The present invention relates to a limited broadcasting method and system for communication networks.
As societies become highly computerized, information service is now available through broadcast communications via a satellite, local area network (LAN), cable television (CATV) network, integrated services digital network (ISDN) or the like.
For information communications service, it is important that various information, such as movies, news, market information, investment information, software, information within a company, and conference information between company departments, be supplied correctly and sufficiently to subscribers. It is also important that secret information or highly value-added information not be leaked at all to any third parties.
In communications having a broadcast function such as satellite communications and token broadcasting, signals transmitted at a physical level reach basically all receivers. In order to regulate information destinations in broadcast communications, it is effective to use cryptographic techniques.
As is well known, in cryptographic communications, a sender enciphers a plaintext by using an encipher key and transmits a ciphertext. A receiver receives the ciphertext and deciphers it into the plaintext by using a decipher key to obtain the original information transmitted from the sender. The encipher key is in one-to-one correspondence with the decipher key, and only a person having the decipher key can decipher the ciphertext. In other words, the original information is provided only in such a case. A person not having the decipher key cannot decipher the ciphertext, so the original information will not be provided.
By using such characteristics of cryptographic communications, it becomes possible to regulate information destinations in broadcast communications. Namely, after a decipher key is given only to a plurality of limited destinations, a ciphertext is broadcast. With such an arrangement, original information is allowed to be accessed only by authorized destinations. Although physical signals are received by unauthorized third parties, they do not have a decipher key, so the original information cannot be accessed.
The limited broadcast in cryptographic communications has the following problem. In large information services, there are several to ten thousands receiving stations and a great number of types of information to be supplied. Different stations desire to receive different types of information at different service times. Therefore, an information service station is required to prepare a great number of reception patterns. Each time a different reception pattern is used, a decipher key at a receiving station must be changed, resulting in a large burden on the information service station.
A conventional technique dealing with such a problem is disclosed, for example, in JP-A-63-280530 which provides a secret key generator for unidirectional communications with a 1:N ratio between a sender and receivers.
In this conventional technique, as shown in FIG. 15, 1:N (N ≥ 2) communications are carried out in the following manner. In bi-directional secret communications among three or more receiving stations, each receiving station independently inputs all identification codes ID other than its own identification code ID to an input terminal 1501 of its own secret code generator CR. Assume now that the group members include users A, B, and C. User A inputs identification codes IDB and IDC of users B and C other than its own identification code IDA to the input terminal 1501 of the secret key generator CR. Using the identification codes IDB and IDC inputted from the input terminal 1501, the values F(IDB) and F(IDC) are calculated using a one way function F(*) generator 1502 having the structure common to all users. The calculated values are added at a modulo-2 adder 1509 to a random number R stored in a third memory 1508 and common to all users of the network or data communication system and a stored one way function value F(IDA) of the identification code IDA of user A, thereby obtaining a one way function value $r_0$ given by an equation (1):
$$r_0 = R \oplus F(\mathrm{IDA}) \oplus F(\mathrm{IDB}) \oplus F(\mathrm{IDC}) \qquad (1)$$
The one way function value $r_0$ is inputted to another one way function f(*) generator 1506 having the structure common to all users to obtain a secret key $K_{ABC} = f(r_0)$ which is outputted from an output terminal 1507. User A is permitted to carry out secret communications by using the secret key $K_{ABC}$ specific only to the group members A, B and C.
Similarly, user B inputs identification codes IDA and IDC of users A and C other than its own identification code IDB to the input terminal 1501 of the secret key generator CR. Using the identification codes IDA and IDC inputted from the input terminal 1501, the values F(IDA) and F(IDC) are calculated using a one way function F(*) generator 1502 having the structure common to all users. The calculated values are added at a modulo-2 adder 1509 to a random number R stored in a third memory 1508 and common to all users of the network or data communication system and a stored one way function value F(IDB) of the identification code IDB of user B, thereby obtaining a one way function value $r_0$ given by the equation (1). The one way function value $r_0$ is inputted to another one way function f(*) generator 1506 having the structure common to all users to obtain the secret key $K_{ABC} = f(r_0)$ which is outputted from an output terminal 1507. User B is permitted to carry out secret communications by using the secret key $K_{ABC}$ specific only to the group members A, B and C.
Similarly, user C inputs identification codes IDA and IDB of users A and B other than its own identification code IDC to the input terminal 1501 of the secret key generator CR. In the same manner as described with users A and B, the secret key $K_{ABC}$ is given to user C.
The above-described conventional technique has the following two problems. For example, in the process executed on the side of user A, instead of inputting IDB and IDC to the secret code generator CR, it is assumed that user A intentionally inputs IDB, IDC, IDA, and IDD, which is an ID for the fourth user. In this case, the calculation results by the adder 1509 are given by an equation (2): ##EQU1## The calculation of an exclusive logical sum has the same results even if the calculation order of respective terms is changed, and $F(\mathrm{IDA}) \oplus F(\mathrm{IDA}) = 0$. This $r'_0$ corresponds to the secret key for users B, C, and D. Therefore, user A can intentionally obtain a secret key for users B, C, and D and not for user A. Such a case is applicable to all users in the network. Accordingly, in conventional 1:N (N ≥ 2) communications, a user who is not permitted to participate in secret communications can have a secret key, intercept the cryptographic communications, and decipher a ciphertext.
The above-described conventional technique does not disclose means for notifying N+1 users in 1:N cryptographic communications of whom they are in cryptographic communications with. For example, in the operation by user A, the secret key cannot be obtained unless user A is notified that it carries out cryptographic communications not with users E and F but with B and C. In such a case, it can be considered that one of the users constituting a communication group is required to notify the other users of all user IDs. Accordingly, if a system has a large N (e.g., N=10,000), it is necessary to transmit beforehand data as long as N × ID, resulting in a large burden on the system.
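The conventional key generator and the cancellation weakness described above can be reproduced with a short model. This is an added example, not code from the patent or from JP-A-63-280530; SHA-256 stands in for the one way functions F(*) and f(*), and the class and function names and the value of R are assumptions constructed for illustration.

```python
import hashlib
import secrets

def F(identity: str) -> bytes:
    # Assumed stand-in for the common one way function F(*).
    return hashlib.sha256(b"F|" + identity.encode()).digest()

def f(value: bytes) -> bytes:
    # Assumed stand-in for the second one way function f(*).
    return hashlib.sha256(b"f|" + value).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

class SecretKeyGenerator:
    """Model of generator CR: holds R and the stored F(own ID)."""

    def __init__(self, own_id: str, shared_r: bytes):
        self._r = shared_r
        self._stored = F(own_id)

    def key(self, entered_ids):
        # Modulo-2 adder: R xor F(own ID) xor F(each entered ID), then f(*).
        r0 = xor(self._r, self._stored)
        for identity in entered_ids:
            r0 = xor(r0, F(identity))
        return f(r0)

R = secrets.token_bytes(32)  # constructed network-wide random number
CR = {uid: SecretKeyGenerator(uid, R) for uid in ("IDA", "IDB", "IDC", "IDD")}

def group_abc_keys():
    # Each member of group A, B, C enters the other two IDs.
    return [CR["IDA"].key(["IDB", "IDC"]),
            CR["IDB"].key(["IDA", "IDC"]),
            CR["IDC"].key(["IDA", "IDB"])]

def group_bcd_key():
    # Key of a group A does not belong to, as derived by member B.
    return CR["IDB"].key(["IDC", "IDD"])

def key_a_gets_by_entering_own_id():
    # Entering IDA cancels the stored F(IDA), leaving R xor F(IDB) xor F(IDC) xor F(IDD).
    return CR["IDA"].key(["IDB", "IDC", "IDA", "IDD"])

if __name__ == "__main__":
    print("A, B, C agree:", len(set(group_abc_keys())) == 1)
    print("A holds the B/C/D key:", key_a_gets_by_entering_own_id() == group_bcd_key())
```

The weakness comes from combining the member terms with an operation in which every term is its own inverse, so the generator cannot bind the derived key to its owner's identity.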
In order to solve the above problems, the present inventors have proposed a technique of generating a limited broadcast encipher key as disclosed in the specification of U.S. Ser. No. 07/606898. According to this technique, in a secret broadcast communication system, it is possible to prevent interception and illegal tapping of a ciphertext by third parties, and to reduce a burden on the whole system by making it unnecessary to supply information of IDs of all users each time a secret communication is carried out using IC cards.
According to the earlier application technique of generating a limited broadcast encipher key, each system subscriber generates a secret key by using open ID information of all subscribers, in accordance with the data sent from a service center. This technique is associated, however, with the following problems to be taken into consideration.
Each ID information has generally 4 to 32 bytes. If a system has N destinations, the ID information of 4N to 32N bytes is required. As the value N becomes larger, it takes a longer time to input the ID information to IC cards.
Each terminal station holds the ID information so that a burden on the terminal system increases as the number of system subscribers becomes large.