WO2009157050A1 - Information processing device and program - Google Patents

Information processing device and program Download PDF

Info

Publication number
WO2009157050A1
WO2009157050A1 PCT/JP2008/061400 JP2008061400W WO2009157050A1 WO 2009157050 A1 WO2009157050 A1 WO 2009157050A1 JP 2008061400 W JP2008061400 W JP 2008061400W WO 2009157050 A1 WO2009157050 A1 WO 2009157050A1
Authority
WO
WIPO (PCT)
Prior art keywords
node
secret information
nodes
unused
management structure
Prior art date
Application number
PCT/JP2008/061400
Other languages
French (fr)
Japanese (ja)
Inventor
伊藤 隆
米田 健
宏郷 辻
和美 齋藤
英憲 太田
松田 規
充洋 服部
Original Assignee
三菱電機株式会社
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 三菱電機株式会社 filed Critical 三菱電機株式会社
Priority to PCT/JP2008/061400 priority Critical patent/WO2009157050A1/en
Priority to JP2010517608A priority patent/JPWO2009157050A1/en
Publication of WO2009157050A1 publication Critical patent/WO2009157050A1/en

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/083Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP]
    • H04L9/0833Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP] involving conference or group key
    • H04L9/0836Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP] involving conference or group key using tree structure or hierarchical structure
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/06Network architectures or network communication protocols for network security for supporting key management in a packet data network

