JP2007020225A - Image data encryption apparatus and control method thereof - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide an image data encryption technique which facilitates management of access keys in encrypting image data having a hierarchical structure in which the data of each layer can be specified by at least two parameters, and is also resistant against exchange of access keys between a plurality of users. <P>SOLUTION: In encrypting image data having a hierarchical structure in which a layer is specified by layer and resolution level, an access key K for the highest resolution and highest layer is set. Access keys are generated by using a one-way function in a direction which the level becomes low. At such a time, the access key for a given layer can be generated from either of the access keys of layer and resolution located at the higher level. The data of each layer are encrypted in accordance with a corresponding access key. <P>COPYRIGHT: (C)2007,JPO&INPIT

Description

  The present invention relates to image data encryption technology.

  In order to conceal and transmit image data and the like, the entire image data is encrypted and scrambled. This is also a technique in which the entire image data is previously encrypted using an encryption key, and only a computer having information on a decryption key corresponding to the encryption key can correctly decrypt the image data.

  On the other hand, when the image data is composed of a plurality of tiles, encryption processing is performed using a different encryption key for each tile for the purpose of controlling whether or not reproduction is possible for each tile.

  Also, in the case of image data having a hierarchical structure, encryption processing is performed using a different encryption key for each hierarchical structure for the purpose of controlling the reproduction of the image data according to the hierarchical structure.

  However, the hierarchy may be determined by a plurality of parameters. For example, in the technology called JPEG2000 standard standardized by ISO / IEC JTC 1 / SC29 / WG1, the resolution, the layer that is a set of codes for each bit plane, color components, etc. for one tile One hierarchical structure data is defined by determining the four parameters of the component representing the position and the precinct representing the position in the tile (Non-Patent Document 1)). Furthermore, when these are combined, the image data is composed of a plurality of tiles, and each tile has a hierarchical structure. For the purpose of controlling the reproduction of the image data according to the tile and the hierarchical structure, Encryption processing is performed using different encryption keys for the hierarchical structure.

  As described above, it is possible to control the reproduction of image data for each tile and hierarchical structure by encrypting the tiles and the hierarchical structure using different encryption keys. However, in order to decrypt a predetermined tile and hierarchical structure of the encrypted image data, all the encryption keys used for the encryption process are managed, and an appropriate decryption key is supplied during the decryption process. It is necessary to manage the key information on the encryption side and the decryption side easily.

  On the other hand, there is a technique in which keys for tiles, components, and precincts are generated independently to facilitate management of key information, and keys for resolution and layer are generated depending on the preceding and following resolutions and layer keys. This is because tiles, components, and precincts are likely to be accessed at random, so a key is generated according to an identifier that identifies each parameter, and high resolution or high layer images are reproduced with respect to resolution and layer. Always requires access to low-resolution or low-layer image data, so a key for encrypting low-resolution or low-layer data one key lower than the key for encrypting high-resolution or high-layer data is generated. This is a technique for reducing the key to be managed.

In this method, when the master key for one image is K, a key Ki for each tile, component, and precinct is generated as follows using a one-way function. Here, the one-way function is a function in which it is easy to obtain y from x in y = H (x), but it is difficult to obtain x from y. As one-way functions, hash functions such as MD5 (Message Digest 5) and SHA-1 (Secure Hash Algorithm 1) and encryption functions such as DES (Data Encryption Standard) and AES (Advanced Encryption Standard) are known. .
Ki = H (K || i) (1)
Here, H () represents a one-way function, x || y represents a concatenation of x and y, and i is a value (identification information) for identifying each tile, component, and precinct.

The key Ki for each resolution and layer is generated as follows.
Ki = H (Ki-1) (2)
Here, i is a value representing a target resolution or layer, and Ki-1 is a previous resolution (a resolution higher than the current resolution) or a previous previous layer (from the target layer). Is a key used for higher layers).

Therefore, if the encryption key Ktcprl for the specified tile and layered data is represented and the keys for the specified tile, component, precinct, resolution, layer are expressed as KT, KC, KP, KR, KL,
Ktcprl = H (KT || KC || KP || KR || KL) (3)
Is generated as

From the above, it is possible to control the reproduction of image data for tiles and hierarchical structures by performing encryption using different encryption keys for the target tiles and hierarchical structures.
Standard Recommendation (ISO / IEC 15444-1)

  However, when encryption is performed using different encryption keys for tiles and hierarchical structures in this way, the following problem of key leakage due to user collusion occurs with respect to resolution and layer.

  For example, as shown in FIG. 1, the key KRn for the highest resolution and the key KL0 for the lowest layer are given to the user A, and the key KR0 for the lowest resolution and the key KLm for the highest layer are given to the user B. Normally, user A cannot access high-layer data of KL0 or higher, and user B cannot access high-resolution data of KR0 or higher because of the relationship of equation (2).

  That is, in FIG. 1, user A can access (encryption / decryption) only R0L0, R1L0,..., RnL0, and user B can access only R0L0, R0L1,.

  However, if users A and B teach each other the keys KLn and KRn, each key can generate all keys of lower resolutions or layers. The layer image can be reproduced. That is, in FIG. 1, the entire range from R0L0 to RnLm can be accessed.

  Although the above example may be an extreme example, it must be said that such an unexpected situation can occur when an unspecified number of users such as the Internet are in an environment where they can communicate with each other.

  The present invention has been made in view of such a problem, and when encrypting image data having a hierarchical structure that can specify data of each hierarchy with at least two parameters, it is possible to manage a plurality of access keys while facilitating management of access keys. It is an object of the present invention to provide an image data encryption technique that is highly resistant to exchange of access keys by users.

In order to solve this problem, for example, the image data encryption control method of the present invention includes the following steps. That is,
A control method for an image data encryption device that encrypts image data using key information,
An input process for inputting image data having a hierarchical structure, in which data of each hierarchy can be specified by at least two parameters, and each parameter is expressed in multiple levels;
For the input image data, the key information for the data of the hierarchy specified by the two parameters originates from the key information for the data of the hierarchy specified by the two parameters at the maximum level. A generation step of generating key information using a predetermined one-way function that can be generated from any of the two pieces of key information for data in the hierarchy located one level higher;
An encryption step for encrypting the data of the corresponding layer input in the input step according to the key information set in the setting step and the key information generated in the generation step.

