A broadcast encryption method is an encryption method in which a plurality of receivers, which have individually a different secret key, receive an identical ciphertext, and decryption by each receiver results in the same plaintext. General broadcast encryption methods include, for example, an encryption method disclosed in NPL (Non Patent Literature) 1. FIG. 6 is a block diagram illustrating a broadcast encryption system which uses a general broadcast encryption method. The broadcast encryption system illustrated in FIG. 6 includes a setting unit 115, a key derivation unit 107, an encryption unit 106, and decryption unit 113.
The setting unit 115 generates a public key 101 and a master key 105. The encryption unit 106 generates a ciphertext 109 by using the public key 101, an allowable decryptor set 103 which is data specifying a set of allowable decryptors, and a text 102. The key derivation unit 107 generates a decryptor secret key 112 by using a master key 105, a public key 101, and a decryptor identifier 104. The decryption unit 113 generates a text 114 which is a result of decrypting the ciphertext 109 by using the public key 101, the ciphertext 109, an allowable decryptor set 110 which is data specifying a set of allowable decryptors, and a decryptor secret key 111.
In the broadcast encryption system illustrated in FIG. 6, if data specifying the allowable decryptor set 103 received by the encryption unit 106 and data specifying the allowable decryptor set 110 received by the decryption unit 113 are identical, the ciphertext 109 output by the encryption unit 106 and the ciphertext 109 received by the decryption unit 113 are identical, and the decryptor secret key 111 received by the decryption unit 113 is a secret key of a decryptor belonging to a set of allowable decryptors, which is specified by the allowable decryptor set 110 received by the decryption unit 113, the text 102 received by the encryption unit 106 and the text 114 output by the decryption unit 113 become identical.
In a data storage service which uses a cloud or the like, such the broadcast encryption method contributes to raising the safety of the service. For example, in a case that an organization such as a corporate enterprise saves data on a cloud or the like, the data which only the members of the organization should be able to read is encrypted by using the broadcast encryption method and saved on the cloud or the like. The members of the organization belong to the allowable decryptor set 103 and are provided with the secret key individually. The members of the organization access the cloud or the like when the members need the data, and retrieve the needed data. Although the data is encrypted, any member of the organization can decrypt the data by following the decryption method in the broadcast encryption method and use the decrypted data.
Although an authentication system on a cloud or the like can carry out proper access control for a request to retrieve data by limiting persons allowed to access the data to members of a predetermined organization through authentication, there is a risk that an error may take place in the access control. There is another risk that the management of the cloud or the like is inadequate, or a person without an access right obtains data due to misconduct by a manager of the cloud or the like. It is difficult for an outside user to confirm that the management of the cloud or the like is adequate and the manager of the cloud or the like does not conduct wrongdoing. However, because even if a person other than the members of the organization successfully obtains data, the person cannot decrypt the data, using the broadcast encryption method makes it possible to prevent the contents of the data from being disclosed to the outside of the organization.
Moreover, another benefit in using the broadcast encryption method lies in the fact that the allowable decryptor set can be changed in a case that a member change takes place. When a new member joins the organization, the key derivation unit 107 generates and provides the new member with the decryptor secret key 112 and adds the new member to the allowable decryptor set. Then, in subsequent data saving, data is encrypted by using the new allowable decryptor set. In an opposite case that the member leaves the organization, the leaving member is removed from the allowable decryptor set. Then, in subsequent data saving, data is encrypted by using the new allowable decryptor set. With these operations, it becomes possible that only the latest members belonging to the updated allowable decryptor set can decrypt newly saved data.