Definitions

  • the present invention relates to a technique for broadcasting (multicasting) information to, for example, only a plurality of legitimate terminal devices (hereinafter also referred to as terminals) from a server device (hereinafter also referred to as a server) using encryption technology.
  • a server device hereinafter also referred to as a server
  • the secure multicast system uses cryptographic technology to broadcast information (multicast) from the server only to a number of legitimate terminals, and the revoked terminals (groups) are collocated between revoked terminals.
  • groups are collocated between revoked terminals.
  • a legitimate terminal is a terminal that is allowed to decrypt encrypted messages transmitted from the server
  • an expired terminal is a terminal that is prohibited from decrypting encrypted messages transmitted from the server. (Group).
  • a secure multicast system in which a device key held by a terminal is not updated at all is called a stateless method.
  • a stateless method various techniques for minimizing the number of device keys held by a terminal, multicast communication overhead, and calculation overhead for the terminal to derive a key have been proposed.
  • the server places each terminal on a leaf (bottom layer) of a tree structure, and each node including the leaf This is a scheme in which secret information is allocated and each terminal holds secret information corresponding to each node on the path from its own node to the root node.
  • CS method Complete Subtree method
  • SD method Subset Difference method
  • the server when the server performs multicasting, a plurality of valid terminals are represented by a sum of S1 + S2 +... + Sj of a subset of terminals by an appropriate method.
  • the message M (or session key K for encrypting the message M) (in this specification, the message M and the session key K are collectively referred to as a transmission message) is encrypted.
  • the server does not hold (cannot derive) the revoked terminal, but extracts the key held (can be derived) by the legitimate terminal, encrypts the message using each of the extracted keys, and Broadcasts an encrypted message.
  • the CS method and the SD method are methods for performing efficient secure multicast under a model in which there are a plurality of predetermined legitimate terminals, and revocation terminals are gradually generated from there.
  • Patent Document 1 it is possible to add a terminal without limitation by adding a plurality of nodes under an unused leaf node (no terminal is assigned). is doing. JP 2003-204321 PR D. Naor, M.M. Naor, and J.M. Lostpiech, “Revocation and tracing schemes for stateless receivers,” Advances in Cryptology—CRYPTO'01, LNCS vol. 2139, pp. 41-62, 2001.
  • Key management algorithms such as the CS method and SD method create a key management tree by placing all existing terminals on the leaf nodes of the tree structure, and then change the multicast header according to the revocation of each terminal It is a method to do. For this reason, when the CS method or the SD method is used as it is, a new terminal cannot be added.
  • the method disclosed in Patent Document 1 some leaf nodes are left without being associated with terminals, and when these nodes are reduced, a plurality of nodes are added below to add terminals. In this case, the tree becomes unbalanced as the number of terminals added increases, and there is a problem that the necessary device keys and communication overhead increase as a whole. Also, it is not disclosed to which node the additional terminal is assigned.
  • the main object of the present invention is to solve the above-mentioned problems. For example, in a secure multicast system, it is possible to add a terminal and to reduce communication overhead.
  • the information processing apparatus is a cipher that is encrypted using secret information to two or more multicast target communication apparatuses selected as multicast transmission targets from m (m ⁇ 2) communication apparatuses.
  • An information processing apparatus for multicast transmission of an encrypted message A secret information management structure generation unit that generates a secret information management structure including n (n> m) nodes arranged;
  • the m communication devices are allocated to m nodes among the n nodes of the secret information management structure, and a node to which no communication device is allocated among the n nodes is designated as an unused node.
  • a device allocation unit A secret information selection unit that selects secret information used for encryption of an encrypted message to be multicast-transmitted to the multicast target communication device based on a result of assignment of the terminal device to the secret information management structure by the device assignment unit. It is characterized by that.
  • the device allocation unit is When a new communication device other than the m communication devices is selected as a multicast target communication device, the new communication device is assigned to an unused node.
  • the information processing apparatus further includes: a secret information storage unit for storing n + 1 or more secret information; Of the secret information stored in the secret information storage unit, n secret information is managed as node secret information in association with n nodes of the secret information management structure, and stored in the secret information storage unit A secret information management unit that manages secret information other than node secret information among grouped secret information as group secret information that is commonly applied to a plurality of nodes grouped, The device allocation unit is The m communication devices are allocated to m nodes among the n nodes of the secret information management structure, and the node to which the multicast target communication device is allocated among the m nodes is designated as a valid node.
  • the secret information selection unit Based on the position of the valid node, the position of the invalid node and the position of the unused node in the n nodes, it is determined whether or not a plurality of valid nodes can be grouped.
  • the device allocation unit is When a new communication device other than the m communication devices is selected as a multicast target communication device, the new communication device is assigned to an unused node, and the unused node to which the new communication device is assigned is valid. It is characterized by changing to a node.
  • the device allocation unit is When the new communication device is selected as a multicast target communication device, if there is only one unused node among the n nodes of the secret information management structure, the new communication device is assigned to the unused node. , Changing the unused node to which the new communication device is assigned to a valid node, The secret information selection unit It is determined whether or not a plurality of valid nodes can be grouped based on the positions of valid nodes and invalid nodes in the n nodes after the unused node is changed to a valid node by the device allocation unit. It is characterized by doing.
  • the secret information selection unit When a plurality of unused nodes exist in n nodes of the secret information management structure when the new communication device is selected as a multicast target communication device, the new communication device is added to each unused node. Based on the position of the valid node, the position of the revoked node, and the position of the unused node in the n nodes when assigned, the number of secret information used for encrypting the encrypted message is calculated for each unused node. , Select an unused node that minimizes the calculated number of confidential information, The device allocation unit is The new communication device is assigned to an unused node selected by the secret information selection unit.
  • the secret information selection unit The n nodes are divided into blocks for each k (2 ⁇ k ⁇ m) nodes according to the order of arrangement, and for each block, which type of node is included in the k nodes in the block. It is characterized by analyzing whether or not a plurality of valid nodes can be grouped.
  • the secret information selection unit If all k nodes in the block are unused nodes, specify an unused node as the parent node of k nodes; If the k nodes in the block do not contain revoked nodes, specify the legitimate node as the parent node of the k nodes, If the k nodes in the block contain an invalid node, specify the invalid node as the parent node of the k nodes, Thereafter, the same processing is repeated, Each time an invalid node is designated, a plurality of valid nodes corresponding to descendant nodes of the designated invalid node are grouped.
  • the secret information management structure generation unit Generating a secret information management structure having a k-ary tree structure of a plurality of hierarchies in which the n nodes are arranged in the lowest hierarchy;
  • the secret information storage unit Storing secret information corresponding to the number of nodes included in the secret information management structure;
  • the secret information management unit Of the secret information stored in the secret information storage unit, n secret information is managed as node secret information in association with n nodes of the secret information management structure, and stored in the secret information storage unit Managing secret information other than node secret information among the secret information associated with the nodes other than the n nodes as group secret information,
  • the secret information selection unit The group secret information associated with the legitimate node corresponding to the child node of the revocation node that is an ancestor node is applied to a plurality of legitimate nodes grouped.
  • the secret information selection unit Designate a node that meets a given condition as an SD (Subset Difference) node, If all k nodes in the block are unused nodes, specify an unused node as the parent node of k nodes; If the k nodes in the block contain neither the revoked node nor the SD node, the legitimate node is designated as the parent node of the k nodes, When k nodes in the block include only one invalid node and SD node in total, the SD node is designated as the parent node of k nodes, If the k nodes in the block include two or more revocation nodes and SD nodes in total, specify the revocation node as the parent node of the k nodes, Thereafter, the same processing is repeated, Each time an invalid node is designated, a plurality of valid nodes corresponding to descendant nodes of the designated invalid node are grouped.
  • SD Subset Difference
  • the secret information management structure generation unit Generating a secret information management structure having a k-ary tree structure of a plurality of hierarchies in which the n nodes are arranged in the lowest hierarchy;
  • the secret information storage unit Storing secret information corresponding to the number of nodes included in the secret information management structure;
  • the secret information management unit Of the secret information stored in the secret information storage unit, n secret information is managed as node secret information in association with n nodes of the secret information management structure, and stored in the secret information storage unit Managing secret information other than node secret information among the secret information associated with the nodes other than the n nodes as group secret information,
  • the secret information selection unit The group secret information associated with either the legitimate node or the SD node corresponding to the child node of the revocation node that is an ancestor node is applied to the grouped legitimate nodes.
  • the device allocation unit is The m communication devices are allocated to the m nodes so that legitimate nodes, invalid nodes, and unused nodes are distributed.
  • the program according to the present invention provides an encrypted message encrypted using secret information to two or more multicast target communication devices selected as multicast transmission targets from m (m ⁇ 2) communication devices.
  • a secret information management structure generation process for generating a secret information management structure including n (n> m) nodes arranged; N secret information among n + 1 or more secret information stored in the secret information storage area is managed as node secret information in association with n nodes of the secret information management structure, and stored in the secret information storage area
  • Secret information management processing for managing secret information other than node secret information among stored secret information as group secret information that is commonly applied to a plurality of nodes grouped;
  • the m communication devices are allocated to m nodes among the n nodes of the secret information management structure, and the node to which the multicast target communication device is allocated among the m nodes is designated as a valid node.
  • a node to which a communication device other than the multicast target communication device is assigned among the m nodes is designated as an invalid node
  • a node to which no communication device is assigned among the n nodes is designated as an unused node.
  • a device allocation process to be specified Based on the position of the valid node, the position of the invalid node and the position of the unused node in the n nodes, it is determined whether or not a plurality of valid nodes can be grouped.
  • Secret information used for encryption of encrypted messages that are multicast-transmitted to the multicast target communication device by applying group secret information and applying corresponding node secret information to legitimate nodes that cannot be grouped And performing secret information selection processing for selecting.
  • a secret information management structure including n nodes is generated for m terminal devices, and a node to which no terminal device is assigned is set as an unused node, thereby creating a new terminal.
  • a new terminal device can be assigned to an unused node.
  • a new terminal device is allocated to an unused node that already exists, and a node is not added for a new terminal device, and the node configuration of the secret information management structure is not unbalanced, Communication overhead can be suppressed.
  • Embodiment 1 FIG.
  • a key management tree composed of a number of leaf nodes that is sufficiently larger than the number of terminals at the start of operation is created, and multicast is performed by managing each node in three states: valid, revoked, and unused.
  • a secure multicast system capable of adding terminals and reducing communication overhead will be described.
  • FIG. 1 shows a system configuration example of a secure multicast system according to the present embodiment.
  • a server device 201 hereinafter also simply referred to as a server
  • terminals terminals
  • information is broadcast (multicast) only from the server apparatus 201 to a plurality of legitimate terminal apparatuses 301 using encryption technology, and the revoked terminals (groups) Even if there is a collusion between revoked terminals, no information is leaked.
  • the server device 201 is an example of an information processing device
  • the terminal device 301 is an example of a communication device.
  • a legitimate terminal device 301 that is, a terminal device 301 that is a target of multicast from the server device 201 is an example of a multicast target communication device.
  • FIG. 2 is a block diagram illustrating a configuration example of the server apparatus 201.
  • Server apparatus 201 determines a key to be stored in each terminal and transmits a message to each terminal.
  • an algorithm storage area 211 is data storage means for storing algorithms such as key assignment in secure multicast and message transmission to a valid terminal.
  • an algorithm based on the CS method is used as an algorithm for managing terminals in a tree structure.
  • the key management structure generation unit 212 is a unit that generates a key management structure in accordance with an algorithm stored in the algorithm storage area 211 and assigns secret information to each element on the key management structure.
  • the secret information is, for example, a key or information from which a key is derived.
  • a key management tree structure (hereinafter also referred to as a key management tree) is generated, and secret information is assigned to each node (root node, intermediate node, leaf node) on the key management tree structure.
  • the key The management structure generation unit 212 when the server 201 is connected to m (m ⁇ 2) terminals 301 and two or more terminals 301 are selected from among the m terminals 301 as multicast transmission targets, the key The management structure generation unit 212 generates a tree-structured key management structure (secret information management structure) that includes n (n> m) arranged leaf nodes, and converts the n pieces of secret information into the key management structure. Management is performed in association with n leaf nodes. Further, the key management structure generation unit 212 manages secret information corresponding to the number of upper hierarchy nodes (also referred to as upper nodes) of leaf nodes in association with each upper hierarchy node. The upper nodes of the leaf node are an intermediate node and a root node.
  • An upper node of the intermediate node is a higher intermediate node and a root node.
  • secret information associated with n leaf nodes is also referred to as node secret information.
  • the secret information associated with the upper node of the leaf node is also referred to as group secret information.
  • the group secret information is secret information that is commonly applied to a plurality of grouped lower layer nodes (also referred to as lower nodes).
  • the key management structure generation unit 212 is an example of a secret information management unit and a secret information management structure generation unit.
  • FIG. 6 shows an example of a key management structure in a state where the key management structure generation unit 212 assigns secret information to each node.
  • the key management structure generation unit 212 assigns secret information to each node.
  • there are eight leaf nodes and two adjacent nodes for each hierarchy are aggregated to the upper node and finally reach the root node.
  • Ka-ko described in each node is secret information assigned to each node.
  • the secret information kh-ko assigned to the eight leaf nodes corresponds to the node secret information
  • the secret information ka-kg assigned to the upper node corresponds to the group secret information.
  • the terminal arrangement unit 213 assigns each terminal to a leaf node to which no terminal is assigned in the key management tree structure stored in the key management structure storage area 214, and according to the algorithm stored in the algorithm storage area 211, This is means for assigning appropriate secret information on the key management tree structure to the terminal. More specifically, the terminal arrangement unit 213 is configured when the server 201 is connected to the m terminals 301 and the key management structure generation unit 212 generates a key management structure including n leaf nodes. , M terminals are allocated to m nodes of n nodes of the key management structure, and a node to which a valid terminal is allocated among m leaf nodes is designated as a valid node.
  • a node to which an invalid terminal is assigned is designated as an invalid node
  • a node to which no terminal is assigned among n nodes is designated as an unused node. That is, the leaf node has three states: “legitimate terminal is assigned (legitimate node)”, “revoked terminal is assigned (revocation node)”, and “terminal is not assigned (unused node)”. Managed by either.
  • the terminal placement unit 213 assigns a new terminal to an unused node and validates an unused node to which the new terminal is assigned.
  • the terminal arrangement unit 213 is an example of a device allocation unit.
  • the key management structure storage area 214 is data storage means for storing data in which each terminal is assigned to a leaf node of the key management structure (including secret information) generated by the key management structure generation unit 212.
  • FIG. 4 shows an example of data stored in the key management structure storage area 214.
  • ka to ko are secret information corresponding to each node.
  • the key management structure storage area 214 stores n + 1 or more secret information in association with the key management structure. Specifically, secret information corresponding to the number of nodes in the key management structure is stored in association with the key management structure (in the example of FIG. 4, 15 secret information is stored in association with 15 nodes. ing).
  • the key management structure storage area 214 is an example of a secret information storage unit and a secret information storage area.
  • the set deriving unit 215 inputs the key management structure stored in the key management structure storage area 214 according to the algorithm stored in the algorithm storage area 211, and the set of valid terminals is the sum of the subsets of terminals S1 + S2 + ... + Sj is a means for deriving each subset Si so that the expired terminal is not included in this. More specifically, the set derivation unit 215 determines whether or not a plurality of valid nodes can be grouped based on the positions of valid nodes, invalid nodes, and unused nodes in n leaf nodes.
  • the group secret information is applied to a plurality of legitimate nodes that can be grouped, and the associated node secret information is applied to a legitimate node that cannot be grouped, and multicast transmission is performed to a legitimate terminal.
  • the set derivation unit 215 is an example of a secret information selection unit.
  • the server apparatus 201 can perform encryption by using the node secret information assigned to the leaf node and the group secret information assigned to the upper node connected to the leaf node, and each terminal supports itself.
  • the encrypted message can be decrypted using the node secret information assigned to the leaf node and the group secret information assigned to the upper node connected to the leaf node.
  • the server apparatus 201 can encrypt any of secret information ka, kb, kd, and kh with respect to the terminal 0, and the terminal 0 can store the secret information ka, kb, kd, Any of kh can decrypt the encrypted message.
  • the server apparatus 201 can encrypt any of the secret information ka, kb, kd, ki with respect to the terminal 4, and the terminal 4 can encrypt any of the secret information ka, kb, kd, ki.
  • Decoding of encrypted messages is possible. For this reason, it is more communication overhead to use group secret information kd that can be commonly applied to terminal 0 and terminal 4 than to use secret information kh and ki that are node secret information for terminal 0 and terminal 4. Can be reduced. Further, if there are no revoked nodes in the two nodes on the right side of the node to which the terminal 4 is allocated, the communication overhead can be further reduced by using the group secret information kb that can be commonly applied to the four terminals. (However, in the example of FIG. 4, since the terminal 2 has expired, the secret information kb cannot be applied).
  • the set deriving unit 215 determines whether such group secret information can be applied, and derives a set of secret information that minimizes the communication overhead.
  • the communication unit 216 is means for communicating with the terminal device 301.
  • the encryption unit 217 is a unit that performs key generation / encryption of common key / public key encryption, random number generation, and the like.
  • FIG. 3 is a block diagram illustrating a configuration example of the terminal device 301 that receives the multicast from the server device 201 in the secure multicast system (FIG. 1).
  • an algorithm storage area 311 is data storage means for storing algorithms such as key derivation and decryption in secure multicast.
  • an algorithm of CS method is used.
  • the secret information storage area 312 is a data storage unit that stores secret information (encryption key or information used to derive the encryption key) associated with the key management structure managed by the server apparatus 201.
  • all terminals store secret information associated with a tree structure.
  • FIG. 5 shows an example of data stored in the secret information storage area 312. More specifically, FIG. 5 shows an example of data held by the terminal 0 shown in FIG. That is, the terminal 0 can use the secret information ka, kb, kd, and kh in the key management structure of FIG. 4, and FIG. 5 corresponds to the terminal 0 that corresponds to the secret information ka, kb, It shows that kd and kh are held.
  • the key derivation unit 313 derives an encryption key necessary for decrypting the message received from the server apparatus 201 from the secret information stored in the secret information storage area 312 according to the algorithm stored in the algorithm storage area 311. It is.
  • the communication unit 314 is a unit that communicates with the server device 201.
  • the encryption unit 315 is a means for performing decryption of common key / public key encryption, random number generation, and the like.
  • the procedures in secure multicast are the part where the server creates the key management structure, the part where the server assigns multiple terminals to the key management structure at the start of operation, the part where the terminal is revoked, the part where the terminal is added, the server to each terminal It is roughly divided into the parts that perform cryptographic communication.
  • each procedure will be described with reference to the flowchart of FIG. In this embodiment, an example in which (1) to (5) are executed in numerical order will be described. However, (3) to (5) can be performed in any order (as long as the restriction on the number of terminals allows). Can be executed repeatedly.
  • the key management structure generation unit 212 and the encryption unit 217 receive the maximum value n of the number of terminals including the revoked terminals used as a whole in the system and are stored in the algorithm storage area 211.
  • a key management structure is created (step S1801) (secret information management structure generation process), and secret information is assigned to each node (step S1802) (secret information management process).
  • the key management structure in which the secret information is assigned to each node is stored in the key management structure storage area 214.
  • the key management structure generation unit 212 creates a key management tree with n leaf nodes according to the CS method.
  • the secret information may be generated by the server device 201, or information generated outside may be input to the server device 201.
  • the terminal arrangement unit 213 allocates m (m ⁇ n) terminals used at the start of operation to the key management tree stored in the key management structure storage area 214 (step) S1803) (apparatus allocation processing).
  • the leaf node to which the terminal is assigned becomes a “valid node”.
  • the arrangement is performed so that m terminals are distributed as much as possible on the key management structure.
  • the terminal arrangement unit 213 uses a “legitimate node” corresponding to the valid terminal in the key management tree stored in the key management structure storage area 214. Is changed to “revocation node” (step S1804) (apparatus allocation processing). Thereby, a valid node and an invalid node are designated (step S1805) (device allocation process). For example, when the terminal 2 is revoked in the key management tree of FIG. 7, a key management tree as shown in FIG. 8 is created.
  • step S1806 the terminal arrangement unit 213 determines the number of “unused nodes” in the key management tree stored in the key management structure storage area 214. (Step S1807), and when the number of unused nodes is one, an additional terminal is allocated to the unused node (step S1808). On the other hand, when there are a plurality of unused nodes, it is necessary to select one from the plurality of unused nodes. Upon selection, the processing from S1001 to S1004 and S1006 in FIG.
  • step S1810 is performed using a key management tree in which a new terminal device is assigned to each unused node (step S1809), and the entire key management tree is obtained for each unused node.
  • the number of secret information necessary for encryption is calculated, an unused node with the smallest number of secret information is selected, and an additional terminal is assigned to the selected unused node (step S1810). Details of each step in FIG. 10 will be described later. However, in step S1809, it is not necessary to actually perform encryption.
  • a terminal that is distributed as much as possible on the key management tree is selected. Thereafter, the node to which the additional terminal is assigned is changed to “legitimate node” (step S1811).
  • the server device 201 stores secret information necessary for the additional terminal according to the algorithm stored in the algorithm storage area 211.
  • secret information is stored according to the CS method. Note that in “(5) Encrypted communication from server to each terminal”, the processing after S1001 in FIG. 10 is performed (step S1812). If step S1809 has already been performed, the secret already used for encryption is used. Since the information is selected, encryption is performed using the selected secret information (step S1005), encryption is performed using the selected secret information (steps S1005 and S1007), and an encrypted message is transmitted. (Step S1008) may be performed.
  • FIG. 10 is a flowchart for explaining the operation in the encryption communication process.
  • the server apparatus 201 and each terminal apparatus 301 share the secure multicast algorithm in advance.
  • the algorithm storage area 211 stores an algorithm based on the CS method (details will be described later)
  • the algorithm storage area 311 stores a decoding algorithm of the CS method.
  • the key management structure storage area 214 of the server device 201 contains the key management tree created in the above (1) to (4)
  • the secret information storage area 312 of the terminal device 301 contains the corresponding secret information. Stored (steps S1001, S1002).
  • the key management tree shown in FIG. 8 is stored in the key management structure storage area 214.
  • any leaf node is assigned one of the “legitimate node”, “invalid node”, and “unused node”, and no state is assigned to the intermediate node (and the root node) ( FIG. 11).
  • the set deriving unit 215 selects one intermediate node (or root node) in which a state is assigned to all child nodes and a state is not assigned to itself (step S1003).
  • the state of the node is determined (step S1004).
  • the encryption unit 217 encrypts the message (or session key) (step S1005).
  • the above processing is repeated until the state of the root node is determined (step S1006). If the root node finally becomes a “valid node”, the encryption unit 217 uses a key corresponding to the root node to send a message (or session). Key) is encrypted (step S1007).
  • the communication unit 216 multicasts all the encrypted messages (or session keys) created in step S1005 and step S1007 to the terminal device 301 (step S1008).
  • the communication unit 314 of the legitimate terminal device 301 receives the message (step S1009), and the key derivation unit 313 and the encryption unit 315 are stored in the secret information storage area 312 according to the algorithm stored in the algorithm storage area 311.
  • the received message is decrypted with the encryption key derived from the stored secret information (step S1010). Details of step S1010 depend on the algorithm stored in the algorithm storage area 311. In the present embodiment, a CS algorithm is used.
  • the revoked terminal device 301 cannot obtain information because it cannot derive an encryption key necessary for decryption even when it receives a multicast message. By performing the above processing, secure multicast can be realized.
  • the final state of all the nodes is as shown in FIG. 13, and encryption is performed with the secret information corresponding to the nodes indicated by bold lines. .
  • the rule of FIG. 12 analyzes which kind of state (legitimate, invalid, unused) of two child nodes and determines the state of the upper node according to the combination of child node states. is there.
  • the leaf nodes to which the terminal 0 and the terminal 4 are assigned have valid states, and therefore, an intermediate node (intermediate node 1) that is an upper node of these leaf nodes is a valid node.
  • encryption at this point is not performed.
  • a leaf node to which the terminal 2 is assigned and a leaf node to which the terminal on the right side of the leaf node is not assigned are a combination of revocation and unused.
  • Node 2 becomes an invalid node.
  • encryption is performed with the secret information assigned to the lower legitimate node of the intermediate node 2, but since no legitimate node exists under the intermediate node 2, no encryption is performed.
  • intermediate node 1 and intermediate node 2 are a combination of legitimacy and revocation, the upper nodes of intermediate node 1 and intermediate node 2 are revocation nodes. For this reason, encryption is performed on the terminal 0 and the terminal 4 by using the secret information assigned to the intermediate node 1 which is a lower right node of the upper node.
  • the set deriving unit 215 divides the n nodes into blocks (k in each of the two nodes in the example of FIG. 12) according to the order of the array (k in a case of 2 ⁇ k ⁇ m). For each block, it is determined whether or not a plurality of valid nodes can be grouped by analyzing which type of node is included in k nodes in the block. More specifically, the set derivation unit 215 designates an unused node as a parent node of k nodes when all of k nodes in the block are unused nodes, and sets the k nodes in the block.
  • a valid node When a node does not contain an invalid node, a valid node is designated as a parent node of k nodes, and when an invalid node is included in k nodes in a block, an invalid node as a parent node of k nodes After that, the same processing is repeated.
  • encryption is performed on the descendant nodes that are valid nodes by applying secret information associated with the valid nodes that are child nodes of the invalid node.
  • the CS method which is one of the key management algorithms
  • this node has to be managed in either “legitimate” or “revocation” state.
  • the CS method is modified. Since there is no terminal corresponding to “unused node” using the above algorithm, there is no need to consider “unused node” in the selection of secret information, and freedom to represent a legitimate terminal as a sum of subsets. As a result, the multicast communication overhead can be reduced. Further, by devising selection of a node to which a terminal is allocated at the time of starting operation or adding a terminal, an effect of reducing communication overhead throughout the entire system can be obtained, which is effective when performing secure multicast in a narrow band.
  • node addition to the key management structure is not assumed, but it is possible to combine with an existing method for adding a node to the key management structure.
  • step S1004 when the root node finally becomes a “valid node” or “SD node”, the encryption unit 217 encrypts the message (or session key) with a key corresponding to the root node.
  • the final state of all nodes is as shown in FIG. 15, and encryption is performed with the keys corresponding to the nodes indicated by the bold lines.
  • the set deriving unit 215 determines that all k nodes in the block are unused nodes.
  • An unused node is designated as the parent node of k nodes, and when the revocation node and the SD node are not included in the k nodes in the block, a valid node is designated as the parent node of the k nodes, and the block
  • the SD node is designated as the parent node of the k nodes, and the revocation node and SD are designated in the k nodes in the block.
  • an invalid node is designated as the parent node of k nodes, and the same processing is repeated thereafter.
  • encryption is performed on the descendant node that is a legitimate / SD node by applying secret information associated with the legitimate / SD node that is a child node of the invalid node. I do.
  • a key management method using a tree structure is used as a key management algorithm.
  • key management can be performed with an arbitrary structure such as a straight line, a circle, a grid, or a graph. It is also possible to use the method to be performed.
  • FIG. 16 shows an example of a state determination rule based on the CS method for a key management structure having a binary tree structure.
  • FIG. 17 shows an example of a state determination rule based on the SD method for a key management structure having a binary tree structure.
  • the same server device performs determination of the key stored in each terminal and message transmission to each terminal, but these may be performed by different devices.
  • a server that transmits information manages each node in three states of valid, invalid, and unused in order to manage a plurality of terminals that receive the information.
  • a method has been described in which a multicast header is determined based on a state to allow a terminal to be added and reduce communication overhead generated during multicast.
  • a method has been described in which, when a terminal is added to the key management structure, a terminal is allocated by selecting a location where the subsequent secure multicast communication overhead is minimized.
  • FIG. 19 is a diagram illustrating an example of hardware resources of the server apparatus 201 illustrated in the first embodiment. Note that the configuration in FIG. 19 is merely an example of the hardware configuration of the server apparatus 201, and the hardware configuration of the server apparatus 201 is not limited to the configuration illustrated in FIG. .
  • the server apparatus 201 includes a CPU 911 (also referred to as a central processing unit, a central processing unit, a processing unit, an arithmetic unit, a microprocessor, a microcomputer, and a processor) that executes a program.
  • the CPU 911 is connected to, for example, a ROM (Read Only Memory) 913, a RAM (Random Access Memory) 914, a communication board 915, a display device 901, a keyboard 902, a mouse 903, and a magnetic disk device 920 via a bus 912. Control hardware devices.
  • the CPU 911 may be connected to an FDD 904 (Flexible Disk Drive), a compact disk device 905 (CDD), a printer device 906, and a scanner device 907.
  • FDD 904 Flexible Disk Drive
  • CDD compact disk device
  • printer device 906 printer device 907
  • a storage device such as an optical disk device or a memory card (registered trademark) read / write device may be used.
  • the RAM 914 is an example of a volatile memory.
  • the storage media of the ROM 913, the FDD 904, the CDD 905, and the magnetic disk device 920 are an example of a nonvolatile memory. These are examples of the storage device.
  • a communication board 915, a keyboard 902, a mouse 903, a scanner device 907, an FDD 904, and the like are examples of input devices.
  • the communication board 915, the display device 901, the printer device 906, and the like are examples of output devices.
  • the communication board 915 is connected to the network as shown in FIG.
  • the communication board 915 may be connected to a LAN (local area network), the Internet, a WAN (wide area network), or the like.
  • the magnetic disk device 920 stores an operating system 921 (OS), a window system 922, a program group 923, and a file group 924.
  • the programs in the program group 923 are executed by the CPU 911 using the operating system 921 and the window system 922.
  • the RAM 914 temporarily stores at least part of the operating system 921 program and application programs to be executed by the CPU 911.
  • the RAM 914 stores various data necessary for processing by the CPU 911.
  • the ROM 913 stores a BIOS (Basic Input Output System) program
  • the magnetic disk device 920 stores a boot program.
  • BIOS Basic Input Output System
  • the BIOS program in the ROM 913 and the boot program in the magnetic disk apparatus 920 are executed, and the operating system 921 is activated by the BIOS program and the boot program.
  • the program group 923 stores a program for executing the function described as “... Unit” in the description of the first embodiment.
  • the program is read and executed by the CPU 911.
  • the file group 924 includes “determination of...”, “Calculation of...”, “Calculation of...”, “Comparison of. ”Generation”, “Derivation of ...”, “Extraction of ...”, “Update of ...”, “Designation of ...”, “Registration of ...”, “Selection of ...”
  • Information, data, signal values, variable values, and parameters indicating the results of the processing described as “...” are stored as items of “... File” and “. “... File” and “... Database” are stored in a recording medium such as a disk or a memory.
  • Information, data, signal values, variable values, and parameters stored in a storage medium such as a disk or memory are read out to the main memory or cache memory by the CPU 911 via a read / write circuit, and extracted, searched, referenced, compared, and calculated. Used for CPU operations such as calculation, processing, editing, output, printing, and display.
  • Information, data, signal values, variable values, and parameters are stored in the main memory, registers, cache memory, and buffers during the CPU operations of extraction, search, reference, comparison, calculation, processing, editing, output, printing, and display. It is temporarily stored in a memory or the like.
  • the arrows in the flowchart described in the first embodiment mainly indicate input and output of data and signals.
  • the data and signal values are the RAM 914 memory, the FDD 904 flexible disk, the CDD 905 compact disk, and the magnetic disk device. It is recorded on a recording medium such as a 920 magnetic disk, other optical disks, minidisks, and DVDs. Data and signals are transmitted online via a bus 912, signal lines, cables, or other transmission media.
  • ... part in the description of the first embodiment may be “... circuit”, “... device”, “... device”. , “... Step”, “... Procedure”, “. That is, what is described as “... Unit” may be realized by firmware stored in the ROM 913. Alternatively, it may be implemented only by software, or only by hardware such as elements, devices, substrates, and wirings, by a combination of software and hardware, or by a combination of firmware.
  • Firmware and software are stored as programs in a recording medium such as a magnetic disk, a flexible disk, an optical disk, a compact disk, a mini disk, and a DVD.
  • the program is read by the CPU 911 and executed by the CPU 911. That is, the program causes the computer to function as “... Unit” in the first embodiment. Alternatively, the computer executes the procedure and method of “... Unit” in the first embodiment.
  • the server device 201 shown in the first embodiment includes a CPU as a processing device, a memory as a storage device, a magnetic disk, a keyboard as an input device, a mouse, a communication board, a display device as an output device, a communication board, and the like.
  • the computer includes the functions indicated as “... Unit” using these processing devices, storage devices, input devices, and output devices.
  • FIG. 1 is a diagram illustrating a configuration example of a secure multicast system according to Embodiment 1.
  • FIG. FIG. 3 shows a configuration example of a server apparatus according to the first embodiment.
  • FIG. 3 shows a configuration example of a terminal apparatus according to the first embodiment.
  • FIG. 3 is a diagram showing an example of a key management structure according to the first embodiment.
  • FIG. 4 is a diagram illustrating an example of data stored in the terminal device according to the first embodiment.
  • FIG. 3 is a diagram showing an example of a key management structure according to the first embodiment.
  • FIG. 3 is a diagram showing an example of a key management structure according to the first embodiment.
  • FIG. 3 is a diagram showing an example of a key management structure according to the first embodiment.
  • FIG. 3 is a diagram showing an example of a key management structure according to the first embodiment.
  • FIG. 3 is a diagram showing an example of a key management structure according to the first embodiment.
  • FIG. 3 is a diagram showing an example of a key management structure according to the first embodiment.
  • FIG. 3 is a flowchart showing an operation example of the server apparatus according to the first embodiment.
  • FIG. 3 is a diagram showing an example of a key management structure according to the first embodiment.
  • FIG. 3 is a diagram showing an example of a key management structure according to the first embodiment.
  • FIG. FIG. 3 is a diagram showing an example of a key management structure according to the first embodiment.
  • FIG. 3 is a flowchart showing an operation example of the server apparatus according to the first embodiment.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

A key management structure generating section (212) generates the key management structure of a tree structure including n leaf-nodes and allocates confidential information to each node. A terminal arranging section (213) allocates m(2≤m<n) terminals to each of the leaf-nodes, takes a node to which a valid terminal which is subject to multicast is allocated as a valid node, takes a node to which an invalid node which is not subject to multicast is allocated as an invalid node, takes a node to which no terminals are not allocated as an unused node, and, if a new terminal is subject to multicast, allocates the new terminal to the unused node. An aggregation deriving section (215) analyzes the state in which the terminal is allocated to each of the nodes and derives the combination with the least communication overhead, which is the combination of the confidential information in which the valid terminal alone can decode an encrypted message. A cipher section (217) encrypts a transmission message by using the derived combination of the confidential information. A communication section (216) then multicast-transmits the encrypted message.

