JP2007124055A - Content distribution apparatus, license issuing device, charging equipment and content viewing/listening terminal, and license request generation program, license generation program and charging program - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide a content distributing/charging system which can charge the viewing/listening rate of a content viewed/listened by a user correctly to the user while ciphering the viewing/listening record of content from persons other than the user. <P>SOLUTION: The system S includes: a content viewing/listening terminal 3 for generating a license request including an encryption content identifier obtained by encrypting the identifier of a content and the charge as ElGamal encrypted message and an encryption viewing/listening rate value based on public information; a license server 5 for generating a license including an encrypted decryption key obtained by encrypting a key for decrypting a key which encrypted the content based on an encrypted content identifier included in the license request and the public information; and a charging server 7 for calculating the sum total value of the viewing/listening rate of content based on an encrypted viewing/listening rate value included in the license request and the public information. <P>COPYRIGHT: (C)2007,JPO&INPIT

Description

  The present invention relates to a content distribution apparatus, a license issuing apparatus, a charging apparatus, a content viewing terminal, a license request generation program, and a license generation program that can conceal the viewing history of a user who views the content and perform charge management. And billing programs.

In recent years, with the rapid spread of ADSL (Asymmetric Digital Subscriber Line) service and optical fiber high-speed communication service (FTTH: Fiber To The Home), a high-speed and broadband Internet always-on connection environment for homes is being prepared. This promotes the distribution of content such as video and music through the public network to the home.
On the other hand, in broadcasting, following the start of BS digital broadcasting in December 2000, a broadband CS broadcasting service using a communication satellite of 110 degrees east longitude has been started since April 2002. Digitalization of terrestrial broadcasting has also been underway since December 2003.

In addition, with the advancement of digitalization of broadcasting, advanced multimedia services such as server-type broadcasting in which broadcasting and communication are integrated are expected. This server-type broadcast is a new function that uses a storage function and a communication function of the receiver for a digital broadcast receiver that has a storage function for storing a large amount of data and a communication function for connecting to a communication network. Providing digital broadcasting services.
In this way, by utilizing the immediacy of broadcasting and the flexibility of the Internet, it is possible not only to watch and use high-definition programs and data content at home, but also to use on-demand services using communication networks. become.

  Here, when performing content distribution services such as video and music via the Internet and electronic commerce, various authentication techniques are used as means for proving that the service provider or user is a valid person. . Authentication is the act of confirming the identity of a user, that is, whether or not a user is exactly as reported, if the person to be authenticated is a user. Use secret information that you do not know. The same applies when the person to be authenticated is a service provider.

Hereinafter, a conventional representative authentication method will be described by taking the case where the person to be authenticated is a user as an example.
First, as the simplest authentication method, there is a method in which an authentication side confirms an identifier such as a user name and a password. In electronic commerce, a credit number, date of birth, telephone number, and the like are used as data for user authentication. In this method, the authentication side needs to communicate secret information itself between the user and the authentication side when sharing the secret information with the authentication target side and performing authentication.

Also, secret information is shared between the user and the authentication side, but there is a method in which the secret information itself does not have to be communicated between the user and the authentication side when performing authentication.
For example, a method using a one-way hash function. In this method, the user side converts the secret information into fixed-length data using a one-way hash function and sends it to the authentication side, and the authentication side converts the secret information shared by the same one-way hash function. The authentication is performed by judging the identity with the transmitted data. However, in this case, if the converted data transmitted from the user side is wiretapped on the communication path, the eavesdropper can impersonate the user.

  Therefore, there is a challenge / response authentication method in which transmission data is different for each authentication. In this authentication method, temporary data called “challenge” (challenge data: random data such as a pseudo-random number) is transmitted from the authentication side to the user side. Then, the user who has received the challenge data converts the data obtained by adding the challenge data to his / her secret information using a one-way hash function and sends it back to the authentication side as a “response”. On the authentication side, the same calculation as that performed on the user side is performed from the shared secret information, and the user is authenticated by comparing with the response sent from the user side. As a result, impersonation of the user can be prevented.

Furthermore, there is a method in which only the user side holds the secret information and does not transmit it to the authentication side.
For example, it is a method using public key cryptography such as RSA cryptography and ElGamal cryptography (see Non-Patent Document 1). In this method, temporary data transmitted from the authentication side is converted (encrypted) with a secret key on the user side, and transmitted to the authentication side as an electronic signature. On the authentication side, the transmitted data is verified by using the user's public key obtained in advance by the authentication side. In this case, the electronic signature can be generated only by the user who has the private key corresponding to the public key, so that the user can be authenticated. Even in this case, it is common to apply a one-way hash function to data converted by the user using a secret key.

In addition, when using public key cryptography, it is necessary to use a certificate authority (CA) that issues public key certificates in order to perform strict authentication while guaranteeing the validity of the public key. . By using the public key included in the public key certificate issued from this certification authority, the electronic signature added by the user can be verified.
The electronic signature described above has only one party involved in signature generation and verification, but there are a plurality of signers, or a third party is required in addition to the signer and the verifier. For example, a signature scheme extended so that a plurality of entities (authentication targets) are related has been proposed. For example, “1-out-of-n signature” (see Non-Patent Document 2), group signature (see Non-Patent Document 3), and the like.

Various systems for providing content distribution services using such an authentication method have also been proposed. For example, a service provider who owns content entrusts distribution and billing of the content to an Internet service provider (ISP), etc., and keeps the user's viewing history secret from other users while viewing the content. A consignment distribution system has been proposed that can guarantee the correctness of the charge amount of the associated fee (see Non-Patent Documents 4 and 5).
Kurosawa, Ogata, “Basic Mathematics of Modern Cryptography”, Corona, 2004 M.Abe, M. Ohkubo, K. Suzuki, “1-out-of-n Signatures from a Variety of Keys.”, ASIACRYPT2002, LNCS 2501, pp.415-432, Springer-Verlag, 2002 J. Camenisch, M. Stadler, “Efficient Group Signature Schemes for Large Groups.”, CRYPTO'97, LNCS1294, pp. 410-424, Springer-Verlag, 1997 Akira Fujiwara, Shingo Okamura, Maki Yoshida, Minoru Fujiwara, “Consignment Distribution System that Only Content Distribution Service Providers can Know Viewing Trends”, SCSI Proceedings, pp. 487-492, 2004 Akira Fujiwara, Shingo Okamura, Maki Yoshida, Jun Fujiwara, “Offline Consignment Distribution System with Marketing Information Protected”, CSS 2004 Proceedings, pp. 469-474, 2004

However, a method in which the authentication side confirms the identifier and password such as the user's name, a method using a one-way hash function, an authentication method such as a challenge / response authentication method, and a method using an electronic signature using public key cryptography. Neither is intended to prove the validity of the concealed transmission / reception data.
Further, it is assumed that the “1-out-of-n signature” and the group signature described above prove that the contents are correct when the user's viewing history associated with viewing or the like is concealed in content distribution or the like. It has not been.
That is, the conventional authentication method and electronic signature cannot be used for the purpose of verifying that the confidential transmission / reception data is correct, and thus there is a problem that the privacy protection of the user is lacking, such as which content the user has viewed. .

  On the other hand, the above-described consignment distribution system can conceal a user's viewing history from a person other than the user, and can guarantee the correctness of the charge amount associated with viewing the content. However, in this system, when the service provider and the content distributor are collaborated, since the viewing history and the information for specifying the user are easily associated, the viewing history is not strictly concealed. There is a problem that the user's anxiety cannot be dispelled.

In addition, the content distribution method used in this system is the case where the content distribution service provider and the license / billing management service provider perform content distribution service independently, or the case where the content distribution service is performed through cooperation between broadcasting and communication, etc. There is a problem that it cannot be applied to various business models and lacks versatility.
Furthermore, in this content distribution method, since communication from the user to the service provider such as a content distribution request needs to go through the content distribution provider side, signature verification in transmission / reception becomes complicated, and communication costs and servers are reduced. There is a problem that the load of the increase.

  The present invention has been made in view of the problems as described above, and can conceal the viewing history of the content from a person other than the user while correctly charging the viewed content, such as a server. It is an object of the present invention to provide a content distribution device, a license issuing device, a charging device and a content viewing terminal, a license request generation program, a license generation program, and a charging program.

  The present invention was devised to achieve the above object. First, the content viewing terminal according to claim 1 is a content viewing terminal for presenting content to a viewer. A request information encryption unit, a request certification signature generation unit, a license request transmission unit, a license reception unit, a distribution certification signature verification unit, a content key decryption unit, and a content decryption unit are provided.

In such a configuration, the content viewing terminal generates a terminal secret key that is a secret key and a terminal public key that is a public key based on public information that has been disclosed in advance by the terminal key generation unit. Then, the request information encryption means generates encryption request information obtained by encrypting a content identifier for identifying content to be viewed based on, for example, ElGamal encryption based on the terminal public key, the public information, and the pseudorandom number. To do. As a result, the content identifier becomes information that cannot be decrypted except by the content viewing terminal.
In addition, the content viewing terminal includes a license management public key that is a public key that is publicly disclosed in correspondence with a license management private key that is a private key generated by the license issuing device by the request proof signature generation unit. Based on the terminal public key, the public information, and the pseudorandom number, a request certification signature that is an electronic signature for proving the encryption request information generated by the request information encryption means is generated.

