The present invention relates to a key distribution method and system in secure broadcast communication.
Up to now, several methods have been proposed in regard to secure broadcast communication (or key management).
For example, a copied key method disclosed by S. J. Kent, "Security requirement and protocols for a broadcast scenario", IEEE Trans. Commun., COM-29, 6, pp. 778-786 (1981) is fundamental. The copied key method is a simple extension of conventional one-to-one cryptographic individual communication to multi-address communication. Copies of a single key are distributed to a sender and a plurality of normal receivers. The sender enciphers information by use of the copied key and transmits the enciphered information. Each normal receiver deciphers the information by use of the same copied key.
The other methods include (i) a secure broadcast communication method disclosed by K. Koyama, "A Cryptosystem Using the Master Key for Multi-Address Communication", Trans. IEICE, J65-D, 9, pp. 1151-1158 (1982), which uses a master key as an alternative to RSA individual keys, (ii) a key distribution system disclosed by Lee et al., "A Multi-Address Communication Using a Method of Multiplexing and Demultiplexing", the Proc. of the 1986 Symposium on Cryptography and Information Security, SCIS86 (1986), which is based on the multiplexing and demultiplexing of information trains using the Chinese remainder theorem, and (iii) a system disclosed by Mambo et al., "Efficient Secure Broadcast Communication Systems", IEICE Technical Report, ISEC93-34 (October 1993).
According to the system for performing the multiplexing and demultiplexing of information trains by use of the Chinese remainder theorem, the following processes are performed.
(1) Key Generating Process
For the receivers $i$ ($1 \le i \le r$), $s$ coprime integers $g_1, g_2, \ldots, g_s$ ($r \le s$) are generated, and $g_i$ is distributed beforehand to the receiver $i$ as confidential information of the receiver $i$.
(2) Enciphering Process
It is assumed that $s$ information trains to be multiplexed are $M_1, M_2, \ldots, M_s$. A sender calculates a multiplexed transmit sentence $F$ in accordance with ##EQU1## and makes the multi-address transmission of $F$, wherein $G$, $G_i$ and $A_i$ are ##EQU2## $G_i = G/g_i$, and the least integer $A_i$ which satisfies $A_i G_i \equiv 1 \pmod{g_i}$.
(3) Deciphering Process
The receiver $i$ demultiplexes $M_i$ from $F$ by use of $g_i$ in accordance with
$M_i = F \bmod g_i$
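The three processes above, as an added Python example that is not part of the original text. The equations for $F$ and $G$ are missing from this page, so the code assumes the standard Chinese remainder theorem construction ($G$ as the product of the $g_i$, $F$ as the sum of $A_i G_i M_i$ modulo $G$); the function names and sample values are constructed for illustration.

```python
from math import gcd, prod

def multiplex(messages, moduli):
    """Sender: build F such that F mod g_i == M_i for every receiver i."""
    if len(messages) != len(moduli):
        raise ValueError("need exactly one modulus g_i per message M_i")
    for a in range(len(moduli)):
        for b in range(a + 1, len(moduli)):
            if gcd(moduli[a], moduli[b]) != 1:
                raise ValueError("the g_i must be pairwise coprime")
    G = prod(moduli)                      # assumed definition of G
    F = 0
    for M_i, g_i in zip(messages, moduli):
        if not 0 <= M_i < g_i:
            raise ValueError("M_i must lie in [0, g_i) to survive F mod g_i")
        G_i = G // g_i                    # G_i = G / g_i
        A_i = pow(G_i, -1, g_i)           # least A_i with A_i*G_i = 1 (mod g_i)
        F = (F + A_i * G_i * M_i) % G     # assumed form of the missing sum
    return F

def demultiplex(F, g_i):
    """Receiver i: recover M_i from the broadcast using only g_i."""
    return F % g_i

def broadcast_bits(moduli):
    """Upper bound on the size of F in bits (F < G)."""
    return prod(moduli).bit_length()

# Constructed sample values: four pairwise-coprime ~20-bit moduli and messages.
MODULI = [1000003, 1000033, 1000037, 1000039]
MESSAGES = [123456, 654321, 42, 999999]

if __name__ == "__main__":
    F = multiplex(MESSAGES, MODULI)
    print("F =", F)
    print([demultiplex(F, g) for g in MODULI])
    for n in (1, 2, 4):
        print(n, "receivers ->", broadcast_bits(MODULI[:n]), "bits")
```

The bit counts printed at the end grow linearly with the number of receivers, since $F$ must be able to carry one residue per receiver.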
According to the system disclosed by Mambo et al., "Efficient Secure Broadcast Communication Systems", IEICE Technical Report, ISEC93-34 (October 1993), the following processes are performed.
(1) Key Generating Process
A reliable center generates the following information.
Confidential information:
$P = 2p+1$, $Q = 2q+1$: prime numbers ($p$, $q$: prime numbers)
$e_i \in \mathbb{Z}$, $0 < e_i < L$ ($1 \le i \le m$)
$g \in \mathbb{Z}$, $0 < g < N$
$N = PQ$
$v_i = g^{e_i} \bmod N$ ($1 \le i \le m$).
(1) receivers possess individual confidential key information to share a data enciphered key between the receivers;
(2) even in the case where the number of receivers is large, it is possible to reduce the length of key distribution data;
(3) even if receivers club their confidential information in conspiracy with each other, it is difficult to calculate key information of another receiver and confidential information of a key generator; and
(4) it is possible to possess the data enciphered key in common with only receivers which belong to any set of receivers.
$P$, $Q$: prime numbers
$e_i \in \mathbb{Z}$, $0 < e_i < L = \mathrm{lcm}(P-1, Q-1)$ ($1 \le i \le m$)
$N = PQ$
$g_i \in \mathbb{Z}$, $0 < g_i < N$ ($1 \le j \le n$)
$u_{ij} = g_i^{e_i} \bmod N$ ($1 \le i \le m$, $1 \le j \le n$)
$n = kl$, $k, l\ (> 0) \in \mathbb{Z}$
Public information:
The center calculates $s_\sigma$ satisfying ##EQU3## for $\sigma \in S$ and distributes $s_\sigma$ as confidential information of a receiver $U_\sigma$, wherein set $S = \{ f \mid \text{one-to-one map } f : A = \{1, 2, \ldots, k\} \to B = \{1, 2, \ldots, m\},\ m > k \}$.
(2) Key Distribution Process
(i) A sender randomly selects an integer $r$ to calculate
$z_i = v_i^r \bmod N$ ($1 \le i \le m$)
with the object of sharing a common key
$K = g^r \bmod N$
in common with the receiver and makes the multi-address transmission of $z_i$ ($1 \le i \le m$).
(ii) The receiver $U_\sigma$ calculates the common key $K$ in accordance with ##EQU4##
In the above-mentioned key distribution based on the multiplexing method using the Chinese remainder theorem, the length of the key distribution data grows in proportion to the number of receivers, since the key distribution data for individual users are transmitted in a serially arranged manner. This poses an efficiency problem in the case where several millions of receivers are targeted, as in a broadcasting satellite service.
On the other hand, in the system disclosed by Mambo et al., "Efficient Secure Broadcast Communication Systems", IEICE Technical Report, ISEC93-34 (October 1993), the length of key distribution data can be reduced even in the case where the number of receivers is large. However, this system has a security problem: if receivers conspire with each other, confidential information of another receiver can be calculated. Also, it is not possible to share a key with only the receivers which belong to an arbitrary set of receivers.