Description

情報処理装置及びプログラムInformation processing apparatus and program
 本発明は、暗号技術を利用して、例えばサーバ装置(以下、サーバともいう)から複数の正当な端末装置(以下、端末ともいう)だけに情報を同報送信(マルチキャスト)する技術に関する。 The present invention relates to a technique for broadcasting (multicasting) information to, for example, only a plurality of legitimate terminal devices (hereinafter also referred to as terminals) from a server device (hereinafter also referred to as a server) using encryption technology.
 セキュアマルチキャストシステムは、暗号技術を利用して、サーバから複数の正当な端末だけに情報を同報送信(マルチキャスト)し、失効した端末(群)には、たとえ失効端末同士で結託があったとしても情報が一切漏れないようにする通信システムである。
 ここで、正当な端末とは、サーバから送信される暗号化メッセージの復号が許される端末であり、失効した端末(群)とは、サーバから送信される暗号化メッセージの復号が禁止される端末(群)である。 The secure multicast system uses cryptographic technology to broadcast information (multicast) from the server only to a number of legitimate terminals, and the revoked terminals (groups) are collocated between revoked terminals. Is a communication system that prevents any information from leaking.
Here, a legitimate terminal is a terminal that is allowed to decrypt encrypted messages transmitted from the server, and an expired terminal (group) is a terminal that is prohibited from decrypting encrypted messages transmitted from the server. (Group).
 セキュアマルチキャストシステムのうち、端末が保持するデバイス鍵が一切更新されないものをstatelessな方式という。
 statelessな方式として、端末が保持するデバイス鍵の数、マルチキャストの通信オーバーヘッド、端末が鍵を導出するための演算オーバーヘッドをできるだけ小さくする様々な技術が提案されている。 A secure multicast system in which a device key held by a terminal is not updated at all is called a stateless method.
As a stateless method, various techniques for minimizing the number of device keys held by a terminal, multicast communication overhead, and calculation overhead for the terminal to derive a key have been proposed.
 非特許文献1にて開示されているComplete Subtree法(CS法)やSubset Difference法(SD法)は、サーバが各端末を木構造の葉(最下層)に配置し、葉を含む各ノードに秘密情報を割り当て、各端末が自分のノードからルートノードまでのパス上にある各ノードに対応する秘密情報を保持する方式である。
 これらの方式では、サーバがマルチキャストを行う際に、複数の正当な端末を、適切な方法で、端末の部分集合の和S1+S2+…+Sjで表現する。その後、S1に属する端末だけが保持する(もしくは導出可能である)暗号鍵K1、S2に属する端末だけが保持する暗号鍵K2、…、Sjに属する端末だけが保持する暗号鍵Kjを用いて、メッセージM(もしくはメッセージMを暗号化するためのセッション鍵K)(本明細書では、メッセージM及びセッション鍵Kをまとめて送信メッセージと表記する)を暗号化する。
 つまり、サーバは、失効した端末は保持していない(導出できない)が、正当な端末は保持している(導出できる)鍵を抽出し、抽出した鍵の各々を用いてメッセージを暗号化し、暗号化メッセージを同報送信する。
 上記のように暗号化を行うことで、正当な端末だけに情報を送信するセキュアマルチキャストが実現できる。 In the Complete Subtree method (CS method) and the Subset Difference method (SD method) disclosed in Non-Patent Document 1, the server places each terminal on a leaf (bottom layer) of a tree structure, and each node including the leaf This is a scheme in which secret information is allocated and each terminal holds secret information corresponding to each node on the path from its own node to the root node.
In these methods, when the server performs multicasting, a plurality of valid terminals are represented by a sum of S1 + S2 +... + Sj of a subset of terminals by an appropriate method. Thereafter, using the encryption key K1 held only by the terminal belonging to S1, the encryption key K2 held only by the terminal belonging to S2,..., The encryption key Kj held only by the terminal belonging to Sj, The message M (or session key K for encrypting the message M) (in this specification, the message M and the session key K are collectively referred to as a transmission message) is encrypted.
In other words, the server does not hold (cannot derive) the revoked terminal, but extracts the key held (can be derived) by the legitimate terminal, encrypts the message using each of the extracted keys, and Broadcasts an encrypted message.
By performing encryption as described above, it is possible to realize secure multicast in which information is transmitted only to legitimate terminals.
 このとき、通信オーバーヘッドは和で表現した際の要素数jに比例する値となるが、CS法やSD法では、各端末に持たせる秘密情報を工夫することによって、jの値を小さくすることを実現している。
 CS法やSD法は既定の複数個の正当な端末があり、ここから徐々に失効端末が発生するというモデルのもとで、効率の良いセキュアマルチキャストを行うための方式である。
 これに対し、特許文献1にて開示されている方式では、未使用の(端末が割り当てられていない)葉ノードの下に複数のノードを追加することで、端末を制限なく追加することを実現している。
特開2003-204321号広報 D.Naor, M.Naor, and J.Lostpiech, "Revocation and tracing schemes for stateless receivers," Advances in Cryptology - CRYPTO’01, LNCS vol.2139, pp.41-62, 2001. At this time, the communication overhead becomes a value proportional to the number of elements j when expressed in the sum, but in the CS method and the SD method, the value of j is reduced by devising the secret information to be given to each terminal. Is realized.
The CS method and the SD method are methods for performing efficient secure multicast under a model in which there are a plurality of predetermined legitimate terminals, and revocation terminals are gradually generated from there.
On the other hand, in the method disclosed in Patent Document 1, it is possible to add a terminal without limitation by adding a plurality of nodes under an unused leaf node (no terminal is assigned). is doing.
JP 2003-204321 PR D. Naor, M.M. Naor, and J.M. Lostpiech, "Revocation and tracing schemes for stateless receivers," Advances in Cryptology—CRYPTO'01, LNCS vol. 2139, pp. 41-62, 2001.
 CS法やSD法などの鍵管理アルゴリズムは、最初に存在する全ての端末を木構造の葉ノードに配置することで鍵管理木を作成し、その後各端末の失効に応じてマルチキャストのヘッダを変更する方式である。
 このため、CS法やSD法をそのまま用いる場合、端末を新たに追加することができない。
 特許文献1にて開示されている方式では、いくつかの葉ノードを端末に対応付けせずに残しておき、これらのノードが少なくなった際に下に複数ノードを追加することで端末の追加を可能としているが、この場合、端末の追加が多くなるほど木がアンバランスになるため、必要なデバイス鍵や通信オーバーヘッドが全体的に増加するという課題がある。
 また、追加端末をどのノードに割り当てるかについては開示されていない。 Key management algorithms such as the CS method and SD method create a key management tree by placing all existing terminals on the leaf nodes of the tree structure, and then change the multicast header according to the revocation of each terminal It is a method to do.
For this reason, when the CS method or the SD method is used as it is, a new terminal cannot be added.
In the method disclosed in Patent Document 1, some leaf nodes are left without being associated with terminals, and when these nodes are reduced, a plurality of nodes are added below to add terminals. In this case, the tree becomes unbalanced as the number of terminals added increases, and there is a problem that the necessary device keys and communication overhead increase as a whole.
Also, it is not disclosed to which node the additional terminal is assigned.
 本発明は、上記の課題を解決することを主な目的としており、例えばセキュアマルチキャストシステムにおいて、端末の追加を可能とし、また、通信オーバーヘッドを小さくすることを主な目的とする。 The main object of the present invention is to solve the above-mentioned problems. For example, in a secure multicast system, it is possible to add a terminal and to reduce communication overhead.
 本発明に係る情報処理装置は、m(m≧2)個の通信装置の中からマルチキャスト送信の対象として選択された2個以上のマルチキャスト対象通信装置に、秘密情報を用いて暗号化された暗号化メッセージをマルチキャスト送信する情報処理装置であって、
 配列されたn(n>m)個のノードが含まれる秘密情報管理構造を生成する秘密情報管理構造生成部と、
 前記秘密情報管理構造のn個のノードのうちのm個のノードに前記m個の通信装置を割り当てるとともに、前記n個のノードのうち通信装置が割り当てられていないノードを未使用ノードとして指定する装置割当て部と、
 前記装置割当て部による前記秘密情報管理構造への端末装置の割り当て結果に基づいて、前記マルチキャスト対象通信装置にマルチキャスト送信する暗号化メッセージの暗号化に用いる秘密情報を選択する秘密情報選択部とを有することを特徴とする。 The information processing apparatus according to the present invention is a cipher that is encrypted using secret information to two or more multicast target communication apparatuses selected as multicast transmission targets from m (m ≧ 2) communication apparatuses. An information processing apparatus for multicast transmission of an encrypted message,
A secret information management structure generation unit that generates a secret information management structure including n (n> m) nodes arranged;
The m communication devices are allocated to m nodes among the n nodes of the secret information management structure, and a node to which no communication device is allocated among the n nodes is designated as an unused node. A device allocation unit;
A secret information selection unit that selects secret information used for encryption of an encrypted message to be multicast-transmitted to the multicast target communication device based on a result of assignment of the terminal device to the secret information management structure by the device assignment unit. It is characterized by that.
 前記装置割当て部は、
 前記m個の通信装置以外の新たな通信装置がマルチキャスト対象通信装置として選択された場合に、前記新たな通信装置を未使用ノードに割り当てることを特徴とする。 The device allocation unit is
When a new communication device other than the m communication devices is selected as a multicast target communication device, the new communication device is assigned to an unused node.
 前記情報処理装置は、更に、
 n+1個以上の秘密情報を記憶する秘密情報記憶部と、
 前記秘密情報記憶部に記憶されている秘密情報のうちn個の秘密情報をノード秘密情報として前記秘密情報管理構造のn個のノードに対応付けて管理し、前記秘密情報記憶部に記憶されている秘密情報のうちノード秘密情報以外の秘密情報をグループ化された複数個のノードに共通に適用されるグループ秘密情報として管理する秘密情報管理部とを有し、
 前記装置割当て部は、
 前記秘密情報管理構造のn個のノードのうちのm個のノードに前記m個の通信装置を割り当てるとともに、前記m個のノードのうちマルチキャスト対象通信装置が割り当てられているノードを正当ノードとして指定し、前記m個のノードのうちマルチキャスト対象通信装置以外の通信装置が割り当てられているノードを失効ノードとして指定し、
 前記秘密情報選択部は、
 前記n個のノードにおける正当ノードの位置と失効ノードの位置と未使用ノードの位置に基づき、複数個の正当ノードをグループ化できるか否かを判断し、グループ化できる複数個の正当ノードに対してはグループ秘密情報を適用し、グループ化できない正当ノードに対しては対応付けられているノード秘密情報を適用して、前記マルチキャスト対象通信装置にマルチキャスト送信する暗号化メッセージの暗号化に用いる秘密情報を選択することを特徴とする。 The information processing apparatus further includes:
a secret information storage unit for storing n + 1 or more secret information;
Of the secret information stored in the secret information storage unit, n secret information is managed as node secret information in association with n nodes of the secret information management structure, and stored in the secret information storage unit A secret information management unit that manages secret information other than node secret information among grouped secret information as group secret information that is commonly applied to a plurality of nodes grouped,
The device allocation unit is
The m communication devices are allocated to m nodes among the n nodes of the secret information management structure, and the node to which the multicast target communication device is allocated among the m nodes is designated as a valid node. And a node to which a communication device other than the multicast target communication device is allocated among the m nodes is designated as an invalid node,
The secret information selection unit
Based on the position of the valid node, the position of the invalid node and the position of the unused node in the n nodes, it is determined whether or not a plurality of valid nodes can be grouped. Secret information used for encryption of encrypted messages that are multicast-transmitted to the multicast target communication device by applying group secret information and applying corresponding node secret information to legitimate nodes that cannot be grouped It is characterized by selecting.
 前記装置割当て部は、
 前記m個の通信装置以外の新たな通信装置がマルチキャスト対象通信装置として選択された場合に、前記新たな通信装置を未使用ノードに割り当て、前記新たな通信装置が割り当てられた未使用ノードを正当ノードに変更することを特徴とする。 The device allocation unit is
When a new communication device other than the m communication devices is selected as a multicast target communication device, the new communication device is assigned to an unused node, and the unused node to which the new communication device is assigned is valid. It is characterized by changing to a node.
 前記装置割当て部は、
 前記新たな通信装置がマルチキャスト対象通信装置として選択された際に前記秘密情報管理構造のn個のノードにおいて未使用ノードが1つだけ存在する場合に、前記新たな通信装置を未使用ノードに割り当て、前記新たな通信装置が割り当てられた未使用ノードを正当ノードに変更し、
 前記秘密情報選択部は、
 前記装置割当て部により前記未使用ノードが正当ノードに変更された後の前記n個のノードにおける正当ノードの位置と失効ノードの位置に基づき、複数個の正当ノードをグループ化できるか否かを判断することを特徴とする。 The device allocation unit is
When the new communication device is selected as a multicast target communication device, if there is only one unused node among the n nodes of the secret information management structure, the new communication device is assigned to the unused node. , Changing the unused node to which the new communication device is assigned to a valid node,
The secret information selection unit
It is determined whether or not a plurality of valid nodes can be grouped based on the positions of valid nodes and invalid nodes in the n nodes after the unused node is changed to a valid node by the device allocation unit. It is characterized by doing.
 前記秘密情報選択部は、
 前記新たな通信装置がマルチキャスト対象通信装置として選択された際に前記秘密情報管理構造のn個のノードにおいて未使用ノードが複数個存在する場合に、各々の未使用ノードに前記新たな通信装置が割り当てられた場合の前記n個のノードにおける正当ノードの位置と失効ノードの位置と未使用ノードの位置に基づき、未使用ノードごとに、暗号化メッセージの暗号化に用いる秘密情報の数を算出し、算出した秘密情報の数が最小となる未使用ノードを選択し、
 前記装置割当て部は、
 前記秘密情報選択部により選択された未使用ノードに前記新たな通信装置を割り当てることを特徴とする。 The secret information selection unit
When a plurality of unused nodes exist in n nodes of the secret information management structure when the new communication device is selected as a multicast target communication device, the new communication device is added to each unused node. Based on the position of the valid node, the position of the revoked node, and the position of the unused node in the n nodes when assigned, the number of secret information used for encrypting the encrypted message is calculated for each unused node. , Select an unused node that minimizes the calculated number of confidential information,
The device allocation unit is
The new communication device is assigned to an unused node selected by the secret information selection unit.
 前記秘密情報選択部は、
 前記n個のノードを配列の順に従ってk(2≦k<m)個のノードごとのブロックに分け、ブロックごとに、ブロック内のk個のノードにいずれの種類のノードが含まれているかを解析して、複数個の正当ノードをグループ化できるか否かを判断することを特徴とする。 The secret information selection unit
The n nodes are divided into blocks for each k (2 ≦ k <m) nodes according to the order of arrangement, and for each block, which type of node is included in the k nodes in the block. It is characterized by analyzing whether or not a plurality of valid nodes can be grouped.
 前記秘密情報選択部は、
 ブロック内のk個のノードのすべてが未使用ノードである場合にk個のノードの親ノードとして未使用ノードを指定し、
 ブロック内のk個のノードに失効ノードが含まれていない場合にk個のノードの親ノードとして正当ノードを指定し、
 ブロック内のk個のノードに失効ノードが含まれる場合にk個のノードの親ノードとして失効ノードを指定し、
 以降、同様の処理を繰り返し、
 失効ノードが指定されるごとに、指定された失効ノードの子孫ノードにあたる複数個の正当ノードをグループ化することを特徴とする。 The secret information selection unit
If all k nodes in the block are unused nodes, specify an unused node as the parent node of k nodes;
If the k nodes in the block do not contain revoked nodes, specify the legitimate node as the parent node of the k nodes,
If the k nodes in the block contain an invalid node, specify the invalid node as the parent node of the k nodes,
Thereafter, the same processing is repeated,
Each time an invalid node is designated, a plurality of valid nodes corresponding to descendant nodes of the designated invalid node are grouped.
 前記秘密情報管理構造生成部は、
 最下位階層に前記n個のノードが配置される複数階層のk分木構造の秘密情報管理構造を生成し、
 前記秘密情報記憶部は、
 前記秘密情報管理構造に含まれるノード数分の秘密情報を記憶し、
 前記秘密情報管理部は、
 前記秘密情報記憶部に記憶されている秘密情報のうちn個の秘密情報をノード秘密情報として前記秘密情報管理構造のn個のノードに対応付けて管理し、前記秘密情報記憶部に記憶されている秘密情報のうちノード秘密情報以外の秘密情報をグループ秘密情報として前記n個のノード以外のノードに対応付けて管理し、
 前記秘密情報選択部は、
 グループ化された複数個の正当ノードに対して、祖先ノードである失効ノードの子ノードにあたる正当ノードに対応付けられているグループ秘密情報を適用することを特徴とする。 The secret information management structure generation unit
Generating a secret information management structure having a k-ary tree structure of a plurality of hierarchies in which the n nodes are arranged in the lowest hierarchy;
The secret information storage unit
Storing secret information corresponding to the number of nodes included in the secret information management structure;
The secret information management unit
Of the secret information stored in the secret information storage unit, n secret information is managed as node secret information in association with n nodes of the secret information management structure, and stored in the secret information storage unit Managing secret information other than node secret information among the secret information associated with the nodes other than the n nodes as group secret information,
The secret information selection unit
The group secret information associated with the legitimate node corresponding to the child node of the revocation node that is an ancestor node is applied to a plurality of legitimate nodes grouped.
 前記秘密情報選択部は、
 所定の条件に合致するノードをSD(Subset Difference)ノードとして指定し、
 ブロック内のk個のノードのすべてが未使用ノードである場合にk個のノードの親ノードとして未使用ノードを指定し、
 ブロック内のk個のノードに失効ノードもSDノードも含まれていない場合にk個のノードの親ノードとして正当ノードを指定し、
 ブロック内のk個のノードに失効ノードとSDノードが合わせて1個だけ含まれている場合にk個のノードの親ノードとしてSDノードを指定し、
 ブロック内のk個のノードに失効ノードとSDノードが合わせて2個以上含まれている場合にk個のノードの親ノードとして失効ノードを指定し、
 以降、同様の処理を繰り返し、
 失効ノードが指定されるごとに、指定された失効ノードの子孫ノードにあたる複数個の正当ノードをグループ化することを特徴とする。 The secret information selection unit
Designate a node that meets a given condition as an SD (Subset Difference) node,
If all k nodes in the block are unused nodes, specify an unused node as the parent node of k nodes;
If the k nodes in the block contain neither the revoked node nor the SD node, the legitimate node is designated as the parent node of the k nodes,
When k nodes in the block include only one invalid node and SD node in total, the SD node is designated as the parent node of k nodes,
If the k nodes in the block include two or more revocation nodes and SD nodes in total, specify the revocation node as the parent node of the k nodes,
Thereafter, the same processing is repeated,
Each time an invalid node is designated, a plurality of valid nodes corresponding to descendant nodes of the designated invalid node are grouped.
 前記秘密情報管理構造生成部は、
 最下位階層に前記n個のノードが配置される複数階層のk分木構造の秘密情報管理構造を生成し、
 前記秘密情報記憶部は、
 前記秘密情報管理構造に含まれるノード数分の秘密情報を記憶し、
 前記秘密情報管理部は、
 前記秘密情報記憶部に記憶されている秘密情報のうちn個の秘密情報をノード秘密情報として前記秘密情報管理構造のn個のノードに対応付けて管理し、前記秘密情報記憶部に記憶されている秘密情報のうちノード秘密情報以外の秘密情報をグループ秘密情報として前記n個のノード以外のノードに対応付けて管理し、
 前記秘密情報選択部は、
 グループ化された複数個の正当ノードに対して、祖先ノードである失効ノードの子ノードにあたる正当ノード及びSDノードのいずれかに対応付けられているグループ秘密情報を適用することを特徴とする。 The secret information management structure generation unit
Generating a secret information management structure having a k-ary tree structure of a plurality of hierarchies in which the n nodes are arranged in the lowest hierarchy;
The secret information storage unit
Storing secret information corresponding to the number of nodes included in the secret information management structure;
The secret information management unit
Of the secret information stored in the secret information storage unit, n secret information is managed as node secret information in association with n nodes of the secret information management structure, and stored in the secret information storage unit Managing secret information other than node secret information among the secret information associated with the nodes other than the n nodes as group secret information,
The secret information selection unit
The group secret information associated with either the legitimate node or the SD node corresponding to the child node of the revocation node that is an ancestor node is applied to the grouped legitimate nodes.
 前記装置割当て部は、
 正当ノードと失効ノードと未使用ノードが分散して配置されるように、前記m個の通信装置を前記m個のノードに割り当てることを特徴とする。 The device allocation unit is