Then, the content viewing terminal requests a license for viewing the content by transmitting the license request with the request certification signature added to the encryption request information to the license issuing device by the license request transmitting means.
The content viewing terminal receives the license corresponding to the license request from the license issuing device by the license receiving unit, and verifies the distribution certification signature that is an electronic signature added to the license by the distribution certification signature verification unit. To do. As a result, the validity of the license distributor (license issuing device) can be authenticated.

  Then, the content viewing terminal uses the content key decrypting means to select an encryption / decryption key corresponding to the content identifier to be viewed from among the encryption / decryption keys for decrypting the plurality of encrypted content keys included in the license. Decrypt as content key. Then, the content viewing terminal decrypts the encrypted content with the decrypted content key by the content decrypting means. As a result, the content viewing terminal can acquire the content license and present the content to the user while keeping the content identifier secret.

  Further, in the content viewing terminal according to claim 2, in the content viewing terminal according to claim 1, the request information encryption means corresponds to a charging management secret key that is a secret key generated in advance by the charging apparatus. Based on the accounting management public key, which is a public key that has been released, and the public information and the pseudo-random number, the viewing fee value of the content requested to be viewed is encrypted with an encryption method having homomorphism An encrypted viewing fee value is added to the encryption request information.

  In such a configuration, the content viewing terminal uses a request information encryption unit to encrypt a content identifier that identifies content requested for viewing using, for example, ElGamal encryption, using a terminal public key, public information, and a pseudo-random number. The viewing fee value of the content requested to be viewed is encrypted and added to the encryption request information by using an encryption method having homomorphism, for example, ElGamal encryption, using the accounting management public key, the public information, and the pseudo random number. As a result, the content identifier becomes information that cannot be decrypted except by the content viewing terminal. Further, the value obtained by encrypting the content viewing fee value having homomorphism is information that can be decrypted only by the charging apparatus.

  Furthermore, a license issuing device according to claim 3 is a license issuing device for issuing a license for viewing content based on a request from the content viewing terminal according to claim 1, wherein the license management key is a license management key. The configuration includes a generation unit, a license request reception unit, a request authentication unit, an encryption / decryption key generation unit, a distribution certification signature generation unit, and a license transmission unit.

  In such a configuration, the license issuing device generates a license management private key that is a secret key and a license management public key that is a public key, based on public information that has been disclosed in advance, by a license management key generation unit. Then, the license issuing device receives the license request from the content viewing terminal by the license request receiving unit, and verifies the request certification signature, which is an electronic signature included in the license request, by the request authentication unit. Thereby, the license issuing device can authenticate the validity of the license request.

In addition, the license issuing device uses the encryption / decryption key generating means to include the encryption request information included in the license request, the public information published in advance, and the terminal public key disclosed in the content viewing terminal. Then, an encryption / decryption key obtained by encrypting a decryption key for decrypting a plurality of encrypted content keys is generated using the license management secret key.
Then, the license issuing device uses the distribution proof signature generating means to obtain the encryption / decryption key, the public information, the license management public information, the terminal public key, the license management private key, and the pseudo random number, A signature for delivery certification, which is an electronic signature for certifying the validity of the license delivery side, is generated.
Then, the license issuing device transmits the encryption / decryption key and the distribution proof signature to the content viewing terminal as a license by the license transmission unit.

  In addition, the billing device according to claim 4 is the content viewed at the content viewing terminal based on the encrypted viewing fee value included in the license request transmitted from the content viewing terminal according to claim 2. Charging apparatus for calculating the viewing fee value of the apparatus, comprising a charging management key generating means, a charge total value calculating means, and a signature adding means.

  In such a configuration, the charging apparatus generates a charging management private key that is a secret key and a charging management public key that is a public key based on public information that has been disclosed in advance by the charging management key generation unit. Then, the total charge value calculation means calculates the total view charge value for the number of contents viewed using the encrypted view charge value and the charge management secret key. As a result, the billing apparatus can calculate viewing fee values for the number of contents. Then, the charging device adds an electronic signature to the viewing fee value for the number of contents by the signature adding means. Thereby, the validity of the viewing fee value can be proved.

  Furthermore, a license issuing device according to claim 5 is a license issuing device that issues a license for viewing content based on a request from the content viewing terminal according to claim 2, and includes a license management key. Generating means, license request receiving means, request authenticating means, encryption / decryption key generating means, distribution certification signature generating means, license transmitting means, usage information summing means, usage information transmitting means, and sum of charges A value receiving unit and a signature verification unit are provided.

  In such a configuration, the license issuing device generates a license management private key that is a secret key and a license management public key that is a public key, based on public information that has been disclosed in advance, by a license management key generation unit. Then, the license issuing device receives the license request from the content viewing terminal by the license request receiving unit, and verifies the request certification signature, which is an electronic signature included in the license request, by the request authentication unit. Thereby, the license issuing device can authenticate the validity of the license request.

In addition, the license issuing device uses the encryption / decryption key generating means to include the encryption request information included in the license request, the public information published in advance, and the terminal public key disclosed in the content viewing terminal. Then, an encryption / decryption key obtained by encrypting a decryption key for decrypting a plurality of encrypted content keys is generated using the license management secret key.
Then, the license issuing device uses the distribution proof signature generating means to obtain the encryption / decryption key, the public information, the license management public information, the terminal public key, the license management private key, and the pseudo random number, A signature for delivery certification, which is an electronic signature for certifying the validity of the license delivery side, is generated.
Then, the license issuing device transmits the encryption / decryption key and the distribution proof signature to the content viewing terminal as a license by the license transmission unit.

  Furthermore, the license issuing device adds, as usage information, the encrypted viewing fee value included in the license request whose validity has been authenticated by the request authentication unit, as usage information, by the usage information summing unit. Then, the license issuing device transmits the usage information to the charging device according to claim 4 by the usage information transmitting means. Further, the license issuing device receives the total value of the viewing fee value for the number of contents viewed, calculated by the charging device, by the fee total value receiving means. Then, the license issuing device verifies the electronic signature added to the total viewing fee value by the signature verification unit. As a result, it is possible to authenticate the validity of the total viewing fee value.

  Further, the content distribution device according to claim 6 is a content distribution device that encrypts content and distributes the content to a content viewing terminal, wherein the content encryption means, the encrypted content transmission means, the content key encryption means, Content key transmitting means.

  In such a configuration, the content distribution apparatus encrypts the content by the content encryption unit with a content key that is an encryption key based on a block encryption method or a stream encryption method, and generates encrypted content. Then, the content distribution apparatus transmits the encrypted content to the content viewing terminal by the encrypted content transmission unit. Further, the content distribution device encrypts the content key by using a homomorphic encryption method with the license management secret key that is a secret key shared with the license issuing device according to claim 3 and obtains the encrypted content key. Generate. In this way, the content distribution device generates an encrypted content key using a license management secret key that is shared with the license issuing device. Therefore, the content viewing terminal decrypts the encrypted content key by acquiring the license. Can do.

  According to a seventh aspect of the present invention, there is provided a license request generation program for generating a license request for requesting a license for viewing a content in a content viewing terminal for presenting the content to a viewer. It is configured to function as a key generation unit, an encrypted identification information generation unit, an encrypted viewing fee value generation unit, and a request certification signature generation unit.

  In such a configuration, the license request generation program generates a terminal secret key that is a secret key and a terminal public key that is a public key, based on public information that has been disclosed in advance, by a terminal key generation unit. Then, the license request generation program uses the encryption identification information generation means to encrypt the content identifier for identifying the content requested to be viewed using, for example, ElGamal encryption, using the terminal public key, the public information, and the pseudo-random number. Generates identification information. As a result, the content identifier becomes information that cannot be decrypted except by the content viewing terminal.

Further, the license request generation program generates a charging management public key that is a public key that is publicly disclosed in correspondence with a charging management private key that is a private key generated by the charging device by the encrypted viewing fee value generation unit. Then, an encrypted viewing fee value obtained by encrypting the viewing fee value of the content requested to be viewed by the encryption method having homomorphism is generated by the public information and the pseudo random number. As a result, the encrypted viewing fee value becomes information that can be decrypted only by the billing apparatus.
Then, the license request generation program generates a license management public key that is a public key that is publicly disclosed by the request proof signature generation unit in correspondence with a license management private key that is a secret key generated in advance by the license issuing device. And a request certification signature, which is an electronic signature for certifying the encryption request information consisting of the encryption identification information and the encrypted viewing fee value, by using the terminal public key, the public information, and the pseudo random number, and encrypting it. A license request is generated by adding to the request information.

  Furthermore, the license generation program according to claim 8 generates a license management key generation for generating a license for viewing content based on a request from the content viewing terminal according to claim 2. Means, request authentication means, encryption / decryption key generation means, and distribution certification signature generation means.