  According to the present invention, when encrypting image data having a hierarchical structure that can specify data of each hierarchy with at least two parameters, access keys can be exchanged by a plurality of users while facilitating access key management. In contrast, it is possible to provide image data encryption technology having high tolerance.

  Embodiments according to the present invention will be described below with reference to the accompanying drawings.

<Description of overall configuration>
FIG. 6 shows an example of a system outline in the embodiment. In the figure, 60 is the Internet, and 61 is a device that performs compression coding and encryption processing on image data captured by a digital camera, an image scanner, a film scanner, or the like. 62 is a device that receives and decrypts image data, and 63 is an authentication server that stores an decryption key necessary for decryption. The devices 61 to 63 may be general-purpose devices such as personal computers. The flow of processing will be briefly described as follows.

  The apparatus 61 performs compression encoding and encryption processing on desired image data, and distributes it via the Internet 60. Distribution may be performed directly by the device 61 or may be distributed via an appropriate server. However, the key information necessary for the cancellation is registered in the DB of the authentication server 63 together with information (for example, ID) for specifying the image data because of the encrypted relationship. The image decryption device 62 receives a desired image, decrypts it, and browses it. To view the encrypted image data, notify the authentication server 63 of information specifying the image. Request decryption key information. As a result, since the decryption key information is received from the authentication server 63, the decryption is decrypted using the received decryption key information, and decryption is performed.

  In the embodiment, in order to simplify the description, the image (file) to be encrypted is encoded by a compression encoding method called JPEG2000, which is standardized in ISO / IEC JTC1 / SC29 / WG110918-1. Although described as data, the present invention is not limited to JPEG 2000, and it will be apparent from the following description that various compression encoding methods such as JPEG can be applied.

  Here, the configuration of the device 61 will be described.

  As described above, the device 61 may be a general-purpose information processing device such as a personal computer, but a specific configuration example is as shown in FIG.

  In the figure, 302 is an MPU that controls the entire apparatus, and 303 stores a main storage device (a work area and an OS of the MPU 302, a RAM for loading an encryption processing program in the embodiment, a boot program, a BIOS, and the like). It is composed of ROM. A hard disk device (HDD) 304 stores various files including an OS and an encryption processing program. Reference numeral 305 denotes a video memory, a controller that draws data in the memory according to the control of the MPU 302, and a video controller that outputs data drawn in the memory as a video signal to the monitor 306 serving as a display device. The monitor 306 may be integrated with the apparatus or may be externally attached. Reference numeral 307 denotes a system bus.

  308 is an interface for connecting the printer 316, 309 is a CDROM drive, 310 is a DVD drive, and 311 is a floppy (registered trademark) drive. Reference numeral 312 denotes an interface for connecting a pointing device 313 such as a mouse and a keyboard 314, and reference numeral 315 denotes an interface for connecting an image scanner 317. Reference numeral 318 denotes a network interface for connecting to the Internet 60.

  In the above configuration, in the embodiment, for example, the original is read and encrypted by the scanner 317, and the result is distributed as described above. However, the encryption target is not limited to the image scanner 317, but may be image data read from a storage medium such as a CDROM, or an image captured by connecting a digital camera. In short, the image data to be encrypted may be input by any means.

<Description of encryption key>
In the above configuration, in the embodiment, image data to be encrypted is an image data file compressed and encoded by a technique called JPEG2000 standard standardized by ISO / IEC JTC 1 / SC29 / WG1. Assumed to be performed. Since this compression technique itself is publicly known, detailed description thereof will be omitted.

  In JPEG2000, one layer is determined by determining four parameters of a resolution, a layer that is a set of codes for each bit plane, a component that represents a color component, and a precinct that represents a position in the tile. Structural data is defined. In the present embodiment, the compressed image data having such a hierarchical structure is encrypted.

  FIG. 7 shows frequency components when a wavelet transform is performed twice on a certain tile. When the first wavelet transform is performed, data of four subbands HL1, HH1, LH1, and LL1 are obtained. In the second time, the same processing is performed on LL1. Since only one LL component is always generated, it is often expressed without a subscript. Here, the data of the LL component is data of a low frequency component, and is also an image that is 1/4 each of the vertical and horizontal directions with respect to the original tile size. That is, it can be said that the illustrated LL component is data having a resolution (minimum resolution) of ¼ of the image indicated by the tile. By decoding the data of the LL component using {HL2 + HH2 + LH2} data, an image with a resolution higher by one step can be reproduced, and further, the original tile size can be reproduced by using the data represented by {HL1 + HH1 + LH1}. The same highest resolution image can be reproduced. That is, it can be said that the resolution is gradually higher in the order of LL, {HL2 + HH2 + LH2}, {HL1 + HH1 + LH1}. Actually, after the wavelet transform, quantization processing is performed, values in individual components are converted into a small number of bits, and entropy coding is performed.

FIG. 8 shows the data after the quantization. In the figure, for simplification, 4 × 4 data is shown as data after quantization. In this example, there are three quantization indexes, which have values of +13, −6, and +3, respectively. In entropy coding, the maximum value MAX is obtained, and the number of bits S required to express the maximum quantization index is calculated by the following equation.
S = ceil (log2 (abs (MAX)))
Here, ceil (x) is a function representing the smallest integer value among integers greater than or equal to x.

  In FIG. 8, since the maximum coefficient value is 13, S is 4, and the 16 quantization indexes in the sequence are processed in units of four bit planes as shown in FIG. First, the entropy encoding unit 114 performs entropy encoding (binary arithmetic encoding in the present embodiment) on each bit of the most significant bit plane (represented by MSB in the figure), and outputs the result as a bit stream. Next, the bit plane is lowered by one level, and similarly, each bit in the bit plane is encoded and output to the code output unit until the target bit plane reaches the least significant bit plane (denoted by LSB in the figure). At the time of the entropy encoding, the code of each quantization index is determined immediately after the non-zero bit to be encoded first (most significant) is detected in the bit-plane scan from upper to lower. It is assumed that binary arithmetic coding is performed by continuing 1 bit indicating the sign of the index. Thereby, the positive / negative sign of the quantization index other than 0 is efficiently encoded.

