JP2001285274A - Encryption communication method and encryption communication system - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide an encryption communication method and an encryption communication system that can securely distribute a legal recipient against random distribution of decoding keys. SOLUTION: A transmission section 11 transmits secret information with respect to encryption to a key management server 41 and delivers information with respect to the encryption to a router 21 and succeeding sections. First when encrypted key request information is transmitted, routers 21-24 conduct similar encryption by using a specific encryption key to transmit the encrypted key to reception sections 31-34. The reception sections give the encryption including key request information to the key management server 41. The key management server 41 uses the secret information to generate and return decoding keys different from paths. The transmission section 11 and each router encrypt distribution information, and the reception sections use the decoding key to decode the encrypted information and to acquire the information.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

BACKGROUND OF THE INVENTION 1. Field of the Invention The present invention relates to an encryption communication system for distributing information encrypted at a transmission source to a plurality of destinations, and an encryption communication method therefor.

[0002]

2. Description of the Related Art In recent years, so-called multicast distribution for distributing information such as moving images and audio to a plurality of destinations on the Internet has been actively studied. Information such as moving images and voices has a high added value, and may be distributed for a fee. When distributing such paid information, only the recipient who paid the regular usage fee can receive the information, and it is necessary to prevent the other recipients from acquiring the content. For this purpose, a configuration has been considered in which information is encrypted and distributed, and decrypted at the destination to obtain the content of the information.

[0003] As described above, a number of proposals have been made as techniques for encrypting information so that only a specific recipient recognized by the distributor can receive the information and eliminate eavesdropping by others. ing. All of the techniques proposed so far encrypt the information to be distributed and distribute the decryption key only to authorized recipients.

However, in these techniques, when a withdrawal occurs, it is necessary to prevent the information to be distributed from being decrypted by the decryption key used by the withdrawal. Another problem is that by redistributing the decrypted information by a legitimate recipient, recipients other than the legitimate recipient can also receive the information distribution. Furthermore, there is a problem that a legitimate recipient can distribute a decryption key to other recipients, and even a recipient other than the legitimate recipient can decrypt the encrypted information and acquire the information.

[0005] To solve the problem of a key when a withdrawal occurs, for example, when a withdrawal occurs, a new decryption key is distributed to an authorized receiver by a secure method, and the authorized receiver is delivered. Thereafter, the encrypted information is decrypted using the new decryption key to obtain the content of the information. As a result, the unsubscriber cannot decrypt the encrypted information with the decryption key used so far, and can continue distributing the information only to the authorized recipient.

In order to deal with the problem of redistribution of decrypted information, redistribution of the originally distributed information requires heavy processing and a large communication band. Have difficulty. In addition, measures have been proposed to enable a redistributor to be located by a digital watermark.

[0007] On the other hand, an unauthorized act of distributing a decryption key by a legitimate recipient can be easily performed without any special large facilities. Further, with the current technology, if one of the groups receiving the information distribution distributes the decryption key, anyone can easily eavesdrop. On the other hand, a method has been proposed in which different decryption keys are distributed to individual recipients and the distributor of the decryption key is specified. However, this method only indirectly suppresses the distribution of an illegal decryption key.

As described above, conventionally, it is impossible to cope with illegal information acquisition due to scattering of decryption keys. For this reason, an encryption communication method and an encryption communication system that are secure against the dispersion of decryption keys are desired.

[0009]

SUMMARY OF THE INVENTION The present invention has been made in view of the above circumstances, and provides an encryption communication method capable of safely distributing information to authorized recipients even when the decryption key is scattered. It is an object to provide an encryption communication system.

[0010]

According to a first aspect of the present invention, there is provided an encrypted communication method and an encrypted communication system for distributing encrypted information from a source to a plurality of destinations. A different decryption key is assigned to each group of receivers according to the route from the source to the receiver, and the receiver decrypts the encrypted information using the assigned decryption key. is there. As described above, since the decryption key corresponding to the path from the transmission source to the reception destination is given to the reception destination, even if the decryption key is scattered, the information cannot be decrypted at the reception destination on another path. Therefore, even if the decryption key is scattered, the information can be safely delivered to the authorized recipient.

[0011] As described above, as a configuration in which a different decryption key is used for each path through which information is distributed, for example, a path from a transmission source to a reception destination as in the inventions according to claims 2 and 10 is provided. At the intermediate relay point, the encrypted information can be further encrypted. Accordingly, since the information is encrypted at the passing relay point, it is possible to perform different encryption processing on the information for each path. For this reason, the receiving destination cannot decrypt the information unless the decryption key is in accordance with the path. For example, it is possible to prevent the decryption of the information using the decryption key of another distributed path. For such a decryption key for each path, for example, a key management server is provided, and the receiving means obtains a decryption key corresponding to the path from the transmission means from the key management server. Can be configured.

Also, in order to obtain a decryption key for each path at the destination, the key request information is encrypted and distributed from the transmission source and transmitted to the destination, for example, as in the third and twelfth aspects of the invention. The decryption key may be configured to generate a decryption key from the encryption including the received key request information and the key request information. At this time, the encryption including the key request information received by the receiver is transferred to the key management server, and the key management server includes the key request information received from the receiver based on the key request information transferred from the transmitter. The decryption key may be calculated from the encryption and returned to the receiving unit. By using such key request information, for example, when encryption is performed at an intermediate point, a decryption key for each path can be calculated without acquiring information related to encryption performed at the intermediate point. . According to the invention described in claims 4 and 13, the key request information is different from each other at predetermined time intervals or at predetermined timings, and each time the key request information is changed, the key request information is encrypted from the transmission source. It can be configured to distribute key request information. As a result, it is possible to further improve the safety and to cope with, for example, the occurrence of a withdrawal member.