In such a configuration, the license generation program generates a license management private key that is a secret key and a license management public key that is a public key based on publicly disclosed information by a license management key generation unit. Further, the license generation program verifies the request proof signature, which is an electronic signature included in the license request received from the content viewing terminal, by the request authentication unit.
Then, the license generation program uses the encryption / decryption key generation means to generate the encryption request information included in the license request, the public information disclosed in advance, and the terminal public key disclosed in the content viewing terminal. Then, an encryption / decryption key is generated by encrypting the decryption key for decrypting the encrypted content key with the license management private key.
Then, the license generation program uses the distribution certification signature generation means to obtain the encryption / decryption key, the public information, the license management public information, the terminal public key, the license management private key, and the pseudo random number, A license is generated by generating a distribution proof signature, which is an electronic signature for certifying the validity of the license distribution side, and adding the signature to the encryption / decryption key.

  In addition, the billing program according to claim 9 is based on the encryption request information included in the license request transmitted from the content viewing terminal according to claim 2, and the content viewed at the content viewing terminal. In order to calculate the viewing fee value, the computer is configured to function as a charge management key generating unit and a fee total value calculating unit.

  In such a configuration, the charging program generates a charging management private key that is a secret key and a charging management public key that is a public key, based on public information that has been disclosed in advance, by the charging management key generation unit. Then, the billing program calculates the viewing fee value for the number of contents viewed by the fee total value calculating means.

The present invention has the following excellent effects.
According to the first, third, or sixth aspect of the present invention, the user can acquire the license of the content while keeping the history of the content viewed by the user secret, and decrypt the content at the content viewing terminal. And can be presented to the user. Thereby, the privacy of the user can be protected. According to the present invention, it is not necessary to notify the license issuing device of a license request via the content distribution device in order to conceal the viewing history of the content, thereby reducing the load on the content distribution device. Can be made. In addition, since the license request does not pass through the content distribution apparatus, the content distribution apparatus can distribute the content by broadcasting that is unidirectional as a content transmission medium. Can be realized.

  According to the invention of claim 2, claim 4 or claim 5, while keeping the history of the content viewed by the user secret, the total value of the viewing fees of the content corresponding to the history is calculated, and You can charge. Thereby, the privacy of the user can be protected.

According to the seventh aspect of the present invention, it is possible to generate a license request for viewing the content while the content viewed by the user is kept secret. Thereby, the privacy of the user can be protected.
According to the eighth aspect of the present invention, it is possible to generate a license for content viewed by the user without recognizing the content viewed by the user.
According to the ninth aspect of the present invention, it is possible to calculate the total value of content viewing charges while keeping the history of the content viewed by the user secret.

Hereinafter, embodiments of the present invention will be described with reference to the drawings.
[Content distribution / billing system configuration]
First, the configuration of the content distribution / billing system according to the present invention will be described with reference to FIG. FIG. 1 is a block diagram showing a configuration of a content distribution / billing system. The content distribution / billing system S is a system that distributes contents such as video and music via the broadcast wave W and the network N, and charges the user according to the viewing contents. Here, the content distribution / billing system S is a broadcast content distribution apparatus 1A or a content server 1B for distributing content, a content viewing terminal 3 for viewing content, and a license for issuing a license for viewing content. A server 5 and a billing server 7 for billing the viewed content are provided.
The broadcast content distribution apparatus 1A and the content server 1B may be either one or a plurality of each.

  The broadcast content distribution apparatus (content distribution apparatus) 1A is arranged on the broadcast provider side and distributes content to the content viewing terminal 3 via a broadcast wave W such as satellite / terrestrial broadcast.

  The content server (content distribution device) 1B is disposed on the content distribution provider side and distributes content to the content viewing terminal 3 via the network N such as the Internet.

  The content viewing terminal 3 acquires content from the broadcast content distribution apparatus 1A or the content server 1B and presents it to the user. At this time, the content viewing terminal 3 decrypts the content by acquiring a license corresponding to the content desired to be viewed from the license server 5 via the network N such as the Internet.

  The license server (license issuing device) 5 is arranged on the license management company side, and responds to a license request transmitted from the content viewing terminal 3 via the network N such as the Internet for content that the user desires to view. A license is issued. The license server 5 and the content viewing terminal 3 are preferably performed on a secure communication path such as SSL (Secure Sockets Layer).

  The billing server (billing device) 7 is arranged on the billing management provider side and calculates the viewing fee of the content viewed by the user corresponding to the license issued by the license server 5 via the network N. . The billing server 7 and the license server 5 are desirably performed on a secure communication path such as SSL.

In the configuration described above, the content distribution / billing system S adds a function of concealing information related to the content viewed by the user, and is provided to persons other than the user (for example, a content distribution company, a license management company, etc.). While concealing the user's viewing history, it is possible to correctly provide the license to the user and to charge the user correctly for the total usage fee.
The content distribution / billing system S publishes public information necessary for encryption, electronic signature, etc. as an initial procedure in order to perform processing such as encryption, electronic signature, etc. in each device. Therefore, here, public information will be described before the configuration of each device is described.

(Public information)
The license management company (license server 5) sets two large prime numbers p and q that (p-1) is divisible by q, and a set Z _{p of} whole integers that are relatively prime to p and smaller than _p. The generation source g of the subgroup of the order q of ^* , the one-way hash function H, and the pseudo random number generator G are disclosed as system parameters. Note that the one-way hash function H and the pseudo-random number generator G are disclosed as system parameters when the same hash value, the same function that can generate the same pseudo-random number, etc. are generated for the same input value. It is to make it public.

Further, the license management company (license server 5) selects the pseudo random number w as a secret key (license management secret key) from the residue class Z _q (0, 1,..., Q−1) modulo the prime number q. In addition to sharing with the content distributor (content distribution apparatuses 1A and 1B), a public key (license management public key h _L (h _L = g ^w mod p)) is generated and disclosed.
Further, the charge management business operator (charge server 7) obtains the pseudo random number a from the residue class Z _q (0, 1,..., Q−1) modulo the prime number q disclosed by the license management business operator as a secret key. It was selected as the (accounting management for the secret key), to generate a public key (accounting management for the public key ^{_{h M (h M = g a}} mod p)) to publish.

Further, the user (content viewing terminal 3) obtains the pseudo random number x from the remainder class Z _q (0, 1,..., Q−1) modulo the prime number q disclosed by the license management company as a secret key (terminal Private key), a public key (terminal public key h _T (h _T = g ^x mod p)) is generated and published together with user identification information Uid which is information for identifying the user.
These public keys (license management public key h _L , billing management public key h _M and terminal public key h _T ) are Elgamal public keys.
In the following description, unless otherwise specified, the four arithmetic operations are performed on the remainder class Z _p (0, 1,..., P−1) modulo the prime number p.
Hereinafter, each configuration of the content distribution / billing system S will be described in detail.

(Configuration of content distribution device)
First, referring to FIG. 2 (refer to FIG. 1 as appropriate), the configuration of the content server 1B, which is a content distribution apparatus, will be described. FIG. 2 is a block diagram showing the configuration of the content server (content distribution device) according to the present invention. The broadcast content distribution apparatus 1A and the content server 1B basically differ only in whether a broadcast wave W or a network N is used as a route when distributing content or the like to the content viewing terminal 3. It is. Therefore, here, the configuration of the content distribution apparatus will be described by taking the content server 1B as an example, and the difference from the broadcast content distribution apparatus 1A will be described each time. It is assumed that the public information is received by a receiving unit (not shown).

  Here, the content server 1B includes a content input unit 10, a content key generation unit 11, a content encryption unit 12, an encrypted content transmission unit 13, a secret key storage unit 14, and a content key encryption unit 15. The encrypted content key transmission means 16, the content list generation means 17, and the content list transmission means 18 are provided.

  The content input means 10 inputs content for distribution such as video and audio from the outside. The content input by the content input unit 10 is output to the content encryption unit 12.

  The content key generation means 11 generates a key (content key) for encrypting the content. The content key generated by the content key generation unit 11 is output to the content encryption unit 12 and the content key encryption unit 15. The content key generation means 11 generates a key used in a common common key encryption method as a content key by, for example, AES (Advanced Encryption Standard) in the block encryption method, RC4 in the stream encryption method, or the like. .

  The content encryption unit 12 encrypts the content for distribution input by the content input unit 10 with the content key generated by the content key generation unit 11 to generate encrypted content. The encrypted content generated by the content encryption unit 12 is output to the encrypted content transmission unit 13.

The encrypted content transmission unit 13 transmits the encrypted content generated by the content encryption unit 12 to the content viewing terminal 3. The encrypted content transmitting means 13 transmits the encrypted content as communication data via the network N to the content viewing terminal 3 registered in advance as a user.
Here, when the encrypted content transmission unit 13 is provided in the broadcast content distribution apparatus 1A, the encrypted content transmission unit 13 distributes the encrypted content as broadcast data via the broadcast wave W.

The secret key storage unit 14 stores in advance the secret key generated by the license server 5 (the license management secret key w used to generate the license management public key h _L described above). This is a general storage device such as a semiconductor memory.

The content key encryption unit 15 generates an encrypted content key by encrypting the content key generated by the content key generation unit 11 with the license management secret key stored in the secret key storage unit 14. It is. Here, the distribution content identifier (content _{identifier) C i (i = 1,2,} ..., n), when the content key to the Kc _i corresponding to each content identifier _{C i,} the content key encryption means 15 generates an encrypted content key E _i (i = 1, 2,..., N) by the following equation (1).

  The encrypted content key generated by the content key encryption unit 15 is output to the encrypted content key transmission unit 16.

