 4, wherein the combination deriving unit:
    for each group indicated in each piece of order information, compares the same-group communication devices with the transmission destination communication devices and extracts the group-specific secret information assigned to the group when all of the same-group communication devices are selected as transmission destination communication devices; and
    combines the group-specific secret information extracted for the plurality of pieces of order information to derive a combination of secret information that is needed to encrypt so that all of the transmission destination communication devices can decrypt the encrypted message and that contains the fewest pieces of secret information.
  6.  The information processing apparatus according to claim 5, wherein the order information generation unit
    groups two or more adjacently ordered communication devices at a plurality of hierarchy levels and generates order information in which the groups of communication devices are indicated at the plurality of levels, and
    the combination deriving unit,
    for each piece of order information, compares the same-group communication devices with the transmission destination communication devices in order from the groups of the upper level, extracts the group-specific secret information assigned to a group when all of its same-group communication devices are selected as transmission destination communication devices, and compares the same-group communication devices of the lower-level groups with the transmission destination communication devices when one or more of the same-group communication devices are not selected as transmission destination communication devices.
  7.  The information processing apparatus according to any one of claims 1 to 6, wherein the order information generation unit,
    when the number of communication devices connected to the information processing apparatus is 2^m (m ≥ 2), generates m pieces of order information indicating m kinds of ordering and grouping.
  8.  The information processing apparatus according to any one of claims 1 to 6, wherein the order information generation unit,
    when the number of communication devices connected to the information processing apparatus is less than 2^m (m ≥ 2), adds virtual communication devices to make up the shortfall and generates m pieces of order information indicating m kinds of ordering and grouping.
  9.  The information processing apparatus according to any one of claims 1 to 8, wherein the order information generation unit
    treats m pieces of order information indicating m (m ≥ 2) kinds of ordering and grouping as one set and generates t (t ≥ 2) sets of order information,
    the information processing apparatus further comprises
    an order information selection unit that, for each set of order information, calculates an expected value of the number of pieces of secret information needed when the transmission message is encrypted using the m pieces of order information included in the set, and selects a specific set from among the t sets based on the calculated expected values, and
    the combination deriving unit,
    when the transmission destination communication devices are selected, derives the combination of secret information to be used to encrypt the transmission message using the m pieces of order information included in the set selected by the order information selection unit.
  10.  The information processing apparatus according to claim 9, wherein the order information selection unit
    selects, from among the t sets, the set with the smallest expected value.
  11.  The information processing apparatus according to claim 9 or 10, wherein the order information selection unit:
    derives a plurality of combination patterns of communication devices by combining the plurality of communication devices for a predetermined number of transmission destination communication devices; and
    for each set of order information, extracts, for each combination pattern, the order information that needs the fewest pieces of secret information to encrypt the transmission message from among the m pieces of order information included in the set, and calculates the expected value for each set based on the number of pieces of secret information in the order information extracted for each combination pattern.
  12.  The information processing apparatus according to any one of claims 9 to 11, wherein the order information selection unit:
    derives a plurality of combination patterns of communication devices by combining the plurality of communication devices for a predetermined number of transmission destination communication devices; and
    for each set of order information, compares the same-group communication devices of each group indicated in the m pieces of order information included in the set with the communication devices included in each combination pattern, extracts, for each combination pattern, the combination of groups that needs the fewest pieces of secret information to encrypt the transmission message, and calculates the expected value for each set based on the number of pieces of secret information in the combination of groups extracted for each combination pattern.
  13.  The information processing apparatus according to any one of claims 1 to 8, wherein the order information generation unit
    generates, at each of m (m ≥ 2) stages, t pieces of order information indicating t (t ≥ 2) kinds of ordering and grouping,
    the information processing apparatus further comprises
    an order information selection unit that, at each of the m stages, calculates for each piece of order information an expected value of the number of pieces of secret information needed to encrypt the transmission message, and selects specific order information from among the t pieces of order information based on the calculated expected values, and
    the combination deriving unit,
    when the transmission destination communication devices are selected, derives the combination of secret information to be used to encrypt the transmission message using the m pieces of order information selected by the order information selection unit at the respective m stages.
  14.  The information processing apparatus according to claim 13, wherein the order information selection unit,
    at each of the m stages, selects the order information with the smallest expected value from among the t pieces of order information.
  15.  The information processing apparatus according to claim 13 or 14, wherein the order information generation unit,
    after the order information selection unit has selected specific order information from among the t pieces of order information, generates, as the t pieces of order information for the next stage, t pieces of order information indicating orderings and groupings different from the selected order information.
  16.  A program that causes a computer, which is connected to a plurality of communication devices and multicasts, to two or more communication devices selected from among the plurality of communication devices, an encrypted message obtained by encrypting a transmission message using secret information, to execute:
    order information generation processing that applies a plurality of kinds of ordering to the plurality of communication devices, groups together two or more communication devices that are ordered adjacently in each ordering, and generates a plurality of pieces of order information, each indicating the content of one ordering and its grouping;
    secret information assignment processing that, for each piece of order information, assigns on a per-device basis device-specific secret information used by each communication device to decrypt encrypted messages, and assigns on a per-group basis group-specific secret information that two or more same-group communication devices classified into the same group can use in common to decrypt encrypted messages; and
    combination derivation processing that, when two or more communication devices to be destinations of the multicast transmission are selected from among the plurality of communication devices as transmission destination communication devices, compares, for each group indicated in each piece of order information, the same-group communication devices with the transmission destination communication devices and derives a combination of secret information to be used to encrypt the transmission message.
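The key-selection procedure of claims 3, 4 and 9 to 11 can be traced in code. The following Python sketch is an added example, not part of the patent text: the binary hierarchy, the `(start, size)` key labels, the function names and the sample orderings are all assumptions constructed for illustration.

```python
from itertools import combinations


def cover(ordering, dest):
    """Key labels one ordering needs so exactly the devices in dest can decrypt.

    ordering: tuple of device ids whose length is a power of two. Adjacent
    devices form groups of 2, 4, ... (binary hierarchy: an assumption here).
    A label (start, size) names a group key when size > 1 and a
    device-specific key when size == 1 (hypothetical labelling).
    """
    dest = set(dest)

    def walk(start, size):
        members = ordering[start:start + size]
        hits = sum(1 for d in members if d in dest)
        if hits == 0:
            return []                  # no destination below this group
        if hits == size:
            return [(start, size)]     # every member selected: one key suffices
        half = size // 2               # otherwise descend one level (claim 4)
        return walk(start, half) + walk(start + half, half)

    return walk(0, len(ordering))


def covered(ordering, labels):
    """Devices able to decrypt when the message key is wrapped under labels."""
    return {d for start, size in labels for d in ordering[start:start + size]}


def best_cover(orderings, dest):
    """Claim 3: count keys per ordering, return (index, labels) of the fewest."""
    covers = [(i, cover(o, dest)) for i, o in enumerate(orderings)]
    return min(covers, key=lambda c: len(c[1]))


def expected_keys(orderings, devices, k):
    """Claims 9 and 11: mean best key count over all k-device destination patterns."""
    patterns = list(combinations(devices, k))
    return sum(len(best_cover(orderings, p)[1]) for p in patterns) / len(patterns)


def pick_set(ordering_sets, devices, k):
    """Claim 10: index of the set of orderings with the smallest expected value."""
    return min(range(len(ordering_sets)),
               key=lambda i: expected_keys(ordering_sets[i], devices, k))


# Constructed sample: 2^3 = 8 devices, m = 3 orderings per set, t = 2 sets.
DEVICES = tuple(range(8))
SET_A = [(0, 1, 2, 3, 4, 5, 6, 7),      # three orderings that all produce
         (7, 6, 5, 4, 3, 2, 1, 0),      # the same groups, so the extra
         (2, 3, 0, 1, 6, 7, 4, 5)]      # orderings add no new group keys
SET_B = [(0, 1, 2, 3, 4, 5, 6, 7),      # three orderings whose groups differ
         (0, 2, 4, 6, 1, 3, 5, 7),
         (0, 4, 1, 5, 2, 6, 3, 7)]

if __name__ == "__main__":
    dest = {0, 2, 4, 6}
    for i, o in enumerate(SET_B):
        print(i, cover(o, dest))
    print("chosen:", best_cover(SET_B, dest))
    print("expected keys, k=2:", expected_keys(SET_A, DEVICES, 2),
          expected_keys(SET_B, DEVICES, 2))
    print("selected set:", pick_set([SET_A, SET_B], DEVICES, 2))
```

For the destinations {0, 2, 4, 6} the first ordering needs four device keys while the second needs a single group key. `covered` confirms that each cover reaches the selected devices and no others, which is the property that keeps non-destination devices from decrypting.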
PCT/JP2008/058153 2008-04-26 2008-04-26 Information processing equipment and program WO2009130795A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
PCT/JP2008/058153 WO2009130795A1 (en) 2008-04-26 2008-04-26 Information processing equipment and program
JP2010509022A JP5279824B2 (en) 2008-04-26 2008-04-26 Information processing apparatus and program

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/JP2008/058153 WO2009130795A1 (en) 2008-04-26 2008-04-26 Information processing equipment and program

Publications (1)

Publication Number Publication Date
WO2009130795A1 true WO2009130795A1 (en) 2009-10-29

Family

ID=41216544

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2008/058153 WO2009130795A1 (en) 2008-04-26 2008-04-26 Information processing equipment and program

Country Status (2)

Country Link
JP (1) JP5279824B2 (en)
WO (1) WO2009130795A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2017129913A (en) * 2016-01-18 2017-07-27 日本電信電話株式会社 Secrecy decision tree system, device, method, and program

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2004229128A (en) * 2003-01-24 2004-08-12 Sony Corp Encryption data distribution system, information processor and information processing method, and computer program
JP2006013790A (en) * 2004-06-24 2006-01-12 Internatl Business Mach Corp <Ibm> Encryption communication system for distributing message selectively to multiple decoding devices, encryption apparatus, decoding apparatus, encryption method, decoding method, encryption program and decoding program

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2002281013A (en) * 2000-12-18 2002-09-27 Matsushita Electric Ind Co Ltd Key management device for protecting copyright, recording medium, reproduction device, recording device, key management method, reproduction method, key management program, and computer readable recording medium with key management program recorded


Also Published As

Publication number Publication date
JPWO2009130795A1 (en) 2011-08-11
JP5279824B2 (en) 2013-09-04


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 08740892

Country of ref document: EP

Kind code of ref document: A1

WWE Wipo information: entry into national phase

Ref document number: 2010509022

Country of ref document: JP

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 08740892

Country of ref document: EP

Kind code of ref document: A1