As an encryption method in such an encryption communication method and an encryption communication system, for example, as in the invention according to claims 5 and 14, information obtained by encrypting a number obtained by raising a predetermined number x to the power of a is used. , And the remainder of the multiplication result by the number p is used as a cipher.
For example, if such encryption is performed on the key request information at the transmission source and the relay point, and an operation is performed based on the encryption including the key request information received at the destination and the original key request information,
The function of the encryption process in the path is known. By using this as a decryption key, a decryption key for each path can be given to the destination.

As another encryption method, for example, the information to be encrypted is multiplied by a number obtained by raising a predetermined number x to the power of a, and the multiplication result is obtained. In the encryption of the key request information, the number a is added to the information to be encrypted, and the remainder of the addition result by the number p can be ciphered. For example, if such encryption is performed on the key request information at the transmission source and the relay point, and an operation is performed based on the encryption including the key request information received at the reception destination and a predetermined number x, the The function of the encryption process is known. By using this as a decryption key, a decryption key for each path can be given to the destination.

As another encryption method, for example, as in the invention according to claims 7 and 16, a number obtained by raising a predetermined number x to the power of a is multiplied by information to be encrypted, and the result of the multiplication is calculated. The remainder of the number p is ciphered. In the encryption of the information, the information to be encrypted is multiplied by the number obtained by raising a predetermined number y to the power a, and the remainder of the multiplication result by the number p is ciphered. Can be. For example, when the predetermined number y is the predetermined number x raised to the power of z, such encryption is performed on the key request information at the transmission source and the relay point, and the encryption including the key request information received at the reception destination is performed. , And a predetermined number x and z, the function of the encryption process in the path can be known. By using this as a decryption key, a decryption key for each path can be given to the destination.

When these encryption methods are used, the information and the key request information are transmitted at the transmission source and at a relay point in the path from the transmission source to the reception destination. When performing the encryption for, the encryption can be performed using a unique value as the number a used in each encryption method. As described above, when generating a decryption key, the value a used at the transmission source and the relay point is unnecessary, and by using an arbitrary number, different encryption processing can be performed for each path. .

[0017]

FIG. 1 is a block diagram illustrating an embodiment of a cryptographic communication system according to the present invention. FIG. 1 is also an example of a system for realizing the encryption communication method of the present invention. In the figure, 11 is a transmitting unit, 21 to 28 are routers, 31 to 35 are receiving units, and 41 is a key management server. In the following description, it is assumed that information is distributed by multicast using the Internet. However, the present invention is not limited to the Internet, and can be applied to various types of communication in which information is relayed, for example, broadcast communication, and a closed network system connecting a plurality of LANs.

The transmitting unit 11 encrypts and distributes information to be distributed, such as the contents of a program such as a sound or a moving image. In addition, in order to generate a decryption key corresponding to the path to each of the authorized receiving units, the key request information is encrypted and distributed. Note that this key request information is distributed at regular time intervals or at predetermined timings, and a cipher including this key request information will be referred to as a pulsating packet in the following description.

In the system shown in FIG. 1, the encrypted information and the pulsating packet transmitted from the transmitting unit 11 are distributed to the receiving units 31 to 35 via one or a plurality of routers. For example, the routers 21, 22, 22
, 23 and 24, information is distributed. Information is distributed to the receiving unit 35 via the routers 21, 22,..., 23, 28. Here, an example is shown in which at least four routers are used. However, how many routers are used is arbitrary. Even when the same number of routers are used, the route on the way may be different. However, it is assumed that the beat packet and the encrypted information that follows follow the same route and reach the receiver. When the route is changed, the pulsation packet is always delivered.

The routers 21 to 28 send the following information to the next router or the receiving unit according to the destination of the transmitted information.
The transmitted information is encrypted and transferred. For example, the router 21 further encrypts the encrypted information sent from the transmission unit 11 and transfers the encrypted information to the routers 22 and 26 and the like. The router 22 further encrypts the information encrypted by the router 21 sent from the router 21 and transfers the information to the router 27 or another router for transfer to the router 23. As will be described later, each of the routers 21 to 28 arbitrarily selects a parameter used for encryption. For this reason, even if the same information is sent, different encryption processing is performed depending on which router passes. In this manner, encryption according to the path from the transmission unit 11 to the reception units 31 to 35 can be realized. Note that the routers 21 to 28 are “reliable for the transmission unit 11”.
Shall be. "Reliable for the transmission unit 11"
That is, the secret notified from the transmitting unit 11 is not leaked to other nodes.

FIG. 1 shows an encryption process using the encryption key a as f (I, a). Here, I is the received data, such as encrypted information or a beat packet. As described later, the encryption process f may be different between the case where the encrypted information is encrypted and the case where the beat packet is encrypted, or the same process may be performed. The encryption key a is unique to each router. Here, the parameters used for encryption are set for each router, but the parameters used for encryption may be set for each communication path to be transmitted. For example, if a parameter used for encryption is set for each communication channel when a router at the last stage (such as the router 24) transfers the data to the receiving unit, different encryption processing can be performed for each receiving unit. is there.

The receiving units 31 to 35 receive the information and the beat packet encrypted by the transmitting unit 11 and the router on the route. When the pulsation packet is received, the pulsation packet is sent to the key management server 41, and the decryption key is received. Then, using the decryption key received from the key management server 41,
The content of the information can be acquired by decrypting the received encrypted information.

In this example, the receiving units 31 to 34 are connected to the router 24.
Receive the same beat packet and the encrypted information from. Of course, when the router 24 performs encryption for each communication path as described above, different pulse packets and encrypted information will be received. Here, these receiving units 3
Assume that 1-34 are legitimate recipients. On the other hand, the receiving unit 35 receives a beat packet and encrypted information from the router 28. Since reception is performed via a different path from the receiving units 31 to 34, the beat packet and the encrypted information are subjected to different encryption processing.