The encrypted content key transmission unit 16 transmits the encrypted content key E _i (i = 1, 2,..., N) generated by the content key encryption unit 15 to the content viewing terminal 3. The encrypted content key transmission means 16 transmits the encrypted content key as communication data to the content viewing terminal 3 that has been registered in advance through the network N.
Here, when the encrypted content key transmission means 16 is provided in the broadcast content distribution apparatus 1A, the encrypted content key transmission means 16 distributes the encrypted content key as broadcast data via the broadcast wave W. To do.

The content list generation unit 17 generates a list (content list) indicating content information, which is a pair of at least a content identifier for identifying the content and the viewing fee value. This content list is output to the content list transmission means 18.
Here, the content list generation means 17 generates a content list as shown in FIG. 9 by inputting a content identifier, title, time, fee, etc. corresponding to the content transmitted from the outside as content information. This content list is, for example, data described so as to be displayed as a Web page by XML (eXtensible Markup Language) or the like.
Note that the content list generation unit 17 generates the content list shown in FIG. 9 using a content description language such as BML (Broadcast Markup Language), for example, when provided in the broadcast content distribution apparatus 1A.

The content list transmitting unit 18 transmits the content list generated by the content list generating unit 17 to the content viewing terminal 3. The content list transmitting means 18 transmits the content list as communication data via the network N to the content viewing terminal 3 registered in advance as a user.
Here, when the content list transmission unit 18 is provided in the broadcast content distribution apparatus 1A, the content list transmission unit 18 distributes the content list as broadcast data via the broadcast wave W.

  By configuring the content server 1B (broadcast content distribution device 1A) in this way, the content server 1B (broadcast content distribution device 1A) decrypts the encrypted content (encrypted content) and the encrypted content. The encrypted content key obtained by encrypting the content key to be transmitted and the content list are transmitted to the content viewing terminal 3. Note that the content server 1B (broadcast content distribution apparatus 1A) may transmit the content according to the content distribution time, or may transmit the content for one month once a month. The distribution form is not particularly limited.

The configuration of the content server 1B (broadcast content distribution device 1A) has been described above, but the present invention is not limited to this configuration.
For example, here, the content key encryption means 15 encrypts the content key with the license management private key. This license management private key is a content distribution company ( A different private key may be used for each broadcaster).
Further, it is not necessary for the content server 1B (broadcast content distribution apparatus 1A) to share the license management secret key with the license server 5, and from the license server 5, the content identifier C _i , the content identifier C _i and the license management license key are used. The intermediate key C _i ^w generated with the secret key w may be acquired, and the content key encryption unit 15 may generate the encrypted content key according to the equation (1).
Here, the content server 1B (broadcasting content distribution apparatus 1A) generates a content key, but the content key generation unit 11, the content key encryption unit 15, and the encrypted content key transmission unit 16 The license server 5 may be provided. In this case, it is assumed that the content server 1B (broadcast content distribution apparatus 1A) acquires a content key and a content identifier from the license server 5.

(Content viewing terminal configuration)
Next, the configuration of the content viewing terminal 3 will be described with reference to FIG. 3 (refer to FIG. 1 as appropriate). FIG. 3 is a block diagram showing the configuration of the content viewing terminal according to the present invention. Here, the content viewing terminal 3 includes a content information receiving unit 30, a content information storage unit 31, a content list display unit 32, a terminal key generation unit 33, a content selection unit 34, and a license request generation unit 35. License request transmission means 36, license reception means 37, distribution proof signature verification means 38, content key decryption means 39, content decryption means 40, content presentation means 41, and accounting information reception means 42. ing. It is assumed that the public information is received by a receiving unit (not shown).

The content information receiving unit 30 receives encrypted content, an encrypted content key, and a content list transmitted from a content distribution device (broadcast content distribution device 1A, content server 1B) as content information. The content information received by the content information receiving unit 30 is stored in the content information storage unit 31.
Here, the content information receiving means 30 receives content information from the broadcast content distribution apparatus 1A via the broadcast wave W, or receives content information from the content server 1B via the network N. The content information receiving unit 30 may receive content information from either the broadcast wave W or the network N.

  The content information storage unit 31 stores the content information (encrypted content, encrypted content key, and content list) received by the content information receiving unit 30, and is a general storage device such as a hard disk.

  The content list display means 32 displays the content list on a display device (not shown). The content list display means 32 reads the content list stored in the content information storage means 31, analyzes XML, BML, etc., and outputs it as a video signal for display to a display device (not shown). The content list display means 32 may directly input the content list from the content information receiving means 30 and display the content list in real time.

The terminal key generation unit 33 generates a terminal private key that is a user-side secret key and a terminal public key that is a public key based on public information published by the license management company. Specifically, the terminal key generation unit 33 simulates the remainder class Z _q (0, 1,..., Q−1) modulo the prime number q disclosed by the license management company (license server 5). selects a random number x with the (x ∈ _{R Z q)} to the private key for the terminal, based on the secret key terminal thereof, a generator g of a subgroup of order q on public and prime p, By calculating “g ^x mod p”, the terminal public key h _T is generated. The terminal private key x generated by the terminal key generation means 33 is output to the license request generation means 35, the distribution certification signature verification means 38, and the content key decryption means 39, and the terminal public key h _T is The data is transmitted to the license server 5 via the network N by a transmission unit (not shown).

The content selection means 34 is an operation signal output from the input means as a result of the user operating an input means (not shown) such as a mouse or a remote control device on the content list displayed by the content list display means 32. The content to be viewed is selected based on the above. For example, the content selection unit 34 selects content to be viewed based on operation signals such as a mouse click and a determination button on the remote control device. Identification information (content identifier) for specifying the content selected by the content selection unit 34 is output to the license request generation unit 35.
In the following description, the content list shown in FIG. 10 that is a generalization of the content list shown in FIG. 9 is used as the content list. That is, as shown in FIG. 10, when the number of contents is n, the content list includes n pairs of content identifiers and charges (C ₁ , V ₁ ), (C ₂ , V ₂ ). ,... (C _n , V _n ) are included.

  The license request generation unit 35 includes public information published by the license management company or the charge management company, the content identifier and fee selected by the content selection unit 34, and the content stored in the content information storage unit 31. Based on the list, a license request to be transmitted to the license server 5 is generated. Here, the license request generation unit 35 includes a request information encryption unit 35a, a request certification signature generation unit 35b, and a user authentication signature generation unit 35c.

The request information encryption means (encrypted identification information generation means, encrypted viewing fee value generation means) 35a generates a license request by encrypting the content identifier and the fee selected by the content selection means 34. .
Here, the request information encryption unit 35a selects a pseudo-random number r from the remainder class Z _q (0, 1,..., Q−1) modulo the prime number q disclosed by the license management company (rε _R Z _q ), and encryption request information (X, Y, Z) is generated by the following equation (2).

Here, (X, Y) denotes, a terminal public key _{h T,} it is ElGamal ciphertext obtained by encrypting the selected content identifier _{C j} (encryption identification information). In addition, a (X, Z) is a public accounting management key _{h M,} encryption to the power of _{V j} of g the ElGamal cipher text (encrypted viewing fee value). As a result, the content identifier C _j becomes information that cannot be decrypted except by the content viewing terminal 3. The content fee V _j is information that can be decrypted only by the accounting server 7.

Then, the request information encryption unit 35a generates a license request (Uid, X, Y, Z) including user identification information (Uid) for identifying the user and encryption request information (X, Y, Z). .
The license request (Uid, X, Y, Z) generated by the request information encryption unit 35a is output to the request certification signature generation unit 35b.

The request proof signature generating unit 35b generates and adds an electronic signature (request proof signature) that certifies the request to the license request generated by the request information encryption unit 35a.
The request proof signature σ ₁ generated by the request proof signature generation means 35b proves the knowledge of the pseudorandom number r that is secret on the signer side (PK: Proof of Knowledge) as shown in the following equation (3). ).

Specifically, the request proof signature generating unit 35b generates the request proof signature σ ₁ by performing the following expressions (4) and (5).
First, the request proof signature generating means 35b selects a pseudo random number r ₂ (r ₂ ∈ _R Z _q ) from the remainder class Z _q modulo the prime number q published by the license management company, and the following equation: According to (4), the verification data c _{j + 1} corresponding to the selected pair (C _j , V _j ) of the content identifier and the charge is calculated.

Further, the request proof signature generation means 35b selects a pseudo random number s _i from a remainder class Z _q modulo a prime number q for i = j + 1,..., N, 1, j−1 (s _i ∈ _R Z _q ), and verification data c _{j + 1} corresponding to the pair (C _i , V _i ) (i = j + 1,..., N, 1, j−1) of the content identifier and the charge according to the following equation (5) Are calculated sequentially.

_Here, the _{c n + 1} and _{c 1.} Then, the request proof signature generation means 35b calculates “s _j = r ₂ −rc _j mod q” using the pseudorandom number r that is secret on the signature side, thereby request signature σ ₁ = ( c ₁ , s ₁ ,..., s _n ). (X, Y, Z) is correctly calculated by the request proof signature σ ₁ , and the content identifier / charge pair (C _j , V _j ) of the content selected by the user is any of the content list pairs. You can prove that there is.
Then, the request proof signature generation unit 35b adds the request proof signature σ ₁ to the license request (Uid, X, Y, Z) input from the request information encryption unit 35a. Y, Z, σ ₁ ) is generated and output to the user authentication signature generation means 35c.