The m communication devices are allocated to the m nodes so that legitimate nodes, invalid nodes, and unused nodes are distributed.
 本発明に係るプログラムは、m(m≧2)個の通信装置の中からマルチキャスト送信の対象として選択された2個以上のマルチキャスト対象通信装置に、秘密情報を用いて暗号化された暗号化メッセージをマルチキャスト送信するコンピュータに、
 配列されたn(n>m)個のノードが含まれる秘密情報管理構造を生成する秘密情報管理構造生成処理と、
 秘密情報記憶領域に記憶されているn+1個以上の秘密情報のうちn個の秘密情報をノード秘密情報として前記秘密情報管理構造のn個のノードに対応付けて管理し、前記秘密情報記憶領域に記憶されている秘密情報のうちノード秘密情報以外の秘密情報をグループ化された複数個のノードに共通に適用されるグループ秘密情報として管理する秘密情報管理処理と、
 前記秘密情報管理構造のn個のノードのうちのm個のノードに前記m個の通信装置を割り当てるとともに、前記m個のノードのうちマルチキャスト対象通信装置が割り当てられているノードを正当ノードとして指定し、前記m個のノードのうちマルチキャスト対象通信装置以外の通信装置が割り当てられているノードを失効ノードとして指定し、前記n個のノードのうち通信装置が割り当てられていないノードを未使用ノードとして指定する装置割当て処理と、
 前記n個のノードにおける正当ノードの位置と失効ノードの位置と未使用ノードの位置に基づき、複数個の正当ノードをグループ化できるか否かを判断し、グループ化できる複数個の正当ノードに対してはグループ秘密情報を適用し、グループ化できない正当ノードに対しては対応付けられているノード秘密情報を適用して、前記マルチキャスト対象通信装置にマルチキャスト送信する暗号化メッセージの暗号化に用いる秘密情報を選択する秘密情報選択処理とを実行させることを特徴とする。 The program according to the present invention provides an encrypted message encrypted using secret information to two or more multicast target communication devices selected as multicast transmission targets from m (m ≧ 2) communication devices. To computers sending multicast
A secret information management structure generation process for generating a secret information management structure including n (n> m) nodes arranged;
N secret information among n + 1 or more secret information stored in the secret information storage area is managed as node secret information in association with n nodes of the secret information management structure, and stored in the secret information storage area Secret information management processing for managing secret information other than node secret information among stored secret information as group secret information that is commonly applied to a plurality of nodes grouped;
The m communication devices are allocated to m nodes among the n nodes of the secret information management structure, and the node to which the multicast target communication device is allocated among the m nodes is designated as a valid node. Then, a node to which a communication device other than the multicast target communication device is assigned among the m nodes is designated as an invalid node, and a node to which no communication device is assigned among the n nodes is designated as an unused node. A device allocation process to be specified;
Based on the position of the valid node, the position of the invalid node and the position of the unused node in the n nodes, it is determined whether or not a plurality of valid nodes can be grouped. Secret information used for encryption of encrypted messages that are multicast-transmitted to the multicast target communication device by applying group secret information and applying corresponding node secret information to legitimate nodes that cannot be grouped And performing secret information selection processing for selecting.
 本発明によれば、m個の端末装置に対して、n個のノードが含まれる秘密情報管理構造を生成し、端末装置が割り当てられていないノードを未使用ノードとすることで、新たな端末装置をマルチキャスト送信の対象とする場合に、新たな端末装置を未使用ノードに割り当てることができる。
 また、既に存在している未使用ノードに新たな端末装置を割り当てるものであり、新たな端末装置のためにノードを追加するわけではなく、秘密情報管理構造のノード構成がアンバランスにならず、通信オーバーヘッドを抑制することができる。 According to the present invention, a secret information management structure including n nodes is generated for m terminal devices, and a node to which no terminal device is assigned is set as an unused node, thereby creating a new terminal. When a device is targeted for multicast transmission, a new terminal device can be assigned to an unused node.
In addition, a new terminal device is allocated to an unused node that already exists, and a node is not added for a new terminal device, and the node configuration of the secret information management structure is not unbalanced, Communication overhead can be suppressed.
 実施の形態1.
 本実施の形態では、運用開始時の端末数よりも十分大きい数の葉ノードから構成される鍵管理木を作成し、各ノードを正当・失効・未使用の3状態で管理してマルチキャストを行うことで、端末の追加を可能とし、かつ通信オーバーヘッドを小さく抑えるセキュアマルチキャストシステムについて説明する。 Embodiment 1 FIG.
In this embodiment, a key management tree composed of a number of leaf nodes that is sufficiently larger than the number of terminals at the start of operation is created, and multicast is performed by managing each node in three states: valid, revoked, and unused. Thus, a secure multicast system capable of adding terminals and reducing communication overhead will be described.
 図1は、本実施の形態に係るセキュアマルチキャストシステムのシステム構成例を示す。
 図1において、サーバ装置201(以下、単にサーバともいう)と複数の端末装置301(以下、単に端末ともいう)がネットワーク101を介して接続されている。
 本実施の形態に係るセキュアマルチキャストシステムにおいては、暗号技術を利用して、サーバ装置201から複数の正当な端末装置301だけに情報を同報送信(マルチキャスト)し、失効した端末(群)には、たとえ失効端末同士で結託があったとしても情報が一切漏れないようにする。
 なお、サーバ装置201は情報処理装置の例であり、端末装置301は通信装置の例である。また、正当な端末装置301、つまりサーバ装置201からのマルチキャストの対象となる端末装置301は、マルチキャスト対象通信装置の例である。 FIG. 1 shows a system configuration example of a secure multicast system according to the present embodiment.
In FIG. 1, a server device 201 (hereinafter also simply referred to as a server) and a plurality of terminal devices 301 (hereinafter also simply referred to as terminals) are connected via a network 101.
In the secure multicast system according to the present embodiment, information is broadcast (multicast) only from the server apparatus 201 to a plurality of legitimate terminal apparatuses 301 using encryption technology, and the revoked terminals (groups) Even if there is a collusion between revoked terminals, no information is leaked.
The server device 201 is an example of an information processing device, and the terminal device 301 is an example of a communication device. A legitimate terminal device 301, that is, a terminal device 301 that is a target of multicast from the server device 201 is an example of a multicast target communication device.
 図2は、サーバ装置201の構成例を表すブロック図である。
 本実施の形態に係るサーバ装置201は、各端末に格納する鍵の決定と、各端末へのメッセージ送信を行う。 FIG. 2 is a block diagram illustrating a configuration example of the server apparatus 201.
Server apparatus 201 according to the present embodiment determines a key to be stored in each terminal and transmits a message to each terminal.
 図2において、アルゴリズム記憶領域211は、セキュアマルチキャストにおける鍵割り当て、正当な端末へのメッセージ送信などのアルゴリズムを記憶するデータ記憶手段である。
 本実施の形態では、端末を木構造で管理するアルゴリズムとして、CS法をベースとするアルゴリズムを利用する。 In FIG. 2, an algorithm storage area 211 is data storage means for storing algorithms such as key assignment in secure multicast and message transmission to a valid terminal.
In this embodiment, an algorithm based on the CS method is used as an algorithm for managing terminals in a tree structure.
 鍵管理構造生成部212は、アルゴリズム記憶領域211に記憶されているアルゴリズムに従い、鍵管理構造を生成し、鍵管理構造上の各要素に秘密情報を割り当てる手段である。秘密情報は例えば鍵、もしくは鍵導出の元となる情報である。
 本実施の形態では、鍵管理木構造(以下、鍵管理木ともいう)が生成され、鍵管理木構造上の各ノード(ルートノード、中間ノード、葉ノード)に秘密情報が割り当てられる。
 より具体的には、サーバ201がm(m≧2)個の端末301に接続され、m個の端末301の中からマルチキャスト送信の対象として2個以上の端末301が選択される場合に、鍵管理構造生成部212は、配列されたn(n>m)個の葉ノードが含まれる木構造の鍵管理構造(秘密情報管理構造)を生成するとともに、n個の秘密情報を鍵管理構造のn個の葉ノードに対応付けて管理する。また、鍵管理構造生成部212は、葉ノードの上位階層ノード(上位ノードともいう)数分の秘密情報を各上位階層ノードに対応付けて管理する。
 葉ノードの上位ノードは、中間ノードとルートノードである。中間ノードの上位ノードは、より上位の中間ノードとルートノードである。
 なお、n個の葉ノードに対応付けられる秘密情報をノード秘密情報ともいう。また、葉ノードの上位ノードに対応付けられる秘密情報をグループ秘密情報ともいう。グループ秘密情報は、グループ化された複数個の下位階層ノード(下位ノードともいう)に共通に適用される秘密情報である。
 鍵管理構造生成部212は、秘密情報管理部及び秘密情報管理構造生成部の例である。 The key management structure generation unit 212 is a unit that generates a key management structure in accordance with an algorithm stored in the algorithm storage area 211 and assigns secret information to each element on the key management structure. The secret information is, for example, a key or information from which a key is derived.
In the present embodiment, a key management tree structure (hereinafter also referred to as a key management tree) is generated, and secret information is assigned to each node (root node, intermediate node, leaf node) on the key management tree structure.
More specifically, when the server 201 is connected to m (m ≧ 2) terminals 301 and two or more terminals 301 are selected from among the m terminals 301 as multicast transmission targets, the key The management structure generation unit 212 generates a tree-structured key management structure (secret information management structure) that includes n (n> m) arranged leaf nodes, and converts the n pieces of secret information into the key management structure. Management is performed in association with n leaf nodes. Further, the key management structure generation unit 212 manages secret information corresponding to the number of upper hierarchy nodes (also referred to as upper nodes) of leaf nodes in association with each upper hierarchy node.
The upper nodes of the leaf node are an intermediate node and a root node. An upper node of the intermediate node is a higher intermediate node and a root node.
Note that secret information associated with n leaf nodes is also referred to as node secret information. The secret information associated with the upper node of the leaf node is also referred to as group secret information. The group secret information is secret information that is commonly applied to a plurality of grouped lower layer nodes (also referred to as lower nodes).
The key management structure generation unit 212 is an example of a secret information management unit and a secret information management structure generation unit.
 図6は、鍵管理構造生成部212が各ノードに秘密情報を割り当てた状態の鍵管理構造の例を示す。
 図6の例では、葉ノードが8個あり、また、階層ごとに隣合う2個のノードずつ上位ノードに集約され、最終的にルートノードに至る。各ノードに記述されているka-koは各ノードに割り当てられている秘密情報である。
 8個の葉ノードに割り当てられている秘密情報kh-koがノード秘密情報に相当し、上位ノードに割り当てられている秘密情報ka-kgがグループ秘密情報に相当する。 FIG. 6 shows an example of a key management structure in a state where the key management structure generation unit 212 assigns secret information to each node.
In the example of FIG. 6, there are eight leaf nodes, and two adjacent nodes for each hierarchy are aggregated to the upper node and finally reach the root node. Ka-ko described in each node is secret information assigned to each node.
The secret information kh-ko assigned to the eight leaf nodes corresponds to the node secret information, and the secret information ka-kg assigned to the upper node corresponds to the group secret information.
 端末配置部213は、各端末を、鍵管理構造記憶領域214に記憶されている鍵管理木構造のうち端末が割り当てられていない葉ノードに割り当て、アルゴリズム記憶領域211に記憶されているアルゴリズムに従い、鍵管理木構造上の適切な秘密情報を端末に割り当てる手段である。
 より具体的には、端末配置部213は、サーバ201がm個の端末301に接続され、また、鍵管理構造生成部212によりn個の葉ノードが含まれる鍵管理構造が生成された場合に、鍵管理構造のn個のノードのうちのm個のノードにm個の端末を割り当てるとともに、m個の葉ノードのうち正当な端末が割り当てられているノードを正当ノードとして指定し、m個の葉ノードのうち失効端末が割り当てられているノードを失効ノードとして指定し、n個のノードのうち端末が割り当てられていないノードを未使用ノードとして指定する。つまり、葉ノードは、「正当な端末が割り当てられている(正当ノード)」「失効した端末が割り当てられている(失効ノード)」「端末が割り当てられていない(未使用ノード)」の3状態のいずれかで管理される。
 また、端末配置部213は、m個の端末以外の新たな端末がマルチキャストの対象として選択された場合に、新たな端末を未使用ノードに割り当て、新たな端末が割り当てられた未使用ノードを正当ノードに変更し、未使用ノードが正当ノードに変更された後のn個の葉ノードにおける正当ノードの位置と失効ノードの位置に基づき、複数個の正当ノードをグループ化できるか否か(上位ノードの秘密情報を適用できるか否か)を判断する。
 端末配置部213は、装置割当て部の例である。 The terminal arrangement unit 213 assigns each terminal to a leaf node to which no terminal is assigned in the key management tree structure stored in the key management structure storage area 214, and according to the algorithm stored in the algorithm storage area 211, This is means for assigning appropriate secret information on the key management tree structure to the terminal.
More specifically, the terminal arrangement unit 213 is configured when the server 201 is connected to the m terminals 301 and the key management structure generation unit 212 generates a key management structure including n leaf nodes. , M terminals are allocated to m nodes of n nodes of the key management structure, and a node to which a valid terminal is allocated among m leaf nodes is designated as a valid node. Among the leaf nodes, a node to which an invalid terminal is assigned is designated as an invalid node, and a node to which no terminal is assigned among n nodes is designated as an unused node. That is, the leaf node has three states: “legitimate terminal is assigned (legitimate node)”, “revoked terminal is assigned (revocation node)”, and “terminal is not assigned (unused node)”. Managed by either.
In addition, when a new terminal other than m terminals is selected as a multicast target, the terminal placement unit 213 assigns a new terminal to an unused node and validates an unused node to which the new terminal is assigned. Whether or not a plurality of valid nodes can be grouped based on the positions of valid nodes and invalid nodes in n leaf nodes after an unused node is changed to a valid node (upper node) Whether or not confidential information can be applied).
The terminal arrangement unit 213 is an example of a device allocation unit.
 鍵管理構造記憶領域214は、鍵管理構造生成部212が生成した鍵管理構造(秘密情報を含む)の葉ノードに、各端末を割り当てたデータを記憶するデータ記憶手段である。
 図4は鍵管理構造記憶領域214が記憶するデータの一例を表す。前述したように、図4において、kaからkoまでは各ノードに対応する秘密情報である。
 また、鍵管理構造記憶領域214は、鍵管理構造に対応付けてn+1個以上の秘密情報を記憶している。具体的には、鍵管理構造に対応付けて鍵管理構造のノード数分の秘密情報を記憶している(図4の例では、15個のノードに対応させて15個の秘密情報を記憶している)。
 鍵管理構造記憶領域214は、秘密情報記憶部及び秘密情報記憶領域の例である。 The key management structure storage area 214 is data storage means for storing data in which each terminal is assigned to a leaf node of the key management structure (including secret information) generated by the key management structure generation unit 212.
FIG. 4 shows an example of data stored in the key management structure storage area 214. As described above, in FIG. 4, ka to ko are secret information corresponding to each node.
The key management structure storage area 214 stores n + 1 or more secret information in association with the key management structure. Specifically, secret information corresponding to the number of nodes in the key management structure is stored in association with the key management structure (in the example of FIG. 4, 15 secret information is stored in association with 15 nodes. ing).
The key management structure storage area 214 is an example of a secret information storage unit and a secret information storage area.
 集合導出部215は、アルゴリズム記憶領域211に記憶されているアルゴリズムに従い、鍵管理構造記憶領域214に記憶されている鍵管理構造を入力として、正当な端末の集合が、端末の部分集合の和S1+S2+…+Sjに含まれ、失効した端末はこれに含まれないよう、各部分集合Siを導出する手段である。
 より具体的には、集合導出部215は、n個の葉ノードにおける正当ノードの位置と失効ノードの位置と未使用ノードの位置に基づき、複数個の正当ノードをグループ化できるか否かを判断し、グループ化できる複数個の正当ノードに対してはグループ秘密情報を適用し、グループ化できない正当ノードに対しては対応付けられているノード秘密情報を適用して、正当な端末にマルチキャスト送信する暗号化メッセージの暗号化に用いる秘密情報を選択する。
 集合導出部215は、秘密情報選択部の例である。 The set deriving unit 215 inputs the key management structure stored in the key management structure storage area 214 according to the algorithm stored in the algorithm storage area 211, and the set of valid terminals is the sum of the subsets of terminals S1 + S2 + ... + Sj is a means for deriving each subset Si so that the expired terminal is not included in this.
More specifically, the set derivation unit 215 determines whether or not a plurality of valid nodes can be grouped based on the positions of valid nodes, invalid nodes, and unused nodes in n leaf nodes. The group secret information is applied to a plurality of legitimate nodes that can be grouped, and the associated node secret information is applied to a legitimate node that cannot be grouped, and multicast transmission is performed to a legitimate terminal. Select the secret information used to encrypt the encrypted message.
The set derivation unit 215 is an example of a secret information selection unit.
 サーバ装置201は、葉ノードに割り当てられているノード秘密情報及び葉ノードに連結する上位ノードに割り当てられているグループ秘密情報を用いて暗号化を行うことができ、また、各端末は自身に対応する葉ノードに割り当てられているノード秘密情報及び葉ノードに連結する上位ノードに割り当てられているグループ秘密情報を用いて暗号化メッセージの復号ができる。
 例えば、図4の例では、端末0に対して、サーバ装置201は、秘密情報ka、kb、kd、khのいずれでも暗号化ができ、また、端末0は、秘密情報ka、kb、kd、khのいずれでも暗号化メッセージの復号ができる。同様に、端末4に対して、サーバ装置201は、秘密情報ka、kb、kd、kiのいずれでも暗号化ができ、また、端末4は、秘密情報ka、kb、kd、kiのいずれでも暗号化メッセージの復号ができる。
 このため、端末0及び端末4に対して、ノード秘密情報である秘密情報khとkiを利用するよりも、端末0及び端末4に共通して適用できるグループ秘密情報kdを利用する方が通信オーバーヘッドを少なくすることができる。また、端末4が割り当てられているノードの右隣2つのノードに失効ノードがなければ、4つの端末に共通して適用できるグループ秘密情報kbを利用することで更に通信オーバーヘッドを少なくすることができる(但し、図4の例では、端末2が失効しているので、秘密情報kbは適用できない)。
 集合導出部215は、このようなグループ秘密情報の適用可否を判断して、通信オーバーヘッドが最小値となる秘密情報の集合を導出する。 The server apparatus 201 can perform encryption by using the node secret information assigned to the leaf node and the group secret information assigned to the upper node connected to the leaf node, and each terminal supports itself. The encrypted message can be decrypted using the node secret information assigned to the leaf node and the group secret information assigned to the upper node connected to the leaf node.
For example, in the example of FIG. 4, the server apparatus 201 can encrypt any of secret information ka, kb, kd, and kh with respect to the terminal 0, and the terminal 0 can store the secret information ka, kb, kd, Any of kh can decrypt the encrypted message. Similarly, the server apparatus 201 can encrypt any of the secret information ka, kb, kd, ki with respect to the terminal 4, and the terminal 4 can encrypt any of the secret information ka, kb, kd, ki. Decoding of encrypted messages is possible.
For this reason, it is more communication overhead to use group secret information kd that can be commonly applied to terminal 0 and terminal 4 than to use secret information kh and ki that are node secret information for terminal 0 and terminal 4. Can be reduced. Further, if there are no revoked nodes in the two nodes on the right side of the node to which the terminal 4 is allocated, the communication overhead can be further reduced by using the group secret information kb that can be commonly applied to the four terminals. (However, in the example of FIG. 4, since the terminal 2 has expired, the secret information kb cannot be applied).
The set deriving unit 215 determines whether such group secret information can be applied, and derives a set of secret information that minimizes the communication overhead.
 通信部216は、端末装置301と通信を行う手段である。
 暗号部217は、共通鍵・公開鍵暗号の鍵生成・暗号化、乱数生成などを行う手段である。 The communication unit 216 is means for communicating with the terminal device 301.
The encryption unit 217 is a unit that performs key generation / encryption of common key / public key encryption, random number generation, and the like.
 図3は、セキュアマルチキャストシステム(図1)において、サーバ装置201からのマルチキャストを受信する端末装置301の構成例を表すブロック図である。 FIG. 3 is a block diagram illustrating a configuration example of the terminal device 301 that receives the multicast from the server device 201 in the secure multicast system (FIG. 1).
 図3において、アルゴリズム記憶領域311は、セキュアマルチキャストにおける鍵導出・復号などのアルゴリズムを記憶するデータ記憶手段である。
 本実施の形態では、CS法のアルゴリズムを利用する。 In FIG. 3, an algorithm storage area 311 is data storage means for storing algorithms such as key derivation and decryption in secure multicast.
In this embodiment, an algorithm of CS method is used.
 秘密情報記憶領域312は、サーバ装置201が管理する鍵管理構造に対応付けられた秘密情報(暗号鍵、もしくは暗号鍵導出の元となる情報)を記憶するデータ記憶手段である。
