In recent years, with the development of the information-oriented society, it has become popular to use content data distribution systems which distribute content data, i.e., digitalized books, newspapers, music, motion pictures, etc., to user terminals and allow the content data to be enjoyed.
However, the easily-replicable nature of the digital content data often invites misconducts violating the copyrights. So-called pirate content, i.e., copies generated and distributed by such unauthorized activities, are widespread. From the viewpoint of protecting content data from such pirate content, the content data is encrypted, and in addition, sometimes affixed with signature data indicating that the content data is certified by an authorized provider. For example, such signature data is generated in a content distributor's server or a certifier's server by encrypting a hash value of the content data by an encryption key which is based on an asymmetric algorithm according to which different keys are used for encrypting and decrypting data. Here, the encryption key is referred to as a private key, and the decryption key a public key. The signature data is affixed to the content data and distributed to a user terminal. In order to verify the signature data, the user terminal decrypts the signature data by using the public key paired with the private key described above. If the hash value obtained by the decryption is identical with the hash value of the content data, the signature data is verified as a certified one (see Patent Document 1).
However, such a verification system requires that a decryption algorithm using the public key be implemented on the user terminal, which raises a problem that the load on the user terminal is increased. That is, a terminal such as a mobile phone, etc. having a low data processing capacity requires a long time for decryption. Meanwhile, another conceivable signature system is a system using an encryption/decryption key which is based on a symmetric algorithm imposing a less load than imposed by an asymmetric algorithm. Here, this encryption/decryption key is referred to as a secret key. Specifically, different secret keys are prepared for different user terminals, and a set of encrypted data obtained by encrypting a hash value of a content data by the respective secret keys is used as signature data. When verifying the signature data, a user terminal decrypts the signature data by its own secret key, and if the obtained result is identical with the hash value of the content data, verifies the signature data as a certified one. However, in this case, it is necessary to prepare secret keys that are different from user terminal to user terminal. Therefore, when building a content data distribution system for a large total number of user terminals, the signature data will have an enormous data size and cause faults when being distributed or recorded.