The user authentication signature generation means 35c generates an electronic signature (user authentication signature) for authenticating the user and adds it to the license request. Note that the signature for authenticating the user may be a general electronic signature, such as a DSA signature.
Then, the user authentication signature generation means 35c applies the user authentication signature to the license request (Uid, X, Y, Z, σ ₁ ) to which the request certification signature is output, which is output from the request certification signature generation means 35b. A license request (Uid, X, Y, Z, σ ₁ , σ ₂ ) assigned with the signature σ ₂ is generated and output to the license request transmission unit 36.

  The license request transmission unit 36 transmits the license request generated by the license request generation unit 35 to the license server 5 via the network N. Based on this license request, the license server 5 verifies the signature (signature for request certification, signature for user authentication), and the license is sent to the content viewing terminal 3 that has transmitted the license request whose validity is recognized. Sent.

The license receiving unit 37 receives a license from the license server 5 via the network N. In this license, the license server 5 encrypts the selected content identifier C _j with the license management private key w and the pseudo random number γ in the license server 5 as shown in the following equation (6). It includes an encryption / decryption key K ′ generated by encrypting the encryption identification information (X, Y) and decrypting the decryption key for decrypting the encrypted content key, and is an electronic signature on the license issuing side. The signature for delivery certification σ ₃ is added.

The license (K ′, σ ₃ ) received by the license receiving unit 37 is output to the distribution certification signature verification unit 38.

The distribution certification signature verification means 38 verifies the distribution certification signature σ ₃ in the license received by the license reception means 37. The method for verifying the distribution certification signature σ ₃ in the distribution certification signature verification means 38 will be described in the description of the distribution certification signature generation means 54 b in the license generation means 54 of the license server 5 described later. ₃ will be described together with the method for generating ₃ .
The distribution proof signature verification means 38 obtains the encryption / decryption key K ′ from the content key decryption means only when the license is verified as a license from the valid license server 5 by the verification of the distribution proof signature σ _3. Output to 39.

The content key decrypting means 39 decrypts the encrypted content key stored in the content information storage means 31 based on the encrypted decryption key output from the distribution certification signature verifying means 38. Here, the content key decrypting unit 39 corresponds to the content identifier C _j of the content to be viewed from the encrypted content key E _i (i = 1, 2,..., N) stored in the content information storage unit 31. The encrypted content key E _j is read, and based on the encryption / decryption key K ′ (= (X ′, Y ′)) and the terminal secret key x generated by the terminal key generation means 33, the following formula The encrypted content key E _j is decrypted into the content key Kc _j by (7).

Y ′ / (X ′) ^x is the same as “(C _j ) ^w mod p”.
The content key decrypted by the content key decrypting means 39 is output to the content decrypting means 40.

  The content decrypting unit 40 decrypts the encrypted content stored in the content information storage unit 31 with the content key decrypted by the content key decrypting unit 39. The content decrypted by the content decrypting means 40 is output to the content presenting means 41.

  The content presentation unit 41 converts the content decoded by the content decoding unit 40 into a signal such as video or audio and outputs it to a display device (not shown). For example, when the content is encoded by an encoding method such as MPEG-2, the content presenting means 41 decodes the content by the encoding method and outputs it as a video signal and an audio signal.

  The billing information receiving means 42 receives billing information indicating the fee for the viewed content from the license server 5 via the network N. The billing information received by the billing information receiving means 42 is used by the user as information for payment by credit card or transfer to a bank or the like.

By configuring the content viewing terminal 3 in this way, when the content viewing terminal 3 obtains a license from the license server 5, the content viewing terminal 3 obtains a license corresponding to the content while keeping the content viewed by the user secret. Can do.
Although the configuration of the content viewing terminal 3 has been described above, the content viewing terminal 3 can be realized by a program that causes a general computer to function as each of the above-described means. It should be noted that the license request generation program that causes the computer to function as at least the terminal key generation unit 33, the request information encryption unit 35a, and the request certification signature generation unit 35b can be realized separately from other programs. .

(License server configuration)
Next, the configuration of the license server 5 will be described with reference to FIG. 4 (refer to FIG. 1 as appropriate). FIG. 4 is a block diagram showing the configuration of the license server (license issuing device) according to the present invention. Here, the license server 5 includes a license management key generation unit 50, a license request reception unit 51, a user authentication unit 52, a request authentication unit 53, a license generation unit 54, a license transmission unit 55, and usage information. The storage unit 56, the usage information summing unit 57, the usage information transmission unit 58, the charge total value reception unit 59, the signature verification unit 60, and the charging information transmission unit 61 are provided. It is assumed that the public information is received by a receiving unit (not shown).

The license management key generation means 50 obtains a license management private key that is a secret key on the license management business side and a license management public key that is a public key based on public information published by the license management business. Is to be generated. Specifically, the license management key generating means 50, the coset _{Z q (0,1, ..., q} -1) modulo prime number q that publishes select a pseudo-random number w from (w ∈ _R Z _q ) to obtain a license management private key, and based on the license management private key and the generator g and prime number p of the subgroup of order q that has been made public, the “g ^w mod p” by performing the operation, to produce a license for the management public key h _L. The license management private key w generated by the license management key generation unit 50 is output to the request authentication unit 53 and the license generation unit 54, and the license management public key h _L is transmitted by a transmission unit (not shown). It is transmitted to the content viewing terminal 3 via the network N. The license management private key w is shared with the content server 1B (broadcast content distribution apparatus 1A).

The license request receiving means 51 receives a license request (Uid, X, Y, Z, σ ₁ , σ ₂ ) from the content viewing terminal 3 via the network N. The license request received by the license request receiving unit 51 is output to the user authentication unit 52.

The user authentication means 52 verifies the user authentication signature σ ₂ added to the license request, thereby authenticating whether or not the license request is from a legitimate user (content viewing terminal 3). Only the license request whose user authenticity is authenticated by the user authentication means 52 is output to the request authentication means 53. The user authentication means 52 performs verification by a signature method corresponding to the signature generated by the user authentication signature generation means 35c (FIG. 3).

The request authentication unit 53 verifies the request proof signature σ ₁ added to the license request output from the user authentication unit 52, so that the encryption request information (X, Y, Z) is correctly calculated. It authenticates whether or not.
The request authenticating means 53 uses the request proof signature σ ₁ (= (c ₁ , s ₁ ) generated by the request proof signature generating means 35b (FIG. 3) according to the equations (4) and (5). ,..., S _n )) are verified. Specifically, the request authentication unit 53 sequentially calculates the following formula (8) for variables i = 1,..., N corresponding to the number of contents.

Here, if the verification data c ₁ = c _{n + 1,} it can be determined that the encryption request information (X, Y, Z) is correctly calculated.
This request authenticating means 53 outputs a license request to the license generating means 54 only when the verification data c ₁ = c _{n + 1} and the license request (Uid, X, Y, Z, σ ₁ , σ ₂ ). Among them, a part or all including Uid, X, and Z is stored in the usage information storage unit 56 as user usage information.

  The license generation unit 54 generates a license for viewing content on the content viewing terminal 3. Here, the license generation means 54 includes an encryption / decryption key generation means 54a and a distribution certification signature generation means 54b.

The encryption / decryption key generation unit 54 a is based on the encryption request information included in the license request output from the request authentication unit 53 and the license management private key generated by the license management key generation unit 50. An encrypted decryption key is generated by encrypting a decryption key for decrypting an encrypted content key (see the above formula (1)). Here, the encryption / decryption key generation unit 54a selects a pseudorandom number γ from the remainder class Z _q (0, 1,..., Q−1) modulo the prime number q that is public information (γ∈ _R Z _q ). and, by using the secret key w and the public key h _T terminal license management, to generate an encrypted decryption key K'from the equation (6) by the encryption identification information (X, Y). The encryption / decryption key K ′ generated by the encryption / decryption key generation unit 54a is output to the distribution certification signature generation unit 54b.

The distribution proof signature generation unit 54b generates and adds an electronic signature (distribution proof signature) that certifies the key to the encryption / decryption key generated by the encryption / decryption key generation unit 54a.
The distribution proof signature σ ₃ generated by the distribution proof signature generation means 54b proves knowledge of the license management secret key w and the pseudorandom number γ that are secret on the signature side, as shown in the following equation (9). It is a signature to do.

Specifically, the distribution certification signature generation means 54b selects pseudo-random numbers α ₁ and α ₂ (α ₁ , α ₂ ∈) from the remainder class Z _q modulo the prime number q published by the license management company. _R Z _q), and (a 10), the delivery certificate signature _{σ 3 (σ 3 = (c} σ3, s σ3, s2 σ3) the following equation to produce a).

With this distribution certification signature σ ₃ , the license server 5 can prove that the calculation of the formula (10) is correctly performed by using the license management private key w, and shows the validity of the license server 5. Is possible.
The authenticity of the delivery certification signature σ ₃ (σ ₃ = (c _σ3 , s _σ3 , s2 _σ3 )) is verified if the verification side satisfies the following expression (11).