The key management server 41 receives secret information related to encryption from the transmitting unit 11, generates a decryption key from the pulsating packet transmitted from the receiving units 31 to 35 and the secret information, and generates a decryption key of the pulsating packet. Reply to the sender's receiver. Since the pulsating packet has been subjected to encryption processing in each router, it includes the key request information sent from the transmission unit 11, but is subjected to different encryption processing depending on the route. Therefore, a decryption key that can be decrypted including the encryption processing performed by the router in the middle of the route is generated. As described later, the generation of the decryption key can be performed by calculation. This key management server 41 also
It is assumed to be "reliable for the transmission unit 11".

The key management server 41 generates and returns the same decryption key for the same beat packet. For example, the key management server 41 returns the decryption key to the receiving unit corresponding to the disseminated beat packet. However, information cannot be decrypted with the decryption key returned by a receiving unit having a different path. Further, even if the decryption keys obtained from the key management server 41 are scattered, information cannot be decrypted with the scattered decryption keys by the receiving units having different routes.

Next, the procedure of encryption in the above configuration will be described. FIG. 2 is a flowchart illustrating an operation of the transmission unit according to the embodiment of the present invention. First, in S51, the encryption unit in the transmission unit 11 and the key management server 41 is initialized. At this time, the key management server 41 receives, from the transmission unit 11, secret information regarding encryption, which is required when generating a decryption key. At this point, information necessary for encryption is transmitted to the routers 21 and 25.

In step S52, the transmitting unit 11 transmits a pulsating packet obtained by encrypting the key request information to the information distribution destination. Each router starts routing to the destination of the information, and at the same time, generates a unique encryption key, obtains information necessary for encryption sent from the transmission unit 11, and uses these to convert a pulsating packet. It encrypts and sends it to the next router or receiver.

After the path is established and the pulsating packet is distributed in this way, in S53, the information to be actually distributed is encrypted and transmitted. This encrypted information is also encrypted by the router each time it passes through each router, and is sent to the next router or receiving unit. At this time, S5
The distribution of information encrypted using the same encryption parameters as the pulse packet transmitted in step 2 must be performed via the same path as the pulse packet.

The pulsation packet shown in S52 can be transmitted, for example, at predetermined time intervals or at predetermined timings. Further, every time the pulsating packet is transmitted, the information is encrypted in S53 using the encryption parameter used at that time. Of course S
The initialization of the encryptor in 51 may also be executed at a predetermined time elapse or at a predetermined timing.

FIG. 3 is a flowchart showing the operation of the receiving unit according to the embodiment of the present invention. When the distributed information is received by the receiving unit, first, in S61, a request is made to the nearest router to receive the distributed information. At this time, for example, the presence / absence of subscription qualification may be checked with the key management server 41 in some cases.

When the reception request is accepted, a pulsating packet is received from the nearest router. The receiving unit in S62,
Sends the received pulsation packet to the key management server 41,
Request a decryption key. The key management server 41 generates an individual decryption key for each receiving unit according to the pulsating packet received from the receiving unit (and secret information previously sent from the transmitting unit), and sends the decryption key to the receiving unit in a secure manner. I will send it back.

In step S63, the receiving unit that has received the decryption key can use the received decryption key to decrypt the distributed encrypted information and acquire the content of the information. The request for the decryption key in S62 is made every time the pulsation packet is distributed, and the encrypted information after the pulsation packet distribution is decrypted using the decryption key received at that time.

Hereinafter, a specific encryption procedure will be described. FIG. 4 is an explanatory diagram of a first specific example of the encryption method. In the first specific example, information to be encrypted is multiplied by a number obtained by raising a predetermined number x to the power a, and the remainder of the multiplication result by the number p is ciphered. That is, if the information is I and the encryption is C, C = I · x ^a (mod p) (Equation 1). Here, the predetermined number x is transmitted from the transmission unit 11 to each router 21 as information necessary for encryption.
To 28. The number a may be a value unique to the transmission unit 11 and each of the routers 21 to 28. For example, each may be generated by a random number or the like. In the following description, the value of the number a in the transmitting unit 11 is a0,
Let the values of the number a in to 28 be a1 to a8. The numbers a (a0 to a8) are each generated by random numbers. The number p is a large prime number, and this value may be made public.

The operation for performing such encryption processing will be described with reference to FIGS. 2 and 3 together with FIG. First, at the initialization stage in S51, the transmission unit 11 prepares a random number generation system R and a large prime number p. Next, the primitive element x of the set of integers Z ^* _p consisting of the remainder by the number p
∈ Choose Z ^* _p appropriately. The number a is calculated using the random number generation system R.
Make 0. After the transmission unit 11 is initialized in this way, the numbers p and x are changed to the nearest router (the routers 21 and 22 in FIG. 1).
Send to 5). Further, the random number generation system R and the number p are transmitted to the key management server 41 in advance. Alternatively, the key request information h and the number p generated from the random number generation system R may be sent to the key management server 41.

When such a preparation is completed, next, S in FIG.
At 52, the transmitting unit 11 sends out a beat packet.
Assuming that the key request information is h, the transmission unit 11 can generate the key request information h using, for example, the random number generation system R.
In the case of changing the key request information h is a predetermined time interval or a predetermined timing, so that the pseudo-random number sequence _{{h i} {i = 0} } ∽ is generated using a random number generation system R. Are shown here h _i is one of them as a key request information h.

The key request information h is encrypted in the transmitting unit 11 according to the above equation (1). That is, h · x ^a0 (m
od p) is calculated. Here, the key request information h may be any information such as a character string, but is used as an integer value during the encryption process. The key request information h (pulse packet) encrypted in this manner is transmitted.

