The present invention relates to a key providing system, a key providing apparatus, a terminal device, a key providing method, and a key generation method.
Information devices such as personal computers (hereinafter referred to as PCs), portable telephones, and digital home electrical appliances have recently become widespread. The techniques related to such information devices and to the information communication connecting them are advancing greatly, and content distribution services such as music distribution and video distribution using such information devices are being widely developed. Pay broadcasting using CATV (Community Antenna TeleVision), satellite broadcast or the Internet, and content distribution using physical media such as CD (Compact Disc) or DVD (Digital Versatile Disc) are examples of such content distribution services.
However, in order to provide such content distribution service, a mechanism allowing only the contractant to acquire the content based on the contract made between the provider of the service (hereinafter referred to as system manager) and the viewer is necessary. With respect to such issue, a mechanism of providing a predetermined key from the system manager to the contractant, and distributing header information h for generating a content key mek used to encrypt content M with the predetermined key along with the encrypted content M is contrived.
A content distribution system called the broadcast encryption system is known as one specific means for realizing such a mechanism. In the broadcast encryption system, each contractant is corresponded to an element of a set, the contractant set representing all contractants is divided into a plurality of subsets, and the header h is distributed such that only the contractants belonging to specific subsets acquire the content key mek. That is, by applying such a system, the content M can be distributed while excluding specific contractants designated by the system manager. In reality, however, the broadcast encryption system of the related art leaves room for improvement in efficiency in view of the calculation load associated with the generation of the content key mek at the server device (hereinafter referred to as center) on the system manager side and at the terminal device on the contractant side, the communication load between the server device and the terminal device, and the like.
Specifically, when distributing the content, to what extent the amount of communication that increases according to the size of the header h distributed by the center, the amount of memory that increases according to the number of keys to be held by each terminal device, and the amount of calculation necessary for each terminal device to generate the content key mek can be reduced becomes an issue. Each amount greatly differs depending on the dividing method of the contractant set. Various broadcast encryption systems devising the dividing method of the contractant set have been proposed to realize efficient content distribution. For instance, Non-Patent Document 1 discloses a content distribution system called the Subset Incremental Chain Based Broadcast Encryption system by Nuttapong Attrapadung and Hideki Imai et al. as one means for reducing each amount (hereinafter referred to as AI05 system).
[Non-Patent Document 1] Nuttapong Attrapadung and Hideki Imai, “Subset Incremental Chain Based Broadcast Encryption with Shorter Ciphertext”, The 28th Symposium on Information Theory and Its Applications (SITA2005)
The applicant of the present invention developed a first improved system (hereinafter referred to as A06(A) system) in which the amount of memory for each terminal device to hold the key is reduced, a second improved system (hereinafter referred to as A06(B) system) in which the amount of calculation for each terminal device to generate the content key is reduced, and a third improved system (hereinafter referred to as A06(A+B) system) in which both the amount of memory and the amount of calculation are reduced compared to the content distribution system described in Non-Patent Document 1, and has already filed patent applications for them with the Japanese Patent Office (A06(A) system: Japanese Application No. 2006-310182, A06(B) system: Japanese Application No. 2006-310213, A06(A+B) system: Japanese Application No. 2006-310226). The characteristic of each system lies in that, when generating the content key mek utilizing a pseudo random sequence generator, the pseudo random sequence generation calculation is executed based on a key generation algorithm represented by a digraph unique to each system.
However, when generating a key corresponding to a subset from a key corresponding to another subset according to a certain system, not limited to each system above, if the set related information such as the digraph including information of a plurality of key generation paths are all to be held on the terminal device side, the storage capacity to hold the information of the plurality of key generation paths becomes large. If the terminal device is to acquire all the information of the key generation path held by the key providing apparatus, the capacity propagated for the terminal device to acquire the information of the plurality of key generation paths becomes large.
The present invention addresses the above-identified, and other issues associated with conventional methods and apparatuses, and it is desirable to provide a new and improved key providing system capable of reducing the capacity necessary for the terminal device to propagate or hold the information for key generation compared to when the terminal device propagates or holds all the key generation path information in advance, a key providing apparatus, a terminal device, a key providing method, and a key generation method.
According to an embodiment of the present invention, there is provided a key providing system including a plurality of terminal devices, and a key providing apparatus for providing key information used for encryption or decryption of information to the plurality of terminal devices.
Further, the key providing apparatus may include a set relationship information acquiring unit for acquiring set relationship information including a plurality of set information each indicating different combinations of the plurality of terminal devices, and a plurality of key generation path information indicating a key generation path necessary for generating, from the key information corresponding to one of the plurality of set information, key information corresponding to another one of the plurality of set information, a key generation path information extracting unit for extracting the key generation path information of one part of the plurality of key generation path information from the plurality of key generation path information contained in the set relationship information, and a key generation path information providing unit for providing the key generation path information of one part extracted by the key generation path information extracting unit to the terminal device.
Furthermore, the terminal device may include a key generation path information acquiring unit for acquiring the key generation path information of one part, and a key information generation unit for generating, from the key information corresponding to one of the plurality of set information, key information corresponding to another one of the plurality of set information based on the key generation path information of one part.
According to another embodiment of the present invention, there is provided a key providing apparatus for providing key information used for encryption or decryption of data to a plurality of terminal devices. The key providing apparatus includes a set relationship information acquiring unit for acquiring set relationship information including a plurality of set information each indicating different combinations of the plurality of terminal devices, and a plurality of key generation path information indicating a key generation path necessary for generating, from the key information corresponding to one of the plurality of set information, key information corresponding to another one of the plurality of set information; a key generation path information extracting unit for extracting the key generation path information of one part of the plurality of key generation path information from the plurality of key generation path information contained in the set relationship information; and a key generation path information providing unit for providing the key generation path information of one part extracted by the key generation path information extracting unit to the terminal device.
Further, the key generation path information providing unit may include a communication unit for transmitting the key generation path information to the terminal device through a network.
Further, the key generation path information providing unit may include a recording unit for recording the key generation path information to a recording medium to provide to the terminal device.
Also, the key providing apparatus may further include an encryption unit for encrypting information using the key information corresponding to one of the plurality of set information; and an encrypted information providing unit for providing the encrypted information to the terminal device.
Further, the key generation path information acquiring unit may be configured to acquire, as the set relationship information, a digraph formed by directional branches connecting coordinate points with respect to a plurality of coordinate points corresponded to the plurality of set information each indicating different combinations of the plurality of terminal devices.
Further, the key generation path information extracting unit may be configured to extract, as the key generation path information of one part, one part of the digraph reaching a coordinate point corresponded to the set information to which the terminal device belongs.
Further, the key generation path information extracting unit may be configured to extract, as the key generation path information of one part, information indicating a terminating end position of the directional branch configuring one part of the digraph.
Further, the key generation path information extracting unit may be configured to extract, as the key generation path information of one part, information indicating a length of the directional branch configuring one part of the digraph.
Also, the key providing apparatus may further include a key information generation unit for generating the key information k(S1), . . . , k(Sm) corresponding to coordinate points S1, . . . , Sm of the terminating ends of all directional branches having a coordinate point S0 as the starting end according to the input of the key information k(S0) corresponding to the coordinate point S0.
Further, the key information may be configured by a set key k for encrypting or decrypting information, and an intermediate key t for generating the set key k. Furthermore, the key providing apparatus may further include a key information generation unit for generating the set key k(S0) corresponding to the coordinate point S0 and the intermediate key t(S1), . . . , t(Sm) corresponding to coordinate points S1, . . . , Sm of the terminating ends of all directional branches having a coordinate point S0 as the starting end according to the input of the intermediate key t(S0) corresponding to the coordinate point S0.
According to another embodiment of the present invention, there is provided a key providing apparatus for providing key information used for encryption or decryption of information to a plurality of terminal devices. The key providing apparatus includes: a set relationship information generation unit for generating set relationship information including a plurality of set information each indicating different combinations of the plurality of terminal devices, and a plurality of key generation path information indicating a key generation path necessary for generating, from the key information corresponding to one of the plurality of set information, key information corresponding to another one of the plurality of set information; a key generation path information extracting unit for extracting the key generation path information of one part of the plurality of key generation path information from the plurality of key generation path information contained in the set relationship information; and a key generation path information providing unit for providing the key generation path information of one part extracted by the key generation path information extracting unit to the terminal device.
According to another embodiment of the present invention, there is provided a terminal device for generating key information used for encryption or decryption of information. The terminal device includes: a key generation path information acquiring unit for acquiring key generation path information of one part of a plurality of key generation path information extracted from set relationship information including a plurality of set information each indicating different combinations of the plurality of terminal devices, and a plurality of key generation path information indicating a key generation path necessary for generating, from the key information corresponding to one of the plurality of set information, key information corresponding to another one of the plurality of set information; and a key information generation unit for generating, from the key information corresponding to one of the plurality of set information, key information corresponding to another one of the plurality of set information based on the key generation path information of one part.
Further, the key generation path information acquiring unit may include a communication unit for receiving the key generation path information through a network.
Further, the key generation path information acquiring unit may include a readout unit for acquiring a recording medium recorded with the key generation path information and reading out the key generation path information from the recording medium.
Also, the terminal device may further include: an encrypted information acquiring unit for acquiring information encrypted using the key information corresponding to another one of the plurality of set information; and an encrypted information decryption unit for decrypting the encrypted information using the key information corresponding to another one of the plurality of set information generated by the key information generation unit.
Further, the key generation path information acquiring unit may be configured to acquire, with respect to a plurality of coordinate points corresponded to the plurality of set information each indicating different combinations of the plurality of terminal devices, one part of a digraph reaching a coordinate point corresponded to the set information to which the terminal device belongs extracted from the digraph formed by directional branches connecting the coordinate points as the key generation path information of one part.
Further, the key generation path information acquiring unit may be configured to acquire, as the key generation path information of one part, information indicating a terminating end position of the directional branch configuring one part of the digraph.
Further, the key generation path information acquiring unit may be configured to acquire, as the key generation path information of one part, information indicating a length of the directional branch configuring one part of the digraph.
Also, the terminal device may further include a key information generation unit for generating the key information k(S1) corresponding to a coordinate point S1 of the terminating end of the directional branch according to an input of the key information k(S0) corresponding to a starting end S0 of the directional branch.
Further, the key information may be configured by a set key k for encrypting or decrypting information, and an intermediate key t for generating the set key k. Furthermore, the terminal device may further include a key information generation unit for generating the set key k(S0) corresponding to a starting end S0 of the directional branch and the intermediate key t(S1) corresponding to a terminating end S1 of the directional branch according to an input of the intermediate key t(S0) corresponding to the starting end S0 of the directional branch.
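The key information generation described for the key providing apparatus (k(S0) and t(S1), . . . , t(Sm) from t(S0)) and for the terminal device (t(S1) from t(S0) along one directional branch), as an added worked example that is not code from the patent or from any of the AI05/A06 systems. It assumes HMAC-SHA256 as the pseudo random sequence generator, a 16-byte key size, and that each PRSG output is bound to the terminating end position of the branch; the digraph and the starting intermediate key are constructed sample values.

```python
import hashlib
import hmac

KEY_LEN = 16  # assumed size of set keys and intermediate keys, in bytes


def prsg(seed: bytes, label: bytes) -> bytes:
    """The PRSG of this example: HMAC-SHA256 used as a keyed PRF. The page leaves the
    generator open; a keyed PRF is assumed here so that the output is deterministic
    for center and terminal yet unpredictable to anyone without the seed."""
    return hmac.new(seed, label, hashlib.sha256).digest()[:KEY_LEN]


def set_key(t_s: bytes) -> bytes:
    """k(S): the set key at coordinate point S, derived from the intermediate key t(S)."""
    return prsg(t_s, b"set-key")


def next_intermediate(t_start: bytes, end_point: int) -> bytes:
    """t(S_end) from t(S_start) along the directional branch start -> end. Binding the
    output to the terminating end position (an assumption of this example) lets a
    terminal that was told only that position reproduce the center's computation."""
    return prsg(t_start, b"branch-end|" + end_point.to_bytes(4, "big"))


def expand_node(t_s0: bytes, ends: list[int]) -> tuple[bytes, dict[int, bytes]]:
    """Key providing apparatus side: from t(S0) generate k(S0) and t(S1), ..., t(Sm)
    for the terminating ends S1..Sm of all directional branches starting at S0."""
    return set_key(t_s0), {end: next_intermediate(t_s0, end) for end in ends}


def derive_along_path(t_start: bytes, path_ends: list[int]) -> bytes:
    """Terminal device side: walk only the branches it was given (the terminating end
    of each, in order) and return the set key at the final coordinate point."""
    t = t_start
    for end in path_ends:
        t = next_intermediate(t, end)
    return set_key(t)


# Constructed sample: point 0 has branches to 1, 2 and 4; point 2 has a branch to 3.
# The terminal holds t(S0) and belongs to the subset at coordinate point 3.
SAMPLE_T0 = bytes(range(KEY_LEN))
SAMPLE_DIGRAPH = {0: [1, 2, 4], 2: [3]}


def center_keys() -> dict[int, bytes]:
    """Center: expand every node of the sample digraph and collect k(S) for all points."""
    inter = {0: SAMPLE_T0}
    keys = {}
    for point in sorted(SAMPLE_DIGRAPH):  # parents precede children in this sample
        k, children = expand_node(inter[point], SAMPLE_DIGRAPH[point])
        keys[point] = k
        inter.update(children)
    for point, t in inter.items():
        keys.setdefault(point, set_key(t))
    return keys


def terminal_key() -> bytes:
    """Terminal: it received only the path 0 -> 2 -> 3, i.e. the end positions [2, 3]."""
    return derive_along_path(SAMPLE_T0, [2, 3])


if __name__ == "__main__":
    print(terminal_key() == center_keys()[3])  # the terminal reproduces k(S3)
```

Because each step is a one-way PRF of the previous intermediate key, a terminal holding t(S2) can derive k(S2) and k(S3) but not k(S0) or k(S1); the terminal only needs the terminating end positions along its own path, which is what the extracting unit above provides.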
According to another embodiment of the present invention, there is provided a key providing method for providing key information used for encryption or decryption of data to a plurality of terminal devices. The key providing method includes the steps of: acquiring set relationship information including a plurality of set information each indicating different combinations of the plurality of terminal devices, and a plurality of key generation path information indicating a key generation path necessary for generating, from the key information corresponding to one of the plurality of set information, key information corresponding to another one of the plurality of set information; extracting the key generation path information of one part of the plurality of key generation path information from the plurality of key generation path information contained in the set relationship information; and providing the key generation path information of one part extracted by the key generation path information extracting unit to the terminal device.
According to another embodiment of the present invention, there is provided a key generation method for generating key information used for encryption or decryption of information. The key generation method includes the steps of: acquiring key generation path information of one part of a plurality of key generation path information extracted from set relationship information including a plurality of set information each indicating different combinations of a plurality of terminal devices and a plurality of key generation path information indicating a key generation path for generating, from the key information corresponding to one of the plurality of set information, key information corresponding to another one of the plurality of set information; and generating, from the key information corresponding to one of the plurality of set information, key information corresponding to another one of the plurality of set information based on the key generation path information of one part.
According to each configuration described above, the key generation path information of one part extracted by the key providing apparatus is provided to the terminal device, and the terminal device derives, from the key corresponding to one set, a key corresponding to another set, and thus the capacity necessary for propagating the key generation path information from the key providing apparatus to the terminal device can be limited compared to when receiving the provision of all the key generation path information held in the key providing apparatus. Furthermore, the capacity required by the terminal device for holding the key generation path information can be limited compared to when the terminal device holds all the key generation path information in advance.
According to the present invention described above, the capacity necessary for the terminal device to propagate or hold the information for key generation can be reduced compared to when the terminal device propagates or holds all the key generation path information in advance.
Hereinafter, preferred embodiments of the present invention will be described in detail with reference to the appended drawings. Note that, in this specification and the appended drawings, configuring elements that have substantially the same function configuration are denoted with the same reference numerals, and redundant explanation of these configuring elements will be omitted.
The configuration of a key providing system 100 according to a first embodiment of the present invention and the specific system related to key distribution will be described in detail below.
Prior to describing the configuration of the key providing system 100 according to the present embodiment in detail, the outline of the key distribution system according to the present embodiment will be briefly described.
The present embodiment can be applied to various key distribution systems, but a case of applying the present embodiment to the AI05 system and the A06(A+B) system will be described by way of example for the sake of convenience of the explanation. The basic idea of the AI05 system and the like to which the present embodiment can be applied will be briefly described.
In the AI05 system and the like, a set of all terminal devices, with each terminal device contained in the key distribution system corresponded to an element of the set, is considered, similar to the normal broadcast encryption system. The key distribution is executed using a plurality of subsets obtained by dividing the set. That is, a subset represents a combination of terminal devices. First, the key distribution server forms a binary tree (BT) and corresponds each terminal device to a leaf node. The key distribution server then generates a plurality of “sets of subsets” having subsets as elements according to a predetermined rule, and corresponds each set of subsets to the root node or an intermediate node of the BT. The key distribution server associates the plurality of subsets contained in a set of subsets based on a predetermined rule (hereinafter sometimes referred to as jump). The relationship between the subsets is represented by a digraph or a directional branch. The set and the subsets, which are elements of the set, are examples of set information. The digraph generated by the AI05 system and the like is an example of set relationship information. Furthermore, the directional branches configuring the digraph are examples of key generation path information. Here, the key generation path information is information representing a key generation path configured by one or more directional branches, or the digraph corresponding to an empty set.
The digraph is formed on a coordinate axis in which each subset contained in the set of subsets is corresponded to each coordinate point, and is configured by the directional branch connecting a plurality of coordinate points based on the jump. The key distribution server forms, for every set of subsets corresponded to the root node and each intermediate node contained in the BT, a digraph representing the relationship among the plurality of subsets contained in the set of subsets.
Further, the key distribution server selects a subset including a terminal device, which is the distributing destination, and specifies the digraph containing the relevant subset. The key distribution server generates a key by repeating a calculation by a pseudo random sequence generator (PRSG) based on the specified digraph. The feature of the AI05 system lies in dividing the set representing all terminal devices to subsets to reduce the amount of communication, the number of keys to be held by each terminal device, and the amount of calculation for each terminal device to generate the key compared to the broadcast encryption system of the related art. Therefore, in the key distribution system applied with the AI05 system and the like, the key to distribute to each terminal device can be generated using the digraph.
The A06(A) system is improved from the AI05 system such that the number of keys to be held by each terminal device is reduced by applying a process of shortening the length of the directional branches configuring the digraph. The A06(B) system is improved from the AI05 system such that the amount of calculation for each terminal device to generate the key is reduced by forming the digraph so that the directional branches become long. Moreover, the A06(A+B) system is improved from the AI05 system such that both the amount of calculation for the key generation and the number of keys to be held by each terminal device are reduced by first forming the digraph of long directional branches, similar to the A06(B) system, and then replacing predetermined directional branches with short directional branches, similar to the A06(A) system. Therefore, the load on the terminal device can be reduced compared to the AI05 system by applying any of the A06(A), A06(B), and A06(A+B) systems.
However, in the AI05 system and the like, how to acquire the information of the digraph necessary for each terminal device to generate the key is not clearly disclosed, and there exists a silent assumption that each terminal device holds all information of the digraph in advance or that each terminal device generates digraph on its own based on an algorithm same as the key distribution server. However, in view of the realistic situation, the amount of information of the digraph to be held by each terminal device and the amount of calculation for generating the digraph are enormous assuming the number of terminal devices contained in the key providing system, and thus they are difficult to realize in a limited resource of the general terminal device.
More specifically, considering the case of the A06(B) system, the number n of terminal devices contained in the key providing system is normally about n = 2^32, and thus the amount of information to be held by each terminal device is about 32 GByte even if the information of one directional branch is expressed with about 4 bytes. When each terminal device generates the digraph itself, (n−1) directional branches must be calculated for n = 2^32 terminal devices, and thus the calculation load for each terminal device to generate the digraph is very large.
Each system merely suggests using the information of each digraph held by each terminal device in advance when each terminal device generates the content key mek, and specific means are not shown. As described above, if the number of contractant is large, the amount of information of the digraph to be held by each terminal device becomes enormous, and thus it is realistically difficult to store such information in the terminal device. When each terminal device calculates the digraph, the amount of calculation of each terminal device becomes enormous and becomes difficult to realize.
The key distribution server according to the present embodiment has a configuration of providing the information of the digraph necessary for each terminal device to generate the key. Further, each terminal device has a configuration of executing the pseudo-random sequence calculation based on the information of the digraph acquired from the key distribution server and generating the necessary key.
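The extraction of "one part" of the digraph that reaches the terminal's coordinate point (the extracting unit described above, and the server configuration just stated), as an added worked example that is neither the patent's code nor that of the AI05/A06 systems. The skip-list-shaped digraph is a constructed toy, not the jump rule of any named system; the encoding of one branch as its 4-byte terminating end position takes the page's own "about 4 bytes per branch" figure.

```python
from collections import deque


def build_digraph(num_points: int, max_jump: int = 8) -> dict[int, list[int]]:
    """Constructed toy digraph on the coordinate axis 0..num_points-1: from point i
    there is a directional branch of length L (a power of two up to max_jump)
    whenever i is a multiple of L and i+L stays on the axis. This shape is this
    example's own assumption, not the jump rule of the systems named on the page."""
    graph = {i: [] for i in range(num_points)}
    for i in range(num_points):
        length = 1
        while length <= max_jump:
            if i % length == 0 and i + length < num_points:
                graph[i].append(i + length)
            length *= 2
    return graph


def extract_path(graph: dict[int, list[int]], start: int, target: int) -> list[tuple[int, int]]:
    """Key generation path information extracting unit: the one part of the digraph
    reaching the terminal's coordinate point from the point whose key the terminal
    holds. Breadth-first search returns the path with the fewest branches, which is
    also the fewest PRSG evaluations the terminal must perform."""
    prev = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            break
        for nxt in graph[node]:
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    if target not in prev:
        raise ValueError(f"no key generation path from {start} to {target}")
    path = []
    node = target
    while prev[node] is not None:
        path.append((prev[node], node))
        node = prev[node]
    return path[::-1]


def encode_branches(path: list[tuple[int, int]]) -> bytes:
    """Key generation path information providing unit: each branch is sent as the
    position of its terminating end (4 bytes). The starting end is implied by the
    previous branch, so the length need not be transmitted separately."""
    return b"".join(end.to_bytes(4, "big") for _, end in path)


def decode_branches(data: bytes) -> list[int]:
    """Terminal side: recover the ordered terminating end positions."""
    return [int.from_bytes(data[i:i + 4], "big") for i in range(0, len(data), 4)]


def transfer_sizes(graph: dict[int, list[int]], start: int, target: int) -> tuple[int, int]:
    """Bytes needed to send the whole digraph versus only the one part for this terminal."""
    full = sum(len(ends) for ends in graph.values()) * 4
    part = len(encode_branches(extract_path(graph, start, target)))
    return full, part


if __name__ == "__main__":
    g = build_digraph(16)
    print(extract_path(g, 0, 13), transfer_sizes(g, 0, 13))
```

On the 16-point sample the whole digraph has 26 branches (104 bytes) while the path 0 → 8 → 12 → 13 for a terminal at point 13 is 12 bytes; the gap widens with the number of terminal devices, which is the capacity reduction the embodiment targets.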
The key distribution system to which the present embodiment can be applied has been briefly described. It should be recognized that the key distribution system to which the present embodiment can be applied is not limited to each system of AI05, A06(A), A06(B), and A06(A+B), and the present embodiment may be applied to other key distribution systems. A case of applying the present embodiment to the AI05 system and the A06(A+B) system will be described in detail below for the sake of convenience of the explanation, but application means to other key distribution systems can be easily contrived by those skilled in the art based on the relevant description.
The configuration of the key providing system 100 according to the first embodiment of the present invention will be briefly described with reference to
With reference to
The network 10 is a communication line network for connecting the key distribution server 102 and the terminal device 122 in bidirectional communication or one-way communication. The network 10 is configured by a public line network such as Internet, telephone line network, satellite communication network, and broadcast communication path, and dedicated line network such as WAN (Wide Area Network), LAN (Local Area Network), IP-VPN (Internet Protocol-Virtual Private Network), and wireless LAN, and may be wired or wireless.
The key distribution server 102 can encrypt and distribute various electronic data in time of content distribution. For instance, the key distribution server 102 can generate a content key for encrypting or decrypting the content and distribute the same. The content key may be expressed with a random sequence (pseudo-random sequence) calculated by the pseudo-random sequence generator, a predetermined character string, numerical sequence, or the like. The content key may also be configured by an encryption content key and a decryption content key. The key distribution server 102 can also encrypt the content based on a predetermined encryption logic using the content key. Furthermore, the key distribution server 102 can distribute one or both of the content and the content key to an arbitrary terminal device 122.
The key distribution server 102 can generate a plurality of set keys for encrypting or decrypting the content key. In this case, the key distribution server 102 generates a plurality of set keys based on a predetermined digraph using the pseudo-random sequence generator. The key distribution server 102 encrypts the content key using each set key, and distributes the encrypted content key to a predetermined terminal device 122. Furthermore, the key distribution server 102 can distribute information of the digraph used to generate the predetermined set key to the predetermined terminal device 122. The set key is an example of the key information. The content key is an example of information encrypted/decrypted by the key information.
The plurality of set keys is corresponded to a group of subsets of contractants selected from a great number of contractants, and the key distribution server 102 generates set keys such that only the set of contractants permitted to reproduce the content (hereinafter referred to as permitted contractants) can decrypt the content key, encrypts the content key using the same, and distributes the encrypted content key to the terminal devices 122 of all contractants. The key distribution server 102 is thus configured to encrypt and distribute not only the content but also the content key. It should be recognized that a security level of a certain extent can be ensured by encrypting and distributing only the content, but it is more advantageous to encrypt and distribute the content key as well, so as to respond flexibly to the addition or deletion of contractants permitted to use the content among the great number of contractants.
According to the above configuration, only the predetermined terminal device 122 can decrypt the encrypted content key, and thus only the predetermined terminal device 122 can decrypt and view the content. When the set of permitted contractant is changed, the key distribution server 102 can respond to such change by changing the set key used in encrypting the content key.
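The header construction described in the two paragraphs above (content key mek encrypted once per subset key and broadcast to every terminal, so that only terminals in a permitted subset recover it), as an added worked example that is not the patent's own code. The wrapping scheme (an HMAC-derived keystream plus an HMAC tag) is a constructed stand-in for the page's "predetermined encryption logic", the subset names S_a, S_b, S_c and their keys are constructed sample values, and the content key is limited to 32 bytes by the single-block keystream.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

TAG_LEN = 16


def wrap_key(set_key: bytes, mek: bytes) -> bytes:
    """Encrypt the content key mek under one set key. Toy construction for this
    example: XOR with a keystream derived from the set key, plus a tag so that a
    wrong key or a tampered header is detected rather than yielding garbage."""
    assert len(mek) <= 32, "single-block keystream in this toy scheme"
    nonce = os.urandom(16)
    stream = hmac.new(set_key, b"stream|" + nonce, hashlib.sha256).digest()[:len(mek)]
    body = bytes(m ^ s for m, s in zip(mek, stream))
    tag = hmac.new(set_key, b"tag|" + nonce + body, hashlib.sha256).digest()[:TAG_LEN]
    return nonce + body + tag


def unwrap_key(set_key: bytes, blob: bytes) -> Optional[bytes]:
    """Return mek, or None if the tag does not verify under this set key."""
    nonce, body, tag = blob[:16], blob[16:-TAG_LEN], blob[-TAG_LEN:]
    expect = hmac.new(set_key, b"tag|" + nonce + body, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expect):
        return None
    stream = hmac.new(set_key, b"stream|" + nonce, hashlib.sha256).digest()[:len(body)]
    return bytes(b ^ s for b, s in zip(body, stream))


def make_header(cover: Dict[str, bytes], mek: bytes) -> List[Tuple[str, bytes]]:
    """Header h: one encryption of mek per subset covering the permitted contractants.
    It is broadcast to every terminal; its size grows with the number of subsets."""
    return [(subset, wrap_key(k, mek)) for subset, k in cover.items()]


def recover_mek(header: List[Tuple[str, bytes]], held_keys: Dict[str, bytes]) -> Optional[bytes]:
    """Terminal: try the header entry of each subset it belongs to. A terminal outside
    every subset of the cover (e.g. a deleted contractant) gets None."""
    for subset, blob in header:
        if subset in held_keys:
            mek = unwrap_key(held_keys[subset], blob)
            if mek is not None:
                return mek
    return None


# Constructed sample: permitted contractants are covered by S_a and S_b; S_c is outside.
SET_KEYS = {name: hashlib.sha256(name.encode()).digest()[:16] for name in ("S_a", "S_b", "S_c")}
MEK = bytes.fromhex("00112233445566778899aabbccddeeff")


def demo() -> Tuple[Optional[bytes], Optional[bytes]]:
    """Outcome for a terminal in S_b and for a terminal holding only k(S_c)."""
    header = make_header({"S_a": SET_KEYS["S_a"], "S_b": SET_KEYS["S_b"]}, MEK)
    permitted = recover_mek(header, {"S_b": SET_KEYS["S_b"]})
    excluded = recover_mek(header, {"S_c": SET_KEYS["S_c"]})
    return permitted, excluded


if __name__ == "__main__":
    print(demo())
```

Changing the set of permitted contractants means re-issuing the header under a different cover of subsets, while the content itself stays encrypted under the same mek; that is the flexibility the passage attributes to encrypting the content key rather than only the content.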
The pseudo-random sequence generator is a device or a program capable of outputting a pseudo-random sequence of a long period by inputting a predetermined seed value, and is realized using logic such as linear congruential method and Mersenne Twister method. It should be noted that the pseudo-random sequence generator applicable to the present embodiment is not limited thereto, and may generate the pseudo-random sequence using other logics, or may be a device or a program capable of generating the pseudo-random sequence including special information or condition.
The key distribution server 102 is configured by an information processing device such as personal computer (PC) having a server function, and can transmit various types of information to an external device via the network 10. For example, the key distribution server 102 can generate an encryption key of the broadcast encryption system, and distribute the encryption key to the terminal device 122. Further, the key distribution server 102 may have a function serving as a content distribution server for providing content distribution service such as video distribution service, electronic music distribution service, and the like, or may have a function for distributing the content to the terminal device 122. The key distribution server 102 and the content distribution server may obviously be configured as different devices.
The content may be video content of moving images or still images such as movies, television programs, video programs, and figures; audio content such as music, lectures, and radio programs; game content; document content; or arbitrary content data including software and the like. The video content may include not only the video data but also the audio data.
The terminal device 122 can receive various information from the key distribution server 102. For instance, the terminal device 122 can receive the content or the content key distributed by the key distribution server 102. The terminal device 122 can decrypt the encrypted content using the content key received from the key distribution server 102. However, since the content or the content key transmitted from the key distribution server 102 is encrypted by a predetermined set key, the content or the content key is to be decrypted. The terminal device 122 thus decrypts the encrypted content or the content key using the predetermined set key acquired from the key distribution server 102. The terminal device 122 can also use the set key, which it holds in advance, or an intermediate key for generating the predetermined set key to generate the set key used by the key distribution server 102 to encrypt the content or the content key. In this case, the terminal device 122 inputs the set key or the intermediate key, which it holds, to the pseudo-random sequence generator and generates the desired set key based on the information related to the digraph acquired from the key distribution server 102. The intermediate key is an example of key information.
According to such configuration, the terminal device 122 does not generate the digraph necessary for generating the desired set key, and thus the amount of information to be held can be reduced and the calculation load in generating the set key can be reduced.
The terminal device 122 is a terminal device that can perform data communication with an external device by way of the network 10, and is owned by each contractant. The terminal device 122 is configured by an information processing device such as a personal computer (not shown), but is not limited thereto, and may be configured by an information home electrical appliance such as a PDA (Personal Digital Assistant), household game machine, DVD/HDD recorder, television receiver, television broadcast tuner and decoder, and the like, as long as it is a device having a communication function enabling information communication through the network 10. The terminal device 122 may also be a portable device that can be carried around by the contractant, such as a portable game machine, portable telephone, portable video/audio player, PDA, or PHS.
The configuration of the key providing system 100 according to the present embodiment has been briefly described above. A specific example of a hardware configuration of the key distribution server 102 and the terminal device 122 configuring the key providing system 100 will now be briefly described.
A hardware configuration of the key distribution server 102 and the terminal device 122 will be briefly described with reference to
With reference to
The controller 202 is connected to other configuring elements by way of a bus, and mainly controls each unit in the device based on the program and the data stored in the main storage unit 210. The controller 202 may be configured by calculation processing devices such as central processing unit (CPU).
The calculation unit 204 of the key distribution server 102 can execute encryption of content, encryption of the content key, generation of the digraph, generation of the set key, and generation of the intermediate key used to generate the set key. Therefore, the calculation unit 204 has the function of the pseudo-random sequence generator for generating the pseudo-random sequence based on predetermined data (seed value etc.) and at the same time encrypts the content or the content key based on a predetermined algorithm. The predetermined algorithm may be stored in the main storage unit 210 as a program that is readable by the calculation unit 204. The predetermined data may be stored in the main storage unit 210 or the secure storage unit 208. The calculation unit 204 can record the output result obtained by executing various types of calculation processes in the main storage unit 210 or the secure storage unit 208. The calculation unit 204 is configured by a calculation processing device such as a CPU. The calculation unit 204 may be integrally formed with the controller 202.
The calculation unit 204 of the terminal device 122 can execute decryption of content, decryption of the content key, generation of the set key, and generation of the intermediate key used to generate the set key. Therefore, the calculation unit 204 has the function of the pseudo-random sequence generator for generating the pseudo-random sequence based on predetermined data (seed value etc.) and at the same time decrypts the content or the content key based on a predetermined algorithm. The predetermined algorithm may also be stored in the main storage unit 210 as a program that is readable by the calculation unit 204. The predetermined data may be stored in the main storage unit 210 or the secure storage unit 208. The calculation unit 204 can record the output result obtained by executing various types of calculation processes in the main storage unit 210 or the secure storage unit 208. The calculation unit 204 is configured by a calculation processing device such as a CPU. The calculation unit 204 may be integrally formed with the controller 202.
The input/output interface 206 is mainly connected to an input device for the user to input data, and an output device for outputting the calculation result or the content. The input device may be a keyboard, mouse, track ball, touch pen, keypad, touch panel, or the like. The input device may be connected to the input/output interface 206 by wire or wirelessly. The input device may be a portable electronic device connected by wire or wirelessly, such as a portable telephone or PDA. The output device may be a display device such as a display, an audio output device such as a speaker, or the like. The output device may be connected to the input/output interface 206 by wire or wirelessly. The input/output device may be integrally formed with the key distribution server 102 or the terminal device 122.
The input/output interface 206 is connected to other configuring elements by way of a bus, and can transmit data input through the input/output interface 206 to the main storage unit 210, and the like. To the contrary, the input/output interface 206 can output the data stored in the main storage unit 210 and the like, the data input through the network interface 212 and the like, the result obtained through calculation based on the relevant data by the calculation unit 204, or the like to the output device.
The secure storage unit 208 is a storage device for safely storing data requiring confidentiality, mainly the content key, the set key, and the intermediate key. The secure storage unit 208 may be configured including a magnetic storage device such as a hard disc, an optical storage device such as an optical disc, a magneto-optical storage device, a semiconductor storage device, or the like. The secure storage unit 208 may be configured as a storage device having a tamper resistance property.
The main storage unit 210 may store an encryption program for encrypting the content or the content key, a decryption program for decrypting the encrypted content or the content key, a key generation program for generating the set key or the intermediate key, or the like. The main storage unit 210 may temporarily or permanently store the calculation result output from the calculation unit 204, or store the data input from the input/output interface 206, the network interface 212, or the media interface 216. The main storage unit 210 may be configured by a magnetic storage device such as a hard disc, an optical storage device such as an optical disc, a magneto-optical storage device, a semiconductor storage device, or the like.
The network interface 212 is an interface means connected to other communication devices by way of the network 10 for transmitting and receiving encrypted content or content key, set key, data such as intermediate key, parameter information used in encryption, and data related to the set of permitted contractant. The network interface 212 is connected to other configuring elements by way of the bus so as to transmit data received from the external device on the network 10 to other configuring elements or transmit data of other configuring elements to the external device on the network 10.
The media interface 216 is an interface for removably attaching an information medium 218 to read or write data, and is connected to other configuring elements by way of the bus. The media interface 216 can read out data from the attached information medium 218 and transmit the same to other configuring elements, or write data provided from other configuring elements to the information medium 218. The information medium 218 may be a portable storage medium (removable storage medium) such as an optical disc, magnetic disc, or semiconductor memory, or may be a storage medium of an information terminal connected by wire or wirelessly at a relatively close distance without going through the network 10.
One example of the hardware configuration capable of realizing the functions of the key distribution server 102 and the terminal device 122 according to the present embodiment has been described above. Each configuring element above may be configured using a universal member or may be configured by dedicated hardware specialized for the function of each configuring element. Therefore, the hardware configuration to use can be appropriately changed according to the technical level at the time of implementing the present embodiment. The hardware configuration described above is merely an example, and the embodiment is not limited thereto. For instance, the controller 202 and the calculation unit 204 may be configured by the same calculation device, or the secure storage unit 208 and the main storage unit 210 may be configured by the same storage device. The media interface 216, the input/output interface 206, or the like may be omitted depending on the usage mode.
The AI05 system and the A06(A+B) system will be described in detail as examples of the key distribution system to which the present embodiment can be applied. It should be recognized that the key distribution system to which the present embodiment can be applied is not limited thereto, and means for applying the present embodiment to other key distribution systems can be easily contrived by those skilled in the art from the following description.
The AI05 system to which the present embodiment can be applied will be described below. The AI05 system is a system for dividing the set of terminal devices 122, to which the content is distributed, to a plurality of subsets, and encrypting the content key with the set key corresponded to each subset and distributing the same. Each process described below is mainly executed by the key distribution server 102, but at least part of the algorithm below is used in the terminal device 122 to generate the key for decrypting the content or the content key.
In the AI05 system, review is made with the set of terminal devices 122, to which the content is distributed, divided into a plurality of subsets. The way of dividing into subsets according to the AI05 system will be described with reference to
Set N of all terminal devices (contractants)={1, . . . , n} (n is a power of 2)
Regarding natural numbers i and j (where i≦j)
The node positioned at the terminal end on the binary tree structure is called the leaf node, the node positioned at the vertex as the root node, and each node positioned between the root node and the leaf node as the intermediate node. Each leaf node is corresponded to each terminal device 122. In the example of
First, the BT is formed such that the number of leaf nodes is n (e.g., n=64). The numbers 1, . . . , n are corresponded from the left end towards the right with respect to each leaf node. That is, the numbers 1, . . . , n are corresponded to each terminal device 122. Indices lv and rv for defining the subset to assign to a certain intermediate node v are then defined. Among the leaf nodes positioned at the lower level of the certain intermediate node, the number of the leaf node at the far left is defined as lv and the number of the leaf node at the far right is defined as rv. Here, the intermediate node v indicates the intermediate node on the BT having v as the index.
Next, the intermediate nodes on the BT are classified into two sets. Among the intermediate nodes on the BT, the set of intermediate nodes positioned on the left side of a parent node is defined as BTL and the set of intermediate nodes positioned on the right side of the parent node is defined as BTR. Regarding the positional relationship between two nodes connected on the BT, the node positioned at the higher level is called the parent node, and the node positioned at the lower level is called the child node.
(Correspondence of Set with Respect to Root Node)
The set to correspond to the root node of the BT is then set. Since all leaf nodes are coupled to the root node at the lower level, a set having a subset including part of or all of the terminal devices 122 as an element is corresponded. That is, set (1→n) and set (2←n) are set as sets to be corresponded to the root node. For instance, in set (1→64) and set (2←64) are corresponded to the root node of
This correspondence is due to the following reasons. According to the above definition, the set (1→64) includes the subsets [1,1], . . . , [1,64] as elements, and thus a group of terminal devices 122 including all terminal devices 122 (numbers 1 to 64) can be represented as [1,64]={1, . . . , 64}. Similarly, all the terminal devices 122 excluding the terminal device 122 of number 16 can be represented by using the subset [1,15] and the subset [64,17]. In this case, the subset [1,15] belongs to the set (1→64), and the subset [64,17] belongs to the set (2←64). That is, an arbitrary combination of the leaf nodes (i.e., terminal devices 122) positioned at the lower level of the root node can be represented using the subsets of the sets corresponded to the root node.
(Correspondence of Set with Respect to Intermediate Node)
The subset is then corresponded to each intermediate node of the BT. First, the set (lv+1←rv) is corresponded to the intermediate node v belonging to the set BTL, for all v. Similarly, the set (lv→rv−1) is corresponded to the intermediate node v belonging to the set BTR, for all v. In
For instance, with reference to the intermediate node corresponded with the set (2←4), the set (2←2) and the set (3→3) are corresponded to the two intermediate nodes positioned at the lower level of such intermediate node. The leaf nodes 1, . . . , 4 are coupled at the lower level of the two intermediate nodes. When representing the combination of the leaf nodes excluding number 3, a set of subsets {[1,1], [2,2], [4,4]} or {[1,2], [4,4]} is corresponded. The subsets [1,1] and [1,2] are elements of the set (1→64) assigned to the root node, and the subsets [2,2] and [4,4] are elements of the sets (2←2) and (2←4), respectively. That is, the desired combination of the leaf nodes (terminal devices 122) can be represented by using the subsets of the sets corresponded to each intermediate node.
In the AI05 system, the set of subsets representing the combination of the terminal devices 122 is defined using the BT. The whole set formed by the above subsets is referred to as a set system SS. The set system SS can be mathematically expressed as in the following Equation (1).
The method of forming the binary tree structure in the AI05 system has been described above. The fundamental concept of the AI05 system is to generate a plurality of set keys for encrypting the content or the content key with respect to each subset, encrypting the content or the content key with each set key, and distributing the same to a predetermined terminal device 122. Although not clearly implied from the description made above, means for efficiently classifying the combination of the terminal devices 122 can be provided by defining the subset according to the above rule. An algorithm for generating the set key using the subset will be described below.
The algorithm for generating the set key will be described with reference to
In the AI05 system, the pseudo-random sequence generator PRSG is used to generate the set key. When the intermediate key t(S0) corresponding to a certain subset S0 is input, the PRSG outputs the set key k(S0) corresponding to the subset S0 and the intermediate keys t(S1), t(S2), . . . , t(Sk) corresponding to the subsets S1, S2, . . . , Sk. The relationship between the subset S0 and other subsets S1, . . . , Sk is defined by the digraph, to be hereinafter described.
The sets S0, S1, . . . , Sk are one of the subsets configuring the set system SS, and represent the combination of the terminal devices 122, as described above. The feature of the AI05 system is in the shape of the digraph in which a logic defining the relationship between the input (e.g., t(S0)) and the output (e.g., k(S0), t(S1), . . . , t(Sk)) of the PRSG is expressed. The method of generating the digraph according to the AI05 system will be described. First, symbols and the like used will be defined below.
Intermediate key corresponding to subset Si: t(Si)
set key corresponding to subset Si: k(Si)
content key: mek
pseudo-random sequence generator: PRSG
directional branch: E
directional path (path): P
digraph: H
number of directional branches having coordinate point corresponding to subset Si as starting point: d
The digraph of the AI05 system corresponding to the set (i→j) or the set (i←j) is noted as H(i→j) or H(i←j). The directional path P is an example of the key generation path information. The input and output of the PRSG are noted as in the following Equation (2). This indicates that the set key k(S0) and the plurality of intermediate keys t(S1), . . . , t(Sd) are output as a result of the input of the intermediate key t(S0) to the PRSG.
[Equation 2]
t(S1)∥ . . . ∥t(Sd)∥k(S0)←PRSG(t(S0)) (2)
First, a parameter k (k is a natural number) is determined. However, k|log(n) (hereinafter, the base of log is 2) for the sake of simplification. The parameter k is related to the number of intermediate keys to be consequently held by the terminal device 122 and the amount of calculation necessary for the terminal device 122 to generate the set key. Therefore, the parameter k is a parameter to be appropriately set according to the embodiment. In the example of
The method of generating the digraph will be specifically described with regards to the digraph H(lv→rv−1) corresponding to a certain intermediate node v with reference to
The horizontal coordinate axis for configuring the digraph H(lv→rv−1) is first set. Each coordinate point of the horizontal coordinate axis is corresponded with each subset Si configuring the set (lv→rv−1). The subset Si corresponded to each coordinate point is arranged such that the inclusion relation becomes larger from the left towards the right. For instance, using the digraph H(5→7)=H({[5,5], [5,6], [5,7]}) by way of example, the subsets [5,5], [5,6], [5,7] are corresponded in order from the left to the coordinate points of the horizontal coordinate axis.
With reference to
After the horizontal coordinate axis is set according to the above rule, one temporary coordinate point is set on the left side of the coordinate point positioned at the most left on the horizontal coordinate axis. Furthermore, one temporary coordinate point is set on the right side of the coordinate point positioned at the most right on the horizontal coordinate axis. The temporary coordinate point at the left end is assumed as the starting point and the temporary coordinate point at the right end is assumed as the ending point. The length Lv from the temporary coordinate point positioned at the left end to the temporary coordinate point positioned at the right end is Lv=rv−lv+1.
The directional branch forming the digraph H(lv→rv−1) is set.
(2-1) An integer x satisfying n^((x−1)/k)<Lv≦n^(x/k) is calculated. Here, the integer x is 1≦x≦k.
(2-2) The following operation is repeatedly executed while moving the counter i from 0 to x−1. Starting from the starting point on the horizontal coordinate axis, the rightward directional branch extending to the coordinate point distant by n^(i/k) from the relevant coordinate point (i.e., a jump to the coordinate point distant by n^(i/k) from the relevant coordinate point) is repeatedly generated until the terminating end of the directional branch reaches the ending point on the horizontal coordinate axis or until the ending point of the directional branch formed next would exceed the ending point on the horizontal coordinate axis.
All directional branches having the temporary coordinate point as the starting point or the ending point are deleted.
If a plurality of directional branches reach a certain coordinate point, all directional branches other than the longest directional branch are deleted.
The digraph H(lv→rv−1) can be built by executing the above-described algorithm (step 1 to step 4).
The configuration of the digraph will be specifically described using the digraph H(33→63) of
The outlined arrow displayed on the upper side of the digraph H(33→63) indicates the direction of the directional branch. The digraph H(33→63) is obtained as a result of executing the above-described algorithm for the case of lv=33, rv=64, k=6, n=64. The black circle drawn at the lowermost stage in
The above-described algorithm is provided to generate the rightward digraph H(lv→rv−1), but the leftward digraph H(lv+1←rv) can be similarly generated by applying the algorithm. However, when setting the horizontal coordinate axis forming the digraphs H(lv+1←rv) and H(2←n), it is to be noted that the subset Si is arrayed such that the inclusion relation becomes larger from the right towards the left on the horizontal coordinate axis and that the direction of the directional branch is leftward.
The method of generating the digraph H according to the AI05 system has been described above. The logic for generating the set key using the digraph H will be described below.
In the AI05 system, the content key mek is encrypted using each set key k(Si) corresponding to each subset Si configuring the set system SS. Each coordinate point of the digraph H corresponds to the subset Si representing the combination of the terminal devices 122, as described above. The set key k(Si) and the intermediate key t(Si) are corresponded to each subset Si. The method of generating the set key k(Si) based on the digraph H will be described in view of such correspondence relationship.
The coordinate point indicated by the terminating end of one or more directional branches having the coordinate point S0 as the starting end is expressed as S1, S2, . . . , Sk in the order closer to the starting end S0 of the relevant directional branch (order of shorter directional branch). If the number of directional branches having the coordinate point S0 as the starting point is q (q<k), the coordinate points S(q+1), S(q+2), . . . , Sk are counted as dummies but are not actually used. Since the number of repetition processes in (step 2-2) is x (1≦x≦k), the number of directional branches having each coordinate point of the digraph H as the starting end is k at maximum.
According to the AI05 system, the set key k(Si) is generated using the PRSG that outputs (k+1)*λ bits with respect to an input of λ bits. When the intermediate key t(S0) corresponding to the coordinate point S0 is input, the PRSG outputs the intermediate keys t(S1), t(S2), . . . , t(Sk) corresponding to each coordinate point (e.g., coordinate points S1, S2, . . . , Sk) reached by a directional branch having the coordinate point S0 as the starting end, and the set key k(S0) corresponding to the input intermediate key t(S0). That is, t(S1)∥ . . . ∥t(Sk)∥k(S0)←PRSG(t(S0)). The intermediate keys t(S1), t(S2), . . . , t(Sk) and the set key k(S0) can be generated by sectionalizing the output of the PRSG into λ-bit pieces from the left.
For instance, with reference to
As described above, the intermediate key and the set key can be generated based on the digraph H if the predetermined intermediate key t(S0) is held. However, if the information of the digraph H is not referenced, it is not known which intermediate keys or set keys are generated by inputting the predetermined intermediate key t(S0) to the PRSG, and thus the desired set key becomes difficult to generate. It is an object of the present embodiment to provide a solution to such issue. This will be hereinafter described.
The key generation method using the intermediate key has been described up to now, but the configuration of using the intermediate key is not essential in the existing AI05 system and in the present embodiment to be hereinafter described. The intermediate key is used for the purpose of enhancing safety, and another set key k(S1) etc. may be directly calculated from the set key k(S0) when significant attention is not paid to safety, when attempting to reduce the amount of calculation for generating the set key, or the like. For instance, when the set key k(S0) is input to the PRSG, the set keys k(S1), k(S2), k(S3), k(S4) corresponding to the reaching destinations of the directional branches extending from the coordinate point S0 may be output.
The method of generating the set key has been described above. As can be easily understood from the above example, if a certain intermediate key is held, such intermediate key may be used and the PRSG may be iteratively executed to derive the intermediate key and the set key corresponding to all coordinate points that can be reached by a chain of directional branches extending from the coordinate point corresponding to the relevant intermediate key. Therefore, each terminal device 122 merely holds the minimum set of intermediate keys from which all intermediate keys corresponding to the subsets in which it is included as an element can be derived.
The key distribution server 102 uses the intermediate key corresponding to the head coordinate point (hereinafter referred to as route) of each digraph and repeatedly executes the calculation by the PRSG to derive the set key corresponding to all coordinate points to which the directional branches configuring each digraph can reach.
Therefore, the manager of the key providing system 100, for example, generates a random sequence of λ bits and sets as an intermediate key of the route of each digraph H in the key distribution server 102 in time of setup of the key providing system 100. The route of the digraph H refers to the coordinate point where the directional branch extends from the relevant coordinate point but the directional branch does not reach the relevant coordinate point. For instance, the route of the digraph H(1→64) of
The method of generating the set key has been described above. This method is used not only when generating the set key for the key distribution server 102, which is the transmitter side of the content or the content key, to encrypt the content or the content key and the intermediate key to distribute to each terminal device 122, but also to generate the desired set key using the intermediate key it holds in advance even in the terminal device 122 on the reception side.
A method in which the key distribution server 102 distributes a predetermined intermediate key to each terminal device 122 will now be described. A plurality of intermediate keys from which the set key corresponding to all subsets to which the relevant terminal device 122 is included can be derived is provided in advance to each terminal device 122. To the contrary, the intermediate key from which the set key corresponding to the subset to which the relevant terminal device 122 is not included can be derived is not provided to the terminal device 122, and the number of intermediate keys to be provided to the terminal device 122 is preferably a minimum.
The key distribution server 102 extracts all digraphs H that can reach the coordinate point corresponding to the subset in which the terminal device 122 of contractant u is included. If the terminal device 122 of the contractant u is included in the subset corresponding to the route of the digraph H, only the intermediate key corresponding to the relevant route is provided to the terminal device 122 of the contractant u.
If the terminal device 122 of the contractant u is included in one of the subsets corresponding to the coordinate points other than the route of the digraph H, the subset S0 where the terminal device 122 of the contractant u is included in the subset S0 and not included in the subset parent (S0) or the parent of the subset S0 is extracted. The intermediate key t(S0) corresponding to the subset S0 is provided to the terminal device 122 of the contractant u.
That is, if the terminal device 122 of the contractant u is included in the subsets corresponding to a plurality of coordinate points other than the route of the digraph H, the starting end of the directional branch reaching each coordinate point is referenced, and a coordinate point is selected such that the subset corresponding to the starting end of the branch reaching that coordinate point does not include the terminal device 122 corresponding to the contractant u. With the subset corresponding to such coordinate point as S0, and the subset corresponding to the starting end (parent) of the directional branch reaching the coordinate point S0 as parent(S0), the intermediate key t(S0) corresponding to the coordinate point S0 whose parent(S0) does not include the contractant u is provided to the terminal device 122 of the contractant u.
If a plurality of such coordinate points S0 exist, the respective intermediate keys t(S0) are provided to the terminal device 122 of the contractant u. The parent-child relationship of the coordinate points is defined by the directional branch. That is, the starting end of the directional branch becomes the parent of the terminating end, and the terminating end of the directional branch becomes the child of the starting end. The parent of the coordinate point S0 is noted as parent(S0). It can be recognized that the parent of the coordinate point S0 does not exist if the coordinate point S0 is the route of the digraph H. Exactly one parent of the coordinate point S0 exists if the coordinate point S0 is not the route of the digraph H.
The method of distributing the intermediate key will now be specifically described with reference to the example of
The intermediate key distributed to the terminal device 122 of the contractant 1 will be considered. First, the digraph H that can reach the subset to which the terminal device 122 of the contractant 1 is included is extracted. With reference to
The intermediate key distributed to the terminal device 122 of a contractant 3 will be considered. First, the digraph H that can reach the subset to which the terminal device 122 of the contractant 3 is included is extracted. With reference to
However, the terminal device 122 of the contractant 3 is included in the subsets [1,3], [1,4], . . . , [1,64] from the third coordinate point onwards. It can be seen with reference to the subsets of the parents of such coordinate points that the only coordinate points whose parent subset does not include the terminal device 122 of the contractant 3 are [1,3] and [1,4]. That is, the coordinate point [1,2], which is both parent([1,3]) and parent([1,4]), does not include the terminal device 122 of the contractant 3.
As a result, the intermediate keys t([1,3]) and t([1,4]) corresponding to the digraph H(1→64) are distributed to the terminal device 122 of the contractant 3. Similarly, the intermediate key is selected for other digraphs H(2←64), H(2←32), H(2←16), H(2←8), H(2←4), H(3→3) and distributed to the terminal device 122 of the contractant 3. Consequently, a total of eight intermediate keys are distributed to the terminal device 122 of the contractant 3.
The process in which the key distribution server 102 distributes the intermediate key to each terminal device 122 will be briefly described with reference to
As shown in
The method of distributing the intermediate key has been described above. Through the use of such distribution method, the intermediate key for the terminal device 122 of each permitted contractant to generate the set key can be efficiently distributed, and the amount of communication between the key distribution server 102 and the terminal device 122 and the amount of memory for each terminal device 122 to hold the key can be saved.
A method of distributing the content key mek encrypted by the key distribution server 102 will now be described.
The key distribution server 102 first encrypts the content key mek using the set keys that can be generated only by the terminal devices 122 of the permitted contractants. The key distribution server 102 determines the set R including the terminal devices 122 of the contractants to be eliminated (hereinafter referred to as eliminating contractants), and determines the set N/R obtained by excluding the set R from the set N including the terminal devices 122 of all contractants 1 to n.
One or a plurality of subsets Si (i=1, 2, . . . , m) is selected from the subsets configuring the set system SS, and the set N/R=S1∪S2∪ . . . ∪Sm is expressed using the selected subsets. Many combinations of subsets Si can express N/R, but the combination for which m becomes a minimum is desirably selected.
After selecting the subsets Si, the key distribution server 102 encrypts the content key mek using the set key k(Si) corresponding to each subset Si, and generates m content keys mek encrypted by the set keys k(S1), k(S2), . . . , k(Sm). The key distribution server 102 distributes the m encrypted content keys mek to the terminal devices 122 of all contractants 1 to n. In this case, the key distribution server 102 also distributes one or both of the information of the set N/R and the information of the m subsets Si simultaneously to each terminal device 122.
The distribution process of the content key mek encrypted by the key distribution server 102 will be briefly described with reference to
With reference to
The encryption method and the distribution method of the content key mek by the key distribution server 102 have been described above. The subset Si can be selected such that the number of set keys necessary for encryption becomes a minimum by using the encryption method described above. Thus, the amount of calculation for the encryption can be reduced when encrypting the content key mek, the number of encrypted content keys mek to be distributed can be reduced, and the amount of communication can be reduced.
A decryption process of the content or the content key in each terminal device 122 will now be described. The terminal device 122 decrypts the content key mek based on the information of the set N/R or m subsets Si received from the key distribution server and the m encrypted content keys.
The terminal device 122 receives the encrypted content key mek and the information representing the set N/R or the information representing m subsets Si from the key distribution server 102. The terminal device 122 then analyzes the information, and judges whether or not it is included in one of the m subsets Si. When judging that it is not included in any subset, the terminal device 122 judges that it is the terminal device 122 of the eliminating contractant, and terminates the decryption process. When the subset Si in which it is included is found, the terminal device 122 derives the set key k(Si) corresponding to the relevant subset Si using the PRSG. The configuration of the PRSG used by the terminal device 122 is similar to the configuration of the PRSG used by the key distribution server 102 in encryption.
Assume that, at the time of system setup, the terminal device 122 has been distributed in advance from the key distribution server 102 either the intermediate key t(Si) corresponding to the subset Si or an intermediate key t(Sj) from which t(Si) can be derived. The terminal device 122 inputs the intermediate key t(Si) or t(Sj), which it holds, to the PRSG so as to derive the set key k(Si) corresponding to the subset Si. In this case, the terminal device 122 repeatedly executes the process of the PRSG with reference to the information of the digraph, and calculates the set key k(Si). The terminal device 122 then decrypts the encrypted content key mek using the derived set key k(Si).
Reference is again made to
A process in which the terminal device 122 of the contractant 3 derives the set key corresponding to the subset [1,8] based on the digraph H shown in
First, with reference to the digraph H(1→64), a directional branch extending from the coordinate point [1,4] to the coordinate point [1,8] exists. This directional branch is the third shortest of the directional branches having the coordinate point [1,4] as the starting end. The terminal device 122 of the contractant 3 therefore inputs the intermediate key t([1,4]) corresponding to the coordinate point [1,4] to the PRSG and extracts the third λ-bit portion from the head of the output. This third λ-bit portion of the output is the intermediate key t([1,8]) corresponding to the subset [1,8]. After extracting the intermediate key t([1,8]) from the output of the PRSG, the terminal device 122 of the contractant 3 again inputs the intermediate key t([1,8]) to the PRSG and extracts the final λ bits of the output. These final λ bits of the output are the desired set key k([1,8]). The terminal device 122 of the contractant 3 can generate the desired set key k([1,8]) through the above processes.
Similarly, a case where the terminal device 122 of the contractant 1 generates the set key k([1,8]) based on the digraph H of
A decryption process of the encrypted content key mek in each terminal device 122 will now be described with reference to
With reference to
If a subset Si in which it is included exists, the terminal device 122 uses the PRSG to derive the set key k(Si) corresponding to such subset Si (S126). The terminal device 122 then decrypts the encrypted content key mek using the derived set key k(Si) (S128).
If not included in any of the subsets Si, the terminal device 122 displays and outputs a notification that it is not the terminal device 122 of a permitted contractant (notification of being an eliminating contractant) (S130), and terminates the decryption process of the content key.
The decryption method of the content key in the terminal device 122 has been described above. The decryption method requires the information of the digraph and the PRSG on the terminal device 122 side. However, it is difficult for the terminal device 122 to hold all the information of the digraph, as this strains the memory of the terminal device 122, and it is also difficult for the terminal device 122 to generate all digraphs, as this increases the calculation load of the terminal device 122. It is also difficult to distribute all information of the digraph, as this significantly increases the amount of calculation or strains the storage capacity of the distribution media. The key providing system 100 according to the present embodiment provides means for solving such issues, and its features will be hereinafter described.
The AI05 system to which the present embodiment can be applied has been described above. Through the use of the AI05 system, the number of intermediate keys to be held by each terminal device 122 can be suppressed to O(k*log(n)). The amount of calculation (number of operations of the PRSG) necessary for the generation of the set key can be suppressed to lower than or equal to about (2k−1)*(n^(1/k)−1). However, as already pointed out by the applicant of the subject application, the AI05 system still needs some improvement from the standpoint of efficiency. For instance, the A06(A) system succeeded in reducing the number of keys to be held by the terminal device 122, and the A06(B) system succeeded in reducing the amount of calculation necessary for the terminal device 122 to generate the key. The A06(A+B) system succeeded in reducing both the number of keys to be held by the terminal device 122 and the amount of calculation necessary for generating the key in a well-balanced manner. The feature of the present embodiment lies in how to provide the information of the digraph necessary when the terminal device 122 generates the key, and thus it can be applied to at least all of the systems described above.
The A06(A+B) system to which the present embodiment can be applied will now be described. As described above, the A06(A+B) system is a system capable of realizing efficient key distribution compared to the AI05 system. Therefore, it is more efficient to apply the A06(A+B) system when applying the present embodiment.
Prior to describing the A06(A+B) system, the efficiency of key distribution will be briefly described. First, the amount of calculation for the terminal device 122 to generate the desired key depends on the number of times the PRSG is executed to derive the desired intermediate key. The worst value corresponds to the number of directional branches that are passed until reaching the coordinate point at the end most distant from the root (a leaf from which no directional branch extends). With reference to the digraph H(1→64), eleven directional branches are passed from the root [1,1] until reaching the coordinate point [1,64] at the end, which means that the PRSG is executed eleven times for the terminal device 122 holding the intermediate key t([1,1]) to derive the intermediate key t([1,64]). Therefore, the amount of calculation of the terminal device 122 can be reduced by reducing the number of directional branches configuring the longest path of the digraph while ensuring a path that can reach every coordinate point on the horizontal coordinate axis. One approach to this issue is the A06(B) system, and the A06(A+B) system is the further improved system. A case of applying the present embodiment to the A06(A+B) system will be described in detail by way of example.
The configuration of the key distribution server 102 according to the present embodiment will now be described with reference to
With reference to
First, the key generation logic building block will be described in detail.
First, the tree structure setting unit 104 will be described. The tree structure setting unit 104 can generate the binary tree structure (see
The coordinate axis setting unit 106 will be described. The coordinate axis setting unit 106 sets the horizontal coordinate axis based on a rule similar to the AI05 system. First, the coordinate axis setting unit 106 sets a plurality of horizontal coordinate axes. The coordinate axis setting unit 106 then corresponds the plurality of subsets contained in the set (1→n−1) to each coordinate point on one horizontal coordinate axis so that the inclusion relation becomes larger in order from the left side towards the right. Similarly, coordinate axis setting unit 106 corresponds the plurality of subsets contained in the set (lv→rv−1) to each coordinate point on another one horizontal coordinate axis so that the inclusion relation becomes larger in order from the left side towards the right. The coordinate axis setting unit 106 repeats a similar process for all the sets (lv→rv−1) corresponded to the intermediate nodes forming the binary tree.
The coordinate axis setting unit 106 then corresponds the plurality of subsets contained in the set (2←n) to each coordinate point on another further one horizontal coordinate axis so that the inclusion relation becomes larger in order from the right side towards the left. Similarly, the coordinate axis setting unit 106 corresponds the plurality of subsets contained in the set (lv+1←rv) to the coordinate point on another further one horizontal coordinate axis so that the inclusion relation becomes larger in order from the right side towards the left. The coordinate axis setting unit 106 repeats a similar process for all the sets (lv+1←rv) corresponded to the intermediate nodes forming the binary tree.
The coordinate axis setting unit 106 generates two temporary coordinate points on the right side of the coordinate point positioned at the right end of the horizontal coordinate axis corresponding to the set (1→n−1). The coordinate axis setting unit 106 then generates two temporary coordinate points on the right side of the coordinate point positioned at the right end of the horizontal coordinate axis corresponding to the set (lv→rv−1). The coordinate axis setting unit 106 also generates two temporary coordinate points on the left side of the coordinate point positioned at the left end of the horizontal coordinate axis corresponding to the set (2←n) and of the horizontal coordinate axis corresponding to the set (lv+1←rv).
Through the above processes, the coordinate axis setting unit 106 can set the horizontal coordinate axis for forming the digraph with respect to the set corresponded to all the nodes forming the binary tree. Means for forming the digraph on each horizontal coordinate axis generated by the coordinate axis setting unit 106 will now be described below.
The temporary digraph generation unit 108 will be described. The temporary digraph generation unit 108 generates a temporary digraph I′ through a method similar to the method of generating the digraph H in the AI05 system. First, the temporary digraph generation unit 108 sets a predetermined integer k as a parameter. The temporary digraph generation unit 108 determines the integer x satisfying n^((x−1)/k) < rv−lv+1 ≦ n^(x/k). The temporary digraph generation unit 108 forms rightward directional branches having lengths n^(i/k) (i = 0 to x−1) on the horizontal coordinate axes corresponding to the set (1→n−1) and the set (lv→rv−1). The temporary digraph generation unit 108 forms leftward directional branches having lengths n^(i/k) (i = 0 to x−1) on the horizontal coordinate axes corresponding to the set (2←n) and the set (lv+1←rv).
As described above, the generation of the directional branch starts from the temporary coordinate point arranged adjacent to the coordinate point corresponding to the subset (i.e., subset including one user) having the least number of elements of the subsets in the AI05 system. It is to be noted that in the A06(A+B) system, the generation of the directional branch starts from the coordinate point corresponding to the subset (i.e., subset including one user) having the least number of elements of the subsets.
The temporary digraph generation unit 108 then erases, on all the horizontal coordinate axes, every directional branch having a temporary coordinate point as its starting end or terminating end. With respect to all coordinate points on all horizontal coordinate axes, if a plurality of directional branches reach one coordinate point, the temporary digraph generation unit 108 erases all of them other than the directional branch of longest length. The temporary digraph generation unit 108 then adds a rightward directional branch of length one whose terminating end is the left one of the two temporary coordinate points generated on the horizontal coordinate axis corresponding to the set (1→n−1). That is, the temporary digraph generation unit 108 executes the process of the following Equation (3) to generate the temporary digraph I′(1→n) corresponding to the set (1→n) associated with the root node.
[Equation 3]
E(I′(1→n−1))∪{([1, n−1], [1, n])} (3)
Through the above processes, the temporary digraph generation unit 108 can form the temporary digraph I′ configured by the directional branch longer than in the AI05 system. This algorithm is based on the fundamental concept of the A06(B) system. The amount of calculation for the terminal device 122 to generate the key can be reduced by applying such algorithm.
A flow of the process executed by the coordinate axis setting unit 106 and the temporary digraph generation unit 108 will be briefly organized with reference to
(S140) First, the elements of the set (lv→rv−1) are lined up on the horizontal line so that the inclusion relation becomes larger from left to right. The leftmost coordinate point is the starting point. Two temporary coordinate points are arranged on the right of the rightmost coordinate point. The length from the starting point to the rightmost temporary coordinate point is Lv=rv−lv+1. An integer x (1≦x≦k) satisfying n^((x−1)/k) < Lv ≦ n^(x/k) is then calculated.
(S142) The following operation is then performed while moving the counter i from 0 to x−1. Starting from the starting point, a jump of n^(i/k) is made repeatedly from the current coordinate point to the coordinate point spaced apart by n^(i/k), until the temporary coordinate point is reached or the next jump would pass beyond it. The directional branch corresponding to each jump is then generated.
(S144) All the directional branches reaching the temporary coordinate points are then erased.
(S146) If a plurality of directional branches reach a certain coordinate point T, the directional branches other than the one having the longest jump distance are erased.
The temporary digraph I′ shown in
The digraph generation unit 110 will now be described. The digraph generation unit 110 generates the digraph I by replacing some of the plurality of directional branches configuring the temporary digraph I′. First, the digraph generation unit 110 selects, among the directional paths contained in the temporary digraph I′, the directional path configured by the largest number of directional branches. Such a directional path is referred to as the longest directional path LP (Longest Path). The digraph generation unit 110 replaces directional paths contained in the temporary digraph I′ with directional paths configured by sets of shorter directional branches, under the condition that the number of directional branches of any directional path does not exceed the number of directional branches of the longest directional path LP.
The algorithm for generating the digraph I will be described in detail with reference to
As shown in
Each step shown in
First, the step (S160) in which the longest directional path LP is extracted will be described in detail with reference to
DDT: Number of directional branches of the longest directional path LP
J(a, b): a directional branches of length b exist continuously
First, t = n^(1/k) − 1. The directional path P([1,1], [1,n]) from the coordinate point [1,1] to the coordinate point [1,n] of the temporary digraph I′(1→n) is then considered. The directional path P([1,1], [1,n]) is expressed as J(t, n^((k−1)/k)), J(t, n^((k−2)/k)), . . . , J(t, n^(1/k)), J(t, n^(0/k)). This directional path is referred to as the longest directional path LP. The number of directional branches DDT of the longest directional path LP becomes DDT = k*(n^(1/k)−1). An active mark is set on all the directional branches configuring the longest directional path LP.
The process (S162 to S176) of extracting the directional path PLP of longest length for the temporary digraph I′ corresponding to all the subsets other than the temporary digraph I′ including the longest directional path LP will be described below with reference to
CP(Current Path): Directional path in reference (current path)
#JP(CP): number of directional branches of current path
A current path CP from the starting point to the ending point of the digraph I′ is first determined. If the current path is included in the digraph I′(a→b), the directional path P([a,a], [a,b]) is the current path CP, and if included in the digraph I′(a←b), the directional path P([b,b], [b,a]) is the current path CP (S162). The longest directional branch of the directional branches configuring the current path CP is selected, and the length thereof is set as J (S164). Whether or not J≦1 is determined (S166).
If J≦1, the current path CP is determined as the directional path PLP of longest length, and the active mark is set on all the directional branches included in the current path CP (S176). If J>1, whether or not #JP(CP)+t≦DDT is determined (S168). If #JP(CP)+t≦DDT does not hold, the current path CP is determined as the directional path PLP, and the active mark is set on all the directional branches included in the current path (S176). If #JP(CP)+t≦DDT holds, a natural number j satisfying J = n^(j/k) is calculated (S170).
Among the directional branches of length J included in the current path CP, the directional branch most distant from the starting point of the current path CP is extracted (S172). One directional branch of length n^((j−1)/k) is added immediately after the t directional branches of length n^((j−1)/k) extending from the starting point of the directional branch extracted in step S172, the directional branch extracted in step S172 is removed (S174), and the process returns to step S162 to repeat the above processes.
The loop process between step S162 and step S174 is terminated when all the directional paths from the starting point to the ending point of the digraph I′ are configured by directional branches of length one, or when replacing a greater number of directional branches would make the number of directional branches configuring the directional path exceed DDT.
The process (S180 to S202) of replacing the directional branch included in the temporary digraph I′ with the short directional branch will be described in detail below with reference to
First, the directional branch having the longest length J′ is extracted from the directional branches in the graph that are active and not yet processed (without the done mark). If a plurality of directional branches of that maximum length exist, the directional branch most distant from the starting point of the temporary digraph I′ is selected (S180). The selected directional branch is referred to as WJ (Working Jump). The starting point of the directional branch WJ is WJS and the ending point is WJE. The number of directional branches included in the directional path from the starting point of the temporary digraph I′ to WJE is noted as D.
Whether the length J′ of the directional branch is J′≦1 is determined (S182). If J′≦1, all the directional branches without the active mark are erased, and a collection of all the directional branches with the active mark are set as E(I(a→b)) or E(I(a←b)) (S202). On the other hand, if not J′≦1, the directional path from WJS to WJE−1 is set as the current path CP (S184). Here, WJE−1 represents the element one before WJE.
The longest directional branch is selected from the directional branches included in the current path CP, and its length is set as J (S186). Whether or not the length J is J≦1 is determined (S188). If J≦1, the active mark is given to all the directional branches included in the current path CP (S198). The done mark is given to the WJ (S200), and the process returns to step S180. If J≦1 does not hold, whether or not #JP(CP)+t≦DDT−D is determined (S190). If #JP(CP)+t≦DDT−D does not hold, the process returns to step S180 after the processes of steps S198 and S200. If #JP(CP)+t≦DDT−D holds, j satisfying J = n^(j/k) is calculated (S192).
If a plurality of directional branches of length J are included in the current path CP, the directional branch at the position most distant from the starting point of the current path CP is extracted (S194). One directional branch of length n^((j−1)/k) is added immediately after the n^(1/k)−1 directional branches of length n^((j−1)/k) extending from the starting point of the directional branch extracted in step S194, and the directional branch extracted in step S194 is erased (S196). The process returns to step S184.
The loop process between step S184 and step S196 is terminated when all the directional paths from WJS to WJE−1 are configured by directional branches of length one, or when replacing a greater number of directional branches would make the number of directional branches included in the directional path from WJS to WJE−1 exceed DDT. The loop process between steps S180 and S200 is terminated at the point at which no directional branch of length two or more without the done mark remains among the directional branches included in the temporary digraph I′.
The digraph I shown in
The details of the key generation block will be described below with reference again to
The initial intermediate key setting unit 112 generates an intermediate key corresponding to the root of the digraph I for every intermediate node and the root node included in the logical binary tree. For instance, the initial intermediate key setting unit 112 may set the intermediate key corresponding to each root by generating a pseudo-random sequence with the PRSG, or may set the intermediate key of each root to a predetermined numerical value.
The key generation unit 114 generates the intermediate key or the set key using the PRSG. The key generation unit 114 can generate the desired intermediate key or the set key by executing the pseudo-random sequence generation calculation based on the digraph H of the AI05 system, the digraph I of the A06(A+B) system, the digraph of the A06(A) system, the digraph of the A06(B) system, or the digraph of other systems. As described above, when the intermediate key corresponding to the starting end of the directional branch configuring the digraph is input, the PRSG outputs the set key corresponding to such intermediate key and the intermediate key corresponding to the terminating end of such directional branch. If a plurality of directional branches extends from a certain coordinate point on the horizontal coordinate axis of the digraph, a plurality of intermediate keys can be derived by inputting the intermediate key corresponding to such coordinate point.
In the AI05 system, the input and output of the PRSG have been defined with Equation (2), but in the present embodiment, the input and output of the PRSG are defined by t(S1)∥ . . . ∥t(Sk)∥k(S0)←PRSG(t(S0)). In other words, the PRSG of the AI05 system outputs (d+1)λ bits for an input of λ bits, where d is the number of directional branches having the coordinate point corresponding to the input intermediate key as their starting point. The PRSG according to the present embodiment, on the other hand, outputs (k+1)λ bits irrespective of the value of d. Here, k is a system parameter.
In the present embodiment, when the intermediate key t(S0) corresponding to the subset S0 is input to the PRSG, the output is t(S1)∥ . . . ∥t(Sk)∥k(S0). The portion t(S1)∥ . . . ∥t(Sk) contained in the output consists of the intermediate keys of the subsets S1, . . . , Sk corresponding to the coordinate points at the ending points of the directional branches having the coordinate point corresponding to the subset S0 as the starting point. The length of the directional branch connecting the coordinate point corresponding to the subset S0 and the coordinate point corresponding to the subset Si is n^((i−1)/k). For instance, if the length of the directional branch connecting the coordinate point corresponding to the subset S0 and the coordinate point corresponding to the subset Si is n^(2/k), the third λ-bit portion from the beginning of the output PRSG(t(S0)) becomes t(Si). If no directional branch of length n^((i−1)/k) extends from the coordinate point corresponding to the subset S0, the portion t(Si) is still output by the PRSG but is not used.
For instance, when the intermediate key t(S0) corresponding to the coordinate point S0 on the digraph I is input to the PRSG, the key generation unit 114 can derive the intermediate keys t(S1), t(S2), . . . , t(Sm) corresponding to the coordinate points S1, S2, . . . , Sm of the terminating end and the set key k(S0) for a plurality of directional branches having the coordinate point S0 as the starting end. Here, m indicates the number of directional branches extending from the coordinate point S0. If the intermediate key is not used, the set key k(S0) may be input to the PRSG to derive a plurality of set keys k(S1), k(S2), . . . , k(Sm).
The encryption unit 116 encrypts the content or the content key using the set key, and generates an encrypted text. The encryption unit 116 encrypts the content or the content key using one or more set keys corresponding to a predetermined subset of all the subsets configuring the set system SS. Therefore, a plurality of encrypted texts may be generated with respect to one content or content key.
The details of the information generation block will be described with reference again to
The subset determination unit 120 determines the set key for encrypting the content or the content key. That is, the subset determination unit 120 extracts at least one subset including the terminal device 122 of a predetermined permitted contractant, and determines the type of set key to be distributed to each terminal device 122. For instance, the subset determination unit 120 determines the set (R) of the eliminating contractant not permitted to reproduce the content or the content key, and the set (N/R) of the permitted contractant excluding the set (R) of the eliminating contractant from the set (N) of all the contractant. That is, the set (S1, S2, . . . , Sm) of subsets configuring the set (N/R=S1∪S2∪ . . . ∪Sm) of permitted contractant is determined by the subset contained in the set system SS.
The path information generation unit 121 references the information of the directional branches included in the digraph to extract the information of the directional path reaching a predetermined coordinate point from the starting point of the digraph. The predetermined coordinate point is a coordinate point corresponding to each subset selected by the subset determination unit 120. The path information generation unit 121 is an example of a key generation path information extracting unit.
As previously described, a key distribution system such as the AI05 system assumes that all terminal devices 122 hold the information of the digraph or that each terminal device 122 calculates the digraph based on the algorithm of the key distribution system. However, this assumption strains the memory of the terminal device 122 and significantly increases its calculation load, and thus is not realistic.
For instance, in the case of the digraph H (see
However, as shown with the following Equation (4), since (n−1) directional branches exist on the digraph H(1→n), the information of all directional branches becomes difficult to hold when n becomes large. For instance, supposing that the information of one directional branch can be expressed with about 8 bytes, about 32 GB of storage capacity is required for the information of the digraph H(1→n) alone, since a realistic number of contractants is n = 2^32 = 4,294,967,296.
The applicant of the subject application thus proposed a method of distributing, in addition to the information of the selected subset ([1,8] in the above example), to the terminal device 122 also the information of the directional path reaching the coordinate point corresponding to the subset from the starting point of the digraph. For instance, similar to the above example, if the subset [1,8] is selected, the information of the directional path (heavy line of
In the following description, the encrypted text in which the content key mek is encrypted with the set key k(S0) is noted as C(k(S0), mek). Furthermore, SPi, TPi, Si of the subset Si=[SPi, TPi] are defined as below.
Here, SPi and TPi are values greater than or equal to one and smaller than or equal to n. SPi represents the number of the vertical line (number of the contractant) intersecting the starting point of the digraph, and TPi represents the number of the vertical line (number of the contractant) intersecting the coordinate point of the selected subset.
First, the path information generation unit 121 generates the information of the directional path necessary to derive the subset Si and adds the same to the information of the contractant included in the subset Si, as shown with the following Equation (5). The path information generation unit 121 according to the present embodiment adds the information (number of the intersecting vertical line IPij; 1≦IPij≦n) representing the terminating end of each directional branch contained in the directional path as information of the directional path. Assume that p (p≦DDT) directional branches exist in the directional path connecting the coordinate point [SPi,SPi] and the coordinate point [SPi,TPi] on the digraph.
[Equation 5]
$S_i = (SP_i, IP_{i,1}, \ldots, IP_{i,(p-1)}, TP_i)$ (5)
For instance, consider a case where the subset determination unit 120 selects the subset S=[1,8] in the AI05 system in which the number of contractant is n=64 and the parameter is k=6. The path information generation unit 121 generates (see heavy line (directional path) of
In another example, consider a case where the contractant 45 and the contractant 55 are eliminated in the AI05 system in which the number of contractant is n=64 and the parameter is k=6. In this case, if the subset determination unit 120 selects the subsets S1=[1,44], S2=[48,46], S3=[49,54], S4=[64,56], the path information generation unit 121 generates (see heavy line (directional path) of
In another further example, consider a case where the contractant 45 and the contractant 55 are eliminated in the A06(A+B) system in which the number of contractant is n=64 and the parameter is k=6. In this case, if the subset determination unit 120 selects the subsets S1=[1,44], S2=[48,46], S3=[49,54], S4=[64,56], the path information generation unit 121 generates (see heavy line (directional path) of
As described above, the information of the directional path of one subset is expressed by p+1 numbers IPij. Since p≦DDT and a memory region of log(n) bits is required to express each number IPij, a maximum of (DDT+1)*log(n) bits is required to represent one subset. However, the value of DDT differs for every key distribution system adopted. For instance, DDT=(2k−1)*(n^(1/k)−1) in the AI05 system, and DDT=k(n^(1/k)−1) in the A06(A+B) system.
The communication unit 118 distributes the content or the content key encrypted by the encryption unit 116 to all terminal devices 122 corresponding to the leaf nodes. The communication unit 118 also distributes a predetermined intermediate key to the terminal device 122 based on the digraph I. In this case, the communication unit 118 distributes the minimum set of intermediate keys such that each terminal device 122 can derive all the intermediate keys corresponding to the subsets in which it is included. The communication unit 118 also distributes information of a predetermined digraph to each terminal device 122. Furthermore, the communication unit 118 distributes the information of the subsets (S1, S2, . . . , Sm) constituting the set (N/R=S1∪S2∪ . . . ∪Sm) of permitted contractants to each terminal device 122. In this case, the communication unit 118 also distributes the information of the directional path added by the path information generation unit 121.
The configuration of the terminal device 122 according to the present embodiment will now be described with reference to
With reference to
The communication unit 124 receives the information distributed from the key distribution server 102. For instance, the communication unit 124 receives information related to the content, the content key, the intermediate key, and the digraph, information related to the permitted contractants, or the like distributed from the key distribution server 102. The communication unit 124 may also be configured to acquire information from a plurality of information sources (e.g., key distribution server 102) connected to a wired or wireless network, or from an information source (e.g., information media such as an optical disc device, a magnetic disc device, or a portable terminal device) connected directly or indirectly without going through the network.
The judgment unit 126 judges whether or not the terminal device 122 itself is included as an element in one of the subsets corresponding to the set key. That is, the judgment unit 126 judges whether or not the terminal device 122 is included in one of the subsets selected by the subset determination unit 120 of the key distribution server 102. In this case, the judgment unit 126 references the information of the subsets acquired from the key distribution server 102.
The key generation unit 128 generates the desired intermediate key or set key using the intermediate key distributed in advance and the PRSG. In this case, the key generation unit 128 references the information of the directional path acquired from the key distribution server 102, and generates the desired intermediate key or set key based on that information. If the judgment unit 126 judges that no subset including the terminal device 122 exists, the generation process of the intermediate key or set key is terminated. The PRSG is substantially the same as the PRSG held by the key distribution server 102: when the intermediate key corresponding to the starting end of a directional branch of a predetermined digraph is input, the set key corresponding to that intermediate key and the intermediate key corresponding to the terminating end of that directional branch are output. It is to be noted that if a plurality of directional branches extends from one coordinate point, a plurality of intermediate keys, one for the terminating end of each directional branch, is obtained when the intermediate key corresponding to that coordinate point is input.
The key deriving algorithm by the terminal device 122 of the contractant u will now be described with reference to
First, the terminal device 122 of the contractant u is provided with information representing the m subsets (S1, . . . , Sm) selected by the subset determination unit 120 of the key distribution server 102, and the information Sj=(SPj,IPj,1, . . . , IPj,(p−1),TPj) (here, j=1, . . . , m) of the directional path added for every subset by the path information generation unit 121. Suppose the judgment unit 126 judges that the terminal device is included in the subset Si=[SPi, TPi]. The key generation unit 128 therefore references the information Si=(SPi,IPi,1, . . . , IPi,(p−1), TPi) of the directional path in the process of generating the desired intermediate key or set key. The process will be specifically described along the flowchart shown in
With reference to
The intermediate key t([sp,ep]) is then set to the variable tcurrent (S412). Whether or not ep=TPi is then judged (S414). If ep=TPi, tcurrent is input to the PRSG, the (k+1)th portion of the output PRSG(tcurrent) sectioned into λ-bit portions, which corresponds to the set key k([SPi,TPi]) of the subset [SPi,TPi], is taken out (S424), and the generation process of the set key is terminated.
If ep≠TPi, the variable logd (see Equation (6)) is calculated (S416). In other words, logd is the power of n^(1/k) that equals the length of the directional branch from IPi,j to IPi,j+1. The counter j is then incremented (S418), and IPi,j is set to ep (S420). Then, tcurrent is input to the PRSG, and the (logd+1)th portion of the output PRSG(tcurrent) sectioned into λ-bit portions is set as the new tcurrent (S422). The process thereafter returns to step S414.
[Equation 6]
$\log d = \log_{n^{1/k}} \left| IP_{i,j+1} - IP_{i,j} \right|$ (6)
The decryption unit 130 decrypts the content or the content key using the set key generated by the key generation unit 128. The decryption unit 130 can also execute the process of decrypting the content using the content key.
The configuration of the terminal device 122 according to the present embodiment has been described above. According to the above configuration, the terminal device 122 can generate the desired set key using the information of the directional path acquired from the key distribution server 102. As a result, the terminal device 122 need not hold or generate the enormous amount of information of the whole digraph, and its memory amount and calculation load can be kept at a realistic level.
The configuration of the key providing system and the specific system related to the key distribution according to the second embodiment of the present invention will be described in detail below. The same reference numerals are denoted for the structural elements having substantially the same function configuration as the first embodiment, and the detailed description thereof will be omitted.
Description has been made that the characteristic of the key providing system 100 according to the first embodiment is in the information of the digraph provided from the key distribution server 102 to the terminal device 122. In particular, the characteristic lies in means for providing to the terminal device 122 the information of all directional branches included in the directional path reaching a predetermined coordinate point as the information of the digraph. In the first embodiment, information representing the terminating end of each directional branch has been considered as the information of the directional branch, but it is not limited thereto as long as the terminal device 122 can recognize the path that can reach the predetermined coordinate point.
In the second embodiment, the path information generation unit 121 arranged in the key distribution server 102 provides the terminal device 122 with the information LDi,j representing the length of each directional branch included in the directional path reaching the coordinate point corresponding to a predetermined subset Si=[SPi,TPi] selected by the subset determination unit 120, as the information of that directional path. This means will be described below.
The length LDi,j of each directional branch is the value given by Equation (7) for the length leni,j of the directional branch positioned jth on the directional path from the coordinate point [SPi,SPi] to the coordinate point [SPi,TPi] on a certain digraph. That is, the length of each directional branch is expressed as n^(1/k) raised to the power LDi,j (where 0≦LDi,j<k).
[Equation 7]
$LD_{i,j} = \log_{n^{1/k}} len_{i,j}$ (7)
The path information generation unit 121 arranged in the key distribution server 102 expresses the subset Si as in Equation (8) using the information LDi,j representing the length of each directional branch. That is, the path information generation unit 121 generates information of the directional path expressed by Equation (8) with respect to the subset Si. The information of the directional path is similarly generated for all selected subsets Si(i=1, . . . , m).
[Equation 8]
$S_i = (SP_i, LD_{i,1}, \ldots, LD_{i,p-1}, LD_{i,p})$ (8)
For instance, consider a case where the contractant 45 and the contractant 55 are eliminated in the AI05 system in which the number of contractant is n=64 and the parameter is k=6. In this case, if the subset determination unit 120 selects the subsets S1=[1,44], S2=[48,46], S3=[49,54], S4=[64,56], the information generated by the path information generation unit 121 according to the first embodiment is expressed as below (see
Under the condition same as the first embodiment, the information generated by the path information generation unit 121 according to the second embodiment based on the length of the directional branch is expressed as below.
In another example, consider a case where the contractant 45 and the contractant 55 are eliminated in the A06(A+B) system in which the number of contractant is n=64 and the parameter is k=6. In this case, if the subset determination unit 120 selects the subsets S1=[1,44], S2=[48,46], S3=[49,54], S4=[64,56], the information generated by the path information generation unit 121 according to the first embodiment is expressed as below (see
Under the condition same as the first embodiment, the information generated by the path information generation unit 121 according to the second embodiment based on the length of the directional branch is expressed as below.
As described above, when the second embodiment is applied, the information of the directional path related to one subset is represented by one starting point value SPi (1≦SPi≦n) and p length values LDi,j (0≦LDi,j≦k−1). Furthermore, p≦DDT, and each subset is represented by log(n)+DDT*log(k) bits of data. In the case of the first embodiment, (DDT+1)*log(n) bits are necessary to represent one subset. Since k|log(n), log(k)≦log(log(n))<log(n), and the relationship log(n)+DDT*log(k)<(DDT+1)*log(n) is obtained. Therefore, the information for representing each subset Si is smaller with the second embodiment than with the first embodiment. As a result, the amount of information provided from the key distribution server 102 to the terminal device 122 can be reduced (saving communication volume or capacity of the recording medium).
Consider now how a subset is represented when a subset including only one user, such as Si=[3,3], is selected. In the system of the first embodiment, this subset is represented as Si=(3,3). Various representation methods can be contrived in the system of the second embodiment; one method is to represent it simply with one numerical value, such as Si=(3). Another method is to represent it as Si=(3,⊥) using a special symbol ⊥. If the latter method is adopted, the second and subsequent elements of the representation of a subset with two or more users are always integers greater than or equal to zero, and thus the symbol ⊥ unambiguously indicates that the number of users is one.
An algorithm in which the terminal device 122 according to the second embodiment generates a key using the information of each subset acquired from the key distribution server 102 will now be described with reference to
First, the terminal device 122 of the contractant u is provided with information representing the m subsets (S1, . . . , Sm) selected by the subset determination unit 120 of the key distribution server 102, and the information Sj=(SPj,LDj,1, . . . , LDj,p−1,LDj,p) (here, j=1, . . . , m) of the directional path added for every subset by the path information generation unit 121. Suppose the judgment unit 126 judges that the terminal device is included in the subset Si=[SPi,TPi]. The key generation unit 128 therefore references the information Si=(SPi,LDi,1, . . . , LDi,p) of the directional path in the process of generating the desired intermediate key or set key. The process will be specifically described along the flowchart shown in FIG. 21.
With reference to
[Equation 9]
$IP_{i,j} = IP_{i,j-1} + sign \cdot \left(n^{1/k}\right)^{LD_{i,j}}$ (9)
Whether or not the terminal device 122 of the contractant u is included in the subset [SPi, IPi,j] is judged (S440). If the terminal device 122 of the contractant u is not included in the subset [SPi,IPi,j], the counter j is incremented and the process returns to step S440 (S442). If the terminal device 122 of the contractant u is included in the subset [SPi,IPi,j], the value of SPi is set to the variable sp, and the value of IPi,j is set to the variable ep (S444). The intermediate key t([sp,ep]) is then selected from the intermediate keys held in advance by the terminal device 122 of the contractant u and set to tcurrent (S446).
Whether or not ep=IPi,p is then judged (S448). If ep=IPi,p, tcurrent is input to the PRSG, the (k+1)th portion of the output PRSG(tcurrent) sectioned into λ-bit portions, which corresponds to the set key k([SPi,IPi,p]), is extracted (S456), and the generation process of the set key is terminated. If ep≠IPi,p, the counter j is incremented (S450). The value of is set to the variable ep (S452). tcurrent is input to the PRSG, and the (LDi,j+1)th portion of the output PRSG(tcurrent) sectioned into λ-bit portions is extracted and set to tcurrent (S454). The process then returns to step S448.
The desired key can be generated using the algorithm described above. The key generation unit 128 according to the present embodiment is obviously not limited thereto, and the information IPi,j representing the terminating end of each directional branch may be calculated in advance from the information LDi,j representing the length of each directional branch contained in the information Si of the directional path acquired from the key distribution server 102, and the key may be calculated using the algorithm similar to the first embodiment.
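The terminal-side derivation of the first embodiment (steps S412 to S424) and the conversion of second-embodiment length information into terminating-end information by Equation (9), as an added toy model that is not part of the patent. It assumes the AI05 parameters n=64, k=6 (so n^(1/k)=2), a PRSG simulated with HMAC-SHA256 (the patent does not fix a PRSG construction), λ=128 bits, a constructed directional path for S1=[1,44], and sign=+1 for rightward and −1 for leftward subsets.

```python
import hashlib
import hmac

N, K = 64, 6                 # number of contractants and the AI05 parameter k
LAM = 16                     # lambda, the size of one PRSG output portion, in bytes
STEP = round(N ** (1 / K))   # n^(1/k) = 2: unit length along the horizontal axis


def prsg(t_current):
    """Simulated PRSG: expands an intermediate key into k+1 portions of lambda bits.
    Portion logd+1 (index logd) is the intermediate key at the terminating end of a
    branch of length (n^(1/k))^logd; portion k+1 (index k) is the set key.
    HMAC-SHA256 in counter mode is an assumption, not the patent's PRSG."""
    blocks = (K + 1) * LAM // 32 + 1
    stream = b"".join(hmac.new(t_current, bytes([c]), hashlib.sha256).digest()
                      for c in range(blocks))
    return [stream[i * LAM:(i + 1) * LAM] for i in range(K + 1)]


def log_d(length):
    """Equation (6): the power of n^(1/k) equal to the branch length (0 <= logd < k)."""
    d = 0
    while STEP ** d < length:
        d += 1
    if STEP ** d != length or d >= K:
        raise ValueError("branch length %d is not a valid power of n^(1/k)" % length)
    return d


def path_from_lengths(sp, lds, sign):
    """Equation (9): IP_j = IP_(j-1) + sign * (n^(1/k))^LD_j with IP_0 = SP.
    sign = +1 for a subset extending rightwards, -1 for one extending leftwards
    such as [48,46] (assumption: the page does not show how sign is fixed).
    The result is path information in the form of the first embodiment."""
    ips = [sp]
    for ld in lds:
        ips.append(ips[-1] + sign * STEP ** ld)
    return tuple(ips)


def contains(sp, ep, u):
    """Judgment unit 126: is contractant u an element of the subset [sp, ep]?
    Subsets may run right-to-left, so orientation is ignored (assumption)."""
    return min(sp, ep) <= u <= max(sp, ep)


def keys_along_path(path, t_root):
    """Center side: every intermediate key t([SP, ep]) on the directional path,
    derived from the key t([SP, SP]) of the path's starting point."""
    keys = {path[0]: t_root}
    for prev, nxt in zip(path, path[1:]):
        keys[nxt] = prsg(keys[prev])[log_d(abs(nxt - prev))]
    return keys


def derive_set_key(path, u, held):
    """Terminal side (S412-S424): start at the first coordinate on the path whose
    intermediate key the terminal holds and whose subset contains u, walk the
    remaining branches, and take the (k+1)th portion at TP.  Returns None when
    u belongs to no such subset (the judgment unit terminates the process)."""
    sp, tp = path[0], path[-1]
    start = next((j for j, ep in enumerate(path)
                  if ep in held and contains(sp, ep, u)), None)
    if start is None:
        return None
    j, ep, t_current = start, path[start], held[path[start]]     # S412
    while ep != tp:                                               # S414
        d = log_d(abs(path[j + 1] - ep))                          # S416
        j, ep = j + 1, path[j + 1]                                # S418, S420
        t_current = prsg(t_current)[d]                            # S422
    return prsg(t_current)[K]                                     # S424


if __name__ == "__main__":
    t_root = b"\x01" * LAM                        # constructed t([1,1])
    s1 = (1, 33, 41, 43, 44)                      # constructed path for S1=[1,44]
    center = keys_along_path(s1, t_root)          # branch lengths 32, 8, 2, 1
    # contractant 20 was provisioned only with t([1,33]) and still reaches k([1,44])
    assert derive_set_key(s1, 20, {33: center[33]}) == prsg(center[44])[K]
    # eliminated contractant 45 is in no subset on the path
    assert derive_set_key(s1, 45, {33: center[33]}) is None
    print("S2=[48,46] from (48, LD=(1,)):", path_from_lengths(48, (1,), -1))
```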
Through application of the configuration according to each embodiment of the present invention, in a broadcast encryption system such as the AI05 system, the terminal device 122 need not hold in advance the information of the digraph for generating keys when deriving the set key corresponding to each subset selected by the key distribution server 102, and thus the load on the memory of the terminal device 122 can be reduced.
In the first embodiment, the information indicating the terminating end of all directional branches included in the directional path is added and distributed as the information of the directional path necessary for the terminal device 122 to generate the key. In the second embodiment, the information indicating the length of all directional branches included in the directional path is added and distributed as the information of the directional path necessary for the terminal device 122 to generate the key. The amount of information to distribute to the terminal device 122 can be reduced compared to the first embodiment by adopting the second embodiment.
Lastly, the application example of the key providing system according to each embodiment will be briefly described with reference to
First, the configuration of a broadcast encryption system 300 will be described as one application example of the key providing system 100.
With reference to
First, the satellite broadcast station 302 is arranged with the management center (broadcast trusted center) 304 for transmitting data such as cipher text via the broadcast satellite 306. The management center 304 selects the key for encryption, and executes encryption of data and distribution control of data. That is, the management center 304 is one example of the key distribution server 102 according to each embodiment above. The receiver 310 installed in the residence 308 is one example of the terminal device 122 according to each embodiment above.
The broadcast satellite 306 relays data such as cipher text from the management center 304 to the receiver 310 arranged in each residence 308. The receiver 310 is a satellite broadcast receiver or the like, and receives the data broadcast through the broadcast satellite 306. As shown in
The broadcast encryption system 300 serving as one application example of the key providing system 100 has been described above. In
A configuration of a broadcast encryption system 400 will be described as another application example of the key providing system 100.
With reference to
First, the medium manufacturer 402 is arranged with the management center 404 for providing data such as cipher text to the residence 412 via the distribution outlet 408 using the recording medium 406. The management center 404 merely records data such as cipher text in the recording medium 406, and indirectly provides data such as cipher text using the recording medium 406. The recording medium 406 is a read-only medium (e.g., CD-ROM, DVD-ROM etc.), rewritable medium (e.g., CD-RW, DVD-RW, etc.), or the like. Similar to the application example 1, the management center 404 corresponds to the key distribution server 102 according to each embodiment above. There is a slight difference in that the data such as cipher text is recorded and provided in the recording medium, but the key distribution server according to the embodiment of the present invention can appropriately change a section for distributing information such as cipher text according to the embodiment as in this application example.
The medium manufacturer 402 sends the recording medium 406 recorded with data such as cipher text to the distribution outlet 408 such as retailer. The distribution outlet 408 then provides the medium 406 to each residence 412. For instance, the distribution outlet 408 sells the recording medium 406 to the individual corresponding to each residence 412. The individual brings home the recording medium 406 to the residence 412, and reproduces the data recorded on the recording medium 406 using the receiver 414. The receiver 414 is one example of the terminal device 122 according to each embodiment, and slightly differs in acquiring the data such as cipher text through the recording medium. However, the terminal device according to the embodiment of the present invention can appropriately change the section for acquiring the information such as cipher text according to the embodiment as in this application example. The receiver 414 is a CD player, a DVD player, or a computer equipped with the DVD-RW drive, and is configured by a device capable of reading out and reproducing the data recorded on the recording medium 406.
The broadcast encryption system 400 serving as one application example of the key distribution system 100 has been described above. In
The preferred embodiments of the present invention have been described above with reference to the accompanying drawings, but it should be recognized that the present invention is not limited to such examples. It is apparent to those skilled in the art that various modifications and alterations can be contrived within the scope described in the Claims, and these are understood to belong to the technical scope of the invention.
For instance, the logical binary tree Bt described above is assumed to have a structure in which the branches spread from the top to the bottom, but is not limited thereto, and may be configured such that the branches spread from the bottom to the top, from the left to the right, or from the right to the left. The changes related to such arrangement are realized by simply rotating and arranging the logical binary tree, and the configurations related to such changes also fall within substantially the same technical scope. The changes for mirror reversing the horizontal coordinate axis for forming the temporary digraph and the digraph also fall within the technical scope.
The key distribution server 102 according to each embodiment includes components for generating the digraph on its own, but is not limited thereto. The key distribution server 102 according to the embodiment of the present invention may include an acquiring unit for acquiring information related to a predetermined digraph, in which case some of or all of the tree structure setting unit 104, the coordinate axis setting unit 106, the temporary digraph generation unit 108, and the digraph generation unit 110 may not be arranged.
The key distribution server 102 according to each embodiment above includes the communication unit 118 for distributing content, content key, set key, intermediate key, information of subset corresponding to the permitted contractant, information of digraph, or the like to the terminal device 122, but the network is not necessarily used at all times to provide such information, as shown in application example 2. The key distribution server 102 may include a recording unit for recording information on a recording medium in place of the communication unit 118. In this case, the terminal device 122 may include a readout unit for reading the recording medium recorded with the information in place of the communication unit 124.
Number | Date | Country | Kind |
---|---|---|---|
2007-073172 | Mar 2007 | JP | national |
Filing Document | Filing Date | Country | Kind | 371c Date |
---|---|---|---|---|
PCT/JP2008/051745 | 2/4/2008 | WO | 00 | 9/18/2009 |