Therefore, the distribution certification signature verification means 38 of the content viewing terminal 3 verifies the distribution certification signature σ ₃ by this equation (11).
The distribution proof signature generation unit 54b adds the distribution proof signature σ ₃ to the encryption / decryption key K ′ generated by the encryption / decryption key generation unit 54a, thereby obtaining a license (K ′, σ ₃ ). Is output to the license transmission means 55.

  The license transmission unit 55 transmits the license generated by the license generation unit 54 to the content viewing terminal 3 that has requested the license via the network N.

The usage information storage unit 56 identifies the user among the license request information (Uid, X, Y, Z, σ ₁ , σ ₂ ) for which the request certification unit σ ₁ has been verified by the request authentication unit 53. A part or all of the information including the user identification information Uid and the encrypted viewing fee value (X, Z) is stored in the usage information storage means 56 as user usage information, and is stored in a general storage device such as a hard disk. is there.

  The usage information summing unit 57 adds the usage information stored in the usage information storage unit 56 by the number of contents. Specifically, the usage information summing unit 57 performs the calculation of the following expression (12) on k pairs of encrypted viewing fee values (X, Z) to obtain usage information for the number of contents. B is calculated. The usage information for the number of contents is output to the usage information transmission means 58.

  The usage information transmitting unit 58 transmits usage information for the number of contents calculated by the usage information summing unit 57 to the charging server 7 via the network N. This usage information transmission means 58 transmits usage information for each user to the accounting server 7 in units of a fixed number (every viewing, every month, etc.).

  The charge total value receiving unit 59 receives the total value (charge total value) of the viewing fee of the content viewed by the user calculated by the charging server 7 via the network N. The fee total value received by the fee total value receiving means 59 is output to the signature verification means 60.

  The signature verification means 60 verifies the signature added to the charge total value received by the charge total value receiving means 59, so that it is a charge total value from a valid charge management company (charging server 7). This is to authenticate. Only the charge total value for which the validity of the charge management company is authenticated by the signature verification means 60 is output to the charge information transmission means 61. The signature verifying means 60 performs verification by a signature method corresponding to the signature generated by the signature adding means 73 (FIG. 6) of the accounting server 7 described later.

  The charging information transmission unit 61 transmits information (billing information) for charging the user to the content viewing terminal 3 via the network N based on the total fee value authenticated by the signature verification unit 60. To do. In the case where the charging information is transmitted by mail or the like, the charging server 61 need not be provided in the license server 5.

By configuring the license server 5 in this way, the license server 5 can issue a license for the content without recognizing the content viewed by the user.
Although the configuration of the license server 5 has been described above, the license server 5 can be realized by a program that causes a general computer to function as each of the above-described means. In addition, the computer is realized separately from other programs as a license generation program that causes the computer to function as at least the license management key generation unit 50, the request authentication unit 53, the encryption / decryption key generation unit 54a, and the distribution certification signature generation unit 54b. It is also possible to do.

(Billing server configuration)
Next, the configuration of the accounting server 7 will be described with reference to FIG. FIG. 5 is a block diagram showing a configuration of a billing server (billing device) according to the present invention. Here, the accounting server 7 includes accounting management key generation means 70, usage information reception means 71, charge total value calculation means 72, signature addition means 73, and charge total value transmission means 74. It is assumed that the public information is received by a receiving unit (not shown).

The charging management key generation means 70 generates a charging management private key that is a charging management company side private key and a charging management public key that is a public key based on public information published by the license management company. Is to be generated. Specifically, the charge management key generation means 70 selects a pseudo-random number a (a∈ _R Z) from the residue class Z _q (0, 1,..., Q−1) modulo the public prime number q. _q ) to be a charging management secret key, and based on the charging management secret key and the generation source g and prime number p of the public subgroup of order q, the “g ^a mod p” by performing the operation, to generate a public key h _M for billing management. The accounting management private key a generated by the accounting management key generation unit 70 is output to the total charge value calculation unit 72, and the accounting management public key h _M is transmitted via the network N by a transmission unit (not shown). Is transmitted to the content viewing terminal 3 and the license server 5.

  The usage information receiving unit 71 receives usage information of content viewed by the user from the license server 5 via the network N. The usage information received by the usage information receiving means 71 is output to the charge total value calculating means 72.

  The fee total value calculating means 72 calculates the total value (total fee value) of the viewing fee of the content viewed by the user based on the usage information. Here, the charge total value calculation means 72 includes a viewing charge total value calculation means 72a and a logarithm calculation means 72b.

The viewing fee total value calculating means 72a includes a value obtained by adding the encrypted viewing fee values (X, Z) included in the usage information for the number of contents (see the above equation (12)), and a charging management key generating means. Based on the accounting management private key a generated at 70, the viewing charge value corresponding to the number of contents viewed is used as an index to calculate the combined viewing charge value obtained by raising the generation source g.
That is, the viewing fee total value calculating means 72a calculates the viewing fee total value A by performing the following equation (13) on k pairs of encrypted viewing fee values (X, Z). To do.

  The viewing fee sum value A calculated by the viewing fee sum value calculation means 72a is output to the logarithm calculation means 72b.

The logarithm calculation means 72b calculates the viewing charge value for the number of contents by performing a logarithmic operation with the generation source g as a base on the viewing charge total value A calculated by the viewing charge total value calculation means 72a. Is. That is, the logarithm calculation means 72b can calculate the log _g A to calculate the total charge value U of the content viewed by the user shown in the following equation (14). The charge total value calculated by the logarithmic calculation means 72 b is output to the signature adding means 73. In general, it is difficult to calculate a discrete logarithm, but log _g A is a relatively small value (at most 10 ⁵ = about 100,000 yen in total), so that the calculation is relatively easy. Is possible.

  The signature adding means 73 generates an electronic signature for authenticating the charge management business operator and adds it to the charge total value. Note that the signature for authenticating the billing management company may be a general electronic signature, such as a DSA signature. The charge total value to which the electronic signature is added is output to the charge total value transmission means 74.

  The fee total value transmitting unit 74 transmits the fee total value to which the electronic signature has been added by the signature adding unit 73 to the license server 5 via the network N.

By configuring the billing server 7 in this way, the billing server 7 can calculate the total charge for the content without recognizing the content viewed by the user.
Although the configuration of the accounting server 7 has been described above, the accounting server 7 can be realized as a program (charging program) that causes a general computer to function as each of the above-described means.

The configuration of the content distribution / billing system S has been described above, but the present invention is not limited to this. For example, here, the license management business and the charge management business are separate businesses, and the license server 5 and the billing server 7 are configured separately, but if they are the same business, 7 may be incorporated.
Note that the ElGamal encryption and knowledge proof described in this embodiment can be generalized as a problem on a finite group in which the discrete logarithm problem is difficult. Therefore, since the encryption and the signature can be configured on this group, it can be implemented on an elliptic curve with a lighter load.

[Operation of Content Distribution / Billing System]
Next, the operation of the content distribution / billing system according to the present invention will be described. Here, in this case, the license management company preliminarily has two prime numbers p and q in which (p−1) is divisible by q, and a part of the order q of the whole integer set Z _p ^* that is relatively prime to p and smaller than _p ^. Assume that the group generator g, the one-way hash function H, and the pseudo-random number generator G are disclosed as system parameters.
Further, the content viewing terminal 3 uses the terminal public key h _T generated by the terminal key generation unit 33, the license server 5 uses the license management public key h _L generated by the license management key generation unit 50, and the charging server 7. shall the public key h _M for accounting management generated by the billing management key generating means 70, published respectively.

(Content distribution operation)
First, the content distribution operation in the content distribution / billing system S will be described with reference to FIG. 6 (refer to FIG. 1, FIG. 2, or FIG. 3 as appropriate for the configuration). FIG. 6 is a flowchart showing a content distribution operation in the content distribution / billing system according to the present invention.

  First, the content server 1B (broadcast content distribution apparatus 1A; hereinafter omitted) inputs content to be distributed from the outside by the content input means 10 (step S1). In addition, the content server 1B generates a key (content key) for encrypting the content by using the content key generation unit 11 (step S2). Then, the content server 1B generates encrypted content by encrypting the content input in step S1 with the content key generated in step S2 by the content encryption unit 12 (step S3).

Furthermore, the content server 1B uses the content key encryption unit 15 to store the license management private key, which is stored in the private key storage unit 14 in advance and used by the license server 5 to generate the license management public key h _L. The content key is encrypted using w to generate an encrypted content key (step S4).
In addition, the content server 1B generates a content list including a content identifier, a fee, and the like by the content list generating unit 17 (step S5).
Then, the content server 1B transmits the encrypted content generated in step S3 by the encrypted content transmission unit 13 and the content list transmitted by the encrypted content key transmission unit 16 in step S4. The means 18 transmits the content list generated in step S5 to the content viewing terminal 3 (step S6). Here, although the encrypted content, the encrypted content key, and the content list are individually transmitted, they may be transmitted together.

Then, the content viewing terminal 3 receives the encrypted content, the encrypted content key, and the content list transmitted from the content server 1B by the content information receiving unit 30 (step S7), and the content information storage unit 31 stores the content information. (Step S8).
Through the above operation, the content distribution / billing system S visually displays a plurality of contents (encrypted content and encrypted content key) that the user can select and view on the content viewing terminal 3 and the user visually. Distribute a selectable list (content list).