  In the illustrated case, four planes of bits 0 to 3 are generated, but it can be seen that the higher-order bit plane is more dominant. This corresponds to the highest resolution (bit 3 plane in the figure) corresponding to the low resolution data previously shown, and the bit 0 plane corresponding to what is used to reproduce the highest resolution data. . A processing unit (bit plane) in which entropy-encoded entropy codes are collected to have a predetermined code amount is called a layer. By configuring a plurality of layers, it is possible to reproduce images corresponding to various code amounts at the time of decoding.

  A code stream of JPEG 2000-compressed encoded data has a main header, and includes one or more tile parts indicated by the above four parameters of the resolution, the layer, the component representing the color component, and the precinct. The data called will follow. The tile part further includes a tile part header and at least one code block.

  In the code block in this embodiment, information indicating which resolution level it is and which layer is indicated in the tile part header, and the encryption key information to be used is specified by referring to this. Encrypt.

In FIG. 2, KRLij represents access key information to RiLj representing hierarchized data corresponding to a predetermined resolution and layer. For the access key KRLij corresponding to a certain resolution and layer, the key is updated as follows.
KRLi-1, j = F (a, KRLij) (4)
KRLi, j-1 = F (b, KRLij) (5)
Where F () is a one-way function using the key a or b,
F (a, F (b, K)) = F (b, F (a, K)) (6)
This relationship holds.

  The above relational expression (6) is a hash function such as MD5 (Message Digest 5) or SHA-1 (Secure Hash Algorithm 1) described above, or an encryption function such as DES (Data Encryption Standard) or AES (Advanced Encryption Standard). Is not realized.

Therefore, in order to satisfy this relationship, it was realized by the following calculation. Here, N = (p−1) (q−1) (p and q are prime numbers), and a and b are open to the public.
(K ^ b) ^ a mod N = (K ^ a) ^ b mod N (7)
Here, “x ^ y” represents x raised to the power of y, and “x mod y” is a function that returns the remainder when x is divided by y (“^” has a stronger operational coupling strength than “mod”. ).

  Equation (7) is the same principle as RSA cryptography, and even if a and b are made public, if a 'and b' corresponding to the secret key are not known, the inverse operation cannot be performed and one-way is guaranteed. Is.

  Thereby, the following problem which is a problem of the conventional method is solved.

  i. The access key KRLn0 is passed to the user A who can access the data of the highest resolution and the lowest layer. User A can generate access keys KRLn-1,0 to KRL00 from equation (4) using public key a. However, even if Expression (5) is executed using another public key b, the reverse computation in the layer direction cannot be realized from the one-way property of F (), and a higher layer access key cannot be obtained.

  ii. Further, the access key KRL0m is passed to the user B who can access the data of the lowest resolution and the highest layer. User B can generate access keys KRL0, m-1 to KRL00 from equation (5) using the public key b. Similarly, user B cannot generate an access key for high resolution due to the unidirectionality of F ().

  iii. Here, it is assumed that user A and user B have collaborated and taught each other's access keys KRLn0 and KRL0m. However, KRLn0 and KRL0m can only generate keys in the above-described range, and cannot generate other keys. The above principle is illustrated using equation (7) as shown in FIG.

  FIG. 4 has the following meaning. An access key K is set for the maximum resolution and the highest layer (bit 0 plane) of a certain tile. Using this access key K as the origin, access key information in the direction of the arrow shown (one-way) is generated.

  As a result, for example, user A acquires the key “K ^ mb” (maximum resolution, lowest layer (MSB bit plane), user B acquires the key “K ^ nb”, and exchanges the key information with each other. However, it can be substantially impossible to generate the key K. It can be seen that a high strength is maintained against the collusion of a plurality of users, far from the prior art described in FIG.

  The above-described processing can be realized by the configuration shown in FIG. Note that each processing unit in the figure can be read as a software function.

  Here, for simplicity, it is assumed that tiles and components are not hierarchized.

  First, when the image data 500 is input, the hierarchization unit 501 hierarchizes the image 500 into various data from high resolution to low resolution and from high layer to low layer as shown in FIG. . Here, it is assumed that RnLm, Rn-1Lm, RnLm-1, Rn-2Lm,.

  On the other hand, the access key information for the hierarchized data RnLm of the highest resolution and highest layer is K. This key is K = KRLnm, and the encryption unit 502 encrypts RnLm using the key. The encryption method used in the encryption unit 502 is not limited here, but various encryption methods such as DES and AES can be used. As a result, CRnLm obtained by encrypting RnLm is output (CRiLj indicates data obtained by encrypting RiLj).

  The key K is updated in the resolution direction by the equation (4) in the R key conversion unit 503, and the key in the layer direction is updated by the equation (5) in the L key conversion unit 504. Therefore, KRLn-1, m = K ^ a is calculated and output from the key K = KRLnm in the R key conversion unit. Similarly, KRLn, m-1 = K ^ b is calculated and output from the key K = KRLnm in the L key conversion unit. However, it is assumed that a and b are set in the conversion units 503 and 504 in advance. Using this, the encryption unit 502 encrypts the encoded data of Rn-1Lm and RnLm-1 output from the hierarchizing unit 501.

  Thereafter, in the resolution direction, the key for the previous resolution is input, and the calculation of Equation (4) is performed in the R key conversion unit. Is executed and the key is updated. Using the updated key, the subsequent hierarchical structure data is encrypted. However, the calculation of the key for the data in the oblique direction, for example, the calculation of K ^ (a + b) in FIG. 4 corresponding to KRLn-1, m-1 is performed by using the key K ^ b in the previous resolution direction as an input. The same result can be obtained even if the calculation is performed by the above-described method and the L key conversion unit calculates the key K ^ a in the previous layer direction as an input.

  It is obvious that the decryption process for this can be realized by a configuration in which the decryption unit is a decryption unit for the encryption method using the encryption unit 502 of FIG.