 本実施の形態では、全ての端末は木構造に対応付けられた秘密情報を記憶する。図5は秘密情報記憶領域312が記憶するデータの一例を表す。
 より具体的には、図5は、図4に示す端末0が保有するデータの例を示している。
 すなわち、端末0は図4の鍵管理構造では、秘密情報ka、kb、kd、khを利用できることが示されるが、図5では、これに対応して、端末0はこれら秘密情報ka、kb、kd、khを保有していることを示している。 The secret information storage area 312 is a data storage unit that stores secret information (encryption key or information used to derive the encryption key) associated with the key management structure managed by the server apparatus 201.
In this embodiment, all terminals store secret information associated with a tree structure. FIG. 5 shows an example of data stored in the secret information storage area 312.
More specifically, FIG. 5 shows an example of data held by the terminal 0 shown in FIG.
That is, the terminal 0 can use the secret information ka, kb, kd, and kh in the key management structure of FIG. 4, and FIG. 5 corresponds to the terminal 0 that corresponds to the secret information ka, kb, It shows that kd and kh are held.
 鍵導出部313は、アルゴリズム記憶領域311に記憶されているアルゴリズムに従い、サーバ装置201から受信したメッセージの復号に必要な暗号鍵を、秘密情報記憶領域312に記憶されている秘密情報から導出する手段である。 The key derivation unit 313 derives an encryption key necessary for decrypting the message received from the server apparatus 201 from the secret information stored in the secret information storage area 312 according to the algorithm stored in the algorithm storage area 311. It is.
 通信部314は、サーバ装置201と通信を行う手段である。
 暗号部315は、共通鍵・公開鍵暗号の復号、乱数生成などを行う手段である。 The communication unit 314 is a unit that communicates with the server device 201.
The encryption unit 315 is a means for performing decryption of common key / public key encryption, random number generation, and the like.
 セキュアマルチキャストにおける手続きは、サーバが鍵管理構造を作成する部分、運用開始時にサーバが複数の端末を鍵管理構造に割り当てる部分、端末を失効させる部分、端末を追加する部分、サーバから各端末への暗号通信を行う部分に大別される。
 以下、図18のフローチャートを参照しながら、それぞれの手続きについて説明する。
 なお、本実施の形態では、(1)から(5)を番号順に実行する例について説明するが、(3)から(5)に関しては任意の順番で、(端末数の制約が許す限り)何度でも繰り返し実行することができる。 The procedures in secure multicast are the part where the server creates the key management structure, the part where the server assigns multiple terminals to the key management structure at the start of operation, the part where the terminal is revoked, the part where the terminal is added, the server to each terminal It is roughly divided into the parts that perform cryptographic communication.
Hereinafter, each procedure will be described with reference to the flowchart of FIG.
In this embodiment, an example in which (1) to (5) are executed in numerical order will be described. However, (3) to (5) can be performed in any order (as long as the restriction on the number of terminals allows). Can be executed repeatedly.
(1)鍵管理構造の作成
 鍵管理構造生成部212および暗号部217は、システムで全体で利用する、失効端末も含めた端末数の最大値nを入力として、アルゴリズム記憶領域211に格納されている鍵管理アルゴリズムに従い、鍵管理構造を作成し(ステップS1801)(秘密情報管理構造生成処理)、また、各ノードに秘密情報を割り当てる(ステップS1802)(秘密情報管理処理)。そして、各ノードに秘密情報が割り当てられた鍵管理構造を鍵管理構造記憶領域214に格納する。
 本実施の形態では、鍵管理構造生成部212は、CS法に従い、葉ノード数nの鍵管理木を作成する。また、秘密情報は、サーバ装置201で生成してもよいし、外部で生成されたものをサーバ装置201に入力してもよい。
 なお、この時点では、全ての葉ノードには端末が割り当てられておらず、各葉ノードは「未使用ノード」である。
 例えばn=8の場合、図6のような鍵管理木が作成される。 (1) Creation of Key Management Structure The key management structure generation unit 212 and the encryption unit 217 receive the maximum value n of the number of terminals including the revoked terminals used as a whole in the system and are stored in the algorithm storage area 211. In accordance with the key management algorithm, a key management structure is created (step S1801) (secret information management structure generation process), and secret information is assigned to each node (step S1802) (secret information management process). Then, the key management structure in which the secret information is assigned to each node is stored in the key management structure storage area 214.
In the present embodiment, the key management structure generation unit 212 creates a key management tree with n leaf nodes according to the CS method. Also, the secret information may be generated by the server device 201, or information generated outside may be input to the server device 201.
At this point, no terminal is assigned to all leaf nodes, and each leaf node is an “unused node”.
For example, when n = 8, a key management tree as shown in FIG. 6 is created.
(2)運用開始時の端末割り当て
 端末配置部213は、鍵管理構造記憶領域214に記憶されている鍵管理木に対し、運用開始時に利用するm(m<n)個の端末を割り当てる(ステップS1803)(装置割当て処理)。
 端末が割り当てられた葉ノードは「正当ノード」となる。
 ここで、m個の端末が、鍵管理構造の上でなるべく分散されるように配置を行う。
 一例として、n=8の鍵管理木に端末0から端末5までを配置する場合、各端末IDを3桁の二進表記で表したビット列を逆転させ、これが表す値の場所に当該端末の配置を行う(端末0→000→000→左から0番目、端末1→001→100→左から4番目、端末2→010→010→左から2番目、…)。
 例えば図6の鍵管理木に6個の端末を割り当てる場合、図7のような鍵管理木が作成される。
 その後、サーバ装置201は、アルゴリズム記憶領域211に記憶されているアルゴリズムに従い、各端末に必要な秘密情報を格納する。
 本実施の形態では、CS法に従って秘密情報の格納が行われる。 (2) Terminal allocation at start of operation The terminal arrangement unit 213 allocates m (m <n) terminals used at the start of operation to the key management tree stored in the key management structure storage area 214 (step) S1803) (apparatus allocation processing).
The leaf node to which the terminal is assigned becomes a “valid node”.
Here, the arrangement is performed so that m terminals are distributed as much as possible on the key management structure.
As an example, when terminals 0 to 5 are arranged in a key management tree of n = 8, a bit string representing each terminal ID in binary notation of three digits is reversed, and the arrangement of the terminal at the position of the value represented by this is reversed. (Terminal 0 → 000 → 000 → 0th from left, terminal 1 → 001 → 100 → fourth from left, terminal 2 → 010 → 010 → second from left,...).
For example, when 6 terminals are allocated to the key management tree of FIG. 6, a key management tree as shown in FIG. 7 is created.
Thereafter, the server apparatus 201 stores secret information necessary for each terminal in accordance with the algorithm stored in the algorithm storage area 211.
In the present embodiment, secret information is stored according to the CS method.
(3)端末の失効
 正当な端末を失効させる必要がある場合、端末配置部213は、鍵管理構造記憶領域214に記憶されている鍵管理木において、当該の正当端末に対応する「正当ノード」を「失効ノード」に変更する(ステップS1804)(装置割当て処理)。
 これにより、正当ノード、失効ノードが指定される(ステップS1805)(装置割当て処理)。
 例えば図7の鍵管理木において端末2を失効させると、図8のような鍵管理木が作成される。
(4)端末の追加
 新たな端末をシステムに追加する場合(ステップS1806でYES)、端末配置部213は、鍵管理構造記憶領域214に記憶されている鍵管理木における「未使用ノード」の数を判断し(ステップS1807)、未使用ノードの数が1つの場合は、当該未使用ノードに追加端末を割り当てる(ステップS1808)。
 一方、未使用ノードが複数存在する場合は、複数の未使用ノードから1つを選択する必要がある。
 選択にあたっては、各未使用ノードに新たな端末装置を割り当てた鍵管理木を用いて図10のS1001からS1004及びS1006の処理を行って(ステップS1809)、未使用ノードごとに、鍵管理木全体として暗号化に必要な秘密情報の数を算出し、秘密情報の数が最も小さくなる未使用ノードを選択し、選択した未使用ノードに追加端末を割り当てることとする(ステップS1810)。
 なお、図10の各ステップの詳細は後述する。ただし、ステップS1809においては、暗号化を実際に行う必要はない。なお、通信オーバーヘッドが最小となるような「未使用ノード」が複数ある場合には、端末が鍵管理木の上でなるべく分散されるようなものを選択する。
 その後、追加端末を割り当てたノードを「正当ノード」に変更する(ステップS1811)。
 例えば図8の鍵管理木において新たな端末6を未使用ノード(右端)に割り当てると、図9のような鍵管理木となる。
 また、サーバ装置201は、アルゴリズム記憶領域211に記憶されているアルゴリズムに従い、追加端末に必要な秘密情報を格納する。本実施の形態では、CS法に従って秘密情報の格納が行われる。
 なお、「(5)サーバから各端末への暗号通信」では、図10のS1001以降の処理が行われるが(ステップS1812)、すでにステップS1809が行われている場合は、すでに暗号化に用いる秘密情報が選択されているので、選択された秘密情報を用いて暗号化を行い(ステップS1005)、選択された秘密情報を用いて暗号化を行い(ステップS1005、S1007)、暗号化メッセージを送信する(ステップS1008)ようにすればよい。 (3) Revocation of terminal When a valid terminal needs to be revoked, the terminal arrangement unit 213 uses a “legitimate node” corresponding to the valid terminal in the key management tree stored in the key management structure storage area 214. Is changed to “revocation node” (step S1804) (apparatus allocation processing).
Thereby, a valid node and an invalid node are designated (step S1805) (device allocation process).
For example, when the terminal 2 is revoked in the key management tree of FIG. 7, a key management tree as shown in FIG. 8 is created.
(4) Addition of terminal When a new terminal is added to the system (YES in step S1806), the terminal arrangement unit 213 determines the number of “unused nodes” in the key management tree stored in the key management structure storage area 214. (Step S1807), and when the number of unused nodes is one, an additional terminal is allocated to the unused node (step S1808).
On the other hand, when there are a plurality of unused nodes, it is necessary to select one from the plurality of unused nodes.
Upon selection, the processing from S1001 to S1004 and S1006 in FIG. 10 is performed using a key management tree in which a new terminal device is assigned to each unused node (step S1809), and the entire key management tree is obtained for each unused node. The number of secret information necessary for encryption is calculated, an unused node with the smallest number of secret information is selected, and an additional terminal is assigned to the selected unused node (step S1810).
Details of each step in FIG. 10 will be described later. However, in step S1809, it is not necessary to actually perform encryption. When there are a plurality of “unused nodes” that minimize the communication overhead, a terminal that is distributed as much as possible on the key management tree is selected.
Thereafter, the node to which the additional terminal is assigned is changed to “legitimate node” (step S1811).
For example, when a new terminal 6 is assigned to an unused node (right end) in the key management tree of FIG. 8, a key management tree as shown in FIG. 9 is obtained.
The server device 201 stores secret information necessary for the additional terminal according to the algorithm stored in the algorithm storage area 211. In the present embodiment, secret information is stored according to the CS method.
Note that in “(5) Encrypted communication from server to each terminal”, the processing after S1001 in FIG. 10 is performed (step S1812). If step S1809 has already been performed, the secret already used for encryption is used. Since the information is selected, encryption is performed using the selected secret information (step S1005), encryption is performed using the selected secret information (steps S1005 and S1007), and an encrypted message is transmitted. (Step S1008) may be performed.
(5)サーバから各端末への暗号通信
 図10は、暗号通信処理における動作を説明するフローチャートである。
 以下、図10のフローチャートを参照しながら説明する。
 暗号通信処理を行う前に、あらかじめサーバ装置201と各端末装置301とで、セキュアマルチキャストのアルゴリズムを共有しておく。
 ここでは、アルゴリズム記憶領域211にCS法をベースとするアルゴリズム(詳細は後述)が、アルゴリズム記憶領域311にCS法の復号アルゴリズムが格納されているものとする。
 また、サーバ装置201の鍵管理構造記憶領域214には前記(1)~(4)で作成されている鍵管理木が、端末装置301の秘密情報記憶領域312にはこれに対応する秘密情報が格納されている(ステップS1001、S1002)。
 以下では、鍵管理構造記憶領域214に図8で表される鍵管理木が格納されているものとする。 (5) Encryption Communication from Server to Each Terminal FIG. 10 is a flowchart for explaining the operation in the encryption communication process.
Hereinafter, a description will be given with reference to the flowchart of FIG.
Before performing the cryptographic communication process, the server apparatus 201 and each terminal apparatus 301 share the secure multicast algorithm in advance.
Here, it is assumed that the algorithm storage area 211 stores an algorithm based on the CS method (details will be described later), and the algorithm storage area 311 stores a decoding algorithm of the CS method.
The key management structure storage area 214 of the server device 201 contains the key management tree created in the above (1) to (4), and the secret information storage area 312 of the terminal device 301 contains the corresponding secret information. Stored (steps S1001, S1002).
In the following, it is assumed that the key management tree shown in FIG. 8 is stored in the key management structure storage area 214.
 処理の開始時には、全ての葉ノードに「正当ノード」「失効ノード」「未使用ノード」のいずれかの状態が割り当てられており、中間ノード(およびルートノード)には状態が割り当てられていない(図11)。
 集合導出部215は、全ての子ノードに状態が割り当てられており、かつ自身には状態が割り当てられていないような中間ノード(もしくはルートノード)を一つ選択する(ステップS1003)。
 そして、図12の規則に従い、当該ノードの状態を決定する(ステップS1004)。
 さらに、図12の「暗号化」欄に記載されているとおり、暗号部217がメッセージ(もしくはセッション鍵)の暗号化を行う(ステップS1005)。
 以上の処理を、ルートノードの状態が決定するまで繰り返し(ステップS1006)、最終的にルートノードが「正当ノード」となった場合は、暗号部217がルートノードに対応する鍵でメッセージ(もしくはセッション鍵)の暗号化を行う(ステップS1007)。 At the start of the process, any leaf node is assigned one of the “legitimate node”, “invalid node”, and “unused node”, and no state is assigned to the intermediate node (and the root node) ( FIG. 11).
The set deriving unit 215 selects one intermediate node (or root node) in which a state is assigned to all child nodes and a state is not assigned to itself (step S1003).
Then, according to the rules of FIG. 12, the state of the node is determined (step S1004).
Further, as described in the “encryption” column of FIG. 12, the encryption unit 217 encrypts the message (or session key) (step S1005).
The above processing is repeated until the state of the root node is determined (step S1006). If the root node finally becomes a “valid node”, the encryption unit 217 uses a key corresponding to the root node to send a message (or session). Key) is encrypted (step S1007).
 通信部216は、端末装置301に、ステップS1005やステップS1007で作られた全ての暗号化メッセージ(もしくはセッション鍵)をマルチキャストする(ステップS1008)。
 正当な端末装置301の通信部314はメッセージを受信し(ステップS1009)、鍵導出部313と暗号部315が、アルゴリズム記憶領域311に記憶されているアルゴリズムに従い、秘密情報記憶領域312に記憶されている秘密情報から導出した暗号鍵で受信メッセージを復号する(ステップS1010)。
 ステップS1010の詳細は、アルゴリズム記憶領域311に記憶されているアルゴリズムに依存する。本実施の形態では、CS法の復号アルゴリズムが用いられる。
 一方、失効された端末装置301は、マルチキャストのメッセージを受信しても、復号に必要な暗号鍵を導出できないため、情報を得ることができない。
 以上の処理を行うことで、セキュアマルチキャストを実現することができる。 The communication unit 216 multicasts all the encrypted messages (or session keys) created in step S1005 and step S1007 to the terminal device 301 (step S1008).
The communication unit 314 of the legitimate terminal device 301 receives the message (step S1009), and the key derivation unit 313 and the encryption unit 315 are stored in the secret information storage area 312 according to the algorithm stored in the algorithm storage area 311. The received message is decrypted with the encryption key derived from the stored secret information (step S1010).
Details of step S1010 depend on the algorithm stored in the algorithm storage area 311. In the present embodiment, a CS algorithm is used.
On the other hand, the revoked terminal device 301 cannot obtain information because it cannot derive an encryption key necessary for decryption even when it receives a multicast message.
By performing the above processing, secure multicast can be realized.
 なお、図8で表される鍵管理木を利用する上述の例では、最終的な全ノードの状態は図13のようになり、太線で示したノードに対応する秘密情報で暗号化が行われる。
 図12の規則は、2個の子ノードがいずれの種類の状態(正当、失効、未使用)であるかを解析し、子ノードの状態の組合せに応じて上位ノードの状態を決定するものである。
 例えば、図8において、端末0と端末4が割り当てられている葉ノードでは、両者ともに状態が正当なので、これら葉ノードの上位ノードである中間ノード(中間ノード1とする)は正当ノードとなる。また、この時点での暗号化は行われない。
 また、例えば、端末2が割り当てられている葉ノードとその右隣の端末が割り当てられていない葉ノードでは、失効と未使用の組合せとなるので、これら葉ノードの上位ノードである中間ノード(中間ノード2とする)は失効ノードとなる。そして、この中間ノード2の下位の正当ノードに割り当てられている秘密情報で暗号化が行われるが、中間ノード2の下位には正当ノードが存在しないので、暗号化は行われない。
 また、中間ノード1と中間ノード2では、正当と失効の組合せであるので、中間ノード1と中間ノード2の上位ノードは失効ノードとなる。このため、当該上位ノードの下位の正当ノードである中間ノード1に割り当てられている秘密情報を用いて端末0及び端末4に対する暗号化が行われる。 In the above example using the key management tree shown in FIG. 8, the final state of all the nodes is as shown in FIG. 13, and encryption is performed with the secret information corresponding to the nodes indicated by bold lines. .
The rule of FIG. 12 analyzes which kind of state (legitimate, invalid, unused) of two child nodes and determines the state of the upper node according to the combination of child node states. is there.
For example, in FIG. 8, the leaf nodes to which the terminal 0 and the terminal 4 are assigned have valid states, and therefore, an intermediate node (intermediate node 1) that is an upper node of these leaf nodes is a valid node. Also, encryption at this point is not performed.
In addition, for example, a leaf node to which the terminal 2 is assigned and a leaf node to which the terminal on the right side of the leaf node is not assigned are a combination of revocation and unused. Node 2) becomes an invalid node. Then, encryption is performed with the secret information assigned to the lower legitimate node of the intermediate node 2, but since no legitimate node exists under the intermediate node 2, no encryption is performed.
Since intermediate node 1 and intermediate node 2 are a combination of legitimacy and revocation, the upper nodes of intermediate node 1 and intermediate node 2 are revocation nodes. For this reason, encryption is performed on the terminal 0 and the terminal 4 by using the secret information assigned to the intermediate node 1 which is a lower right node of the upper node.
 このように、集合導出部215は、n個のノードを配列の順に従ってk(2≦k<m)個のノードごとのブロック(図12の例では2個のノードごとのブロック)に分け、ブロックごとに、ブロック内のk個のノードにいずれの種類のノードが含まれているかを解析して、複数個の正当ノードをグループ化できるか否かを判断している。
 より具体的には、集合導出部215は、ブロック内のk個のノードのすべてが未使用ノードである場合にk個のノードの親ノードとして未使用ノードを指定し、ブロック内のk個のノードに失効ノードが含まれていない場合にk個のノードの親ノードとして正当ノードを指定し、ブロック内のk個のノードに失効ノードが含まれる場合にk個のノードの親ノードとして失効ノードを指定し、以降、同様の処理を繰り返す。
 そして、失効ノードが指定されるごとに、その子孫ノードのうち正当ノードであるものについて、失効ノードの子ノードである正当ノードに対応付けられている秘密情報を適用して暗号化を行う。 In this way, the set deriving unit 215 divides the n nodes into blocks (k in each of the two nodes in the example of FIG. 12) according to the order of the array (k in a case of 2 ≦ k <m). For each block, it is determined whether or not a plurality of valid nodes can be grouped by analyzing which type of node is included in k nodes in the block.
More specifically, the set derivation unit 215 designates an unused node as a parent node of k nodes when all of k nodes in the block are unused nodes, and sets the k nodes in the block. When a node does not contain an invalid node, a valid node is designated as a parent node of k nodes, and when an invalid node is included in k nodes in a block, an invalid node as a parent node of k nodes After that, the same processing is repeated.
Each time an invalid node is designated, encryption is performed on the descendant nodes that are valid nodes by applying secret information associated with the valid nodes that are child nodes of the invalid node.
 鍵管理アルゴリズムの一つであるCS法では、一度鍵管理木を作成するとその後ノードは追加されないため、端末の追加を行うためには、端末が割り当てられないノードをあらかじめ用意しておく必要がある。
 CS法ではこのノードを「正当」「失効」のいずれかの状態で管理せざるを得なかったが、本実施の形態のように「未使用」の状態で管理し、CS法に修正を加えたアルゴリズムを用いると、「未使用ノード」に対応する端末は存在しないので、「未使用ノード」を秘密情報の選択において考慮する必要がなく、正当な端末を部分集合の和として表す際の自由度が増し、結果的にマルチキャストの通信オーバーヘッドを削減することが可能となる。
 また、運用開始時・端末追加時に端末を割り当てるノードの選択を工夫することにより、システム全体を通しての通信オーバーヘッドを削減できるという効果が得られ、狭帯域でセキュアマルチキャストを行う際に有効である。 In the CS method, which is one of the key management algorithms, once a key management tree is created, no nodes are added thereafter. Therefore, in order to add a terminal, it is necessary to prepare a node to which no terminal is assigned in advance. .