(License acquisition / content viewing operation)
Next, with reference to FIG. 7 (refer to FIG. 1, FIG. 3, or FIG. 4 as appropriate for the configuration), license acquisition and content viewing operation in the content distribution / billing system S will be described. FIG. 7 is a flowchart showing a license acquisition / content viewing operation in the content distribution / billing system according to the present invention.

First, the content viewing terminal 3 outputs the content list as a video signal for display to the display device (not shown) by the content list display means 32 (step S10).
Then, as a result of the user operating the input means (not shown) such as a mouse or a remote control device by the content selection means 34, the content viewing terminal 3 displays the content to be viewed based on the operation signal output from the input means. Is selected (step S11).
Subsequently, the content viewing terminal 3 encrypts the content identifier and fee of the content selected in step S11 by the request information encryption unit 35a of the license request generation unit 35 by encrypting the content identifier and the fee according to the equation (2). Request information (X, Y, Z) is generated (step S12).

Then, the content viewing terminal 3 selects the pseudo-random number r ₂ (r ₂ ∈ _R Z _q ) by the request proof signature generation unit 35b, and the content identifier and fee pair (C _j , V _j ) corresponding to the verification data c _{j + 1} is calculated. Further, a pseudo-random number s _i is selected (s _i ∈ _R Z _q ) by the request proof signature generation means 35b, and a pair (C _i , V _i ) (i = Verification data c _{i + 1} corresponding to (j + 1,..., N, 1, j−1) is sequentially calculated.
Here, the request proof signature generation means 35b sets cn _{+ 1} to c ₁ and calculates “s _j = r ₂ −rc _j mod q”, whereby the request proof signature σ ₁ = (c ₁ , s ₁ ,..., S _n ) are generated (step S13).

Then, the content viewing terminal 3 generates an electronic signature (user authentication signature σ ₂ ) for authenticating the user by the user authentication signature generation unit 35c (step S14).
Then, the content viewing terminal 3 uses the license request transmission unit 36 to identify user identification information (Uid) for identifying the user, encryption request information (X, Y, Z), request proof signature σ ₁ , and user authentication. A license request (Uid, X, Y, Z, σ ₁ , σ ₂ ) composed of the signature for use σ ₂ is transmitted to the license server 5 via the network N (step S15). As a result, the content viewing terminal 3 requests a license from the license server 5.

Further, the license server 5 receives the license request by the license request receiving means 51 (step S16).
Then, the license server 5 verifies the user authentication signature σ ₂ added to the license request by the user authentication means 52 (step S17). If the user authentication signature σ ₂ proves the validity of the user (“valid” in step S17), the process proceeds to step S18, and if the user validity cannot be proved (step S17). ”Illegal”), the operation ends.

Further, the license server 5 verifies the request proof signature σ ₁ added to the license request information by the request authentication means 53 (step S18). Here, if the request proof signature σ ₁ proves that the license request information is correct (calculation is correctly performed) (“valid” in step S18), the process proceeds to step S19, and the license request information If it cannot be proved that it is correct (“illegal” in step S18), the operation is terminated. The verification of the request proof signature σ ₁ is performed by sequentially calculating the verification data as shown in the equation (8) for the variables i = 1,..., N corresponding to the number of contents. Verification is performed based on whether or not the data c ₁ = c _{n + 1} .
Then, when all of the verification results in step S17 and step S18 are valid, the request authentication unit 53 includes at least user identification information Uid for identifying the user and user usage information including the encrypted viewing fee value (X, Z). Is stored in the usage information storage means 56 (step S19).

Then, the license server 5 selects the pseudorandom number γ (γ∈ _R Z _q ) by the encryption / decryption key generation unit 54a of the license generation unit 54, and the encrypted content key (the above formula ( An encrypted decryption key K ′ obtained by encrypting the decryption key for decrypting 1) is generated (step S20).
Further, the license server 5 selects the pseudo-random numbers α ₁ and α ₂ (α ₁ , α ₂ ∈ _R Z _q ) by the distribution proof signature generation unit 54b, and the distribution proof signature σ by the equation (10). ₃ (σ ₃ = (c _σ3 , s _σ3 , s2 _σ3 )) is generated (step S21).
Then, the license server 5 transmits the license (K ′, σ ₃ ) composed of the encryption / decryption key K ′ and the delivery certification signature σ ₃ to the content viewing terminal 3 via the network N by the license transmission means 55. (Step S22). Accordingly, the license server 5 generates a license for viewing the content without specifying the content that the user wants to view and transmits the license to the content viewing terminal 3.

Further, the content viewing terminal 3 receives the license transmitted from the license server 5 by the license receiving means 37 (step S23).
Then, the content viewing terminal 3 uses the distribution certification signature verification means 38 to determine whether the distribution certification signature σ ₃ included in the license satisfies the expression (11), and whether the license is valid. It is verified whether or not it is transmitted from (step S24). If the distribution proof signature σ ₃ is authenticated as a license from the valid license server 5 (“valid” in step S24), the process proceeds to step S25, where the license is from the valid license server 5. Is not authenticated ("illegal" in step S24), the operation is terminated.

Then, the content viewing terminal 3 decrypts the encrypted content key stored in the content information storage unit 31 by the above formula (7) by the content key decrypting unit 39 when the verification result in step S24 is valid. The content key is used (step S25).
Thereafter, the content viewing terminal 3 decrypts the encrypted content stored in the content information storage unit 31 with the content key decrypted in step S25 by the content decrypting unit 40 (step S26), and the content presenting unit 41 The video signal and the audio signal are output to a display device (not shown) (step S27).
With the above operation, the content distribution / billing system S can distribute the license for viewing the content to the content viewing terminal 3 while keeping the content that the user wants to view confidential.

(Billing operation)
Next, referring to FIG. 8 (refer to FIGS. 1 and 3 to 5 as appropriate for the configuration), the charging processing operation in the content distribution / charging system S will be described. FIG. 8 is a flowchart showing a charging processing operation in the content distribution / charging system according to the present invention.

  First, the license server 5 adds the usage information stored in the usage information storage unit 56 by the usage information summing unit 57 by the number of contents (step S30), and the usage information transmission unit 58 adds the number of contents. The usage information is transmitted to the accounting server 7 via the network N (step S31). The usage information storage unit 56 stores user usage information including at least user identification information Uid for identifying the user and encrypted viewing fee values (X, Z) in step S19 described with reference to FIG. Yes.

Then, the billing server 7 receives the usage information transmitted from the license server 5 by the usage information receiving means 71 (step S32).
Then, the billing server 7 uses the sum of the viewing fee total value calculation means 72a of the charge total value calculation means 72 and the value obtained by adding the encrypted viewing charge values (X, Z) included in the usage information for the number of contents (described above). For the k pairs of encrypted viewing fee values (X, Z) based on the formula (12)) and the accounting management private key a generated by the accounting management key generation means 70, the above-mentioned By calculating the equation (13), the viewing fee total value A is calculated (step S33).

Further, the billing server 7 uses the logarithm calculation means 72b to perform a logarithm calculation (log _g A) with the generation source g as a base on the viewing fee total value A calculated in step S33. The viewing fee value (total fee value) is calculated (step S34).
Then, the billing server 7 adds an electronic signature to the fee total value by the signature adding unit 73 (step S35), and the fee total value to which the electronic signature has been added by the fee total value transmitting unit 74 via the network N. To the license server 5 (step S36).

The license server 5 receives the total fee value from the accounting server 7 by the total fee value receiving unit 59 (step S37), and verifies the electronic signature added to the total fee value by the signature verification unit 60 (step S37). Step S38). If the validity of the accounting server 7 is authenticated by the electronic signature (“valid” in step S38), the process proceeds to step S39. If the validity is not authenticated (“invalid” in step S38), the operation ends. .
Then, the license server 5 sends the charge total value to the content viewing terminal 3 via the network N as information (billing information) for charging the user with the charge information transmission means 61 (step S39). ).
Then, the content viewing terminal 3 receives the billing information by the billing information receiving means 42 (step S40).
With the above operation, the content distribution / billing system S can charge the user for the fee of the content viewed while keeping the viewing history secret from the content viewing terminal 3.

It is a block diagram which shows the structure of the content delivery and charging system which concerns on this invention. It is a block diagram which shows the structure of the content server (content delivery apparatus) which concerns on this invention. It is a block diagram which shows the structure of the content viewing terminal which concerns on this invention. It is a block diagram which shows the structure of the license server (license issuing apparatus) based on this invention. It is a block diagram which shows the structure of the accounting server (charging apparatus) which concerns on this invention. It is a flowchart which shows the content delivery operation | movement in the content delivery / billing system based on this invention. 6 is a flowchart showing a license acquisition / content viewing operation in the content distribution / billing system according to the present invention. It is a flowchart which shows the accounting process operation in the content delivery / accounting system which concerns on this invention. It is a figure which shows an example of the content list produced | generated by a content list production | generation means. It is the figure which generalized the content list as n pairs of a content identifier and a charge.