In the above embodiment, the tiles, precincts, and components are not hierarchized for the sake of simplicity. However, even if the tiles, precincts, and components are hierarchized, the access keys KT, KC, and KP are represented by Expression (1) The entire access key can be generated by the following formula instead of formula (3).
Ktcprl = H (KT || KC || KP || KRL) (8)
Here, KRL is a key for the resolution and layer shown in the present embodiment.

  In addition, when correlating other components such as tiles, precincts, and components, a key c, d, and e are set for each of the tiles, precincts, and components, and the same technique is used as multidimensional hierarchical data. This can also prevent user collusion.

  In the embodiment, the expression (7) is shown as a method for establishing the relations of the expressions (4) to (6), but it is obvious that the present invention is not limited to this. For example, an elliptic curve-like power residue calculation may be used.

In the first embodiment, the update of the access key for the resolution and layer is indicated by the public keys a and b.
KRLi-1, j = E (KRLij) (9)
KRLi, j-1 = G (KRLij) (10)
E (G (K)) = G (E (K)) (11)
It may satisfy the relationship.

  As described above, according to the present embodiment, even when image data having a plurality of tiles and a hierarchical structure is encrypted using different encryption keys for each tile and the hierarchical structure, key information by a plurality of users is obtained. Thus, it is possible to solve the leakage due to the exchange or the unauthorized access and eliminate the need to manage a plurality of keys.

  In the embodiment, the example in which the resolution and the layer are applied to the two axes shown in FIG. 4 has been described. However, tiles, precincts, and components may be assigned to one axis or both. However, in the case of tiles and precincts, the multistage level will be treated as position information.

<Second Embodiment>
Opportunities for the distribution of digital content such as documents and image data through large-capacity recording media such as communication lines and DVDs are increasing. In such content distribution services, there are content providers that distribute content. The content provider needs to set different access control information for each of a plurality of contents, and encryption with different keys for each content, each user, and each user action (for example, browsing, copying, etc.) It is assumed that processing will be performed. In this process, management related to key information such as key generation, key holding, and key distribution is often very burdensome in content providers. Therefore, research is being conducted on more efficient management methods for key management without lowering the security level. Some of them will be explained. In particular, the first embodiment has described the case where the hash function is not used, but in the present embodiment, a method using the hash function as a one-way function will be described.

[Tree structure management method]
The tree structure management method is used in offline content playback devices such as a DVD player, and is suitable for invalidating a user. In this method, the encrypted data is distributed simultaneously with the key information used for encryption and the encrypted content or stored in a medium so that only authorized users can decrypt the encrypted data. Although it is necessary to distribute key information in advance in an appropriate combination to each user, a vast amount of user key information can be efficiently managed by using a tree structure.

  In this management method, there are the following indicators for determining the quality of the method: 1) the data size of the key information distributed simultaneously with the content, 2) the pre-distributed key information held by the user Data size, 3) The data size of key information that the content provider needs to manage, and the above three indicators correspond to it. In the case of an online distribution service, the index 1) that influences network traffic will be emphasized, but from the standpoint of the content provider, the management cost of the index 3) will be the most important. It should be noted that the weight of the index changes depending on the situation.

  As a typical tree structure management method, there is a content distribution model (for example, “Digital Content Protection Management Method” SCIS2001, pp.213-218). In this model, a key distribution tree structure as shown in FIG. 22 is used, and different keys are arranged at each node. It is assumed that the user key (assuming a key held by a player such as a DVD in the paper) is identified with the end node (leaf node) and holds all key data from the root to the end node. In this model, it is assumed that updates occur frequently, and this arrangement improves the efficiency of key revocation.

[Hierarchical key management method]
On the other hand, the key management assumed in the hierarchical key management method is the same in that the key is arranged in each node, but the user is not limited to the terminal node, but the key located in all nodes including the root. Is significantly different (for example, CH Lin. “Dynamic key management schemes for access control in a hierarchy” Computer Communications, 20: 1381-1385, 1997, or J.-C. Birget, X. Zou, G. Noubir, B. Ramamurthy, “Hierarchy-Based Access Control in Distributed Environments” in the Proceedings of IEEE ICC, June 2001, etc.).

  In addition, an access structure as shown in FIGS. 23 and 24 is assumed instead of the n-ary tree structure as shown in FIG. 22, and when viewed locally, a portion having a relationship as shown in FIG. 25 can be seen. . In this case, it is necessary to provide a mechanism that can generate a key that the node n3 should have from both the key arranged at the node n1 and the node n2. The following two methods have been proposed as a method for providing this mechanism.

[(1) User multiple keying]
Each node holds a plurality of keys, and the parent node is configured to hold all the keys of the child nodes. FIG. 26 shows an example of this, which describes a set of key data distributed to each node. For example, it can be seen that the key data k5 is included in the parent node of the node to which {k5} is distributed. Similarly, in other nodes, it can be seen that the parent node includes all the key data of the child nodes.

[(2) One-way function based keying schemes]
This is an extended version of Lin et al.'S proposal. By using a one-way hash function, the key information held by each node can be reduced. However, when generating key data of a child node from key data of a plurality of parent nodes as shown in FIG. 25, the following operation is necessary. This operation will be described with reference to FIG.

In FIG. 27, to generate k3 from key data k1 or k2.
k3: = F (k1, n3) XOR r13
k3: = F (k2, n3) XOR r23
Perform the operation. Here, XOR is a bitwise exclusive OR. F () is a one-way hash function, and details will be described later. n3 is the identifier of the node to which the key data k3 is associated, r13 and r23 are the random data associated by the node n1 (key data k1) and the node n3, and the node n2 (key data k2) and the node n3, respectively. It is random data and is data that is open to the public.

  The function F () consists of F (k_i, n_j) = g ^ {k_i + n_j} mod p (where p is a prime number and g is a primitive element), and r12 and r13 above are F (k1, n3) XOR r13 = F (k2, n3) is generated so as to satisfy XOR r23.

  As described above, when there are two or more parent nodes locally in the hierarchical key management method (FIG. 25 is an example in which two parent nodes exist), the same key data from different parent nodes. Is generated in the first embodiment described above.