At each router receiving the pulsation packet,
Routing to the distribution destination is performed, and a unique number ak corresponding to the number a is generated. For example, the router 21 generates the number a1, and the router 22 generates the number a2. In addition, routers other than the nearest router of the transmission unit 11 also acquire the numbers x and p from the immediately preceding router. Then, the transmitted beat packet is subjected to the encryption shown in Expression 1 and output. That is, in the router 21, (h · x ^a0 ) · x ^a1 (mod p) = h · x ^{a0 + a1} (m
od p) is calculated. Similarly, in the router 22, (h · x ^{a0 + a1} ) · x ^a2 (mod p) = h · x
^{a0 + a1 + a2} (mod p) is calculated. Therefore, the routers 21, 22, 2
3,. . . , 2n, when arriving at the receiving unit, H = h × ^{a0 + a1 + a2 +... + An} (mod p) (Equation 2).

After transmitting the pulsating packet in this manner, the transmitting section 11 encrypts and transmits the information to be distributed in S53 of FIG. When the information to be distributed is m,
In the same manner as in the case of the pulsating packet, m · x
^a0 (mod p) is calculated and transmitted as encryption of information to be distributed. Here, the distribution information m may be any information, such as a character string, but is used as an integer value when performing encryption. Each router also performs the same encryption processing as in the case of a pulsating packet. That is, the router 21
Then, ( ^mxa0 ) ^xa1 (mod p) = ^{mxa0 + a1} (m
od p) is calculated. Similarly, in the router 22, ( ^{mxa0 + a1} ) ^xa2 (mod p) = mx
^{a0 + a1 + a2} (mod p) is calculated. Therefore, the routers 21, 22, 2
3,. . . , 2n, when arriving at the receiver, M = ^{mxa0 + a1 + a2 + ... + an} (mod p) (Equation 3).

On the side of the receiving unit (the receiving unit 31 in FIG. 4), the key management server 41
Request the address to which the information will be delivered. The key management server 41 confirms whether or not the receiving unit 31 that has requested the distribution is eligible to join the group, and returns the address of the information to be distributed. Of course, in some cases, the address of the information to be distributed can be obtained without performing such authentication.
The receiving unit 31 requests the nearest router (the router 2n in FIG. 4) to distribute the information based on the address of the information to be distributed. In response to this request, the router starts delivering the distributed encrypted information to the receiving unit (or a router serving as a route to the receiving unit).

When distribution of information from the router starts, first, a pulsating packet is received. The pulsation packet received by the receiving unit 31 is the pulsation packet H represented by the above equation (2). When the pulsation packet H is received, S62 in FIG.
As shown by, the pulsating packet H is sent to the key management server 41 to request a decryption key.

Since the key management server 41 receives the random number generation system R from the transmission unit 11 in advance, the key request information h generated from the random number generation system R can be obtained. Alternatively, the key request information h is directly received from the transmission unit 11. When the key request information h is generated from the random number generation system R, the key request information h can be generated without performing communication with the transmission unit 11.

The key management server 41 obtains the decryption key K from the key request information h and the pulsation packet H sent from the receiving unit 31 as follows. That is, the calculation of K = ^{h.H -1} = x- ^{ao-a1 -...- an} (mod p) (Equation 4) may be performed. At this time, a
0, a1,. . . , An are unnecessary, and the key management server 4
One does not need to know these. The obtained decryption key K is transmitted to the receiving unit 31 in a secure manner.

The receiving unit 31 decrypts the encrypted information M using the decryption key K received from the key management server 41. Between the received encrypted data M, key K, and plaintext data m, M · K = m · x ^{a0 + a1 + ... + an} x ^{-a0-a1 -...- an} = m (mod p) ( Equation 5) holds. Therefore, the receiving unit 31 multiplies the received encrypted information M by the decryption key K to obtain the original information m
Can be obtained.

As described above, it is possible to obtain the decryption key corresponding to the information distribution route, to decrypt the distributed encrypted information using the decryption key, and to obtain the content of the information. become. In this example, since the number a is generated for each router and encryption is performed, a receiving unit (for example, receiving units 31 to 31 in FIG. 1) that receives information distribution from the same last-stage router via the same path is used. 34) uses the same decryption key. However, in a receiving unit (for example, the receiving unit 35 in FIG. 1) that receives information via a different path, even if a pulsating packet or a decryption key leaks, the encryption processing for each router cannot be decrypted. Can not get. In this way, security can be maintained for the distribution of the decryption key to the receiving units having different paths.

For example, it is conceivable that the receiver alone estimates the decryption key K. However, the transmission unit 11, the key management server 41, and the routers 21 to 2n are respectively configured by the random number generation system R, the number x, and the number ak.
It is difficult for the receiver to estimate the key K alone as long as the key K is kept secret from the receiver.

On the other hand, if the pulsating packet flowing in the network one upstream is available, the encryption processing in the router 2n at the final stage can be estimated. That is, the beat packet input to the router 2n is h · x ^{a0 + a1 + a2 +... + A (n−1)} (mod p), and x ^an is estimated from the above (Equation 2). it can. A decryption key K received from the key management server 41 by the receiving section, the use of x ^an, estimated as described above, the decryption key-class on top of the network and the adjacent branches of the network would be easily estimated. Therefore, it is necessary to minimize collusion of recipients across the network. In order to counter such collusion, the router becomes strong against collusion if, for example, the encryption key an is set separately for each output destination.

FIG. 5 is an explanatory diagram of a second specific example of the encryption method. In the second specific example, the same encryption processing as that in the first specific example is performed on the information to be distributed, but the key request information (pulse packet) includes a number a in the information to be encrypted. Is added, and the remainder of the addition result by the number p is ciphered. That is, if the key request information (pulse packet) is I and the encryption is C, C = I + a (mod p) (Equation 6). Here, the numbers a and p are the same as those in the first specific example described above.