In the CS method, this node has to be managed in either “legitimate” or “revocation” state. However, as in this embodiment, it is managed in an “unused” state, and the CS method is modified. Since there is no terminal corresponding to “unused node” using the above algorithm, there is no need to consider “unused node” in the selection of secret information, and freedom to represent a legitimate terminal as a sum of subsets. As a result, the multicast communication overhead can be reduced.
Further, by devising selection of a node to which a terminal is allocated at the time of starting operation or adding a terminal, an effect of reducing communication overhead throughout the entire system can be obtained, which is effective when performing secure multicast in a narrow band.
 なお、本実施の形態では、鍵管理構造へのノード追加を想定していないが、鍵管理構造へのノード追加を行う既存の方式と組み合わせることも可能である。 In this embodiment, node addition to the key management structure is not assumed, but it is possible to combine with an existing method for adding a node to the key management structure.
 また、本実施の形態では、鍵管理アルゴリズムとして、CS法をベースとしたものを利用しているが、SD法をベースとしたものを利用することも可能である。
 この場合、ステップS1004における中間ノード状態決定において、中間ノードの状態として新たに「SDノード」を導入し、図14の状態決定規則を用いる。
 また、ステップS1007では、最終的にルートノードが「正当ノード」もしくは「SDノード」となった場合に、暗号部217がルートノードに対応する鍵でメッセージ(もしくはセッション鍵)を暗号化する。
 なお、図8で表される鍵管理木を利用する上述の例では、最終的な全ノードの状態は図15のようになり、太線で示したノードに対応する鍵で暗号化が行われる。 In this embodiment, a key management algorithm based on the CS method is used, but an algorithm based on the SD method can also be used.
In this case, in the intermediate node state determination in step S1004, “SD node” is newly introduced as the intermediate node state, and the state determination rule of FIG. 14 is used.
In step S1007, when the root node finally becomes a “valid node” or “SD node”, the encryption unit 217 encrypts the message (or session key) with a key corresponding to the root node.
In the above example using the key management tree shown in FIG. 8, the final state of all nodes is as shown in FIG. 15, and encryption is performed with the keys corresponding to the nodes indicated by the bold lines.
 すなわち、SD法をベースとする場合は、ノードの状態として新たに「SDノード」を導入したうえで、集合導出部215は、ブロック内のk個のノードのすべてが未使用ノードである場合にk個のノードの親ノードとして未使用ノードを指定し、ブロック内のk個のノードに失効ノードもSDノードも含まれていない場合にk個のノードの親ノードとして正当ノードを指定し、ブロック内のk個のノードに失効ノードとSDノードが合わせて1個だけ含まれている場合にk個のノードの親ノードとしてSDノードを指定し、ブロック内のk個のノードに失効ノードとSDノードが合わせて2個以上含まれている場合にk個のノードの親ノードとして失効ノードを指定し、以降、同様の処理を繰り返す。
 そして、失効ノードが指定されるごとに、その子孫ノードのうち正当・SDノードであるものについて、失効ノードの子ノードである正当・SDノードに対応付けられている秘密情報を適用して暗号化を行う。 That is, when the SD method is used as a base, after introducing a new “SD node” as a node state, the set deriving unit 215 determines that all k nodes in the block are unused nodes. An unused node is designated as the parent node of k nodes, and when the revocation node and the SD node are not included in the k nodes in the block, a valid node is designated as the parent node of the k nodes, and the block In the case where only one revocation node and one SD node are included in k nodes in the block, the SD node is designated as the parent node of the k nodes, and the revocation node and SD are designated in the k nodes in the block. When two or more nodes are included, an invalid node is designated as the parent node of k nodes, and the same processing is repeated thereafter.
Each time an invalid node is specified, encryption is performed on the descendant node that is a legitimate / SD node by applying secret information associated with the legitimate / SD node that is a child node of the invalid node. I do.
 また、本実施の形態では、鍵管理アルゴリズムとして、木構造を用いた鍵管理を行う方式を利用しているが、直線状・円状・格子状・グラフ状など、任意の構造で鍵管理を行う方式を利用することも可能である。 In this embodiment, a key management method using a tree structure is used as a key management algorithm. However, key management can be performed with an arbitrary structure such as a straight line, a circle, a grid, or a graph. It is also possible to use the method to be performed.
 また、本実施の形態では、「(2)運用開始時の端末割り当て」において、ビット列を用いた規則的な割り当てを行っているが、端末が適切に分散されるものであれば、これ以外の確定的もしくは確率的な方法を用いても良い。 In this embodiment, in “(2) Terminal allocation at the start of operation”, regular allocation using a bit string is performed. However, if terminals are appropriately distributed, other than this A deterministic or probabilistic method may be used.
 また、本実施の形態では、木構造として2分木を利用しているが、3分木や4分木などを利用した場合でも、同様のセキュアマルチキャストを行うことが可能である。また、各ノードの子ノードの数が異なっていても良い。
 図16は、3分木構造の鍵管理構造に対するCS法をベースにした状態決定規則の例を示している。
 また、図17は、3分木構造の鍵管理構造に対するSD法をベースにした状態決定規則の例を示している。 In the present embodiment, a binary tree is used as the tree structure, but the same secure multicast can be performed even when a triple tree or a quadtree is used. Further, the number of child nodes of each node may be different.
FIG. 16 shows an example of a state determination rule based on the CS method for a key management structure having a binary tree structure.
FIG. 17 shows an example of a state determination rule based on the SD method for a key management structure having a binary tree structure.
 なお、本実施の形態では、各端末に格納する鍵の決定と、各端末へのメッセージ送信を同一のサーバ装置が行っているが、これらを別々の装置で行っても良い。 In the present embodiment, the same server device performs determination of the key stored in each terminal and message transmission to each terminal, but these may be performed by different devices.
 以上、本実施の形態では、セキュアマルチキャストシステムにおいて、情報を送信するサーバが、情報を受信する複数の端末を管理するために、各ノードを正当・失効・未使用の3状態で管理し、この状態に基づいてマルチキャストのヘッダを決定することで、端末の追加を可能としつつ、マルチキャストの際に生じる通信オーバーヘッドを削減する方式を説明した。 As described above, in the present embodiment, in a secure multicast system, a server that transmits information manages each node in three states of valid, invalid, and unused in order to manage a plurality of terminals that receive the information. A method has been described in which a multicast header is determined based on a state to allow a terminal to be added and reduce communication overhead generated during multicast.
 また、本実施の形態では、端末を鍵管理構造に追加する際、その後のセキュアマルチキャストの通信オーバーヘッドが最小になる箇所を選んで端末を割り当てる方式を説明した。 Further, in the present embodiment, a method has been described in which, when a terminal is added to the key management structure, a terminal is allocated by selecting a location where the subsequent secure multicast communication overhead is minimized.
 また、本実施の形態では、運用開始時の正当端末を鍵管理構造上に分散配置する方式を説明した。 In the present embodiment, the method of distributing and arranging legitimate terminals at the start of operation on the key management structure has been described.
 また、本実施の形態では、CS法をベースとして秘密情報管理を行う方式及びSD法をベースとして秘密情報管理を行う方式を説明した。 Further, in the present embodiment, the method for performing secret information management based on the CS method and the method for performing secret information management based on the SD method have been described.
 最後に、実施の形態1に示したサーバ装置201のハードウェア構成例について説明する。
 図19は、実施の形態1に示すサーバ装置201のハードウェア資源の一例を示す図である。
 なお、図19の構成は、あくまでもサーバ装置201のハードウェア構成の一例を示すものであり、サーバ装置201のハードウェア構成は図19に記載の構成に限らず、他の構成であってもよい。 Finally, a hardware configuration example of the server device 201 shown in the first embodiment will be described.
FIG. 19 is a diagram illustrating an example of hardware resources of the server apparatus 201 illustrated in the first embodiment.
Note that the configuration in FIG. 19 is merely an example of the hardware configuration of the server apparatus 201, and the hardware configuration of the server apparatus 201 is not limited to the configuration illustrated in FIG. .
 図19において、サーバ装置201は、プログラムを実行するCPU911(Central Processing Unit、中央処理装置、処理装置、演算装置、マイクロプロセッサ、マイクロコンピュータ、プロセッサともいう)を備えている。
 CPU911は、バス912を介して、例えば、ROM(Read Only Memory)913、RAM(Random Access Memory)914、通信ボード915、表示装置901、キーボード902、マウス903、磁気ディスク装置920と接続され、これらのハードウェアデバイスを制御する。
 更に、CPU911は、FDD904(Flexible Disk Drive)、コンパクトディスク装置905(CDD)、プリンタ装置906、スキャナ装置907と接続していてもよい。また、磁気ディスク装置920の代わりに、光ディスク装置、メモリカード(登録商標)読み書き装置などの記憶装置でもよい。
 RAM914は、揮発性メモリの一例である。ROM913、FDD904、CDD905、磁気ディスク装置920の記憶媒体は、不揮発性メモリの一例である。これらは、記憶装置の一例である。
 通信ボード915、キーボード902、マウス903、スキャナ装置907、FDD904などは、入力装置の一例である。
 また、通信ボード915、表示装置901、プリンタ装置906などは、出力装置の一例である。 In FIG. 19, the server apparatus 201 includes a CPU 911 (also referred to as a central processing unit, a central processing unit, a processing unit, an arithmetic unit, a microprocessor, a microcomputer, and a processor) that executes a program.
The CPU 911 is connected to, for example, a ROM (Read Only Memory) 913, a RAM (Random Access Memory) 914, a communication board 915, a display device 901, a keyboard 902, a mouse 903, and a magnetic disk device 920 via a bus 912. Control hardware devices.
Further, the CPU 911 may be connected to an FDD 904 (Flexible Disk Drive), a compact disk device 905 (CDD), a printer device 906, and a scanner device 907. Further, instead of the magnetic disk device 920, a storage device such as an optical disk device or a memory card (registered trademark) read / write device may be used.
The RAM 914 is an example of a volatile memory. The storage media of the ROM 913, the FDD 904, the CDD 905, and the magnetic disk device 920 are an example of a nonvolatile memory. These are examples of the storage device.
A communication board 915, a keyboard 902, a mouse 903, a scanner device 907, an FDD 904, and the like are examples of input devices.
The communication board 915, the display device 901, the printer device 906, and the like are examples of output devices.
 通信ボード915は、図1に示すように、ネットワークに接続されている。例えば、通信ボード915は、LAN(ローカルエリアネットワーク)、インターネット、WAN(ワイドエリアネットワーク)などに接続されていても構わない。 The communication board 915 is connected to the network as shown in FIG. For example, the communication board 915 may be connected to a LAN (local area network), the Internet, a WAN (wide area network), or the like.
 磁気ディスク装置920には、オペレーティングシステム921(OS)、ウィンドウシステム922、プログラム群923、ファイル群924が記憶されている。
 プログラム群923のプログラムは、CPU911がオペレーティングシステム921、ウィンドウシステム922を利用しながら実行する。 The magnetic disk device 920 stores an operating system 921 (OS), a window system 922, a program group 923, and a file group 924.
The programs in the program group 923 are executed by the CPU 911 using the operating system 921 and the window system 922.
 また、RAM914には、CPU911に実行させるオペレーティングシステム921のプログラムやアプリケーションプログラムの少なくとも一部が一時的に格納される。
 また、RAM914には、CPU911による処理に必要な各種データが格納される。 The RAM 914 temporarily stores at least part of the operating system 921 program and application programs to be executed by the CPU 911.
The RAM 914 stores various data necessary for processing by the CPU 911.
 また、ROM913には、BIOS(Basic Input Output System)プログラムが格納され、磁気ディスク装置920にはブートプログラムが格納されている。
 サーバ装置201の起動時には、ROM913のBIOSプログラム及び磁気ディスク装置920のブートプログラムが実行され、BIOSプログラム及びブートプログラムによりオペレーティングシステム921が起動される。 The ROM 913 stores a BIOS (Basic Input Output System) program, and the magnetic disk device 920 stores a boot program.
When the server apparatus 201 is activated, the BIOS program in the ROM 913 and the boot program in the magnetic disk apparatus 920 are executed, and the operating system 921 is activated by the BIOS program and the boot program.
 上記プログラム群923には、実施の形態1の説明において「・・・部」として説明している機能を実行するプログラムが記憶されている。プログラムは、CPU911により読み出され実行される。 The program group 923 stores a program for executing the function described as “... Unit” in the description of the first embodiment. The program is read and executed by the CPU 911.
 ファイル群924には、実施の形態1の説明において、「・・・の判断」、「・・・の計算」、「・・・の算出」、「・・・の比較」、「・・・の生成」、「・・・の導出」、「・・・の抽出」、「・・・の更新」、「・・・の指定」、「・・・の登録」、「・・・の選択」等として説明している処理の結果を示す情報やデータや信号値や変数値やパラメータが、「・・・ファイル」や「・・・データベース」の各項目として記憶されている。
 「・・・ファイル」や「・・・データベース」は、ディスクやメモリなどの記録媒体に記憶される。ディスクやメモリなどの記憶媒体に記憶された情報やデータや信号値や変数値やパラメータは、読み書き回路を介してCPU911によりメインメモリやキャッシュメモリに読み出され、抽出・検索・参照・比較・演算・計算・処理・編集・出力・印刷・表示などのCPUの動作に用いられる。
 抽出・検索・参照・比較・演算・計算・処理・編集・出力・印刷・表示のCPUの動作の間、情報やデータや信号値や変数値やパラメータは、メインメモリ、レジスタ、キャッシュメモリ、バッファメモリ等に一時的に記憶される。
 また、実施の形態1で説明しているフローチャートの矢印の部分は主としてデータや信号の入出力を示し、データや信号値は、RAM914のメモリ、FDD904のフレキシブルディスク、CDD905のコンパクトディスク、磁気ディスク装置920の磁気ディスク、その他光ディスク、ミニディスク、DVD等の記録媒体に記録される。また、データや信号は、バス912や信号線やケーブルその他の伝送媒体によりオンライン伝送される。 The file group 924 includes “determination of...”, “Calculation of...”, “Calculation of...”, “Comparison of. ”Generation”, “Derivation of ...”, “Extraction of ...”, “Update of ...”, “Designation of ...”, “Registration of ...”, “Selection of ...” Information, data, signal values, variable values, and parameters indicating the results of the processing described as “...” Are stored as items of “... File” and “.
“... File” and “... Database” are stored in a recording medium such as a disk or a memory. Information, data, signal values, variable values, and parameters stored in a storage medium such as a disk or memory are read out to the main memory or cache memory by the CPU 911 via a read / write circuit, and extracted, searched, referenced, compared, and calculated. Used for CPU operations such as calculation, processing, editing, output, printing, and display.
Information, data, signal values, variable values, and parameters are stored in the main memory, registers, cache memory, and buffers during the CPU operations of extraction, search, reference, comparison, calculation, processing, editing, output, printing, and display. It is temporarily stored in a memory or the like.
In addition, the arrows in the flowchart described in the first embodiment mainly indicate input and output of data and signals. The data and signal values are the RAM 914 memory, the FDD 904 flexible disk, the CDD 905 compact disk, and the magnetic disk device. It is recorded on a recording medium such as a 920 magnetic disk, other optical disks, minidisks, and DVDs. Data and signals are transmitted online via a bus 912, signal lines, cables, or other transmission media.
 また、実施の形態1の説明において「・・・部」として説明しているものは、「・・・回路」、「・・・装置」、「・・・機器」であってもよく、また、「・・・ステップ」、「・・・手順」、「・・・処理」であってもよい。すなわち、「・・・部」として説明しているものは、ROM913に記憶されたファームウェアで実現されていても構わない。或いは、ソフトウェアのみ、或いは、素子・デバイス・基板・配線などのハードウェアのみ、或いは、ソフトウェアとハードウェアとの組み合わせ、さらには、ファームウェアとの組み合わせで実施されても構わない。ファームウェアとソフトウェアは、プログラムとして、磁気ディスク、フレキシブルディスク、光ディスク、コンパクトディスク、ミニディスク、DVD等の記録媒体に記憶される。プログラムはCPU911により読み出され、CPU911により実行される。すなわち、プログラムは、実施の形態1の「・・・部」としてコンピュータを機能させるものである。あるいは、実施の形態1の「・・・部」の手順や方法をコンピュータに実行させるものである。 In addition, what is described as “... part” in the description of the first embodiment may be “... circuit”, “... device”, “... device”. , “... Step”, “... Procedure”, “. That is, what is described as “... Unit” may be realized by firmware stored in the ROM 913. Alternatively, it may be implemented only by software, or only by hardware such as elements, devices, substrates, and wirings, by a combination of software and hardware, or by a combination of firmware. Firmware and software are stored as programs in a recording medium such as a magnetic disk, a flexible disk, an optical disk, a compact disk, a mini disk, and a DVD. The program is read by the CPU 911 and executed by the CPU 911. That is, the program causes the computer to function as “... Unit” in the first embodiment. Alternatively, the computer executes the procedure and method of “... Unit” in the first embodiment.
 このように、実施の形態1に示すサーバ装置201は、処理装置たるCPU、記憶装置たるメモリ、磁気ディスク等、入力装置たるキーボード、マウス、通信ボード等、出力装置たる表示装置、通信ボード等を備えるコンピュータであり、上記したように「・・・部」として示された機能をこれら処理装置、記憶装置、入力装置、出力装置を用いて実現するものである。 As described above, the server device 201 shown in the first embodiment includes a CPU as a processing device, a memory as a storage device, a magnetic disk, a keyboard as an input device, a mouse, a communication board, a display device as an output device, a communication board, and the like. As described above, the computer includes the functions indicated as “... Unit” using these processing devices, storage devices, input devices, and output devices.
実施の形態1に係るセキュアマルチキャストシステムの構成例を示す図。1 is a diagram illustrating a configuration example of a secure multicast system according to Embodiment 1. FIG. 実施の形態1に係るサーバ装置の構成例を示す図。FIG. 3 shows a configuration example of a server apparatus according to the first embodiment. 実施の形態1に係る端末装置の構成例を示す図。FIG. 3 shows a configuration example of a terminal apparatus according to the first embodiment. 実施の形態1に係る鍵管理構造の例を示す図。FIG. 3 is a diagram showing an example of a key management structure according to the first embodiment. 実施の形態1に係る端末装置が記憶するデータの例を示す図。FIG. 4 is a diagram illustrating an example of data stored in the terminal device according to the first embodiment. 実施の形態1に係る鍵管理構造の例を示す図。FIG. 3 is a diagram showing an example of a key management structure according to the first embodiment. 実施の形態1に係る鍵管理構造の例を示す図。FIG. 3 is a diagram showing an example of a key management structure according to the first embodiment. 実施の形態1に係る鍵管理構造の例を示す図。FIG. 3 is a diagram showing an example of a key management structure according to the first embodiment. 実施の形態1に係る鍵管理構造の例を示す図。FIG. 3 is a diagram showing an example of a key management structure according to the first embodiment. 実施の形態1に係るサーバ装置の動作例を示すフローチャート図。FIG. 3 is a flowchart showing an operation example of the server apparatus according to the first embodiment. 実施の形態1に係る鍵管理構造の例を示す図。FIG. 3 is a diagram showing an example of a key management structure according to the first embodiment. 実施の形態1に係るCS法をベースにした状態決定規則の例を示す図。The figure which shows the example of the state determination rule based on CS method concerning Embodiment 1. FIG. 実施の形態1に係る鍵管理構造の例を示す図。FIG. 3 is a diagram showing an example of a key management structure according to the first embodiment. 実施の形態1に係るSD法をベースにした状態決定規則の例を示す図。The figure which shows the example of the state determination rule based on SD method concerning Embodiment 1. FIG. 実施の形態1に係る鍵管理構造の例を示す図。FIG. 3 is a diagram showing an example of a key management structure according to the first embodiment. 実施の形態1に係るCS法をベースにした状態決定規則の例を示す図。The figure which shows the example of the state determination rule based on CS method concerning Embodiment 1. FIG. 実施の形態1に係るSD法をベースにした状態決定規則の例を示す図。The figure which shows the example of the state determination rule based on SD method concerning Embodiment 1. FIG. 実施の形態1に係るサーバ装置の動作例を示すフローチャート図。FIG. 3 is a flowchart showing an operation example of the server apparatus according to the first embodiment. 実施の形態1に係るサーバ装置及び端末装置のハードウェア構成例を示す図。The figure which shows the hardware structural example of the server apparatus which concerns on Embodiment 1, and a terminal device.
符号の説明Explanation of symbols
 101 ネットワーク、201 サーバ装置、211 アルゴリズム記憶領域、212 鍵管理構造生成部、213 端末配置部、214 鍵管理構造記憶領域、215 集合導出部、216 通信部、217 暗号部、301 端末装置、311 アルゴリズム記憶領域、312 秘密情報記憶領域、313 鍵導出部、314 通信部、315 暗号部。 101 network, 201 server device, 211 algorithm storage area, 212 key management structure generation section, 213 terminal arrangement section, 214 key management structure storage area, 215 set derivation section, 216 communication section, 217 encryption section, 301 terminal apparatus, 311 algorithm Storage area, 312 secret information storage area, 313 key derivation section, 314 communication section, 315 encryption section.