  However, in (1) User multiple keying, each node must have many keys, and there is a problem that the key data to be held increases in proportion to the total number of nodes as the hierarchy becomes deeper. However, in (2) One-way function based keying schemes, the amount of key data held by each node is reduced by using a one-way hash function, but public random data such as r12 and r13 is held separately. As in (1), there is a problem that data to be held increases as the hierarchy becomes deeper.

  Further, in (2), a power operation is used for the one-way hash function. Although a configuration using a hash function with a trapdoor is conceivable, in any case, an operation requiring a power operation is included, and the calculation cost is enormous. In particular, a device such as a PDA with a small amount of calculation resources spends a lot of time for key calculation, and as a result, there is a possibility that interactive processing cannot be performed at the time of data decryption.

  In view of this problem, the second embodiment will explain an example in which a key management method having an access structure similar to the hierarchical key management method can be configured safely with a small amount of calculation.

  FIG. 9 is a block diagram schematically showing the configuration of the key information processing apparatus according to the second embodiment of the present invention.

  Note that it is not essential to use all the functions shown in FIG. 9 in realizing the present invention.

  9, a key information processing apparatus 100 includes a modem 118 such as a public line, a monitor 102 as a display unit, a CPU 103, a ROM 104, a RAM 105, an HD (hard disk) 106, a network connection unit 107, a CD 108, and an FD (flexible disk). ) 109, a DVD (Digital Video Disk or Digital Versatile Disk) 110, an interface (I / F) 117 of the printer 115, and an interface (I / F) 111 such as a mouse 112 or a keyboard 113 as an operation unit. These are connected to each other via a bus 116 so as to communicate with each other.

  The mouse 112 and the keyboard 113 are operation units for the user to input various instructions to the key information processing apparatus 100. Information (operation information) input via the operation unit is taken into the key information processing apparatus 100 via the interface 111.

  Various information (character information, image information, etc.) in the key information processing apparatus 100 can be printed out by the printer 115.

  The monitor 102 displays various instruction information to the user and various information such as character information or image information.

  The CPU 103 controls operation of the entire key information processing apparatus 100, and controls the entire information processing apparatus 100 by reading and executing a processing program (software program) from the HD (hard disk) 106 or the like. In particular, in the second embodiment, the CPU 103 reads out and executes a processing program that realizes key generation from the HD 106 or the like, thereby performing information processing to be described later.

  The ROM 104 stores a processing program for key generation, various data (such as a key generation graph) used in the program, and the like.

  The RAM 105 is used as a work area or the like for temporarily storing a processing program and information to be processed for various processes in the CPU 103.

  The HD 106 is a component as an example of a large-capacity storage device, and stores various data or a processing program for information conversion processing that is transferred to the RAM 105 or the like when various processing is executed.

  The CD (CD drive) 108 has a function of reading data stored in a CD (CD-R) as an example of an external storage medium and writing data to the CD.

  Similar to the CD 108, the FD (floppy (R) disk drive) 109 reads data stored in the FD 109 as an example of an external storage medium. It also has a function of writing various data to the FD 109.

  Similar to the CD 108 and the FD 109, the DVD (digital video disk) 110 has a function of reading data stored in the DVD 110 as an example of an external storage medium and writing data to the DVD 110.

  For example, when an editing program or a printer driver is stored in an external storage medium such as CD 108, FD 109, or DVD 110, these programs are installed in the HD 106, and if necessary, You may comprise so that it may transfer to RAM105.

  An interface (I / F) 111 is used to receive input from the user via the mouse 112 or the keyboard 113.

  The modem 118 is a communication modem, and is connected to an external network through an interface (I / F) 119 through, for example, a public line.

  The network connection unit 107 is connected to an external network via an interface (I / F) 114.

  Hereinafter, key generation / management by the above-described apparatus will be described.

[Key generation overview]
First, a description will be given of generation of node keys for each node in the hierarchical key management method according to the second embodiment.

  In the second embodiment, it is assumed that the hierarchical relationship is expressed as a directed graph having no loops and cycles as shown in FIGS. When there are places where a plurality of different nodes are connected to each other in a directed graph, such as nodes n1 and n2 in FIG. 36, by handling these nodes as one node, It can be reduced when there is no node with connection relation. FIG. 37 is a directed graph in which n1 and n2 are identified with one node n1 '. Hereinafter, it is assumed that there is no node having such a bidirectional connection relationship.

  For convenience of explanation, the present embodiment handles a lattice graph having two layers as shown in FIG. In FIG. 11 and FIG. 12, three numbers described in each cell represent the number of hash functions to be applied to the three initial keys x, y, and z. For example, in a cell marked [2, 2, N], it is assumed that H (H (x)) and H (H (y)) are held as node keys. N means “none” and means that no information about the initial key z is held. In the future, when a hash operation is performed n times, it will be expressed as H ^ n (). Based on this notation, a cell written as [2, 2, N] has two node keys H ^ 2 (x) and H ^ 2 (y). The tree structure in the hierarchical key management method can also be described by replacing it with a matrix as shown in FIG. FIG. 11 shows an example of a tree structure having nine nodes. The numbers written in each node in FIG. 11 and the numbers written in each cell in FIG. 12 indicate the same correspondence.

  First, in the tree structure as shown in FIG. 11, the root node (the node indicated by [0, 0, 0] in the figure) is associated with the upper right cell in the matrix. Then, the node located on the left and the node located on the right among the child nodes of each node in the tree structure are associated with the left cell and the lower cell of the matrix, respectively. By performing this association for all nodes and cells in order, the tree structure shown in FIG. 11 can be replaced with the matrix shown in FIG.

  Next, a method for generating key generation data shown in FIG. 11 or 12 will be described.

[Split Node]
In order to generate key generation data, nodes are divided so as to satisfy the following condition in a given key distribution graph G. Here, the notation method of Node G is used as the set of all nodes, the size of the set of subsets is N, and the divided subsets are SubG_1, SubG_2,..., SubG_N.

・ SubG_1∪ SubG_2∪… ∪ SubG_N = Node (G),
That is, the entire subset covers all nodes.