The operation when such an encryption process is performed will be described with reference to FIGS. 2 and 3 together with FIG. First, at the initialization stage in S51, the transmission unit 11 prepares a random number generation system R and a large prime number p. Next, the primitive element x of the set of integers Z ^* _p consisting of the remainder by the number p
∈ Choose Z ^* _p appropriately. The number a is calculated using the random number generation system R.
Make 0. After the transmission unit 11 is initialized in this way, the numbers p and x are changed to the nearest router (the routers 21 and 22 in FIG. 1).
Send to 5). Further, the random number generation system R and the numbers p and x are transmitted to the key management server 41. Alternatively, the random number generation system R
May be sent to the key management server 41.

When such a preparation is completed, the process goes to S in FIG.
At 52, the transmitting unit 11 sends out a beat packet.
Assuming that the key request information is h, the transmission unit 11 can generate the key request information h using, for example, the random number generation system R.
In the case of changing the key request information h is a predetermined time interval or a predetermined timing, so that the pseudo-random number sequence _{{h i} {i = 0} } ∽ is generated using a random number generation system R. Are shown here h _i is one of them as a key request information h.

The key request information h is encrypted in the transmitting section 11 according to the above equation (6). That is, h + a0 (m
od p) is calculated. Here, the key request information h may be any information such as a character string, but is used as an integer value during the encryption process. The key request information h (pulse packet) encrypted in this manner is transmitted.

At each router receiving the pulsation packet,
Routing to the distribution destination is performed, and a unique number ak corresponding to the number a is generated. For example, the router 21 generates the number a1, and the router 22 generates the number a2. In addition, routers other than the nearest router of the transmission unit 11 also acquire the numbers x and p from the immediately preceding router. (The number x is used when encrypting the distributed information.)
The transmitted pulsation packet is subjected to encryption shown in Expression 6 and output. That is, the router 21 calculates (h + a0) + a1 (mod p). Similarly, the router 22 calculates (h + a0 + a1) + a2 (mod p). Therefore, the routers 21, 22, 2
3,. . . , 2n, when arriving at the receiver, H = h + a0 + a1 + a2 +... + An (mod p) (Equation 7).

After transmitting the pulse packet in this manner, in step S53 of FIG. 2, the transmitting section 11 encrypts and transmits the information to be distributed. When the information to be distributed is m,
This time, in the same manner as in the first specific example, according to the above-described equation 1,
^{mx a0} (mod p) is calculated and transmitted as encryption of information to be distributed. Here, the distribution information m may be any information, such as a character string, but is used as an integer value when performing encryption. Similar encryption processing is performed in each router. That is, in the router 21, ( ^mxa0 ) ^xa1 (mod p) = ^{mxa0 + a1} (m
od p) is calculated. Similarly, in the router 22, ( ^{mxa0 + a1} ) ^xa2 (mod p) = mx
^{a0 + a1 + a2} (mod p) is calculated. Therefore, the routers 21, 22, 2
3,. . . , 2n, when arriving at the receiving unit, becomes M = ^{mxa0 + a1 + a2 + ... + an} (mod p) (Equation 8).

On the side of the receiving unit (the receiving unit 31 in FIG. 5), when receiving the information distribution, the key management server 41
Request the address to which the information will be delivered. The key management server 41 confirms whether or not the receiving unit 31 that has requested the distribution is eligible to join the group, and returns the address of the information to be distributed. Of course, in some cases, the address of the information to be distributed can be obtained without performing such authentication.
The receiving unit 31 requests the nearest router (router 2n in FIG. 5) to distribute the information based on the address of the information to be distributed. In response to this request, the router starts delivering the distributed encrypted information to the receiving unit (or a router serving as a route to the receiving unit).

When distribution of information from the router starts, first, a pulsating packet is received. The pulsation packet received by the receiving unit 31 is the pulsation packet H represented by the above equation (7). When the pulsation packet H is received, S62 in FIG.
As shown by, the pulsating packet H is sent to the key management server 41 to request a decryption key.

Since the key management server 41 has received the random number generation system R from the transmission unit 11 in advance, the key request information h generated from the random number generation system R can be obtained. Alternatively, the key request information h is directly received from the transmission unit 11. When the key request information h is generated from the random number generation system R, the key request information h can be generated without performing communication with the transmission unit 11.

The key management server 41 decodes the key request information h, the numbers p and x sent from the transmission unit 11 and the pulsation packet H sent from the reception unit 31, The key K is obtained as follows. That is, the ^{calculation of} K = x ^(hH) = x ^{-a0-a1 -...- an} (mod p) (Equation 9) may be performed. At this time, a
0, a1,. . . , An are unnecessary, and the key management server 4
One does not need to know these. The obtained decryption key K is transmitted to the receiving unit 31 in a secure manner.

The receiving unit 31 decrypts the encrypted information M using the decryption key K received from the key management server 41. Between the received encrypted data M, key K, and plaintext data m, M · K = m · x ^{a0 + a1 + ... + an} x ^{-a0-a1 -...- an} = m (mod p) ( Expression 10) holds. Therefore, the receiving unit 31 multiplies the received encrypted information M by the decryption key K to obtain the original information m
Can be obtained.

In this way, it is possible to obtain the decryption key corresponding to the information distribution route, to decrypt the distributed encrypted information using the decryption key, and to obtain the contents of the information. become. In this example, since the number a is generated for each router and encryption is performed, a receiving unit (for example, receiving units 31 to 31 in FIG. 1) that receives information distribution from the same last-stage router via the same path is used. 34) uses the same decryption key. However, in a receiving unit (for example, the receiving unit 35 in FIG. 1) that receives information via a different path, even if a pulsating packet or a decryption key leaks, the encryption processing for each router cannot be decrypted. Can not get. In this way, security can be maintained for the distribution of the decryption key to the receiving units having different paths. Of course, if the router performs encryption by making the value a different for each output, the security can be further improved.

