Information devices such as personal computer (hereinafter referred to as PC), portable telephone, and digital home electrical appliance are recently being widespread used in general. The technique related to such information devices and information communication connecting such devices is greatly advancing, and content distribution service such as music distribution and video distribution using such information device is being widely developed. Pay broadcasting using CATV (Community Antenna TeleVision), satellite broadcast or Internet, and content distribution using physical media such as CD (Compact Disc) or DVD (Digital Versatile Disc) are examples of the content distribution service.
However, in order to provide such content distribution service, a mechanism allowing only the contractant to acquire the content based on the contract made between the provider of the service (hereinafter referred to as system manager) and the viewer is desired. With respect to such issue, a mechanism of providing a predetermined key from the system manager to the contractant, and distributing encrypted content C and also head information h for generating a content key mek used to encrypt the content C with the predetermined key is contrived.
A content distribution system called the broadcast encryption system is known as one specific means for realizing such mechanism. The broadcast encryption system is a system of corresponding each contractant with an element of a set, dividing the contractant set representing the entire contractant into a plurality of subsets, and distributing the header h such that only the contractant belonging to a specific subset can acquire the content key mek. That is, with the application of such system, the distribution of the content C excluding the specific contractant specified by the system manager can be realized. In reality, however, higher efficiency of the broadcast encryption system of the related art is desired in view of the calculation load associated with the generation of the content key mek at the server device (hereinafter referred to as center) on the system manager side and the terminal device on the contractant side, the communication load between the server device and the terminal device, and the like.
Specifically, when distributing the content, how to reduce the amount of communication that increases according to the size of the header h distributed by the center, the amount of memory that increases according to the number of keys to be held by each terminal device, and the amount of calculation for each terminal device to generate the content key mek becomes an issue. Each amount greatly differs depending on the method of dividing the contractant set. Various broadcast encryption systems in which efforts are made in the method of dividing the contractant set have been proposed to realize efficient content distribution. For instance, non-patent document 1 discloses a content distribution system called the Subset Incremental Chain Based Broadcast Encryption system (hereinafter referred to as AI05 system) by Nuttapong Attrapadung and Hideki Imai et al. as one means for reducing each amount.
[Non-patent document 1] Nuttapong Attrapadung and Hideki Imai, “Subset Incremental Chain Based Broadcast Encryption with Shorter Ciphertext”, The 28th Symposium on Information Theory and Its Applications (SITA2005)