Any two different nodes n_a, n_b included in SubG_i are
n_a <n_b or n_a> n_b
Is established. That is, n_a and n_b have a descendant relationship, and one is always the other descendant node.

  The number N of the divided subsets is called a key distribution order of the key distribution graph G and is denoted as Ord (G).

[Assign Node Key]
One initial key K_i is calculated for each subset SubG_i and assigned as the node key of the root node. Descendant nodes under the root node are assigned node keys according to the following rules.

  i) Each node is assigned a number associated with N initial keys K_i (1 ≦ i ≦ N). This number is the number of times the one-way function is executed for the initial key K_i, and “N” meaning “none” may be assigned. When the number of the initial key K_i is “N”, it means that the key related to the initial key K_i is not held.

  ii) The nodes included in SubG_i are sorted in descending order according to the descendant relationship on the directed graph in each set, and numbers incremented by one from 0 are assigned. This number is a number associated with the initial key K_i.

  iii) The number associated with the initial key K_j (i ≠ j) of the node included in SubG_i is N if it is not an ancestor node of the node included in SubG_j (which is a subset of the initial key K_j). (None), and the number of the node that is the ancestor node is the minimum value of the assigned numbers among the nodes included in SubG_j as descendant nodes.

  FIG. 19 is a flowchart of the above node key assignment processing. Hereinafter, the description of FIG. 119 will be given. Here, it is assumed that all node sets are already prime and are divided into non-empty subsets {SubG_i} (1 ≦ i ≦ N), and initial keys K_i for the respective subsets are calculated. . Further, the number of nodes included in the subset SubG_i is described as #N (i), and the nodes included in the subset SubG_i are sorted in descending order according to the descendant relationship on the directed graph, and SubG_i = {n (i, 1), n (i, 2),. . . , N (i, #N (i))}. Further, the node key for the node n (i, j) is obtained by applying a one-way hash function to the initial key K_k (1 ≦ k ≦ N) a specified number of times, and this specified number of times is h (i, j, k). Is written.

  Step S1101 is a variable i loop that varies from 1 to N, step S1102 is a variable j loop that varies from 1 to N, and step S1103 is a variable k loop that varies from 1 to #N (i). In step S1104, it is evaluated whether or not the variable i matches the variable k. If they match, the process proceeds to step S1105, and if they do not match, the process proceeds to step S1106. In step S1105, j-1 is substituted for h (i, j, k), and the process returns to the loop process. Step S1106 evaluates whether n (k, m) <n (i, j), that is, n (i, j) is an ancestor node of n (k, m), and if not, If not, the process proceeds to step S1108. In step S1107, “N” is substituted for h (i, j, k), and the process returns to the loop process.

  In step S1108, h (i, j, k) is changed to min {h (k, m, k) | n (k, m) <n (i, j)}, that is, n (i, j) is n (k, Among the nodes that are ancestor nodes of m), the minimum value of h (k, m, k) is substituted, and the process returns to the loop processing.

  Specific examples will be described below with reference to FIGS. 13 to 16, FIGS. 17 to 18, and FIGS. 28 to 34.

  FIG. 13 is an example of node division in the key generation graph shown in FIG. 10 and is divided into three subsets SubG_1 to SubG_3. That is, SubG_1 = {n0, n2, n5}, SubG_2 = {n1, n4, n7}, SubG_3 = {n3, n6, n8}. FIG. 14 shows only h (i, j, i) displayed at this time. For example, {h (1, 1, 1), h (1, 2, 1), h (1, 3, 1)} = {0, 1, 2}, which corresponds to steps S1104 and S1105. Further, FIG. 15 shows a part that becomes “N” from the descendant relationship of the node. For example, h (1,1,3) = “N”, but this is because there is no m satisfying n (3, m) <n (1,1) = n3. Actually, n (3,1) = n0, n (3,2) = n2, n (3,3) = n5 and this can be confirmed, which corresponds to steps S1106 and S1107. FIG. 16 shows the result of checking and reflecting all i, j satisfying n (3, m) <n (i, j). For example, h (2,1,1) = 0. This is because m (n, 1, m) <n (2,1) = n1 may be 1,2,3. Of (1,1,1) = 0, h (1,2,1) = 1, and h (1,3,1) = 2, 0 which is the minimum value is selected. Further, checking is performed with all i, j satisfying n (2, m) <n (i, j), and finally FIG. 12 is obtained.

  Further, the configuration method by node division shown in FIG. 17 different from FIG. 13 can be configured in the same manner as FIG. 12 by the flowchart of FIG. 12 and FIG. 18, the total hash calculation amount increases in FIG.

  Next, a node key configuration method in the key generation graph shown in FIG. 28 will be described. FIG. 29 shows an example of node division in the key generation graph shown in FIG. 28, in which three subsets SubG_1 to SubG_3 are divided. That is, SubG_1 = {n0, n1, n4, n7}, SubG_2 = {n3, n6}, SubG_3 = {n2, n5}. At this time, the node keys configured based on the flowchart shown in FIG. 19 are as shown in FIG. The configuration up to FIG. 30 will be described below. First, FIG. 31 shows only h (i, j, i). For example, {h (1, 1, 1), h (1, 2, 1), h (1, 3, 1), h (1, 4, 1)} = {0, 1, 2, 3} This corresponds to steps S1104 and S1105. Further, FIG. 32 shows a part that becomes “N” from the descendant relationship of the node. For example, h (1,2,3) = “N”, but this is because there is no m satisfying n (3, m) <n (1,2) = n1. Actually, n (3,1) = n3, n (3,2) = n6 and this can be confirmed, which corresponds to steps S1106 and S1107. Further, FIG. 33 shows a result of checking and reflecting n (1, m) <n (i, j) with all i, j. For example, h (2,1,1) = 2, which is 3 or 4 in m where n (1, m) <n (2,1) = n3, but h (1 , 3, 1) = 2, and h (1,4,1) = 3, 2 which is the minimum value is selected. Similarly, the result of checking and reflecting n (2, m) <n (i, j) with all i, j is FIG. 34 and finally FIG. 30 is obtained.

