1. Field of the Invention
The present invention relates to a key generating device, an encrypting device, a receiving device, a key generating method, an encrypting method, a key processing method, and a program.
2. Description of the Related Art
In recent years, with the spread and development of mobile phones or digital home appliances as well as personal computers (PC), a business that is related to distributing contents, such as music or video, has become important more and more. As the content distribution business, a CATV or satellite broadcasting, pay broadcasting utilizing the Internet, and content sales utilizing physical media, such as a CD or DVD, exist. In all of the cases, it is necessary to construct a scheme where only a contractor can acquire contents. As a method that realizes the content distribution system, there is a cipher technology that is called Broadcast Encryption. In the Broadcast Encryption, a manager (hereinafter, referred to as center) of the content distribution system provides a key to only a contractor (hereinafter, referred to as user) in advance, and at the time of distributing the contents, a cipher text where the contents are encrypted with a session key and a header that enables only a user belonging to a designated set to acquire the session key are distributed, thereby enabling only a specific contractor to acquire the contents.
In the Broadcast Encryption, common key Broadcast Encryption that configures a common key cipher as a main constituent and public key Broadcast Encryption that configures a public key cipher as a main constituent exist. In the case of the former, since a process of acquiring a session key from a header is executed using a common key cipher, the processing speed can be greatly increased. However, since the center and each user need to share the same key or an intermediate key needed when deriving the same key in advance, only the center can distribute the contents. Accordingly, the former is a system suitable for pay broadcasting or content distribution using physical media such as a DVD and next-generation DVD. In actuality, the former is used in the standard such as AACS.
In the case of the latter, since the entire system or a public key of each user, or both the entire system and the public key are opened, there is an advantage in that anyone can distribute contents to a specific user set. However, since a process of acquiring a session key from a header is executed using a public key cipher, there is a disadvantage in that the process is delayed as compared with the case of the former. Accordingly, different from the former, the latter is suitable for an environment where it is difficult to share a key in advance (for example, a content distribution on the Internet or the dynamic configuration of a safe network).
As such, in the Broadcast Encryption, a plurality of applicable methods exist according to each situation, but even when any method is used, efficiency of three points that include a size of a header, the number of keys that a user holds, and the amount of calculation needed to acquire a session key becomes important. The header size affects capacities of physical media in the case of the physical media, and affects the amount of transmission information of a network in the case of the network. The number of keys that the user holds affects a memory size that needs to be obtained for keys, when an apparatus that each user holds is designed. The amount of calculation affects time that is needed until the user reproduces encrypted contents or power consumption of an apparatus that the user holds. In addition, in the public key Broadcast Encryption, since the public key is used when encryption or decryption is performed or both the encryption and the decryption are performed, the size of the public key also becomes an important indicator. Accordingly, in the Broadcast Encryption, it is important to maximally reduce the above values.
Among methods that have attracted attention as public key Broadcast Encrypting methods, a method (hereinafter, referred to a method according to the related art) is disclosed in the following Document 1. This method is similar to the methods used until now. Specifically, the method is a safe method with respect to a coalition and the size of the public key is the same as the size in the methods used until now, but the configuration where the public key is not used at the time of decryption is realized, thereby succeeding in reducing the amount of information that each apparatus holds. Further, even after the system is set, a new user can be freely added.
[Document 1]
C. Delerablee, P. Paillier, and D. Pointcheval, “Fully Collusion Secure Dinamic Broadcast Encryption with Constant-Size Ciphertexts or Decryption Keys” Pairing-Based Cryptography-Pairing 2007, Lecture Notes in Computer Science 4575, pp. 39-59, Springer, 2007.
[Document 2]
F. Hess, N. Smart, and F. Vercauteren, “The Eta Pairing Revisited” IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. 52, NO. 10, pp. 4595-4602, October 2006.
However, in the related art that is described in the above Document 1, in regards to a calculation amount that is needed when an encryption process is executed, when the number of revoked users is r, addition of points on an elliptic curve and scalar multiplication are needed by about r2 times, and multiplication, a power, and an inverse element operation on a cyclic group where a bit length is long are needed by about r2 times. As r increases, an operation load of a transmitter greatly increases.