Claims (13)

  1.  m(m≧2)個の通信装置の中からマルチキャスト送信の対象として選択された2個以上のマルチキャスト対象通信装置に、秘密情報を用いて暗号化された暗号化メッセージをマルチキャスト送信する情報処理装置であって、
     配列されたn(n>m)個のノードが含まれる秘密情報管理構造を生成する秘密情報管理構造生成部と、
     前記秘密情報管理構造のn個のノードのうちのm個のノードに前記m個の通信装置を割り当てるとともに、前記n個のノードのうち通信装置が割り当てられていないノードを未使用ノードとして指定する装置割当て部と、
     前記装置割当て部による前記秘密情報管理構造への端末装置の割り当て結果に基づいて、前記マルチキャスト対象通信装置にマルチキャスト送信する暗号化メッセージの暗号化に用いる秘密情報を選択する秘密情報選択部とを有することを特徴とする情報処理装置。     Information processing apparatus for multicast transmission of encrypted message encrypted using secret information to two or more multicast target communication apparatuses selected as multicast transmission targets from m (m ≧ 2) communication apparatuses Because
    A secret information management structure generation unit that generates a secret information management structure including n (n> m) nodes arranged;
    The m communication devices are allocated to m nodes among the n nodes of the secret information management structure, and a node to which no communication device is allocated among the n nodes is designated as an unused node. A device allocation unit;
    A secret information selection unit that selects secret information used for encryption of an encrypted message to be multicast-transmitted to the multicast target communication device based on a result of assignment of the terminal device to the secret information management structure by the device assignment unit. An information processing apparatus characterized by that.
  2.  前記装置割当て部は、
     前記m個の通信装置以外の新たな通信装置がマルチキャスト対象通信装置として選択された場合に、前記新たな通信装置を未使用ノードに割り当てることを特徴とする請求項1に記載の情報処理装置。     The device allocation unit is
    2. The information processing apparatus according to claim 1, wherein when a new communication apparatus other than the m communication apparatuses is selected as a multicast target communication apparatus, the new communication apparatus is assigned to an unused node.
  3.  前記情報処理装置は、更に、
     n+1個以上の秘密情報を記憶する秘密情報記憶部と、
     前記秘密情報記憶部に記憶されている秘密情報のうちn個の秘密情報をノード秘密情報として前記秘密情報管理構造のn個のノードに対応付けて管理し、前記秘密情報記憶部に記憶されている秘密情報のうちノード秘密情報以外の秘密情報をグループ化された複数個のノードに共通に適用されるグループ秘密情報として管理する秘密情報管理部とを有し、
     前記装置割当て部は、
     前記秘密情報管理構造のn個のノードのうちのm個のノードに前記m個の通信装置を割り当てるとともに、前記m個のノードのうちマルチキャスト対象通信装置が割り当てられているノードを正当ノードとして指定し、前記m個のノードのうちマルチキャスト対象通信装置以外の通信装置が割り当てられているノードを失効ノードとして指定し、
     前記秘密情報選択部は、
     前記n個のノードにおける正当ノードの位置と失効ノードの位置と未使用ノードの位置に基づき、複数個の正当ノードをグループ化できるか否かを判断し、グループ化できる複数個の正当ノードに対してはグループ秘密情報を適用し、グループ化できない正当ノードに対しては対応付けられているノード秘密情報を適用して、前記マルチキャスト対象通信装置にマルチキャスト送信する暗号化メッセージの暗号化に用いる秘密情報を選択することを特徴とする請求項1又は2に記載の情報処理装置。     The information processing apparatus further includes:
    a secret information storage unit for storing n + 1 or more secret information;
    Of the secret information stored in the secret information storage unit, n secret information is managed as node secret information in association with n nodes of the secret information management structure, and stored in the secret information storage unit A secret information management unit that manages secret information other than node secret information among grouped secret information as group secret information that is commonly applied to a plurality of nodes grouped,
    The device allocation unit is
    The m communication devices are allocated to m nodes among the n nodes of the secret information management structure, and the node to which the multicast target communication device is allocated among the m nodes is designated as a valid node. And a node to which a communication device other than the multicast target communication device is allocated among the m nodes is designated as an invalid node,
    The secret information selection unit
    Based on the position of the valid node, the position of the invalid node and the position of the unused node in the n nodes, it is determined whether or not a plurality of valid nodes can be grouped. Secret information used for encryption of encrypted messages that are multicast-transmitted to the multicast target communication device by applying group secret information and applying corresponding node secret information to legitimate nodes that cannot be grouped The information processing apparatus according to claim 1, wherein the information processing apparatus is selected.
  4.  前記装置割当て部は、
     前記m個の通信装置以外の新たな通信装置がマルチキャスト対象通信装置として選択された場合に、前記新たな通信装置を未使用ノードに割り当て、前記新たな通信装置が割り当てられた未使用ノードを正当ノードに変更することを特徴とする請求項3に記載の情報処理装置。     The device allocation unit is
    When a new communication device other than the m communication devices is selected as a multicast target communication device, the new communication device is assigned to an unused node, and the unused node to which the new communication device is assigned is valid. The information processing apparatus according to claim 3, wherein the information processing apparatus is changed to a node.
  5.  前記装置割当て部は、
     前記新たな通信装置がマルチキャスト対象通信装置として選択された際に前記秘密情報管理構造のn個のノードにおいて未使用ノードが1つだけ存在する場合に、前記新たな通信装置を未使用ノードに割り当て、前記新たな通信装置が割り当てられた未使用ノードを正当ノードに変更し、
     前記秘密情報選択部は、
     前記装置割当て部により前記未使用ノードが正当ノードに変更された後の前記n個のノードにおける正当ノードの位置と失効ノードの位置に基づき、複数個の正当ノードをグループ化できるか否かを判断することを特徴とする請求項4に記載の情報処理装置。     The device allocation unit is
    When the new communication device is selected as a multicast target communication device, if there is only one unused node among the n nodes of the secret information management structure, the new communication device is assigned to the unused node. , Changing the unused node to which the new communication device is assigned to a valid node,
    The secret information selection unit
    It is determined whether or not a plurality of valid nodes can be grouped based on the positions of valid nodes and invalid nodes in the n nodes after the unused node is changed to a valid node by the device allocation unit. The information processing apparatus according to claim 4, wherein:
  6.  前記秘密情報選択部は、
     前記新たな通信装置がマルチキャスト対象通信装置として選択された際に前記秘密情報管理構造のn個のノードにおいて未使用ノードが複数個存在する場合に、各々の未使用ノードに前記新たな通信装置が割り当てられた場合の前記n個のノードにおける正当ノードの位置と失効ノードの位置と未使用ノードの位置に基づき、未使用ノードごとに、暗号化メッセージの暗号化に用いる秘密情報の数を算出し、算出した秘密情報の数が最小となる未使用ノードを選択し、
     前記装置割当て部は、
     前記秘密情報選択部により選択された未使用ノードに前記新たな通信装置を割り当てることを特徴とする請求項4に記載の情報処理装置。     The secret information selection unit
    When a plurality of unused nodes exist in n nodes of the secret information management structure when the new communication device is selected as a multicast target communication device, the new communication device is added to each unused node. Based on the position of the valid node, the position of the revoked node, and the position of the unused node in the n nodes when assigned, the number of secret information used for encrypting the encrypted message is calculated for each unused node. , Select an unused node that minimizes the calculated number of confidential information,
    The device allocation unit is
    The information processing apparatus according to claim 4, wherein the new communication apparatus is assigned to an unused node selected by the secret information selection unit.
  7.  前記秘密情報選択部は、
     前記n個のノードを配列の順に従ってk(2≦k<m)個のノードごとのブロックに分け、ブロックごとに、ブロック内のk個のノードにいずれの種類のノードが含まれているかを解析して、複数個の正当ノードをグループ化できるか否かを判断することを特徴とする請求項3に記載の情報処理装置。     The secret information selection unit
    The n nodes are divided into blocks for each k (2 ≦ k <m) nodes according to the order of arrangement, and for each block, which type of node is included in the k nodes in the block. 4. The information processing apparatus according to claim 3, wherein analysis is performed to determine whether or not a plurality of valid nodes can be grouped.
  8.  前記秘密情報選択部は、
     ブロック内のk個のノードのすべてが未使用ノードである場合にk個のノードの親ノードとして未使用ノードを指定し、
     ブロック内のk個のノードに失効ノードが含まれていない場合にk個のノードの親ノードとして正当ノードを指定し、
     ブロック内のk個のノードに失効ノードが含まれる場合にk個のノードの親ノードとして失効ノードを指定し、
     以降、同様の処理を繰り返し、
     失効ノードが指定されるごとに、指定された失効ノードの子孫ノードにあたる複数個の正当ノードをグループ化することを特徴とする請求項7に記載の情報処理装置。     The secret information selection unit
    If all k nodes in the block are unused nodes, specify an unused node as the parent node of k nodes;
    If the k nodes in the block do not contain revoked nodes, specify the legitimate node as the parent node of the k nodes,
    If the k nodes in the block contain an invalid node, specify the invalid node as the parent node of the k nodes,
    Thereafter, the same processing is repeated,
    8. The information processing apparatus according to claim 7, wherein each time an invalid node is designated, a plurality of valid nodes corresponding to descendant nodes of the designated invalid node are grouped.
  9.  前記秘密情報管理構造生成部は、
     最下位階層に前記n個のノードが配置される複数階層のk分木構造の秘密情報管理構造を生成し、
     前記秘密情報記憶部は、
     前記秘密情報管理構造に含まれるノード数分の秘密情報を記憶し、
     前記秘密情報管理部は、
     前記秘密情報記憶部に記憶されている秘密情報のうちn個の秘密情報をノード秘密情報として前記秘密情報管理構造のn個のノードに対応付けて管理し、前記秘密情報記憶部に記憶されている秘密情報のうちノード秘密情報以外の秘密情報をグループ秘密情報として前記n個のノード以外のノードに対応付けて管理し、
     前記秘密情報選択部は、
     グループ化された複数個の正当ノードに対して、祖先ノードである失効ノードの子ノードにあたる正当ノードに対応付けられているグループ秘密情報を適用することを特徴とする請求項8に記載の情報処理装置。     The secret information management structure generation unit
    Generating a secret information management structure having a k-ary tree structure of a plurality of hierarchies in which the n nodes are arranged in the lowest hierarchy;
    The secret information storage unit
    Storing secret information corresponding to the number of nodes included in the secret information management structure;
    The secret information management unit
    Of the secret information stored in the secret information storage unit, n secret information is managed as node secret information in association with n nodes of the secret information management structure, and stored in the secret information storage unit Managing secret information other than node secret information among the secret information associated with the nodes other than the n nodes as group secret information,
    The secret information selection unit
    9. The information processing according to claim 8, wherein group secret information associated with a legitimate node corresponding to a child node of an invalid node that is an ancestor node is applied to a plurality of legitimate nodes grouped. apparatus.
  10.  前記秘密情報選択部は、
     所定の条件に合致するノードをSD(Subset Difference)ノードとして指定し、
     ブロック内のk個のノードのすべてが未使用ノードである場合にk個のノードの親ノードとして未使用ノードを指定し、
     ブロック内のk個のノードに失効ノードもSDノードも含まれていない場合にk個のノードの親ノードとして正当ノードを指定し、
     ブロック内のk個のノードに失効ノードとSDノードが合わせて1個だけ含まれている場合にk個のノードの親ノードとしてSDノードを指定し、
     ブロック内のk個のノードに失効ノードとSDノードが合わせて2個以上含まれている場合にk個のノードの親ノードとして失効ノードを指定し、
     以降、同様の処理を繰り返し、
     失効ノードが指定されるごとに、指定された失効ノードの子孫ノードにあたる複数個の正当ノードをグループ化することを特徴とする請求項7に記載の情報処理装置。     The secret information selection unit
    Designate a node that meets a given condition as an SD (Subset Difference) node,
    If all k nodes in the block are unused nodes, specify an unused node as the parent node of k nodes;
    If the k nodes in the block contain neither the revoked node nor the SD node, the legitimate node is designated as the parent node of the k nodes,
    When k nodes in the block include only one invalid node and SD node in total, the SD node is designated as the parent node of k nodes,
    If the k nodes in the block include two or more revocation nodes and SD nodes in total, specify the revocation node as the parent node of the k nodes,
    Thereafter, the same processing is repeated,
    8. The information processing apparatus according to claim 7, wherein each time an invalid node is designated, a plurality of valid nodes corresponding to descendant nodes of the designated invalid node are grouped.
  11.  前記秘密情報管理構造生成部は、
     最下位階層に前記n個のノードが配置される複数階層のk分木構造の秘密情報管理構造を生成し、
     前記秘密情報記憶部は、
     前記秘密情報管理構造に含まれるノード数分の秘密情報を記憶し、
     前記秘密情報管理部は、
     前記秘密情報記憶部に記憶されている秘密情報のうちn個の秘密情報をノード秘密情報として前記秘密情報管理構造のn個のノードに対応付けて管理し、前記秘密情報記憶部に記憶されている秘密情報のうちノード秘密情報以外の秘密情報をグループ秘密情報として前記n個のノード以外のノードに対応付けて管理し、
     前記秘密情報選択部は、
     グループ化された複数個の正当ノードに対して、祖先ノードである失効ノードの子ノードにあたる正当ノード及びSDノードのいずれかに対応付けられているグループ秘密情報を適用することを特徴とする請求項10に記載の情報処理装置。     The secret information management structure generation unit
    Generating a secret information management structure having a k-ary tree structure of a plurality of hierarchies in which the n nodes are arranged in the lowest hierarchy;
    The secret information storage unit
    Storing secret information corresponding to the number of nodes included in the secret information management structure;
    The secret information management unit
    Of the secret information stored in the secret information storage unit, n secret information is managed as node secret information in association with n nodes of the secret information management structure, and stored in the secret information storage unit Managing secret information other than node secret information among the secret information associated with the nodes other than the n nodes as group secret information,
    The secret information selection unit
    The group secret information associated with any one of a valid node and an SD node corresponding to a child node of an invalid node that is an ancestor node is applied to a plurality of valid nodes grouped together. The information processing apparatus according to 10.
  12.  前記装置割当て部は、
     正当ノードと失効ノードと未使用ノードが分散して配置されるように、前記m個の通信装置を前記m個のノードに割り当てることを特徴とする請求項3に記載の情報処理装置。     The device allocation unit is
    4. The information processing apparatus according to claim 3, wherein the m communication apparatuses are allocated to the m nodes so that legitimate nodes, invalid nodes, and unused nodes are arranged in a distributed manner.
  13.  m(m≧2)個の通信装置の中からマルチキャスト送信の対象として選択された2個以上のマルチキャスト対象通信装置に、秘密情報を用いて暗号化された暗号化メッセージをマルチキャスト送信するコンピュータに、
     配列されたn(n>m)個のノードが含まれる秘密情報管理構造を生成する秘密情報管理構造生成処理と、
     秘密情報記憶領域に記憶されているn+1個以上の秘密情報のうちn個の秘密情報をノード秘密情報として前記秘密情報管理構造のn個のノードに対応付けて管理し、前記秘密情報記憶領域に記憶されている秘密情報のうちノード秘密情報以外の秘密情報をグループ化された複数個のノードに共通に適用されるグループ秘密情報として管理する秘密情報管理処理と、
     前記秘密情報管理構造のn個のノードのうちのm個のノードに前記m個の通信装置を割り当てるとともに、前記m個のノードのうちマルチキャスト対象通信装置が割り当てられているノードを正当ノードとして指定し、前記m個のノードのうちマルチキャスト対象通信装置以外の通信装置が割り当てられているノードを失効ノードとして指定し、前記n個のノードのうち通信装置が割り当てられていないノードを未使用ノードとして指定する装置割当て処理と、
     前記n個のノードにおける正当ノードの位置と失効ノードの位置と未使用ノードの位置に基づき、複数個の正当ノードをグループ化できるか否かを判断し、グループ化できる複数個の正当ノードに対してはグループ秘密情報を適用し、グループ化できない正当ノードに対しては対応付けられているノード秘密情報を適用して、前記マルチキャスト対象通信装置にマルチキャスト送信する暗号化メッセージの暗号化に用いる秘密情報を選択する秘密情報選択処理とを実行させることを特徴とするプログラム。     To a computer that multicasts an encrypted message encrypted using secret information to two or more multicast target communication devices selected from among m (m ≧ 2) communication devices as multicast transmission targets,
    A secret information management structure generation process for generating a secret information management structure including n (n> m) nodes arranged;
    N secret information among n + 1 or more secret information stored in the secret information storage area is managed as node secret information in association with n nodes of the secret information management structure, and stored in the secret information storage area Secret information management processing for managing secret information other than node secret information among stored secret information as group secret information that is commonly applied to a plurality of nodes grouped;
    The m communication devices are allocated to m nodes among the n nodes of the secret information management structure, and the node to which the multicast target communication device is allocated among the m nodes is designated as a valid node. Then, a node to which a communication device other than the multicast target communication device is assigned among the m nodes is designated as an invalid node, and a node to which no communication device is assigned among the n nodes is designated as an unused node. A device allocation process to be specified;
    Based on the position of the valid node, the position of the invalid node and the position of the unused node in the n nodes, it is determined whether or not a plurality of valid nodes can be grouped. Secret information used for encryption of encrypted messages that are multicast-transmitted to the multicast target communication device by applying group secret information and applying corresponding node secret information to legitimate nodes that cannot be grouped And a secret information selection process for selecting the program.
PCT/JP2008/061400 2008-06-23 2008-06-23 Information processing device and program WO2009157050A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
PCT/JP2008/061400 WO2009157050A1 (en) 2008-06-23 2008-06-23 Information processing device and program
JP2010517608A JPWO2009157050A1 (en) 2008-06-23 2008-06-23 Information processing apparatus and program