  Further, consider a case where a key is not distributed to a terminal node. This can create a state where data can be accessed without limitation, such as a thumbnail image in image data. FIG. 35 shows an example of this, and the end node means that there is no node key as described as [N, N, N]. This can be obtained by applying to the flowchart of FIG. 19 from a state where only the terminal node is not included in any subset at the time of node division. Although an example in which the node key is not distributed to only one terminal node is shown here, it is obvious that the same configuration can be achieved even when a plurality of nodes are used.

[Conditions to be satisfied by the generated key]
The above key generation method is configured to satisfy the following conditions.

a. Generation possibility: The target node can generate keys of its grandchild nodes.
b. Collusion attack avoidance: Even if an entity located at any two or more nodes is collocated (unless the one-way function becomes weak), the key of the ancestor node located above each node cannot be generated. Under these conditions, a hierarchical key management system that can securely generate and distribute keys can be realized.

[Key distribution]
A key distribution method to each node by the root key distributor (entity of the root node) and a key distribution method to lower nodes by an entity holding an individual key other than the root key distributor will be described. First, the root key distributor generates the key distribution order Ord (G) parameters {x_i} (1 ≦ i ≦ Ord (G)) determined according to the key distribution graph G at random and securely, and generates the parameters themselves. As an individual key. Further, a plurality of keys are arranged at each node by the key generation procedure described above. The root key distributor securely distributes the key of each node to the entity located at each node. Also, the key distribution graph is made public, and data that can identify the location of the distributed key in the graph is distributed to each entity. For example, when the grid graph is a key distribution graph, this data may be constituted by coordinates when expressed in a matrix.

[Key generation / distribution processing in information processing equipment]
A procedure for performing the above key generation / distribution processing in the information processing apparatus 100 will be described. Data to be managed such as images is acquired through the CD 108 or the network connection unit 107 of the network and stored in the HD 106 or selected from data already stored in the HD 106. Here, the user selects from the list displayed on the monitor 102 using the mouse 112 or the keyboard 113.

  When the user selects an access control structure such as how many hierarchy axes to have for the management target data using a similar method, a key generation graph corresponding to the structure is calculated using the CPU 103, The data is stored in the RAM 105, the HD 106, or the like.

  Random data is generated from data such as the operation of the ROM 104, RAM 105, HD 106, or mouse 112, and a plurality of original keys are generated using the random data and stored in the RAM 105, HD 106, or the like. Further, the individual key of each node in the key generation graph is calculated from the original key and stored in the RAM 105, HD 106, or the like.

  The individual keys stored in the RAM 105, HD 106, etc. are read out to other information processing apparatuses and distributed via the network through the network connection unit 107.

<Third Embodiment>
A preferred example of access control using key data having a hierarchical structure generated by the key distribution method in the second embodiment will be described. The lattice key generation graph represented in FIG. 10 has two hierarchical axes. FIG. 20 shows an example in which one of the resolutions (lower left direction) is the resolution and the other (lower right direction) is the image area.

  There are three levels of resolution, high, medium, and low, which indicate the resolution of the image that can be acquired. There are also three levels in the image area, and the authority to view all areas, sub-area A, and sub-area B (narrower than sub-area A) is given. At this time, the node having the highest authority located in the root is assigned (resolution = high, image region = all), and the lowest node is assigned (resolution = low, image region = region B).

  The key distribution method and the image encryption method will be described by taking as an example the case of performing key distribution according to FIG. 11 or FIG. The target image data IMG is image data IMG1 of region B, region A difference data is IMG_2, and difference data for obtaining all image data is IMG_3. That is, IMG = IMG_1 + IMG_2 + IMG_3. Each IMG_i is defined as IMG_i (L) for low resolution data, IMG_i (M) for medium resolution difference data, and IMG_i (H) for high resolution difference data. That is, IMG_i = IMG_i (L) + IMG_i (M) + IMG_i (H).

  First, the root key distributor randomly generates original keys x, y, and u. Key Key (<High, All>) used for encryption: = H (x || y || u), and IMG — 3 (H) is encrypted with this key. However, || is data concatenation. Each child node concatenates the acquired three data in the same way as the root node to generate an encryption key, and encrypts the data shown in FIG.

  For example, in the <Mid, All> node, H (x), H ^ 3 (y), u are given as key data, but the encryption key Key (<Mid, All>): = H (H (x ) || H ^ 3 (y) || u), and IMG — 3 (M) is encrypted with this key. When decrypting the encrypted data, the same processing is performed to calculate the encryption key, and decryption processing is performed to obtain appropriate image data.

  In this embodiment, a method of concatenating and hashing keys is used as a method for generating an encryption key, but other key concatenation methods (methods for calculating one key from a plurality of key data) may be used.

  Further, in the present embodiment, the resolution and the image area are taken as a hierarchical axis, but the present invention is not limited to this, and from the hierarchy that should be subject to access control such as image quality, time axis, and usage control information, It is also possible to select and use any two or more hierarchies.

<Other embodiments using software, etc.>
Even if the present invention is applied as a part of a system composed of a plurality of devices (for example, a host computer, an interface device, a reader, a printer, etc.), a part of a device composed of a single device (for example, a copying machine, a facsimile machine). You may apply to.

  Further, the present invention is not limited to the apparatus and method for realizing the above-described embodiment and the method performed by combining the methods described in the embodiment, but is not limited to the computer (CPU or MPU) in the system or apparatus. This is also the case when the above-described embodiment is realized by supplying software program code for realizing the above-described embodiment and causing the computer of the system or apparatus to operate the various devices according to the program code. It is included in the category of the invention.

  In this case, the program code of the software itself realizes the function of the above embodiment, and the program code itself and means for supplying the program code to the computer, specifically, the program code Is included in the scope of the present invention.

  As a storage medium for storing such a program code, for example, a floppy (R) disk, a hard disk, an optical disk, a magneto-optical disk, a CD-ROM, a magnetic tape, a nonvolatile memory card, a ROM, or the like can be used.

  The computer controls various devices according to only the supplied program code so that the functions of the above-described embodiments are realized, and the OS (operating system) on which the program code is running on the computer is also provided. Such program code is also included in the scope of the present invention when the above embodiment is realized in cooperation with a system) or other application software.