For example, it is conceivable that the receiver alone estimates the decryption key K. However, the transmission unit 11, the key management server 41, and the routers 21 to 2n are respectively configured by the random number generation system R, the number x, and the number ak.
It is difficult for the receiver to estimate the key K alone as long as the key K is kept secret from the receiver.

Also, by monitoring the pulsating packets flowing in the network one upstream, an can be easily estimated. However, since the number x is secret to all receivers, x ^an is unknown. Therefore, a decryption key is not generated even if the key holder of the upstream network and the key holder of the adjacent network are colluded. Also,
It is as safe because there is x ^-an do not know even if collusion with the key holder of the downstream of the network.

Further, it is examined whether a malicious receiver can know the key request information h. The receiver receives the number p, the decryption key K, the pulsating packet h + a0 + a1 +... + An (mo
dp). To find the key request information h from the decryption key K, a0 + a1 +... + An must be found. However, in order to obtain a0 + a1 +... + An from the decryption key K, the receiver must obtain the secret number x by some method and then solve the discrete logarithm problem. This is very difficult. Therefore, it is possible to prevent the receiver having the decryption key K from spreading the key request information h.

Also, by monitoring the pulse packet one upstream, an can easily be estimated, but since the number x is secret to the receiver, it is necessary to collaborate with the key holder of the upstream network. No decryption key can be created.

FIG. 6 is an explanatory diagram of a third specific example of the encryption method. In the third specific example, the pulsation packet is subjected to the same encryption processing as in the first specific example, but the information to be distributed is obtained by encrypting the number x raised to the z-th power and the number a raised to the a-th power. The information to be converted is multiplied, and the remainder of the multiplication result by the number p is ciphered. That is, if the information to be encrypted I, the encryption C, the those obtained as ^{C = I · y a (mod} p) ( Equation 11) y = x ^z. Here, the numbers x, a, and p are the same as those in the first specific example. The number z is an arbitrary number larger than 1, and may be a random number, for example. Numbers y, z
Is also secret information.

The operation for performing such an encryption process will be described with reference to FIGS. 2 and 3 together with FIG. First, at the initialization stage in S51, the transmission unit 11 prepares a random number generation system R and a large prime number p. Next, the primitive element x of the set of integers Z ^* _p consisting of the remainder by the number p
∈ Choose Z ^* _p appropriately. The number z is calculated using the random number generation system R.
(> 1), a0 is created, and y = ^xz is stored. After the transmission unit 11 is initialized in this way, the numbers p, x, and y are transmitted to the nearest router (the routers 21 and 25 in FIG. 1). The random number generation system R and the numbers p, x, and z are transmitted to the key management server 41. Alternatively, the key request information h and the numbers p, x, and z generated from the random number generation system R are stored in the key management server 41.
May be sent to

When such a preparation is completed, next, S in FIG.
At 52, the transmitting unit 11 sends out a beat packet.
Assuming that the key request information is h, the transmission unit 11 can generate the key request information h using, for example, the random number generation system R.
In the case of changing the key request information h is a predetermined time interval or a predetermined timing, so that the pseudo-random number sequence _{{h i} {i = 0} } ∽ is generated using a random number generation system R. Are shown here h _i is one of them as a key request information h.

The key request information h is encrypted in the transmitting section 11 according to the above-described equation 1 in the first specific example. That is, h · x ^a0 (mod p) is calculated. Here, the key request information h may be any information such as a character string, but is used as an integer value during the encryption process. The key request information h (pulse packet) encrypted in this manner is transmitted.

At each router receiving the pulsation packet,
Routing to the distribution destination is performed, and a unique number ak corresponding to the number a is generated. For example, the router 21 generates the number a1, and the router 22 generates the number a2. In addition, routers other than the nearest router of the transmission unit 11 also acquire the numbers p, x, and y from the immediately preceding router. (The number y is used when performing encryption processing on the information to be distributed.) Then, the transmitted pulsating packet is subjected to the encryption shown in Expression 1 and output. That is, the router 21 calculates ( ^{h.x a0} ) ^{.x a1} = ^{h.x a0 + a1} (mod p). Similarly, in the router 22, (h · x ^{a0 + a1} ) · x ^a2 = h · x ^{a0 + a1 + a2} (mod
p) will be calculated. Therefore, the routers 21, 22, 2
3,. . . , 2n, when arriving at the receiver, H = h × ^{a0 + a1 + a2 +... + An} (mod p) (Equation 12).

After transmitting the pulsating packet in this manner, the transmitting section 11 encrypts and transmits the information to be distributed in S53 of FIG. When the information to be distributed is m,
This time, m · ^ya0 (mod p) is calculated according to the above equation 11, and is transmitted as encryption of information to be distributed. Here, the distribution information m may be any information such as a character string.
At the time of encryption, it is regarded as an integer value and used for the operation.
Similar encryption processing is performed in each router. That is, in the router 21, (m · ^ya0 ) · ^ya1 (mod p) = ^{mya0 + a1} (m
od p) is calculated. Similarly, in the router 22, (m · ^{ya0 + a1} ) · ^ya2 (mod p) = my
^{a0 + a1 + a2} (mod p) is calculated. Therefore, the routers 21, 22, 2
3,. . . , 2n, when it arrives at the receiver, M = m · ^{ya0 + a1 + a2 +... + An} (mod p) (Equation 13).

On the side of the receiving unit (the receiving unit 31 in FIG. 6), when receiving the information distribution, the key management server 41
Request the address to which the information will be delivered. The key management server 41 confirms whether or not the receiving unit 31 that has requested the distribution is eligible to join the group, and returns the address of the information to be distributed. Of course, in some cases, the address of the information to be distributed can be obtained without performing such authentication.
The receiving unit 31 requests the nearest router (the router 2n in FIG. 6) to distribute the information based on the address of the information to be distributed. In response to this request, the router starts delivering the distributed encrypted information to the receiving unit (or a router serving as a route to the receiving unit).

