There are numerous network systems, each including a specific large number of terminals and an apparatus that communicates with them. One such example is a sensor network with a huge number of sensors and an apparatus collecting data therefrom.
Such network systems generally have two requirements; first, they must provide secure communications; and second, there must be a lightweight encryption key sharing scheme and/or encryption scheme for the secure communications.
For example, the technology described in Patent Literature 1 (hereinafter called “conventional technology”) is available. In the conventional technology, a bit sequence representing a terminal ID is divided into multiple blocks of a given bit size and then an encryption key fragment is assigned to each of all the values that can be represented by each block on a one-to-one basis. The correspondence relationship between the value that can be represented by each block and the corresponding encryption key fragment is pre-shared among terminals that share the encryption keys. Each terminal restores the encryption key from the terminal ID for an encryption process. In other words, the conventional technology retains the relationship between terminal identification and encryption keys in a hierarchical structure. This allows a specific large number of apparatuses to share encryption keys only by specifying terminal IDs, without transmission or reception of encryption keys.