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/JP2008/061400 WO2009157050A1 (en) 2008-06-23 2008-06-23 Information processing device and program

Publications (1)

Publication Number Publication Date
WO2009157050A1 true WO2009157050A1 (en) 2009-12-30

Family

ID=41444128

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/JP2008/061400 WO2009157050A1 (en) 2008-06-23 2008-06-23 Information processing device and program

Country Status (2)

Country Link
JP (1) JPWO2009157050A1 (en)
WO (1) WO2009157050A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2017108451A (en) * 2017-02-21 2017-06-15 株式会社東芝 Communication control device, communication control method, program and communication system

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2001186119A (en) * 1999-12-22 2001-07-06 Nippon Telegr & Teleph Corp <Ntt> Key management method using tree structure and key management system, and recording medium
JP2003204321A (en) * 2001-10-26 2003-07-18 Matsushita Electric Ind Co Ltd Literary work protective system and key management system
JP2005333241A (en) * 2004-05-18 2005-12-02 Pioneer Electronic Corp Key management system and reproducing apparatus
WO2005122464A1 (en) * 2004-06-07 2005-12-22 National Institute Of Information And Communications Technology Communication method and communication system using decentralized key managing scheme

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2001186119A (en) * 1999-12-22 2001-07-06 Nippon Telegr & Teleph Corp <Ntt> Key management method using tree structure and key management system, and recording medium
JP2003204321A (en) * 2001-10-26 2003-07-18 Matsushita Electric Ind Co Ltd Literary work protective system and key management system
JP2005333241A (en) * 2004-05-18 2005-12-02 Pioneer Electronic Corp Key management system and reproducing apparatus
WO2005122464A1 (en) * 2004-06-07 2005-12-22 National Institute Of Information And Communications Technology Communication method and communication system using decentralized key managing scheme

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
DALIT NAOR ET AL.: "Revocation and Tracing Schemes for Stateless Receivers", LNCS, vol. 2139, 28 August 2001 (2001-08-28), pages 41 - 62 *

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2017108451A (en) * 2017-02-21 2017-06-15 株式会社東芝 Communication control device, communication control method, program and communication system

Also Published As

Publication number Publication date
JPWO2009157050A1 (en) 2011-12-01

Similar Documents

Publication Publication Date Title
US7340603B2 (en) Efficient revocation of receivers
KR100543630B1 (en) Method for broadcast encryption and key revocation of stateless receivers
US20070133806A1 (en) Information processing method, decryption method, information processing device, and computer program
JP2001358707A (en) Information processing system and method using cryptographic key block and program providing medium
JP2006086568A (en) Information processing method, decryption processing method, information processing apparatus, and computer program
KR101485460B1 (en) Method of tracing device keys for broadcast encryption
JP2006115464A (en) Information processing method, decoding method, information processing device, and computer program
JP4561074B2 (en) Information processing apparatus, information processing method, and computer program
JP2008131072A (en) Information processor, terminal device, information processing method, and key generation method
JP4161859B2 (en) Information processing apparatus, information recording medium, information processing method, and computer program
WO2009157050A1 (en) Information processing device and program
JP2004229128A (en) Encryption data distribution system, information processor and information processing method, and computer program
JP2007189597A (en) Encryption device, encryption method, decoding device, and decoding method
JP2008092514A (en) Information processing apparatus, information processing method, and computer program
JP5279824B2 (en) Information processing apparatus and program
JP4635459B2 (en) Information processing method, decoding processing method, information processing apparatus, and computer program
JP2007020025A (en) Information processing device, information processing method, and computer program
JP2005191805A (en) Encryption message distribution method, information processing device, information processing method, and computer program
JP5052207B2 (en) Broadcast encryption system capable of tracking unauthorized persons, center device and user device thereof, program thereof and recording medium thereof
Zhang et al. Cloud-Aided Scalable Revocable Identity-Based Encryption with Ciphertext Update from Lattices
JP4576824B2 (en) Information processing apparatus and information processing method
JP2008131079A (en) Information processor, terminal device, information processing method, and key generation method
JP2005109753A (en) Method and apparatus for processing key information, and program
JP2005252916A (en) Information processing method and apparatus, decoding processing method, and computer program
KR20210117733A (en) Method and apparatus for decryption using externaldevice or service on revocation mechanism, method andapparatus for supporting decryption therefor

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 08790561

Country of ref document: EP

Kind code of ref document: A1

ENP Entry into the national phase

Ref document number: 2010517608

Country of ref document: JP

Kind code of ref document: A

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 08790561

Country of ref document: EP

Kind code of ref document: A1