When distribution of information from the router starts, first, a pulsating packet is received. The pulsation packet received by the receiving unit 31 is a pulsation packet H represented by the above equation (12).
It is. When the pulsation packet H is received, S6 in FIG.
2, the pulsating packet H is transferred to the key management server 41.
To request a decryption key.

Since the key management server 41 receives the random number generation system R from the transmission unit 11 in advance, the key request information h generated from the random number generation system R can be obtained. Alternatively, the key request information h is directly received from the transmission unit 11. When the key request information h is generated from the random number generation system R, the key request information h can be generated without performing communication with the transmission unit 11.

The key management server 41 stores the key request information h and the numbers p, x,
From z and the pulsating packet H sent from the receiving unit 31, a decryption key K is obtained as follows. That is, K = (h · H ⁻¹ ) ^z = (x ^{−a0−a1 −...− an} ) ^z (mod p) = y ^{−a0−a1 −...− an} (mod p) (Equation 14) ) May be performed. At this time, a
0, a1,. . . , An are unnecessary, and the key management server 4
One does not need to know these. The obtained decryption key K is transmitted to the receiving unit 31 in a secure manner.

The receiving unit 31 decrypts the encrypted information M using the decryption key K received from the key management server 41. Between the received encrypted data M, key K, and plaintext data m, ^MK = ^{mya0 + a1 + ... + any-a0-a1 -...- an} = m (mod p) ( Equation 15) holds. Therefore, the receiving unit 31 multiplies the received encrypted information M by the decryption key K to obtain the original information m
Can be obtained.

As described above, it is possible to obtain the decryption key corresponding to the information distribution route, to decrypt the distributed encrypted information using the decryption key, and to obtain the content of the information. become. In this example, since the number a is generated for each router and encryption is performed, a receiving unit (for example, receiving units 31 to 31 in FIG. 1) that receives information distribution from the same last-stage router via the same path is used. 34) uses the same decryption key. However, in a receiving unit (for example, the receiving unit 35 in FIG. 1) that receives information via a different path, even if a pulsating packet or a decryption key leaks, the encryption processing for each router cannot be decrypted. Can not get. In this way, security can be maintained for the distribution of the decryption key to the receiving units having different paths. Of course, if the router performs encryption by making the value a different for each output, the security can be further improved.

For example, it is conceivable that the receiver alone estimates the decryption key K. However, the transmission unit 11, the key management server 41, and the routers 21 to 2n are respectively configured by the random number generation system R, the numbers x, y,
As long as z and the number ak are kept secret from the recipient, it is difficult for the recipient to estimate the key K alone.

Further, an can be easily estimated by monitoring the pulsating packets flowing in the upstream network. However, since the number z is secret to all receivers, y ^an is unknown. Therefore, a decryption key is not generated even if the key holder of the upstream network and the key holder of the adjacent network are colluded.

Further, it is examined whether a malicious receiver can know the key request information h. The recipient is the number p, the decryption key K, the beat packet h · x ^{a0 + a1 + ... + an} (mod
Know p). To find the key request information h from the decryption key K,
a0 + a1 +... + an must be obtained. However, it is very difficult to obtain a0 + a1 +... + An from the decryption key K because it is necessary to obtain the number z which is kept secret for all the recipients by some method. For this reason, the receiver having the decryption key K is able to obtain the key request information h.
Can be prevented.

Further, by monitoring the pulsating packet one upstream, x ^an can be easily estimated, but since the number z is secret to the receiver, the number z is collated with the key holder of the upstream network. No decryption key can be created.

Further, it is examined whether or not the key holders of the neighboring networks collude with each other and reveal the number y. Now
Beat packet H1 = h · x ^{a0 + a1 + a2 + ... + a (n-1) + an1} (mod p) H2 = h · x ^{a0 + a1 + a2 + ... + a (n-1) + It is assumed that an2} (mod p) is obtained. From these two beat packets, H12 = H1 / H2 = x ^an1-an2 is obtained. From K1 = y ^{-a0-a1-a2 -...- an1} (mod p) K2 = y ^{-a0-a1-a2 -...- an2} (mod p), K1 / K2 = y- ^{(an1) -an2)} (mod p) is obtained. An1-an after knowing the number z or the number y
The problem of finding 2 directly is a discrete logarithm problem and difficult,
Since all recipients do not know the numbers x, y, an1-an
It is more difficult to ask for 2. Also, the problem of finding the number z from these is a discrete logarithm problem, which is also difficult. Therefore, even if key holders of adjacent networks collude, it is difficult to obtain information illegally, and security is ensured.

As described above, three methods have been described as methods of the encryption processing. In the above three specific examples, it is described that encryption is performed in each router from the transmission unit to the reception unit. However, a router that does not perform encryption may exist in the middle of course. As an extreme example,
Some degree of confidentiality can be maintained even if different encryption processes are performed only by the final stage router that distributes to the transmission unit and the reception unit.

The present invention is not limited to the encryption schemes shown in the above three specific examples, but includes various means that can be decrypted with different decryption keys according to the path from the transmitting section to the receiving section. To provide. For example, even when encryption is performed in a router, the present invention is not limited to the above-described encryption method, and various methods can be applied.

[0082]

As is apparent from the above description, according to the present invention, different decryption keys can be set according to the path from the transmission source to the destination, so that the decryption key can be decrypted to the destination having a different path. Even if the key is scattered, the encrypted information cannot be decrypted. Therefore, there is an effect that the security of the information against the illegality of dispersing the decryption key can be ensured.

[Brief description of the drawings]

FIG. 1 is a block diagram illustrating an embodiment of a cryptographic communication system according to the present invention.