Explanation of symbols

S Content Distribution / Billing System 1A Broadcast Content Distribution Device (Content Distribution Device)
1B content server (content distribution device)
DESCRIPTION OF SYMBOLS 10 Content input means 11 Content key generation means 12 Content encryption means 13 Encrypted content transmission means 14 Private key storage means 15 Content key encryption means 16 Encrypted content key transmission means 17 Content list generation means 18 Content list transmission means 3 Content Viewing terminal 30 Content information receiving means 31 Content information storage means 32 Content list display means 33 Terminal key generation means 34 Content selection means 35 License request generation means 35a Request information encryption means (encrypted identification information generation means, encrypted viewing fee) Value generation means)
35b Request proof signature generation means 36 License request transmission means 37 License reception means 38 Distribution certification signature verification means 39 Content key decryption means 40 Content decryption means 41 Content presentation means 42 Billing information reception means 5 License server (license issuing device)
50 license management key generation means 51 license request reception means 52 user authentication means 53 request authentication means 54 license generation means 54a encryption / decryption key generation means 54b distribution proof signature generation means 55 license transmission means 56 usage information storage means 57 usage information Summation means 58 Usage information transmission means 59 Total charge value reception means 60 Signature addition means 61 Billing information transmission means 7 Billing server (billing device)
70 charge management key generation means 71 usage information reception means 72 charge total value calculation means 72a viewing charge total value calculation means 72b logarithm calculation means 73 signature addition means 74 charge total value transmission means

Claims (9)

In a content viewing terminal that presents content to viewers,
A terminal key generating means for generating a terminal private key that is a secret key and a terminal public key that is a public key based on publicly disclosed information;
Based on the terminal public key generated by the terminal key generation means, the public information and the pseudo-random number, request information encryption for generating encrypted request information in which a content identifier for identifying content to be viewed is encrypted And
A license management public key that is a public key that is publicly disclosed corresponding to a license management private key that is a secret key generated in advance by the license issuing device, the terminal public key, the public information, and the pseudo A request proof signature generating means for generating a request proof signature which is an electronic signature for certifying the encrypted request information based on a random number;
A license request transmitting means for transmitting a license request with the request certification signature added to the encryption request information to a license issuing device;
A license receiving means for receiving a license corresponding to the license request transmitted from the license request transmitting means from the license issuing device;
A delivery certification signature verification means for verifying a delivery certification signature which is an electronic signature attached to the license received by the license reception means;
An encryption / decryption key corresponding to the content identifier is selected from an encryption / decryption key for decrypting a plurality of encrypted content keys included in the license whose validity has been authenticated by the signature verification unit for distribution certification. Content key decryption means for decrypting as a content key;
Content decrypting means for decrypting the content based on the content key decrypted by the content key decrypting means;
A content viewing terminal comprising:   The request information encryption means includes a charging management public key that is a public key that is publicly disclosed in correspondence with a charging management private key that is a private key generated in advance by the charging device, the public information, and the pseudo information. The encrypted viewing fee value obtained by encrypting the viewing fee value of the content that requires viewing based on a random number by an encryption method having homomorphism is added to the encryption request information. The content viewing terminal according to 1. A license issuing device that issues a license for viewing content based on a request from the content viewing terminal according to claim 1,
A license management key generating unit that generates a license management private key that is a secret key and a license management public key that is a public key based on publicly disclosed information;
License request receiving means for receiving the license request from the content viewing terminal;
Request authentication means for verifying the request proof signature, which is an electronic signature included in the license request received by the license request receiving means;
Encryption request information included in the license request whose validity is authenticated by the request authentication means, public information disclosed in advance, a terminal public key disclosed in the content viewing terminal, and the license An encryption / decryption key generating means for generating an encryption / decryption key obtained by encrypting a decryption key for decrypting the encrypted content key based on the management secret key;
Based on the encryption / decryption key generated by the encryption / decryption key generation means, the public information, the license management public information, the terminal public key, the license management private key, and a pseudo-random number. A distribution proof signature generating means for generating a distribution proof signature that is an electronic signature for certifying the validity of the distribution side of the license;
A license transmission means for transmitting the encryption / decryption key and the delivery certification signature to the content viewing terminal as the license;
A license issuing device comprising: A charging device that calculates a viewing fee value of content viewed at a content viewing terminal based on an encrypted viewing fee value included in a license request transmitted from the content viewing terminal according to claim 2. ,
Accounting management key generation means for generating an accounting management private key that is a secret key and an accounting management public key that is a public key based on publicly disclosed information;
Charge total value calculation calculating means for calculating a total value of the viewing charge values for the number of content viewed based on the encrypted viewing charge value and the charging management private key;
A signature adding means for adding an electronic signature to the total value of the viewing charge value calculated by the charge total value calculation calculating means;
A charging device comprising: A license issuing device that issues a license for viewing content based on a request from the content viewing terminal according to claim 2,
A license management key generating unit that generates a license management private key that is a secret key and a license management public key that is a public key based on publicly disclosed information;
License request receiving means for receiving the license request from the content viewing terminal;
Request authentication means for verifying the request proof signature, which is an electronic signature included in the license request received by the license request receiving means;
Encryption request information included in the license request whose validity is authenticated by the request authentication means, public information disclosed in advance, a terminal public key disclosed in the content viewing terminal, and the license An encryption / decryption key generating means for generating an encryption / decryption key obtained by encrypting a decryption key for decrypting the encrypted content key based on the management secret key;
Based on the encryption / decryption key generated by the encryption / decryption key generation means, the public information, the license management public information, the terminal public key, the license management private key, and a pseudo-random number. A distribution proof signature generating means for generating a distribution proof signature that is an electronic signature for certifying the validity of the distribution side of the license;
A license transmission means for transmitting the encryption / decryption key and the delivery certification signature to the content viewing terminal as the license;
Usage information summing means for summing up the number of contents viewed, using the encrypted viewing fee value included in the license request whose validity is authenticated by the request authentication means,
Usage information transmitting means for transmitting the usage information added by the usage information adding means to the charging device according to claim 4;
Charge total value receiving means for receiving a total value of viewing charge values for the number of contents viewed, calculated by the charging device;
A signature verification unit that verifies an electronic signature added to the total value of the viewing fee value received by the total fee value reception unit;
A license issuing device comprising: In a content distribution device that encrypts content and distributes it to a content viewing terminal,
Content encryption means for encrypting the content with a content key to generate encrypted content;
Encrypted content transmission means for transmitting the encrypted content generated by the content encryption means to the content viewing terminal;
Content key encryption for generating an encrypted content key by encrypting the content key with a homomorphic encryption method using a license management secret key that is a secret key shared with the license issuing device according to claim 3 Means,
Encrypted content key transmission means for transmitting the encrypted content key generated by the content key encryption means to the content viewing terminal;
A content distribution apparatus comprising: In a content viewing terminal for presenting content to a viewer, in order to generate a license request for requesting a license for viewing the content,
A terminal key generating means for generating a terminal private key that is a secret key and a terminal public key that is a public key based on public information that has been made public in advance;
An encryption for generating encrypted identification information obtained by encrypting a content identifier for identifying content to be viewed based on the terminal public key generated by the terminal key generation means, the public information, and a pseudo-random number Identification information generating means,
Based on the accounting management public key that is publicly disclosed corresponding to the accounting management private key that is a secret key generated in advance by the accounting device, the public information, and the pseudo-random number An encrypted viewing fee value generating means for generating an encrypted viewing fee value obtained by encrypting a viewing fee value of the requested content by an encryption method having homomorphism;
A license management public key that is a public key that is publicly disclosed corresponding to a license management private key that is a secret key generated in advance by the license issuing device, the terminal public key, the public information, and the pseudo-random number, Based on the encryption identification information and the encrypted viewing fee value, generating a request proof signature that is an electronic signature for certifying the encryption request information, and adding it to the encryption request information A request proof signature generating means for generating a license request;
A license request generation program characterized in that it functions as: In order to generate a license for viewing content based on a request from the content viewing terminal according to claim 2,
A license management key generating unit that generates a license management private key that is a secret key and a license management public key that is a public key based on publicly disclosed information;
Request authentication means for verifying the request proof signature, which is an electronic signature included in the license request received from the content viewing terminal;
Encryption request information included in the license request whose validity is authenticated by the request authentication means, public information disclosed in advance, a terminal public key disclosed in the content viewing terminal, and the license An encryption / decryption key generating means for generating an encryption / decryption key obtained by encrypting a decryption key for decrypting the encrypted content key based on the management secret key;
Based on the encryption / decryption key generated by the encryption / decryption key generation means, the public information, the license management public information, the terminal public key, the license management private key, and a pseudo-random number. Generating a distribution certification signature that is an electronic signature for proving the validity of the distribution side of the license, and adding the signature to the encryption / decryption key to generate the license,
A license generation program characterized by functioning as: Based on the encryption request information included in the license request transmitted from the content viewing terminal according to claim 2, in order to calculate the viewing fee value of the content viewed at the content viewing terminal,
Accounting management key generation means for generating an accounting management private key that is a secret key and an accounting management public key that is a public key based on publicly disclosed information,
Charge total value calculating means for calculating a total value of the viewing fee values for the number of contents viewed based on the encrypted viewing fee value included in the encryption request information and the charging management private key;
A billing program characterized by functioning as

Images