  Further, after the supplied program code is stored in the memory of the function expansion board of the computer or the function expansion unit connected to the computer, the program code is stored in the function expansion board or function storage unit based on the instruction of the program code. The case where the above-described embodiment is realized by a part or all of the actual processing performed by the CPU or the like is also included in the scope of the present invention.

It is a figure for demonstrating the problem of the key information in the resolution and a layer in a prior art. It is a figure which shows the correlation of the resolution in 1st Embodiment, and the key information in a layer. It is a figure which shows the structural example of the apparatus in 1st Embodiment. It is a figure which shows the correlation of the key at the time of using the RSA encryption in 1st Embodiment. It is a figure which shows the structural example which concerns on encryption and key generation in 1st Embodiment. It is a figure which shows the system configuration example which embodiment applies. It is a figure which shows the example of wavelet transformation. It is a figure for demonstrating the layer at the time of entropy encoding. It is a block diagram which shows roughly the structure of the key information processing apparatus which concerns on this 2nd, 3rd embodiment. It is a figure explaining the example of the directed graph which concerns on 2nd Embodiment. It is a figure which shows the example of the key distribution graph which concerns on 2nd Embodiment. It is a figure which shows the example of the key distribution matrix which concerns on 2nd Embodiment. It is a figure explaining the example of the node division | segmentation in the key distribution graph of FIG. 10 which concerns on 2nd Embodiment. It is a figure which shows the key distribution matrix showing the state of the middle stage which comprises the key distribution matrix which concerns on 2nd Embodiment. It is a figure which shows the key distribution matrix showing the state of the middle stage which comprises the key distribution matrix which concerns on 2nd Embodiment. It is a figure which shows the key distribution matrix showing the state of the middle stage which comprises the key distribution matrix which concerns on 2nd Embodiment. It is a figure which shows another example of the node division | segmentation in the key distribution graph of FIG. 10 which concerns on 2nd Embodiment. It is a figure which shows the example of the key distribution matrix which concerns on 2nd Embodiment. It is a flowchart showing the node key production | generation procedure which concerns on 2nd Embodiment. It is a conceptual diagram explaining the hierarchical access structure which concerns on 3rd Embodiment. It is a figure which shows the table showing the image list which each node which concerns on 3rd Embodiment should encrypt. It is a conceptual diagram explaining the binary tree access structure in a tree structure management system. It is a conceptual diagram explaining the access structure in a hierarchical access control system. It is a conceptual diagram explaining the access structure in a hierarchical access control system. It is a conceptual diagram explaining the local structure in a hierarchical access control system. It is a figure explaining the example of User multiple keying. It is a figure explaining One-way function based keying schemes. It is a figure which shows the example of the directed graph which concerns on 2nd Embodiment. It is a figure explaining the example of the node division | segmentation in the key distribution graph of FIG. 10 which concerns on 2nd Embodiment. It is a figure which shows the example of the key distribution graph which concerns on 2nd Embodiment. It is a figure which shows the key distribution matrix showing the state of the middle stage which comprises the key distribution matrix which concerns on 2nd Embodiment. It is a figure which shows the key distribution matrix showing the state of the middle stage which comprises the key distribution matrix which concerns on 2nd Embodiment. It is a figure which shows the key distribution matrix showing the state of the middle stage which comprises the key distribution matrix which concerns on 2nd Embodiment. It is a figure which shows the key distribution matrix showing the state of the middle stage which comprises the key distribution matrix which concerns on 2nd Embodiment. It is a figure which shows the example of the key distribution graph which concerns on 2nd Embodiment. It is a figure which shows the example of the directed graph with which the node which has a bidirectional connection relation which concerns on 2nd Embodiment exists. FIG. 37 is a diagram illustrating an example of a directed graph that is changed so that a node having a bidirectional connection relationship does not exist in the directed graph illustrated in FIG. 36 according to the second embodiment.

Claims (10)

A control method for an image data encryption device that encrypts image data using key information,
An input process for inputting image data having a hierarchical structure, in which data of each hierarchy can be specified by at least two parameters, and each parameter is expressed in multiple levels;
For the input image data, the key information for the data of the hierarchy specified by the two parameters originates from the key information for the data of the hierarchy specified by the two parameters at the maximum level. A generation step of generating key information using a predetermined one-way function that can be generated from any of the two pieces of key information for data in the hierarchy located one level higher;
An encryption step for encrypting the data of the corresponding hierarchy input in the input step according to the key information set in the setting step and the key information generated in the generation step. Control method of data encryption apparatus.   The image data encryption according to claim 1, wherein the image data input in the input step is JPEG 2000 compression encoded data, and the parameters include tile, precinct, component, resolution, and layer. Control method.   The method of controlling an image data encryption apparatus according to claim 1, wherein in the generation step, the key information is generated according to a public key encryption method.   The method of controlling an image data encryption apparatus according to claim 1, wherein the generating step generates the key information by elliptic multiplication.   The method for controlling an image data encryption apparatus according to claim 1, wherein the one-way function used in the generation step is a hash function. An image data encryption device that encrypts image data using key information,
Input means for inputting image data having a hierarchical structure, in which data of each hierarchy can be specified by at least two parameters, and each parameter is expressed in multiple levels;
For the input image data, the key information for the data of the hierarchy specified by the two parameters originates from the key information for the data of the hierarchy specified by the two parameters at the maximum level. Generating means for generating key information using a predetermined one-way function that can be generated from any of the two pieces of key information for data in the hierarchy located one level higher;
An encryption unit configured to encrypt data of a corresponding layer input by the input unit in accordance with the key information set by the setting unit and the key information generated by the generation unit. Data encryption device.   The image data according to claim 6, wherein the image data input by the input unit is JPEG 2000 compression encoded data, and the parameters include tile, precinct, component, resolution, and layer. Encryption device.   The image data encryption apparatus according to claim 6 or 7, wherein the one-way function used in the generation unit is a hash function.   A computer program for causing a computer to function each unit of the image data encryption device according to any one of claims 6 to 8.   A computer-readable storage medium storing the computer program according to claim 9.

Images