Key distribution method and system in secure broadcast communication

Information

  • Patent Grant
  • 6512829
  • Patent Number
    6,512,829
  • Date Filed
    Tuesday, March 7, 2000
  • Date Issued
    Tuesday, January 28, 2003
Abstract
A key distribution method and system are disclosed in which a sender and receivers share common key information for performing a secure broadcast communication. By use of a center side apparatus, a center generates key information of a receiver in association with a subset inclusive of two or more elements of a proper finite set S1 on the basis of a space determined by a subset inclusive of two or more elements of another finite set S2. By use of a sender side apparatus, a sender makes the multi-address transmission of key distribution data W inclusive of data generated corresponding to each element of the finite set S1 and data generated corresponding to a set of plural receivers through a communication network. By use of a receiver side apparatus, a receiver generates common key information between the sender and the receiver from the key distribution data W and the key information of the receiver.
Description




BACKGROUND OF THE INVENTION




The present invention relates to a key distribution method and system in secure broadcast communication.




Up to now, several methods have been proposed in regard to secure broadcast communication (or key management).




For example, a copied key method disclosed by S. J. Kent, “Security requirement and protocols for a broadcast scenario”, IEEE Trans. Commun., COM-29, 6, pp. 778-786 (1981) is fundamental. The copied key method is the simple extension of the conventional one-to-one cryptographic individual communication to a multi-address communication. The copy of one kind of key is distributed to a sender and a plurality of normal receivers. The sender enciphers information by use of the copied key and transmits the enciphered information. The normal receiver deciphers the information by use of the same copied key.




The other methods include (i) a secure broadcast communication method disclosed by K. Koyama, “A Cryptosystem Using the Master Key for Multi-Address Communication”, Trans. IEICE, J65-D, 9, pp. 1151-1158 (1982) which uses a master key alternative to RSA individual key, (ii) a key distribution system disclosed by Lee et al., “A Multi-Address Communication Using a Method of Multiplexing and Demultiplexing”, the Proc. of the 1986 Symposium on Cryptography and Information Security, SCIS86 (1986) which is based on the multiplexing and demultiplexing of information trains using the Chinese remainder theorem, and (iii) a system disclosed by Mambo et al., “Efficient Secure Broadcast Communication Systems”, IEICE Technical Report, ISEC93-34 (October 1993).




According to the system for performing the multiplexing and demultiplexing of information trains by use of the Chinese remainder theorem, the following processes are performed.




(1) Key Generating Process




For the receivers $i$ ($1 \le i \le r$), $s$ coprime integers $g_1, g_2, \ldots, g_s$ ($r \le s$) are generated, and $g_i$ is distributed beforehand to the receiver $i$ as confidential information of the receiver $i$.




(2) Enciphering Process




It is assumed that $s$ information trains to be multiplexed are $M_1, M_2, \ldots, M_s$. A sender calculates a multiplexed transmit sentence $F$ in accordance with

$$F = \sum_{i=1}^{k} A_i G_i M_i \bmod G$$

and makes the multi-address transmission of $F$, wherein $G$ and $G_i$ are given by the following and $A_i$ is the least integer which satisfies the congruence:

$$G = \prod_{i=1}^{k} g_i,$$

$$G_i = G / g_i,$$

$$A_i G_i \equiv 1 \pmod{g_i}.$$




(3) Deciphering Process




The receiver $i$ demultiplexes $M_i$ from $F$ by use of $g_i$ in accordance with

$$M_i = F \bmod g_i$$








According to the system disclosed by Mambo et al., “Efficient Secure Broadcast Communication Systems”, IEICE Technical Report, ISEC93-34 (October 1993), the following processes are performed.




(1) Key Generating Process




A reliable center generates the following information.




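Confidential information:

$$P = 2p + 1,\quad Q = 2q + 1:\ \text{prime number}\quad (p, q:\ \text{prime number})$$

$$e_i \in Z,\quad 0 < e_i < L \quad (1 \le i \le m)$$

Public information:

$$g \in Z,\quad 0 < g < N$$

$$N = PQ$$

$$v_i = g^{e_i} \bmod N \quad (1 \le i \le m).$$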






The center calculates $s_\sigma$ satisfying

$$s_\sigma \sum_{i=1}^{k} e_{\sigma(i)} \equiv 1 \pmod{L}$$

for $\sigma \in S$ and distributes $s_\sigma$ as confidential information of a receiver $U_\sigma$, wherein set $S = \{f \mid \text{one-to-one map } f: A = \{1, 2, \ldots, k\} \to B = \{1, 2, \ldots, m\},\ m > k\}$.




(2) Key Distribution Process




(i) A sender randomly selects an integer $r$ to calculate

$$z_i = v_i^{r} \bmod N \quad (1 \le i \le m)$$

with the object of sharing a common key

$$K = g^{r} \bmod N$$

in common with the receiver and makes the multi-address transmission of $z_i$ ($1 \le i \le m$).




(ii) The receiver $U_\sigma$ calculates the common key $K$ in accordance with

$$K = \left(\prod_{i=1}^{k} z_{\sigma(i)}\right)^{s_\sigma} \bmod N.$$












In the above-mentioned key distribution based on the multiplexing method using the Chinese remainder theorem, the length of key distribution data becomes large in proportion to the number of receivers since the key distribution data for individual users are transmitted in a serially arranged manner. This offers a problem from an aspect of efficiency in the case where several millions of receivers are made an object as in a broadcasting satellite service.




On the other hand, in the system disclosed by Mambo et al., “Efficient Secure Broadcast Communication Systems”, IEICE Technical Report, ISEC93-34 (October 1993), the length of key distribution data can be reduced even in the case where the number of receivers is large. However, this system has a problem in security that if receivers conspire with each other, confidential information of another receiver can be calculated. Also, it is not possible to possess a key in common with only receivers which belong to any set of receivers.
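
The key generation and key distribution steps of the Mambo et al. system as summarised above, as an added example that is not part of the patent text: the center issues one key per k-subset, the sender broadcasts only m values, and every keyed receiver recovers the same K. The section above leaves L undefined, so L = lcm(P−1, Q−1) is an assumption here; the toy parameters and function names are constructed for illustration.

```python
from itertools import combinations
from math import gcd

# Constructed toy parameters; they only show the arithmetic.
P, Q = 23, 47                  # P = 2p+1, Q = 2q+1 with p = 11, q = 23
N = P * Q                      # public modulus N = PQ
L = (P - 1) * (Q - 1) // gcd(P - 1, Q - 1)   # assumption: L = lcm(P-1, Q-1)
G_BASE = 5                     # public g, 0 < g < N, coprime to N
E = [3, 7, 13, 17, 19]         # center's confidential e_1..e_m (m = 5)
K_SIZE = 3                     # k, the number of indices each receiver uses


def public_values():
    """Center: v_i = g^{e_i} mod N (list index 0 holds v_1)."""
    return [pow(G_BASE, e, N) for e in E]


def receiver_key(sigma):
    """Return s_sigma with s_sigma * sum(e_sigma(i)) ≡ 1 (mod L).

    Returns None when the sum shares a factor with L, because then no
    such s_sigma exists and the subset cannot be assigned to a receiver.
    """
    total = sum(E[i] for i in sigma) % L
    if gcd(total, L) != 1:
        return None
    return pow(total, -1, L)


def issue_keys():
    """Center: map every usable k-subset sigma (0-based indices) to s_sigma."""
    keys = {}
    for sigma in combinations(range(len(E)), K_SIZE):
        s_sigma = receiver_key(sigma)
        if s_sigma is not None:
            keys[sigma] = s_sigma
    return keys


def broadcast(r):
    """Sender: z_i = v_i^r mod N for all i, and the common key K = g^r mod N."""
    z = [pow(v, r, N) for v in public_values()]
    return z, pow(G_BASE, r, N)


def recover(z, sigma, s_sigma):
    """Receiver U_sigma: K = (product of z_sigma(i))^{s_sigma} mod N."""
    product = 1
    for i in sigma:
        product = product * z[i] % N
    return pow(product, s_sigma, N)


if __name__ == "__main__":
    keys = issue_keys()
    z, key = broadcast(r=123)
    print(len(z), "broadcast values serve", len(keys), "receivers")
    for sigma, s_sigma in keys.items():
        print(sigma, recover(z, sigma, s_sigma) == key)
```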




SUMMARY OF THE INVENTION




Therefore, a principal object of the present invention is to provide a key distribution method and system for secure broadcast communication having the following features:




(1) receivers possess individual confidential key information to share a data enciphered key between the receivers;




(2) even in the case where the number of receivers is large, it is possible to reduce the length of key distribution data;




(3) even if receivers club their confidential information in conspiracy with each other, it is difficult to calculate key information of another receiver and confidential information of a key generator; and




(4) it is possible to possess the data enciphered key in common with only receivers which belong to any set of receivers.




To that end, a key generator generates a finite set S including a plurality of confidential information of the key generator and a finite set P including public information of the key generator, generates confidential key information s(x) of a receiver x from elements of a subset $S_x$ of the confidential information S on a space determined by a subset $V_x$ of the set S or P, and distributes the key information s(x) to the receiver x. A sender performs an operation of adding random numbers to elements in the public information corresponding to the elements of the set S and makes the multi-address transmission of a set R(P) including the elements which result from the operation. The receiver x selects a set R(P, x) of elements corresponding to $S_x$ from R(P) to calculate a common key between the sender and the receiver from each element of R(P, x) and the confidential key information s(x). The common key corresponds to a data enciphered key.




According to a method for possessing a key in common with only receivers which belong to any set of receivers (in this case, a broadcasting station is a key generator and a sender), the broadcasting station generates confidential key information s(x) of a receiver x from a subset $S_x$ of a finite set S including a plurality of elements and distributes the key information s(x) to the receiver x. The broadcasting station performs an operation of adding an arbitrarily selected random number to each element of a set P including values corresponding to the elements of the set S and makes the multi-address transmission of a set R(P) including the elements which result from the operation. The broadcasting station further transmits to only the limited receiver a value t(x) characteristic of the receiver x which corresponds to the confidential key information s(x) of the receiver x. The receiver x selects a set R(P, x) of elements corresponding to $S_x$ from R(P) to calculate a common key between the broadcasting station and the receiver from the elements of R(P, x), the key information s(x) and the value t(x) of the receiver x.




In the following, mention will be made of a specific realizing example of a method in which the length of key distribution data is short even in the case of a large number of receivers and the security against the conspiracy attack of receivers is improved.




As a preparatory process, a key generator generates

$$P, Q:\ \text{prime number}$$

$$e_i \in Z,\quad 0 < e_i < L = \mathrm{lcm}(P-1, Q-1) \quad (1 \le i \le m)$$

as confidential information of the key generator and generates

$$N = PQ$$

$$g_j \in Z,\quad 0 < g_j < N \quad (1 \le j \le n)$$

$$u_{ij} = g_j^{e_i} \bmod N \quad (1 \le i \le m,\ 1 \le j \le n)$$

$$n = kl,\quad k, l\ (>0) \in Z$$

as public information of the key generator.




Further, the key generator calculates $s_{x,(\pi,\sigma)} = (s_{x,\pi_1(1)}, \ldots, s_{x,\pi_1(h)}, \ldots, s_{x,\pi_l(1)}, \ldots, s_{x,\pi_l(h)})$ satisfying

$$\sum_{j=1}^{h} s_{x,\pi_i(j)}\, e_{\pi_i(j)} \equiv 1 \pmod{L_{\sigma_i}} \quad (1 \le i \le l)$$

for $\pi = (\pi_1, \ldots, \pi_l) \in R_{k,n}$, $\sigma = (\sigma_1, \ldots, \sigma_l) \in S_{k,n}$ and distributes $s_{x,(\pi,\sigma)}$ as key information of a receiver $x$. Therein,

$$L_{\sigma_i} = \mathrm{ord}_N\!\left(\prod_{j=1}^{k} g_{\sigma_i(j)}\right) \quad (1 \le i \le l).$$












Also, when $\sigma = (\sigma_1, \ldots, \sigma_l)$, $\sigma' = (\sigma'_1, \ldots, \sigma'_l) \in S'_{k,n}$ for set $R_{k,n} = \{\pi = (\pi_1, \ldots, \pi_l) \mid \text{one-to-one map } \pi_i: \{1, 2, \ldots, h\} \to \{1, 2, \ldots, m\}\ (1 \le i \le l,\ 1 \le h \le m)\}$, set $S'_{k,n} = \{\sigma = (\sigma_1, \ldots, \sigma_l) \mid \text{one-to-one map } \sigma_i: A = \{1, 2, \ldots, k\} \to B = \{1, 2, \ldots, n\}\ (1 \le i \le l),\ \sigma_1(A) \cup \cdots \cup \sigma_l(A) = B\}$, a relation

$$\sigma \sim \sigma' \overset{\mathrm{def}}{\iff} \sigma_i(A) = \sigma'_{\tau(i)}(A) \quad (1 \le i \le l)$$

is defined in regard to a proper permutation $\tau$ on a set $\{1, 2, \ldots, l\}$. At this time, “~” represents an equivalence relation on $S'_{k,n}$ and $S_{k,n}$ is $S_{k,n} = S'_{k,n}/\sim$.




As a key distribution process,




(1) a sender randomly selects an integer $r$ to calculate

$$y_{ij} = u_{ij}^{r} \bmod N \quad (1 \le i \le m;\ 1 \le j \le n)$$

from the public information with the object of sharing a common key $K$

$$K = \prod_{i=1}^{n} g_i^{r} \bmod N$$

and makes the multi-address transmission of $y_{ij}$.




(2) The receiver $x$ calculates the common key $K$ in accordance with

$$K = \prod_{i=1}^{l} \prod_{p=1}^{h} \prod_{q=1}^{k} y_{\pi_i(p)\,\sigma_i(q)}^{\,s_{x,\pi_i(p)}} \bmod N$$

wherein $Z$ represents the set of all integers, lcm(a,b) represents the lowest common multiple of integers $a$ and $b$, and the least positive integer $x$ satisfying $g^{x} \equiv 1 \pmod N$ for an integer $N$ is represented by $\mathrm{ord}_N(g)$.




According to the key distribution method of the present invention, the length of key distribution data can be reduced even in the case where the number of receivers is large. Also, even if unfair receivers club their confidential information, it is difficult to perform irregular practices. Therefore, the data distribution can be performed with a high efficiency and a high security.











BRIEF DESCRIPTION OF THE DRAWINGS





FIG. 1 is a diagram showing the construction of a system in first and second embodiments of the present invention;

FIG. 2 is a diagram showing the internal construction of a center side apparatus in the first and second embodiments of the present invention;

FIG. 3 is a diagram showing the internal construction of a sender side apparatus in the first and second embodiments of the present invention;

FIG. 4 is a diagram showing the internal construction of a receiver side apparatus in the first and second embodiments of the present invention;

FIG. 5 is a diagram showing the construction of a system in third, fourth and eighth embodiments of the present invention;

FIG. 6 is a diagram showing the internal construction of a sender side apparatus in the third, fourth and eighth embodiments of the present invention;

FIG. 7 is a diagram showing the internal construction of a receiver side apparatus in the third, fourth and eighth embodiments of the present invention;

FIG. 8 is a diagram showing the internal construction of a server in the third, fourth and eighth embodiments of the present invention;

FIG. 9 is a diagram showing the internal construction of an IC card in sixth and seventh embodiments of the present invention;

FIG. 10 is a diagram showing the outline of the third and fourth embodiments of the present invention; and

FIG. 11 is a diagram showing the basic scheme of reduction in key distribution data amount in the embodiments of the present invention.











DESCRIPTION OF THE PREFERRED EMBODIMENTS





FIG. 11 is a diagram showing the basic scheme of reduction in key distribution data amount in the present invention.

According to FIG. 11, a key generator extracts $k$ pieces of information from $m$ pieces of confidential information $a_1, a_2, \ldots, a_m$ and generates confidential key information of a receiver from the extracted information. At this time, it is possible to obtain a number of combinations which is sufficiently large as compared with the value of $m$. For example, when $(m, k) = (30, 15)$, the keys of one hundred and fifty million receivers can be generated.

The key generator opens public information $b_1, b_2, \ldots, b_m$ corresponding to the confidential information $a_1, a_2, \ldots, a_m$ to the public. A sender selects random numbers $r$ and transmits information $c_1, c_2, \ldots, c_m$ obtained by applying the random numbers to the public information $b_1, b_2, \ldots, b_m$.

A receiver selects the same combination as that at the time of generation of the confidential information of the receiver from the information $c_1, c_2, \ldots, c_m$ to perform the calculation of a common key by use of the confidential information of the receiver.

Thereby, the mere transmission of $m$ data makes it possible to possess the key in common with receivers the number of which is not larger than $m!/((m-k)!\,k!)$.




[Description of Symbols]




Prior to the description of embodiments of the present invention, explanation will be made of some symbols used in the description.




$Z$ represents the set of all integers, and lcm(a,b) represents the lowest common multiple of integers $a$ and $b$. Also, $\mathrm{ord}_p(g) = m$ for a prime number $p$ and a positive integer $g$ means that the least integer $x > 0$ satisfying $g^{x} \equiv 1 \pmod p$ is $m$, and $\min\{a_1, a_2, \ldots, a_n\}$ represents the least value in $a_1, a_2, \ldots, a_n$ ($a_i \in Z$).




(First Embodiment)




In a first embodiment, description will be made of a method in which a sender and a plurality of receivers share a common key information in order to perform a secure broadcast communication.





FIG. 1 is a diagram showing the construction of a system in the present embodiment. This system includes a center side apparatus 100, a sender side apparatus 200 and receiver side apparatuses 300.

FIG. 2 shows the internal construction of the center side apparatus 100. The center side apparatus 100 is provided with a random number generator 101, a prime number generator 102, an arithmetic unit 103, a power multiplier 104, a residue operator 105 and a memory 106.

FIG. 3 shows the internal construction of the sender side apparatus 200. The sender side apparatus 200 is provided with a random number generator 201, a power multiplier 202, a residue operator 203, a memory 204 and a communication unit 205.

FIG. 4 shows the internal construction of the receiver side apparatus 300. The receiver side apparatus 300 is provided with a communication unit 301, a power multiplier 302, a residue operator 303 and a memory 304.




1. Preparatory Process




A reliable center generates the following information by use of the random number generator 101, the prime number generator 102, the arithmetic unit 103, the power multiplier 104 and the residue operator 105 in the center side apparatus 100 shown in FIG. 2.

Confidential information:

$$P_i, Q_i:\ \text{prime number} \quad (1 \le i \le m)$$

$$L_i = \mathrm{lcm}(\mathrm{ord}_{P_i}(g), \mathrm{ord}_{Q_i}(g)) \quad (1 \le i \le m)$$

$$e_i \in Z,\quad 0 < e_i < L = \mathrm{lcm}(L_1, L_2, \ldots, L_m) \quad (1 \le i \le n)$$

Public information:

$$N_i = P_i Q_i \quad (1 \le i \le m)$$

$$g \in Z,\quad 0 < g < N$$

$$N = \prod_{i=1}^{m} N_i$$

$$v_i = g^{h_i(e_1, \ldots, e_n)} \bmod N \quad (1 \le i \le M).$$












The center opens only the public information to the public. The confidential information is stored into the memory 106.




Further, the center calculates $s_{x,\tau} = (s_{x,\tau(1)}, s_{x,\tau(2)}, \ldots, s_{x,\tau(d)})$ satisfying

$$\sum_{i=1}^{d} s_{x,\tau(i)}\, h_{\tau(i)}(e_1, \ldots, e_n) \equiv 1 \pmod{L_{\sigma_x}}$$

for $\sigma_x \in S$ and $\tau \in T$ by use of the arithmetic unit 103 and the residue operator 105 in the center side apparatus 100 and distributes $s_{x,\tau}$ as key information of a receiver $x$. Therein,

$$L_{\sigma} = \mathrm{lcm}(L_{\sigma(1)}, L_{\sigma(2)}, \ldots, L_{\sigma(k)}).$$






Also, $h_i(X_1, \ldots, X_n)$ ($1 \le i \le M$) represents a monomial of $X_1, \ldots, X_n$ on $Z$. For set $S' = \{f \mid \text{one-to-one map } f: A = \{1, 2, \ldots, k\} \to B = \{1, 2, \ldots, m\},\ m > k\}$, $\sigma_1, \sigma_2 \in S'$, a relation “~” on $S'$ is defined as

$$\sigma_1 \sim \sigma_2 \overset{\mathrm{def}}{\iff} \sigma_1(A) = \sigma_2(A),$$

and a quotient set of $S'$ concerning “~” is defined as $S$. Further, set $T = \{f \mid \text{one-to-one map } f: A = \{1, 2, \ldots, d\} \to B = \{1, 2, \ldots, M\},\ M \ge d\}$.




Here, $s_{x,\tau}$ is generated so as to satisfy the condition of a secure key that $\pi_x \ne g$ for

$$\pi_x = g^{\sum_{i=1}^{d} s_{x,\tau(i)}\, h_{\tau(i)}(e_1, \ldots, e_n)} \bmod N.$$












2. Key Distribution Process




(1) A sender randomly selects an integer $r$ by use of the random number generator 201 in the sender side apparatus 200 shown in FIG. 3 to calculate a common key $K$ by use of the power multiplier 202 and the residue operator 203 so that

$$0 < K = g^{r} \bmod N,$$

$$\pi_x^{r} \bmod N < \min\Bigl\{ N_\sigma = \prod_{i=1}^{k} N_{\sigma(i)} \Bigm| \sigma \in S \Bigr\}$$

is satisfied. $K$ is stored into the memory 204. Further, the sender calculates

$$z_i = v_i^{r} \bmod N \quad (1 \le i \le M)$$

with the object of possessing the key $K$ in common with the receiver and makes the multi-address transmission of data $W$ obtained by multiplexing $z_i$ ($1 \le i \le M$) by use of the communication unit 205 (in accordance with, for example, the multiplexing method using the Chinese remainder theorem mentioned in “BACKGROUND OF THE INVENTION”). The transmission is made through a communication network 400.




(2) The receiver side apparatus 300 (see FIG. 4) of the receiver $x$ demultiplexes $z_{\tau(i)}$ ($1 \le i \le d$) from the transmit data $W$ by use of the communication unit 301 and uses the power multiplier 302 and the residue operator 303 to calculate the common key $K$ from $s_{x,\tau}$ and $N$ in the memory 304 in accordance with

$$K = \prod_{i=1}^{d} z_{\tau(i)}^{\,s_{x,\tau(i)}} \bmod N.$$

The calculated common key $K$ is stored into the memory 304.




According to the present embodiment, a space for generating the key information of a receiver is changed for each receiver. (The space is determined by the value of $L_{\sigma_x}$.) Therefore, the security against the conspiracy attack of receivers is improved as compared with that in the system disclosed by Mambo et al., “Efficient Secure Broadcast Communication Systems”, IEICE Technical Report, ISEC93-34 (October 1993) mentioned in “BACKGROUND OF THE INVENTION”.




(Second Embodiment)




In a second embodiment, description will be made of a method in which a sender and a plurality of receivers share a common key information in order to perform a secure broadcast communication.




The construction of a system is the same as that shown in FIG. 1 in conjunction with the first embodiment.




1. Preparatory Process




A reliable center generates the following information by use of the random number generator 101, the prime number generator 102, the arithmetic unit 103, the power multiplier 104 and the residue operator 105 in the center side apparatus 100 shown in FIG. 2.

Confidential information:

$$P_i, Q_i:\ \text{prime number} \quad (1 \le i \le m)$$

$$e_i \in Z,\quad 0 < e_i < L = \mathrm{lcm}(L_1, L_2, \ldots, L_m) \quad (1 \le i \le n)$$

Public information:

$$N_i = P_i Q_i \quad (1 \le i \le m)$$

$$g_i \in Z,\quad 0 < g_i < M \quad (1 \le i \le M)$$

$$N = \prod_{i=1}^{m} N_i$$

$$V = (v_{ij}),\quad v_{ij} = g_i^{\,h_j(e_1, \ldots, e_n)} \bmod N \quad (1 \le i, j \le M).$$













The center opens only the public information to the public. The confidential information is stored into the memory 106.




Further, the center calculates $s_{\sigma_x} = ((s_{\sigma_{x,1}(1)}, s_{\sigma_{x,1}(2)}, \ldots, s_{\sigma_{x,1}(k)}), \ldots, (s_{\sigma_{x,a}(1)}, s_{\sigma_{x,a}(2)}, \ldots, s_{\sigma_{x,a}(k)}))$ satisfying

$$\sum_{i=1}^{k} s_{\sigma_{x,j}(i)}\, h_{\sigma_{x,j}(i)}(e_1, \ldots, e_n) \equiv 1 \pmod{L_{\sigma_{x,j}}}, \quad (1 \le j \le a)$$

for $\sigma_x = (\sigma_{x,1}, \ldots, \sigma_{x,a}) \in S$, $\sigma'_x = (\sigma'_{x,1}, \ldots, \sigma'_{x,a}) \in T$ by use of the arithmetic unit 103 and the residue operator 105 in the center side apparatus 100 and distributes $s_{\sigma_x}$ and

$$N_{\sigma_{x,i}} = \prod_{j=1}^{d} N_{\sigma_{x,i}(j)}, \quad (i = 1, \ldots, a)$$

as key information of a receiver $x$. Therein,

$$L_{\sigma_{x,i}} = \mathrm{ord}_{N_{\sigma_{x,i}}}\!\left(\prod_{j=1}^{k} g_{\sigma_{x,i}(j)}\right), \quad (i = 1, \ldots, a;\ a:\ \text{positive integer}).$$











Also, $h_i(X_1, \ldots, X_n)$ ($1 \le i \le m$) represents a monomial of $X_1, \ldots, X_n$ on $Z$. For set $S'(M) = \{\sigma = (\sigma_1, \ldots, \sigma_a) \mid \text{one-to-one map } \sigma_i: A = \{1, 2, \ldots, k\} \to B = \{1, 2, \ldots, M\}\ (i = 1, \ldots, a),\ \sigma_1(A) \cup \cdots \cup \sigma_a(A) = B,\ M = ak\}$, $\sigma = (\sigma_1, \ldots, \sigma_a)$, $\sigma' = (\sigma'_1, \ldots, \sigma'_a) \in S'(M)$, a relation

$$\sigma \sim \sigma' \overset{\mathrm{def}}{\iff} \{\sigma_1(A), \ldots, \sigma_a(A)\} = \{\sigma'_1(A), \ldots, \sigma'_a(A)\}$$

is defined and a quotient set of $S'(M)$ concerning “~” is defined as $S$. Further, with $m = ad$, a quotient set of $S'(m)$ concerning “~” is defined as $T$.




2. Key Distribution Process




(1) A sender randomly selects an integer $r$ by use of the random number generator 201 in the sender side apparatus 200 shown in FIG. 3 to calculate a common key $K$

$$K = \left(\prod_{i=1}^{M} g_i\right)^{r} \bmod N,$$

$$0 < \left(\prod_{j=1}^{k} g_{\sigma_{x,i}(j)}\right)^{r} \bmod N \le \min\bigl\{ N_{\sigma_{x,i}} \bigm| x, \sigma_x \bigr\}, \quad i = (1, \ldots, a)$$

by use of the power multiplier 202 and the residue operator 203 and stores $K$ into the memory 204. Further, the sender calculates

$$W = (w_{ij}),\quad w_{ij} = v_{ij}^{\,r} \bmod N \quad (1 \le i, j \le M)$$

with the object of possessing the key $K$ in common with the receiver and makes the multi-address transmission of the data $W$ through the communication network 400 by use of the communication unit 205.




(2) The receiver side apparatus 300 (see FIG. 4) of the receiver $x$, from the transmit data $W$ received by the communication device 301 and by use of the power multiplier 302 and the residue operator 303, calculates the common key $K$ from $s_{\sigma_x}$ and $N$ in the memory 304 in accordance with

$$K = \prod_{i=1}^{a} K_i \bmod N$$

wherein

$$K_t = \prod_{i=1}^{k} \left(\prod_{j=1}^{k} w_{\sigma_{x,t}(j)\,\sigma_{x,t}(i)}\right)^{s_{\sigma_{x,t}(i)}} \bmod N_{\sigma_{x,t}} \quad (1 \le t \le a).$$

The calculated common key $K$ is stored into the memory 304.




In the second embodiment, one condition for generation of a secure key may be

$$\sum_{i=1}^{k} s_{\sigma_{x,j}(i)}\, h_{\sigma_{x,j}(i)}(e_1, \ldots, e_n) \equiv 1 \pmod{\tilde{L}_{\sigma_{x,j}}}$$

$$\tilde{L}_{\sigma_{x,j}} = \mathrm{lcm}\bigl(\mathrm{ord}_{N_{\sigma_{x,j}}}(g_{\sigma_{x,j}(1)}), \ldots, \mathrm{ord}_{N_{\sigma_{x,j}}}(g_{\sigma_{x,j}(k)})\bigr) \quad (j = 1, \ldots, a)$$










According to the second embodiment, a space for generating the key information of a receiver is changed for each receiver. (This space is determined by the value of $L_{\sigma'_{x,1}}, \ldots, L_{\sigma'_{x,a}}$.) Therefore, the security against the conspiracy attack of receivers is improved as compared with that in the system disclosed by Mambo et al., “Efficient Secure Broadcast Communication Systems”, IEICE Technical Report, ISEC93-34 (October 1993) mentioned in “BACKGROUND OF THE INVENTION”.




(Third Embodiment)




The present embodiment corresponds to the case where a limited secure broadcast communication method based on the key distribution method according to the first embodiment is applied to an information distribution service system using a satellite. Namely, a broadcast station makes the secure broadcast communication of information (including onerous data) such as multimedia information to receivers by use of a satellite and only receivers entitled to looking and listening (or receivers under agreement for the payment of counter values) can decipher transmit data.





FIG. 5 is a diagram showing the construction of a system in the present embodiment. This system includes a broadcasting station side apparatus 500, receiver side apparatuses 600 and servers 700.

FIG. 6 shows the internal construction of the broadcasting station side apparatus 500. The broadcasting station side apparatus 500 is provided with a random number generator 501, a prime number generator 502, an arithmetic unit 503, a power multiplier 504, a residue operator 505, a key generating unit 506, an enciphering/deciphering unit 507, a communication unit 508 and a memory 509.

FIG. 7 shows the internal construction of the receiver side apparatus 600. The receiver side apparatus 600 is provided with a memory 601, a power multiplier 602, a residue operator 603, an arithmetic unit 604, an authentication unit 605, a communication unit 606, a key generating unit 607, an enciphering/deciphering unit 608 and an IC card connection unit 609.

FIG. 8 shows the internal construction of the server 700. The server 700 is provided with a communication unit 701, an enciphering/deciphering unit 702, a memory 703, an authentication unit 704 and an accounting unit 705.

FIG. 9 shows the internal construction of an IC card 800 possessed by a receiver. The IC card 800 is provided with a memory 801, a power multiplier 802, a residue operator 803 and an authentication information generating unit 804.

FIG. 10 is a diagram showing the outline of transfer of information between the broadcasting station side apparatus 500, the receiver side apparatus 600 and the server 700.




A set $R$ of receivers is $R = \bigcup_{\lambda \in \Lambda} R_\lambda$ for a family $\{R_\lambda\}_{\lambda \in \Lambda}$ of subsets and a server $S_\lambda$ is provided corresponding to each subset $R_\lambda$.




1. Preparatory Process




A broadcasting station generates the following information by use of the random number generator 501, the prime number generator 502, the arithmetic unit 503, the power multiplier 504 and the residue operator 505 in the broadcasting station side apparatus 500 and stores it in the memory 509 (see FIG. 6).

Confidential information:

$$P_i, Q_i:\ \text{prime number} \quad (1 \le i \le m)$$

$$L_i = \mathrm{lcm}(\mathrm{ord}_{P_i}(g), \mathrm{ord}_{Q_i}(g)) \quad (1 \le i \le m)$$

$$e_i \in Z,\quad 0 < e_i < L = \mathrm{lcm}(L_1, L_2, \ldots, L_m) \quad (1 \le i \le n)$$

Public information:

$$N_i = P_i Q_i \quad (1 \le i \le m)$$

$$g \in Z,\quad 0 < g < N$$

$$N = \prod_{i=1}^{m} N_i$$

$$v_i = g^{h_i(e_1, \ldots, e_n)} \bmod N \quad (1 \le i \le M).$$












The broadcasting station opens only the public information to the public.




Further, the broadcasting station generates $s_{x,\tau} = (s_{x,\tau(1)}, s_{x,\tau(2)}, \ldots, s_{x,\tau(d)})$ ($s_{x,\tau(i)} \in Z$, $0 < s_{x,\tau(i)} < L$, $\tau \in T$) by use of the random number generator 501 and distributes $s_{x,\tau}$ as key information of a receiver $x$. Therein, $h_i(X_1, \ldots, X_n)$ ($1 \le i \le M$) represents a monomial of $X_1, \ldots, X_n$ on $Z$. Also, set $T = \{f \mid \text{one-to-one map } f: A = \{1, 2, \ldots, d\} \to B = \{1, 2, \ldots, M\},\ M \ge d\}$.




The broadcasting station generates a random number $r'$ ($0 \le r' \le L$) for $\sigma_x \in S$ by use of the random number generator 501 in the broadcasting station side apparatus 500 and calculates $u_{x,\tau} = (u_{x,\tau(1)}, u_{x,\tau(2)}, \ldots, u_{x,\tau(d)})$ satisfying

$$\sum_{i=1}^{d} u_{x,\tau(i)}\, s_{x,\tau(i)}\, h_{\tau(i)}(e_1, \ldots, e_n) \equiv r' \pmod{L_{\sigma_x}}$$

by use of the arithmetic unit 503 and the residue operator 505, wherein

$$L_\sigma = \mathrm{lcm}(L_{\sigma(1)}, L_{\sigma(2)}, \ldots, L_{\sigma(k)}) \quad (\sigma \in S).$$






Also, for set $S' = \{f \mid \text{one-to-one map } f: A = \{1, 2, \ldots, k\} \to B = \{1, 2, \ldots, m\},\ m \ge k\}$, $\sigma_1, \sigma_2 \in S'$, a relation “~” on $S'$ is defined as

$$\sigma_1 \sim \sigma_2 \overset{\mathrm{def}}{\iff} \sigma_1(A) = \sigma_2(A),$$

and a quotient set of $S'$ concerning “~” is defined as $S$.




Here, $s_{x,\tau}$ is generated so as to satisfy the condition of a secure key that $\pi_x \ne g$ for

$$\pi_x = g^{\sum_{i=1}^{d} s_{x,\tau(i)}\, h_{\tau(i)}(e_1, \ldots, e_n)} \bmod N.$$












2. Enciphering/Deciphering Process




(1) The broadcasting station randomly selects an integer r ($0 \le r \le L$) by use of the random number generator 501 in the broadcasting station side apparatus 500 so that

$$0 < g^{rr'} \bmod N,$$

$$\pi_x^{rr'} \bmod N < \min\Bigl\{ N_\sigma = \prod_{i=1}^{k} N_{\sigma(i)} \Bigm| \sigma \in S \Bigr\}$$

is satisfied, and generates a data enciphered key $K = f(g^{rr'} \bmod N)$ by use of the power multiplier 504, the residue operator 505 and the key generating unit 506. Further, the broadcasting station calculates

$$z_i = v_i^{\,r} \bmod N \quad (1 \le i \le M)$$

and makes the multi-address transmission of an enciphered sentence C=E(K:P) obtained by enciphering data P by the key K by use of the enciphering/deciphering unit 507 and data W obtained by multiplexing $z_i$ ($1 \le i \le M$) by use of the communication unit 508 (in accordance with, for example, the multiplexing method using the Chinese remainder theorem mentioned in “BACKGROUND OF THE INVENTION”). Herein, f is a key generation function of a confidential key enciphering system opened to the public. Further, the broadcasting station generates

$$V_\lambda = \{ u_{x,\tau} = (u_{x,\tau(1)}, \ldots, u_{x,\tau(d)}) \mid x \in R_\lambda \}$$

for each $\lambda \in \Lambda$ by use of the arithmetic unit 503 and the residue operator 505 in the broadcasting station side apparatus 500, obtains an enciphered sentence $C_\lambda = E(K(S_\lambda) : V_\lambda)$ by enciphering $V_\lambda$ by a key $K(S_\lambda)$ by use of the enciphering/deciphering unit 507 and transmits $C_\lambda$ to the server 700 ($S_\lambda$) by use of the communication unit 508. The key $K(S_\lambda)$ is shared between the broadcasting station and the server 700 ($S_\lambda$) beforehand.




(2) In order to see the data P, a receiver x uses the communication unit 606 in the receiver side apparatus 600 shown in FIG. 7 to make access to a server 700 in an area to which the receiver belongs. And, the receiver uses the authentication unit 605 in the receiver side apparatus 600 (and the server 700 uses the authentication unit 704) to make the authentication by demonstrating the possession of the confidential information $s_{x,\tau}$. If the authentication is materialized, the server 700 transmits $u_{x,\tau} = (u_{x,\tau(1)}, u_{x,\tau(2)}, \ldots, u_{x,\tau(k)})$ in the memory 703 to the receiver side apparatus 600 of the receiver x by use of the communication unit 701.




At this time, in the case where the data P is onerous, the server 700 performs a process for account to the receiver x by use of the accounting unit 705.




(3) The receiver side apparatus 600 of the receiver x calculates a data enciphered key K from $s_{x,\tau}$ in the memory 601 by use of the power multiplier 602, the residue operator 603 and the key generating unit 607 in accordance with

$$K = \prod_{i=1}^{d} z_{\tau(i)}^{\,u_{x,\tau(i)}\, s_{x,\tau(i)}} \bmod N$$

and deciphers the data P from the enciphered sentence by use of the enciphering/deciphering unit 608.




Also, a method for authentication by the receiver x for the server 700 in the step (2) of the above-mentioned enciphering/deciphering process can rely upon a known authentication system, so far as it is a method with which the authentication is not materialized if the receiver x does not know $s_{x,\tau}$.




In the following, a method using a signature as disclosed by RSA (R. L. Rivest, A. Shamir and L. Adleman, “A method for obtaining digital signatures and public key cryptosystems”, Commun. of the ACM, Vol. 21, No. 2, pp. 120-126 (1987)) will be mentioned as an example of the method for authentication by the receiver x for the server 700.




The broadcasting station distributes $(y_x, n_x)$ satisfying

$$s'_x\, y_x \equiv 1 \pmod{\mathrm{lcm}(p_x - 1,\ q_x - 1)},$$

$$n_x = p_x q_x \quad (p_x, q_x:\ \text{prime number})$$

for each receiver x to a server 700 in an area to which the receiver belongs, wherein $s'_x = \pi(s_{x,\tau})$ for a function $\pi$ opened to the public.




(i) The receiver x uses the authentication unit 605 in the receiver side apparatus 600 to generate a signature

$$\mathrm{sgn}_x(h(W)) = h(W)^{s'_x} \bmod n_x$$

for h(W) ($0 < h(W) < n_x$) by use of a confidential key $s'_x$, wherein W is the multi-address transmitted data and h is a one-way hash function which is public information. The generated signature is transmitted to the server 700 by use of the communication unit 606. The signature is transmitted together with a data name for which the looking and listening are desired.




(ii) The server 700 checks a relation of

$$\mathrm{sgn}_x(h(W))^{y_x} \equiv h(W) \pmod{n_x}$$

by use of the authentication unit 704 and transmits $u_{x,\tau}$ in the memory 703 to the receiver side apparatus 600 of the receiver x by use of the communication unit 701 if the relation is satisfied. At this time, in the case where the data desired by the receiver for the looking and listening is onerous, the server 700 performs a process for account to the receiver x by use of the accounting unit 705. Also, in the case where the receiver x possesses an IC card 800 having confidential information $s'_x$ and connects the IC card 800 to the IC card connection unit 609 in the receiver side apparatus 600 to obtain data from the broadcasting station, the calculation by the receiver using the confidential information $s'_x$ is performed using the authentication information generating unit 804 in the IC card 800 shown in FIG. 9. For instance, in the above example, the calculation of $\mathrm{sgn}_x(W)$ is performed using the authentication information generating unit 804 in the IC card 800.




According to the present embodiment, the identification of a set of receivers sharing a key is made by distributing $u_{x,\tau}$ to only limited receivers. Thereby, the key distribution for a limited secure broadcast communication becomes possible.




(Fourth Embodiment)




The present embodiment corresponds to the case where a limited secure broadcast communication method based on the key distribution method according to the second embodiment is applied to an information distribution service system using a satellite. Namely, a broadcast station makes the secure broadcast communication of information (including onerous data) such as multimedia information to receivers by use of a satellite and only receivers entitled to looking and listening (or receivers under agreement for the payment of counter values) can decipher transmit data.




The construction of a system in the present embodiment is the same as that shown in FIG. 5 explained in conjunction with the third embodiment. FIGS. 6 to 10 are also applied to the present embodiment.




A set R of receivers is $R = \bigcup_{\lambda \in \Lambda} R_\lambda$ for a family $\{R_\lambda\}_{\lambda \in \Lambda}$ of subsets and a server $S_\lambda$ is provided corresponding to each subset $R_\lambda$.




1. Preparatory Process




A broadcasting station generates the following information by use of the random number generator 501, the prime number generator 502, the arithmetic unit 503, the power multiplier 504 and the residue operator 505 in the broadcasting station side apparatus 500 (see FIG. 6).




Confidential information:








$$P_i,\ Q_i:\ \text{prime number} \quad (1 \le i \le m)$$

$$e_i \in Z,\quad 0 < e_i < L = \mathrm{lcm}(L_1, L_2, \ldots, L_m) \quad (1 \le i \le n)$$






Public information:








$$N_i = P_i Q_i \quad (1 \le i \le m)$$

$$N = \prod_{i=1}^{m} N_i$$

$$V = (v_{ij}),\quad v_{ij} = g_i^{\,h_j(e_1, \ldots, e_n)} \bmod N \quad (1 \le i, j \le M).$$













The broadcasting station opens only the public information to the public.




Further, the broadcasting station generates $s_{\sigma_x} = ((s_{\sigma_{x,1}(1)}, s_{\sigma_{x,1}(2)}, s_{\sigma_{x,1}(k)}), \ldots, (s_{\sigma_{x,a}(1)}, s_{\sigma_{x,a}(2)}, s_{\sigma_{x,a}(k)}))$ ($s_{\sigma_{x,a}(i)}, \ldots, s_{\sigma_{x,a}(i)} \in Z$, $0 < s_{x,\tau(i)} < L$, $\sigma_x = (\sigma_{x,1}, \ldots, \sigma_{x,a}) \in S$) by use of the random number generator 501 and distributes $s_{\sigma_x}$ together with

$$N_{\sigma_{x,i}} = \prod_{j=1}^{d} N_{\sigma_{x,i}(j)} \quad (i = 1, \ldots, a)$$

as key information of a receiver x. Therein, $h_i(X_1, \ldots, X_n)$ ($1 \le i \le M$) represents a monomial of $X_1, \ldots, X_n$ on Z. Also, for set $S'(M) = \{\sigma = (\sigma_1, \ldots, \sigma_a) \mid \text{one-to-one map } \sigma_i: A = \{1, 2, \ldots, k\} \to B = \{1, 2, \ldots, M\}\ (i = 1, \ldots, a),\ \sigma_1(A) \cup \ldots \cup \sigma_a(A) = B,\ M = ak\}$, $\sigma = (\sigma_1, \ldots, \sigma_a)$, $\sigma' = (\sigma'_1, \ldots, \sigma'_a) \in S'(M)$, a relation

$$\sigma \sim \sigma' \ \overset{\mathrm{def}}{\Longleftrightarrow}\ \{\sigma_1(A), \ldots, \sigma_a(A)\} = \{\sigma'_1(A), \ldots, \sigma'_a(A)\}$$

is defined and a quotient set of $S'(M)$ concerning “~” is defined as S. Further, a quotient set of m=ad, $S'(m)$ concerning “~” is defined as T.




The broadcasting station generates a random number $r'$ ($0 \le r' \le L$) for $\sigma_x = (\sigma_{x,1}, \ldots, \sigma_{x,a}) \in S$, $\sigma'_x = (\sigma'_{x,1}, \ldots, \sigma'_{x,a}) \in T$ by use of the random number generator 501 in the broadcasting station side apparatus 500 and calculates $u_{\sigma_x} = ((u_{\sigma_{x,1}(1)}, u_{\sigma_{x,1}(2)}, \ldots, u_{\sigma_{x,1}(k)}), \ldots, (u_{\sigma_{x,a}(1)}, u_{\sigma_{x,a}(2)}, \ldots, u_{\sigma_{x,a}(k)}))$ satisfying

$$\sum_{i=1}^{k} u_{\sigma_{x,j}(i)}\, s_{\sigma_{x,j}(i)}\, h_{\sigma_{x,j}(i)}(e_1, \ldots, e_n) \equiv r' \pmod{L_{\sigma_{x,j}}} \quad (1 \le j \le a)$$

by use of the arithmetic unit 503 and the residue operator 505, wherein L satisfies ($i = 1, \ldots, a$).

$$L_{\sigma_{x,i}} = \mathrm{ord}_{N_{\sigma_{x,i}}}\Bigl(\prod_{j=1}^{k} g_{\sigma_{x,i}(j)}\Bigr) \quad (i = 1, \ldots, a).$$











2. Enciphering/Deciphering Process




(1) The broadcasting station randomly selects an integer r ($0 \le r \le L$) by use of the random number generator 501 in the broadcasting station side apparatus 500 so that

$$0 < \Bigl(\prod_{j=1}^{k} g_{\sigma_{x,i}(j)}\Bigr)^{rr'} \bmod N \le \min\{ N_{\sigma_{x,i}} \mid x, \sigma_x \} \quad (i = 1, \ldots, a)$$

is satisfied, and generates a data enciphered key $K = f((g_1 g_2 \cdots g_m)^{rr'} \bmod N)$ by use of the power multiplier 504, the residue operator 505 and the key generating unit 506. Further, the broadcasting station calculates

$$W = (w_{ij}),\quad w_{ij} = v_{ij}^{\,r} \bmod N \quad (1 \le i, j \le M)$$

and makes the multi-address transmission of an enciphered sentence C=E(K:P) obtained by enciphering data P by the key K by use of the enciphering/deciphering unit 507 and the data W. Therein, f is a key generation function of a confidential key enciphering system opened to the public. Further, the broadcasting station generates

$$V_\lambda = \{ u_{\sigma_x} \mid x \in R_\lambda \}$$

for each $\lambda \in \Lambda$ by use of the arithmetic unit 503 and the residue operator 505 in the broadcasting station side apparatus 500, obtains an enciphered sentence $C_\lambda = E(K(S_\lambda) : V_\lambda)$ by enciphering $V_\lambda$ by a key $K(S_\lambda)$ by use of the enciphering/deciphering unit 507 and transmits $C_\lambda$ to the server 700 ($S_\lambda$) by use of the communication unit 508. The key $K(S_\lambda)$ is shared between the broadcasting station and the server 700 ($S_\lambda$) beforehand.




(2) In order to see the data P, a receiver x uses the communication unit 606 in the receiver side apparatus 600 (see FIG. 7) to make access to a server 700 in an area to which the receiver belongs. And, the receiver uses the authentication unit 605 in the receiver side apparatus 600 (and the server 700 uses the authentication unit 704) to make the authentication by demonstrating the possession of the confidential information $s_{\sigma_x}$. If the authentication is materialized, the server 700 transmits $u_{\sigma_x}$ in the memory 703 to the receiver side apparatus 600 of the receiver x by use of the communication unit 701.




At this time, in the case where the data P is onerous, the server 700 performs a process for account to the receiver x by use of the accounting unit 705.




(3) The receiver side apparatus 600 of the receiver x calculates a data enciphered key K from $s_{\sigma_x}$ in the memory 601 by use of the power multiplier 602, the residue operator 603 and the key generating unit 607 in accordance with

$$K = \prod_{i=1}^{a} K_i \bmod N$$

and deciphers the data P from the enciphered sentence C by use of the enciphering/deciphering unit 608, wherein

$$K_t = \prod_{i=1}^{k} \Bigl(\prod_{j=1}^{k} u_{\sigma_{x,t}(j)\,\sigma_{x,t}(i)}\Bigr)^{s_{\sigma_{x,t}(i)}} \bmod N_{\sigma_{x,t}} \quad (1 \le t \le a).$$













Like the third embodiment, a method for authentication by the receiver x for the server 700 in (2) of the above-mentioned enciphering/deciphering process can rely upon a known authentication system, so far as it is a method with which the authentication is not materialized if the receiver x does not know $s_{\sigma_x}$.




In the fourth embodiment, one condition for generation of a secure key may be

$$\sum_{i=1}^{k} u_{\sigma_{x,j}(i)}\, s_{\sigma_{x,j}(i)}\, h_{\sigma_{x,j}(i)}(e_1, \ldots, e_n) \equiv r' \pmod{\tilde{L}_{\sigma_{x,j}}}$$

$$\tilde{L}_{\sigma_{x,j}} = \mathrm{lcm}\bigl(\mathrm{ord}_{N_{\sigma_{x,j}}}(g_{\sigma_{x,j}(1)}), \ldots, \mathrm{ord}_{N_{\sigma_{x,j}}}(g_{\sigma_{x,j}(k)})\bigr) \quad (j = 1, \ldots, a)$$









According to the present embodiment, the identification of a set of receivers sharing a key is made by distributing $u_{\sigma_x}$ to only limited receivers. Thereby, the key distribution for a limited secure broadcast communication becomes possible.




(Fifth Embodiment)




In a fifth embodiment, the data enciphered key K in the third and fourth embodiments is updated by changing the value of r in the data enciphered key $K = f(g^{rr'} \bmod N)$ for each short time period.




Further, the identification of transmit data subjected to multi-address transmission by a broadcasting station is made by taking a value characteristic of transmit data as the value of $r'$. Namely, information $u_{x,\tau}$ (or $u_{\sigma_x}$) obtained by a receiver x from a server 700 in order to look and listen to certain broadcast data is characteristic of that broadcast data information and it is necessary to obtain another information $u'_{x,\tau}$ (or $u'_{\sigma_x}$) from the server 700 in order to look and listen to another broadcast data. Thereby, the identification of broadcast data subjected to an accounting process is made.




(Sixth Embodiment)




In the present embodiment, description will be made of a method in which in the case where in the third embodiment the receiver possesses an IC card 800 (see FIG. 9) having key information and connects the IC card 800 to the IC card connection unit 609 in the receiver side apparatus 600 (see FIG. 7) to obtain data from the broadcasting station, the calculation of

$$K = \prod_{i=1}^{d} z_{\tau(i)}^{\,u_{x,\tau(i)}\, s_{x,\tau(i)}} \bmod N$$

by the receiver x in the step (3) of the enciphering/deciphering process in the third embodiment is performed with a high efficiency.




The receiver side apparatus 600 (see FIG. 7) calculates

$$\xi_{x,\tau(i)} = z_{\tau(i)}^{\,u_{x,\tau(i)}} \bmod N \quad (1 \le i \le d)$$

by use of the residue operator 603 and the arithmetic unit 604 and outputs $\xi_{x,\tau(i)}$ ($1 \le i \le d$) to the IC card 800 (see FIG. 9).




The IC card 800 calculates

$$\eta_{x,\tau(i)} = \xi_{x,\tau(i)}^{\,s_{x,\tau(i)}} \bmod N \quad (1 \le i \le d)$$

by use of the power multiplier 802 and the residue operator 803 and outputs $\eta_{x,\tau(i)}$ ($1 \le i \le d$) to the receiver side apparatus 600.




The receiver side apparatus 600 calculates

$$K = \prod_{i=1}^{d} \eta_{x,\tau(i)} \bmod N$$

by use of the power multiplier 602, the residue operator 603 and the arithmetic unit 604.
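The key derivation of the third embodiment, with the apparatus/IC-card split of the sixth embodiment, can be checked numerically. The Python sketch below is an added example, not part of the patent text: it assumes the single-modulus case (m = 1, so that $N_\sigma = N$), uses L = lcm(P−1, Q−1) in place of the element order, restricts the secrets $e_i$ and $s_{x,\tau(i)}$ to values invertible modulo L so that $u_{x,\tau}$ can be solved for, omits the public function f, and all parameter values and function names are constructed for illustration.

```python
import math
import secrets

# Constructed toy parameters (assumptions; far too small for real use).
P, Q = 1019, 1031                                 # confidential primes
N = P * Q                                         # public modulus (m = 1)
L = (P - 1) * (Q - 1) // math.gcd(P - 1, Q - 1)   # confidential lcm(P-1, Q-1)
G = 7                                             # public base g, gcd(g, N) = 1
# Monomials h_i(X_1, X_2, X_3) as exponent vectors (M = 4, n = 3, 0-based i).
MONOMIALS = [(1, 0, 0), (0, 1, 1), (2, 0, 1), (1, 1, 1)]


def rand_unit(modulus):
    """Random value in (0, modulus) that is invertible mod modulus."""
    while True:
        x = secrets.randbelow(modulus - 1) + 1
        if math.gcd(x, modulus) == 1:
            return x


def h(i, e):
    """Evaluate monomial h_i at e = (e_1..e_n), reduced mod L."""
    out = 1
    for x, a in zip(e, MONOMIALS[i]):
        out = out * pow(x, a, L) % L
    return out


def station_setup():
    """Preparatory process: secret e, public v_i = g^{h_i(e)} mod N."""
    e = [rand_unit(L) for _ in range(3)]
    v = [pow(G, h(i, e), N) for i in range(len(MONOMIALS))]
    return e, v


def issue_receiver_key(tau):
    """s_{x,tau}: one secret exponent per index tau(i)."""
    return [rand_unit(L) for _ in tau]


def individual_info(e, tau, s, r_prime):
    """u_{x,tau} with sum_i u_i * s_i * h_{tau(i)}(e) == r' (mod L)."""
    c = [s_i * h(t, e) % L for s_i, t in zip(s, tau)]
    u = [secrets.randbelow(L - 1) + 1 for _ in tau[:-1]]
    partial = sum(u_i * c_i for u_i, c_i in zip(u, c)) % L
    # Solve the linear congruence for the last component.
    u.append((r_prime - partial) * pow(c[-1], -1, L) % L)
    return u


def broadcast(v, r_prime, r=None):
    """Return (g^{r r'} mod N, W) with W = (z_i = v_i^r mod N)."""
    if r is None:
        r = secrets.randbelow(L - 1) + 1
    return pow(G, r * r_prime, N), [pow(v_i, r, N) for v_i in v]


def apparatus_step(z, tau, u):
    """Receiver apparatus 600: xi_i = z_{tau(i)}^{u_i} mod N (no secret used)."""
    return [pow(z[t], u_i, N) for t, u_i in zip(tau, u)]


def card_step(xi, s):
    """IC card 800: eta_i = xi_i^{s_i} mod N (s stays on the card)."""
    return [pow(x, s_i, N) for x, s_i in zip(xi, s)]


def combine(eta):
    """Receiver apparatus 600: K = prod_i eta_i mod N."""
    k = 1
    for x in eta:
        k = k * x % N
    return k


def receiver_key(z, tau, u, s):
    """Full receiver-side derivation: apparatus, card, then apparatus."""
    return combine(card_step(apparatus_step(z, tau, u), s))


if __name__ == "__main__":
    e, v = station_setup()
    tau = [0, 2]                          # receiver's index subset (d = 2)
    s = issue_receiver_key(tau)
    r_prime = secrets.randbelow(L - 1) + 1
    u = individual_info(e, tau, s, r_prime)
    K, W = broadcast(v, r_prime)
    print("station  g^(r r') mod N:", K)
    print("receiver derived value :", receiver_key(W, tau, u, s))
```

A receiver that reuses the $u_{x,\tau}$ issued for one value of $r'$ on a broadcast made with a different $r'$ derives $g^{r r'_{old}} \bmod N$ rather than the current key, which is the per-data binding the fifth embodiment relies on for accounting.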




(Seventh Embodiment)




The present embodiment is an example in which in the case where in the fourth embodiment the receiver x possesses an IC card 800 (see FIG. 9) having key information and connects the IC card 800 to the IC card connection unit 609 in the receiver side apparatus 600 (see FIG. 7) to obtain data from the broadcasting station, means for improving the efficiency of the calculation of the data enciphered key in the step (3) of the enciphering/deciphering process in the fourth embodiment is provided as in the sixth embodiment. Namely, a processing for calculation using confidential information is performed in the IC card 800 while a processing for calculation using no confidential information is performed in the receiver side apparatus 600.




(Eighth Embodiment)




The present embodiment corresponds to a specific case of the fourth embodiment.




A set R of receivers is $R = \bigcup_{\lambda \in \Lambda} R_\lambda$ for a family $\{R_\lambda\}_{\lambda \in \Lambda}$ of subsets and a server $S_\lambda$ is provided corresponding to each subset $R_\lambda$.




1. Preparatory Process




A broadcasting station generates the following information by use of the random number generator 501, the prime number generator 502, the arithmetic unit 503, the power multiplier 504 and the residue operator 505 in the broadcasting station side apparatus 500 (see FIG. 6).




Confidential information:








$$P,\ Q:\ \text{prime number}$$

$$e_i \in Z,\quad 0 < e_i < L = \mathrm{lcm}(P - 1,\ Q - 1) \quad (1 \le i \le m)$$






Public information:








N=PQ








The broadcasting station opens only the public information to the public.




Further, the broadcasting station generates $s_{x,(\pi,\sigma)} = (s_{x,\pi_1(1)}, \ldots, s_{x,\pi_1(h)}, \ldots, s_{x,\pi_l(1)}, \ldots, s_{x,\pi_l(h)})$ by use of the random number generator 501 and distributes $s_{x,(\pi,\sigma)}$ as key information of a receiver x. The broadcasting station generates a random number $r'$ ($0 \le r' \le L$) for $\pi = (\pi_1, \ldots, \pi_l) \in R_{k,n}$, $\sigma = (\sigma_1, \ldots, \sigma_l) \in S_{k,n}$ by use of the random number generator 501 in the broadcasting station side apparatus 500 and calculates $r_{x,(\pi,\sigma)} = (r_{x,\pi_1(1)}, \ldots, r_{x,\pi_1(h)}, \ldots, r_{x,\pi_l(1)}, \ldots, r_{x,\pi_l(h)})$ satisfying

$$\sum_{i=1}^{k} r_{x,\pi_i(j)}\, s_{x,\pi_i(j)}\, e_{\pi_i(j)} \equiv r' \pmod{L_{\sigma_i}} \quad (1 \le i \le l)$$

by use of the arithmetic unit 503 and the residue operator 505. Therein, $L_{\sigma_i}$ satisfies

$$L_{\sigma_i} = \mathrm{ord}_N\Bigl(\prod_{j=1}^{k} g_{\sigma_i(j)}\Bigr) \quad (1 \le i \le l).$$












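Also, when $\sigma = (\sigma_1, \ldots, \sigma_l)$, $\sigma' = (\sigma'_1, \ldots, \sigma'_l) \in S'_{k,n}$ for n=kl, set $R_{k,n} = \{\pi = (\pi_1, \ldots, \pi_l) \mid \text{one-to-one map } \pi_i: \{1, 2, \ldots, h\} \to \{1, 2, \ldots, m\}\ (1 \le i \le l,\ 1 \le h \le m)\}$, set $S'_{k,n} = \{\sigma = (\sigma_1, \ldots, \sigma_l) \mid \text{one-to-one map } \sigma_i: A = \{1, 2, \ldots, k\} \to B = \{1, 2, \ldots, n\}\ (1 \le i \le l),\ \sigma_1(A) \cup \ldots \cup \sigma_l(A) = B\}$, a relation

$$\sigma \sim \sigma' \ \overset{\mathrm{def}}{\Longleftrightarrow}\ \sigma_i(A) = \sigma'_{\tau(i)}(A) \quad (1 \le i \le l)$$

is defined in regard to proper permutation $\tau$ on a set {1, 2, . . . , l}. At this time, “~” represents an equivalence relation on $S'_{k,n}$ and $S_{k,n}$ is $S_{k,n} = S'_{k,n}/\sim$.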




2. Enciphering/Deciphering Process




(1) The broadcasting station randomly selects an integer r ($0 \le r \le L$) by use of the random number generator 501 in the broadcasting station side apparatus 500 to generate a data enciphered key $K = f((g_1 g_2 \cdots g_n)^{rr'} \bmod N)$ by use of the power multiplier 504, the residue operator 505 and the key generating unit 506. Further, the broadcasting station calculates

$$W = (y_{ij}),\quad y_{ij} = u_{ij}^{\,r} \bmod N \quad (1 \le i \le m,\ 1 \le j \le n)$$

and makes the multi-address transmission of an enciphered sentence C=E(K:P) obtained by enciphering data P by the key K by use of the enciphering/deciphering unit 507 and the data W. Therein, f is a key generation function of a confidential key enciphering system opened to the public. Further, the broadcasting station generates

$$V_\lambda = \{ r_{x,(\pi,\sigma)} \mid x \in R_\lambda \}$$

for each $\lambda \in \Lambda$ by use of the arithmetic unit 503 and the residue operator 505 in the broadcasting station side apparatus 500, obtains an enciphered sentence $C_\lambda = E(K(S_\lambda) : V_\lambda)$ by enciphering $V_\lambda$ by a key $K(S_\lambda)$ by use of the enciphering/deciphering unit 507 and transmits $C_\lambda$ to the server 700 ($S_\lambda$) by use of the communication unit 508. The key $K(S_\lambda)$ is shared between the broadcasting station and the server 700 ($S_\lambda$) beforehand.




(2) In order to see the data P, a receiver x uses the communication unit 606 in the receiver side apparatus 600 to make access to a server 700 (see FIG. 8) in an area to which the receiver belongs. And, the receiver uses the authentication unit 605 in the receiver side apparatus 600 (and the server 700 uses the authentication unit 704) to make the authentication by demonstrating the possession of the confidential information $s_\sigma$. If the authentication is materialized, the server 700 transmits $r_{x,(\pi,\sigma)}$ in the memory 703 to the receiver side apparatus 600 of the receiver x by use of the communication unit 701.




At this time, in the case where the data P is onerous, the server 700 performs a process for account to the receiver x by use of the accounting unit 705.




(3) The receiver side apparatus 600 of the receiver x calculates a data enciphered key K from $s_{x,(\pi,\sigma)}$ in the memory 601 by use of the power multiplier 602, the residue operator 603 and the key generating unit 607 in accordance with

$$K = f\Bigl(\prod_{i=1}^{l} \prod_{p=1}^{h} \prod_{q=1}^{k} y_{\pi_i(p)\,\sigma_i(q)}^{\,r_{x,\pi_i(p)}\, s_{x,\pi_i(p)}} \bmod N\Bigr)$$

and deciphers the data P from the enciphered sentence C by use of the enciphering/deciphering unit 608.




Like the third embodiment, a method for authentication by the receiver x for the server 700 in (2) of the above-mentioned enciphering/deciphering process can rely upon a known authentication system, so far as it is a method with which the authentication is not materialized if the receiver x does not know $s_{x,(\pi,\sigma)}$.




The present invention is applicable to a multi-channel broadcasting satellite digital communication system, a TV conference system using a satellite, a CATV, a multi-media information distribution system, and so forth.




Accordingly, the present invention is not limited to the disclosed embodiments and includes various modifications in the scope of Claims.



Claims
  • 1. A cipher communication system comprising: a server; a plurality of receiver units connected to said server; and a broadcasting station which performs communications with designated receiver units of said plurality of receiver units, via said server, wherein said broadcasting station comprises: a unit for generating confidential key information and preliminarily distributing said confidential key information to said plurality of receiver units; a unit for encrypting data (P) to be transmitted with encrypting common key (K) and generating encrypted text (C); a unit for generating key distribution data (W) necessary for calculation of said common key (K); a unit for broadcasting said encrypted text (C) and said key distribution data (W); a unit for generating individual information per individual receiver unit to be transmitted to said designated receiver units; and a unit for transmitting said individual information to said server, wherein said server comprises: a unit for receiving said individual information from said broadcasting station; a unit for receiving authentication data from a receiver unit and performing authentication; and a unit for transmitting said individual information to a corresponding receiver unit when authentication is made, and wherein said receiver units each comprises: a unit for transmitting authentication data to said server; and a unit for calculating said common key (K) on a basis of said individual information transmitted from said server, said confidential key information preliminarily distributed from said broadcasting station and said key distribution data (W) broadcasted from said broadcasting station, and for decoding said data (P) from said encrypted text (C).
  • 2. A cipher communication system according to claim 1, wherein said unit for distributing said confidential key information, at said broadcasting station, to said plurality of receiver units comprises a unit for generating confidential key information of a receiver unit in association with a subset inclusive of at least two elements of a finite set (S) of confidential key information of said receiver unit; and a unit for distributing said confidential key information to said plurality of receiver units, and wherein said key distribution data (W) is generated in association with each element of said finite set (S).
  • 3. A cipher communication system according to claim 1, wherein said individual information at the broadcasting station is encrypted with said common key before transmission to said designated receiver units.
  • 4. A cipher communication system according to claim 1, wherein said receiver units each further includes a unit for generating authentication data including said confidential key information which is preliminarily distributed from said broadcasting station.
  • 5. A cipher communication system according to claim 1, wherein said server includes an accounting unit for charging a fee for data (P) for a receiver unit when said data (P) encrypted using said common key (K) is onerous indicating that a fee is required.
  • 6. A cipher communication system according to claim 1, wherein said broadcasting station further includes a unit for modifying a value of said common key (K) by modifying said key distribution data (W).
  • 7. A cipher communication system according to claim 2, wherein said key distribution data (W) is generated by adding an arbitrarily selected random number with a value corresponding to the element of said finite set (S).
  • 8. A cipher communication system according to claim 1, wherein said broadcasting station further includes an arbitrarily selected random number used for generating said common key (K).
  • 9. A cipher communication system according to claim 7, wherein said broadcasting station further includes a unit for modifying said common key (K) by varying the value of said random number.
  • 10. A cipher communication system according to claim 7, wherein said broadcasting station further includes a unit for performing identification of transmission data by comparing a value of said random number to a value unique for said transmission data.
  • 11. A cipher communication system, comprising: a broadcasting station; a server; and a plurality of receiver units connected to said server, each configured to decode an encrypted data broadcasted from said broadcasting station by obtaining permission information from said server, wherein said server comprises: a unit for storing individual information per receiver unit transmitted from a broadcasting station; a unit for receiving authentication data from a receiver unit and performing authentication; and a unit for transmitting said individual information to a corresponding receiver unit when authentication is made, wherein said receiver units each comprises: a unit for transmitting authentication data to said server; and a unit for decoding said encrypted data on a basis of said individual information transmitted from said server and key information transmitted from said broadcasting station.
  • 12. A cipher communication system according to claim 11, wherein said key information transmitted from said broadcasting station includes confidential key information preliminarily transmitted and broadcasted key information.
  • 13. A cipher communication system according to claim 11, wherein said server includes an accounting unit for charging a fee for said encrypted data for a receiver unit when said encrypted data is onerous indicating that a fee is required.
  • 14. A cipher communication method including a server, a plurality of receiver units connected to said server, a broadcasting station which performs communications with designated receiver units, comprising: generating, at said broadcasting station, confidential key information and preliminarily distributing said confidential key information to said plurality of receiver units; generating, at said broadcasting station, encrypted text (C) by encrypting data (P) to be transmitted with encrypting common key (K), and generating key distribution data (W) necessary for calculation of said common key (K); broadcasting, at said broadcasting station, said encrypted text (C) and said key distribution data (W); generating, at said broadcasting station, individual information per individual receiver unit to be transmitted to said designated receiver units, and transmitting said individual information to said server; receiving, at said server, said individual information transmitted from said broadcasting station; receiving, at said server, authentication data from a receiver unit and performing authentication; and transmitting, at said server, said individual information to a corresponding receiver unit when authentication is made; transmitting, at said receiver unit, said authentication data to said server; and calculating, at said receiver unit, said common key (K) on a basis of said individual information transmitted from said server, said confidential key information preliminarily distributed from said broadcasting station and said key distribution data (W) broadcasted from said broadcasting station, and decoding said data (P) from said encrypted text (C).
  • 15. A cipher communication method according to claim 14, wherein said individual information is generated and transmitted from said broadcasting station to said server before said key distribution data (W) is generated and broadcasted from said broadcasting station.
  • 16. A cipher communication method according to claim 14, wherein said key distribution data (W) is generated and broadcasted from said broadcasting station before said individual information is generated and transmitted from said broadcasting station to said server.
  • 17. A cipher communication method according to claim 14, wherein said step of preliminarily distributing said confidential key information in said broadcasting station side to said plurality of receiver units includes: generating confidential key information of a receiver unit in association with a subset inclusive of at least two elements of a finite set (S) of confidential key information of said receiver unit; and distributing said confidential key information to said plurality of receiver units, wherein said key distribution data (W) is generated in association with each element of said finite set (S).
  • 18. A cipher communication method according to claim 14, wherein said individual information at the broadcasting station is encrypted with said common key before transmission to said designated receiver units.
  • 19. A cipher communication method according to claim 14, further comprising a step of generating, at said receiver unit, authentication data including said confidential key information which is preliminarily distributed from said broadcasting station.
  • 20. A cipher communication method according to claim 14, further comprising a step of accounting, at said server, for charging a fee for data (P) for a receiver unit when said data (P) encrypted using said common key (K) is onerous indicating that a fee is required.
  • 21. A cipher communication method according to claim 14, further comprising a step of modifying, at said broadcasting station, a value of said common key (K) by modifying said key distribution data (W).
  • 22. A cipher communication method according to claim 17, wherein said key distribution data (W) is generated by adding an arbitrarily selected random number for a value corresponding to the element of said finite set (S).
  • 23. A cipher communication method according to claim 14, further comprising a step of generating, at said broadcasting station, said common key (K) including an arbitrarily selected random number.
  • 24. A cipher communication method according to claim 23, further comprising a step of modifying, at said broadcasting station, said common key (K) by varying the value of said random number.
  • 25. A cipher communication method according to claim 23, further comprising a step of performing, at said broadcasting station, identification of transmission data by comparing a value of said random number to a value unique for said transmission data.
  • 26. A cipher communication method including a broadcasting station, a server and a plurality of receiver units connected to said server, each adapted to decode an encrypted data broadcasted from said broadcasting station by obtaining permission information from said server, comprising: storing, at said server, individual information per receiver unit transmitted from said broadcasting station; receiving, at said server, authentication data from a receiver unit for performing authentication; transmitting, at said server, said individual information to a corresponding receiver unit when authentication is made; transmitting, at said receiver unit, authentication data to said server; and decoding, at said receiver unit, said encrypted data on a basis of said individual information transmitted from said server and key information transmitted from said broadcasting station.
  • 27. A cipher communication method according to claim 26, further comprising a step of decoding, at said receiver unit, said encrypted data on a basis of said individual information transmitted from said server, confidential key information preliminarily transmitted from said broadcasting station and broadcasted key information.
  • 28. A cipher communication method according to claim 26, further comprising a step of accounting, at said server, for charging a fee for said encrypted data for a receiver unit when said encrypted data is onerous indicating that a fee is required.
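The message flow recited in claim 14, as an added sketch that is not code from the patent: the station, server and receiver roles follow the claim, while the HMAC-based pad, the SHA-256 keystream cipher and the server-side authentication key are stand-in assumptions, since the claims do not specify how K is computed from W, the confidential key information and the individual information.

```python
import hashlib, hmac, secrets

def mask(secret: bytes, w: bytes) -> bytes:
    # Stand-in derivation (assumption): per-receiver pad bound to this broadcast's W.
    return hmac.new(secret, b"pad" + w, hashlib.sha256).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def stream_xor(key: bytes, data: bytes) -> bytes:
    # Toy SHA-256 counter keystream, illustration only; use an AEAD in practice.
    ks = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                  for i in range(len(data) // 32 + 1))
    return xor(data, ks)

class Station:
    def __init__(self, receiver_ids):
        # Confidential key information, distributed to receivers in advance.
        self.conf = {r: secrets.token_bytes(32) for r in receiver_ids}

    def broadcast(self, plaintext: bytes, designated):
        k = secrets.token_bytes(32)      # common key K, fresh per broadcast
        w = secrets.token_bytes(16)      # key distribution data W
        c = stream_xor(k, plaintext)     # encrypted text C
        # Individual information, only for designated receivers; sent to the server.
        individual = {r: xor(k, mask(self.conf[r], w)) for r in designated}
        return c, w, individual

class Server:
    def __init__(self, auth_keys):
        # auth_keys: hypothetical per-receiver authentication secrets (assumption).
        self.auth_keys, self.individual = auth_keys, {}

    def store(self, individual):
        self.individual = dict(individual)

    def request(self, rid, w, tag):
        # Release individual information only after authentication succeeds.
        expect = hmac.new(self.auth_keys[rid], w, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expect):
            return None
        return self.individual.get(rid)

def receive(conf_key, auth_key, rid, c, w, server):
    tag = hmac.new(auth_key, w, hashlib.sha256).digest()  # authentication data
    info = server.request(rid, w, tag)
    if info is None:
        return None                      # not authenticated or not designated
    k = xor(info, mask(conf_key, w))     # K from individual info, conf key and W
    return stream_xor(k, c)              # decode P from C
```

A receiver that holds C and W from the broadcast but is not designated, or fails authentication at the server, gets no individual information and cannot recompute K.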
Priority Claims (4)
Number Date Country Kind
8-168975 Jun 1996 JP
8-210811 Aug 1996 JP
8-217050 Aug 1996 JP
8-269613 Oct 1996 JP
Parent Case Info

This application is a Continuation Application of U.S. patent application Ser. No. 08/882,339 filed on Jun. 25, 1997, now U.S. Pat. No. 6,041,408.

US Referenced Citations (7)
Number Name Date Kind
4850017 Matayas et al. Jul 1989 A
5369705 Bird et al. Nov 1994 A
5592552 Fiat Jan 1997 A
5663896 Aucsmith Sep 1997 A
5708714 Lopez et al. Jan 1998 A
5729608 Janson et al. Mar 1998 A
6041408 Nishioka et al. Mar 2000 A
Non-Patent Literature Citations (5)
Entry
IEEE Trans Commun., COM-29, No. 6, pp. 778-786, 1981.
Trans. IEICE, J65-D, No. 9, pp. 1151-1158, 1982.
Lee et al., SCIS86, 1986.
IEICE Technical Report, ISEC93-34, Oct. 1993.
Commun. of the ACM, Vol. 21, No. 2, pp. 120-126, 1987.
Continuations (1)
Number Date Country
Parent 08/882339 Jun 1997 US
Child 09/520627 US