FIG. 2 is a flowchart illustrating an operation of a transmission unit according to the embodiment of the present invention.

FIG. 3 is a flowchart illustrating an operation of a receiving unit according to the embodiment of the present invention.

FIG. 4 is an explanatory diagram of a first specific example of an encryption method.

FIG. 5 is an explanatory diagram of a second specific example of the encryption method.

FIG. 6 is an explanatory diagram of a third specific example of the encryption method.

[Explanation of symbols]

11: transmission unit, 21 to 28, 2n: router, 31 to 35
... Receiving unit, 41 ... Key management server.

Claims (17)

[Claims] An encrypted communication method for distributing encrypted information from a transmission source to a plurality of reception destinations, wherein each of the reception destinations or a group of the reception destinations corresponds to a path from the transmission source to the reception destination. A cryptographic communication method, wherein a different decryption key is provided, and the receiver decrypts the encrypted information using the provided decryption key. 2. The encryption communication method according to claim 1, further comprising encrypting the encrypted information at a relay point in a path from the transmission source to the reception destination. 3. The method according to claim 2, wherein the key request information is encrypted and distributed from the transmission source in the same manner as the information, and the decryption key is generated based on the encryption including the key request information received by the reception destination. The encryption communication method according to claim 1 or 2, wherein 4. The key request information differs at predetermined time intervals or at predetermined timings, and distributes the encrypted key request information from the transmission source every time the key request information is changed. 4. The encryption communication method according to claim 3, wherein: 5. The encryption of the information and the key request information is performed by multiplying information to be encrypted by a predetermined number x raised to the power of a and encrypting the remainder of the multiplication result by the number p. 5. The encryption communication method according to claim 3, wherein the decryption key is generated from an encryption including the key request information and the key request information received at the destination. 6. The encryption for the information is performed by a predetermined number x.
Is multiplied by the information to be encrypted by the number a, and the remainder of the multiplication result by the number p is ciphered. In the encryption for the key request information, the number a is added to the information to be encrypted. And generating the decryption key from the encryption including the predetermined number x and the key request information received at the receiving destination, wherein the remainder of the addition result by the number p is ciphered. The cryptographic communication method according to claim 3 or 4. 7. The encryption of the key request information is performed by multiplying information to be encrypted by a number obtained by multiplying a predetermined number x to the power of a and encrypting a remainder of the multiplication result by the number p,
The encryption of the information is performed by multiplying the information to be encrypted by a number obtained by raising a predetermined number y to the power a and encrypting the remainder of the multiplication result by the number p, wherein the predetermined number y is the predetermined number y. 5. The decryption key according to claim 3, wherein, when the number x is the power of z, the decryption key is generated from an encryption including the predetermined number x and z and the key request information received at the destination. 6. Encryption communication method. 8. When the encryption of the information and the key request information is performed at the transmission source and a relay point in a path from the transmission source to the reception destination, a unique value is used as the number a. The encryption communication method according to claim 5, wherein the encryption is performed by performing encryption. 9. A cryptographic communication system for distributing encrypted information from a transmitting means to a plurality of receiving means, wherein the receiving means responds to a path from the transmitting means for each of the receiving means or a group to which the receiving means belongs. A cryptographic communication system characterized in that the encrypted information is decrypted using a decryption key assigned to the encrypted information. 10. A method according to claim 1, wherein one or a plurality of relay means are provided in a path from said transmitting means to said receiving means, and said encrypted information received is further encrypted in all or a part of said relay means. The cryptographic communication system according to claim 9, wherein: 11. The key management server according to claim 9, further comprising a key management server, wherein the reception unit acquires a decryption key corresponding to a path from the transmission unit from the key management server. Cryptographic communication system. 12. The transmitting means encrypts the key request information in the same manner as the information and distributes the encrypted key request information to the receiving means, and transfers the key request information to the key management server. The encryption including key request information is transferred to the key management server, a decryption key is requested, and the encrypted information is decrypted using the decryption key returned from the key management server. 12. The method according to claim 11, wherein a decryption key is calculated from a cipher including the key request information received from the receiving unit based on the key request information transferred from a transmitting unit, and the decryption key is returned to the receiving unit. Cryptographic communication system. 13. The apparatus according to claim 12, wherein said transmitting means performs encryption with a different key at a predetermined time interval or at a predetermined timing, and distributes the key request information when the key is changed. A cryptographic communication system as described. 14. The encryption of the information and the key request information is performed by multiplying the information to be encrypted by a number obtained by raising a predetermined number x to the power of a and encrypting the remainder of the multiplication result by the number p. 14. The cryptographic communication system according to claim 12, wherein the key management server generates the decryption key from an encryption including the key request information and the key request information received at the destination. . 15. The encryption of the information is performed by multiplying information to be encrypted by a number obtained by multiplying a predetermined number x to the power of a and encrypting the remainder of the multiplication result by the number p. Is to add the number a to the information to be encrypted, and to encrypt the remainder of the addition result by the number p, and the key management server receives the predetermined number x and the 14. The encryption communication system according to claim 12, wherein the decryption key is generated from the encryption including the key request information. 16. The encryption of the key request information is performed by multiplying information to be encrypted by a predetermined number x raised to the power a, and encrypting a remainder of the multiplication result by the number p. Is obtained by multiplying information to be encrypted by a number obtained by raising a predetermined number y to the power a, and encrypting the remainder of the multiplication result by the number p. The key management server performs the predetermined number y Is the z-th power of the predetermined number x, and generates the decryption key from the encryption including the predetermined numbers x and z and the key request information received at the destination. The cryptographic communication system according to claim 12 or claim 13. 17. The transmission unit and the relay unit, when performing the encryption on the information and the key request information, perform encryption using a unique value as the number a. The cryptographic communication system according to any one of claims 14 to 16.