JP4452105B2 - Decryption information generation device and program thereof, distribution content generation device and program thereof, and content decryption device and program thereof - Google Patents

Description

  The present invention relates to a decryption information generation apparatus, a program thereof, and distribution capable of identifying an unauthorized user of content and suppressing damage caused by leakage of user key information used when decrypting encrypted content The present invention relates to a content generation apparatus and its program, and a content decryption apparatus and its program.

In recent years, various contents such as video and audio have been distributed on the Internet (network).
However, when buying and selling content on the Internet, a legitimate user may circulate the content illegally, increasing the number of cases that damage the content provider. In order to address such a problem, there is a method of using an encryption technique called “trailer tracing method” as a method for specifying from which user the illegally distributed content has been distributed ( Non-patent document 1).

  In this unauthorized person tracking method, a secret key, which is a key for decrypting encrypted content, is generated using a user-specific identifier and a polynomial. That is, when the polynomial is f (x), f (ID) obtained by substituting the user-specific identifier ID into the variable x is the user's secret key. For this reason, when a user illegally creates a copy of a secret key, the identifier ID used to create the secret key f (ID) is determined to identify which user has made the fraud can do. The coefficient of the polynomial is confidential information of the content distributor (provider) and is information that is strictly managed and stored.

  Another problem when distributing content is that information that should be kept secret (private key) for users who use the content is leaked, and a third party impersonates the user with the private key. May cause damage. For such a problem, when a secret key is leaked, an encryption technique called “Key-Insulated Public-Key Cryptosystems” is used as a method of minimizing the damage. There is a method (see Non-Patent Document 2).

In this key isolation public key encryption method, the secret key is updated in the user terminal at a certain time, thereby preventing damage after the secret key update. In the key isolation public key encryption method, even when the secret key is updated, it is not necessary to update the public key.
Kaisa Nyberg, “Advanceds in Cryptology-EUROCRYPT '98”, Lecture Notes in Computer Science, vol 1403, pp. 145-157 Lars Knudsen, “Advanceds in Cryptology-EUROCRYPT 2002”, Lecture Notes in Computer Science, vol 2332, pp. 65-82

However, in the conventional fraud tracking method, it is possible to specify which user has performed fraud, but there are the following problems.
In this unauthorized person tracking method, when a user's private key is leaked to an unauthorized user, the unauthorized user can impersonate the authorized user. As a countermeasure, it is conceivable to update the coefficient of the polynomial for generating the secret key and update the secret key so that the user and the provider are not damaged after the update. However, when updating the coefficient of a polynomial, since the coefficient of the polynomial is provider's secret information, it is necessary to update the secret key of all authorized users on the provider side, and the update procedure is troublesome. There is.

In addition, in the conventional key isolation public key encryption method, it is possible to minimize damage to the user against leakage of the user's private key, but there are the following problems.
In this key isolation public key encryption method, the user's private key is updated according to the time, but since the public key is not updated, there is no need to exchange information between the user and the provider efficiently. The private key can be updated. However, unlike the unauthorized person tracking method, the key quarantine public key encryption method does not use the user identifier when decrypting the encrypted content, so it identifies the unauthorized user who distributed the content illegally. There is a problem that you can not.

  In addition, it is possible to identify the user who performed fraud by combining the conventional unauthorized person tracking method and the key isolation public key encryption method in series, and to prevent the damage of the user due to the leakage of the secret key. It is conceivable to keep it to a minimum. However, since these methods individually encrypt the contents, the provider side must perform encryption twice and the user side must perform decryption twice. In the CPU (Central Processing Unit) There is a problem that the calculation load becomes large.

  The present invention has been made in view of the above problems, and when distributing content, even if the user who illegally distributed the content is identified and the secret key of the user is leaked, the present invention is damaged. It is an object of the present invention to provide a decryption information generation device and program thereof, a distribution content generation device and program thereof, and a content decryption device and program thereof. Furthermore, the present invention provides a decryption information generation apparatus and its program, a distribution content generation apparatus and its program, which can suppress an increase in the amount of CPU computation when performing encryption on the provider side and decryption on the user side, It is another object of the present invention to provide a content decryption apparatus and its program.

  The present invention was created to achieve the above object. First, the decryption information generation device according to claim 1 is configured to provide public information disclosed for decrypting encrypted content; A decryption information generation apparatus that generates secret information that is secret information on the content decryption side as decryption information, and includes a public key generation unit, a secret key generation unit, and a key encryption unit .

According to such a configuration, the decryption information generation device is selected by the public key generation means from the multiplicative group that forms a group with respect to the multiplication of the order q for the prime numbers p and q whose value of (p−1) is divisible by q . The generator g is a power of (n + 1) × (m + 1) coefficients a _{i, j} {0 ≦ i ≦ n, 0 ≦ j ≦ m} selected from the sequence {1, 2,..., Q−1}. As a result, a public key including the power value of the generation source for the coefficient is generated. Here, by calculating the power value of the generation source of the multiplicative group, it is possible to ensure the security of the encryption system due to the difficulty of the discrete logarithm calculation. Then, the decryption information generation device uses the secret key generation unit based on a plurality of coefficients used in the public key generation unit and identification information (for example, a user identifier) unique to each user who uses the content. A user initial secret key and a user master key are generated as secret information unique to each user. The secret information is information that is secretly stored in the terminal (user terminal) on the user side that uses the content.

Then, the decryption information generation device converts the encryption key obtained by encrypting the content by the key encryption unit into a public key generated by the public key generation unit, a value determined by the content distributor, and a random number . Based on this, it is encrypted and made public information. Here, the value that defines the delivery side of the content, a value of arbitrary, if the value of the content distribution side can manage may be used any value.

In this way, the decryption information generation device uses a key quarantine public key encryption method and a secret key used in the conventional fraud tracking method based on a value determined by the content distributor included in the public information. Similarly, it becomes possible to update. That is, even if there is no direct exchange between the content distributor side and the content user side, the secret key can be updated based on the value determined by the content distributor side .

According to a second aspect of the present invention, there is provided the decryption information generating apparatus according to the first aspect, wherein the value t used in the key encryption means is a value indicating time.

According to such a configuration, the decryption information generation device uses the value determined on the content distributor side used in the key encryption means as the time, so that the content user side (user terminal) can obtain the value at a certain time. It becomes possible to generate a secret key. Note that this time may be a value obtained by quantifying the time used as a reference for managing keys on the content distributor side. For example, a numerical value of “year / month / day / hour / minute / second” is used as the time.

  Furthermore, the decryption information generation program according to claim 3 uses, as decryption information, public information that is disclosed to decrypt the encrypted content and secret information that is secret information on the decryption side of the content. In order to generate it, the computer is caused to function as a public key generation unit, a secret key generation unit, and a key encryption unit.

According to such a configuration, the decryption information generation program is selected by the public key generation means from the multiplicative group that forms a group with respect to the multiplication of the order q for the prime numbers p and q whose value of (p−1) is divisible by q . The generator g is a power of (n + 1) × (m + 1) coefficients a _{i, j} {0 ≦ i ≦ n, 0 ≦ j ≦ m} selected from the sequence {1, 2,..., Q−1}. As a result, a public key including the power value of the generation source for the coefficient is generated. Then, the decryption information generation program uses the secret key generation unit to generate a secret that is unique to each user based on the plurality of coefficients used by the public key generation unit and identification information that is unique to each user who uses the content. As information , a user initial secret key and a user master key are generated.

Then, the decryption information generation program converts the encryption key obtained by encrypting the content by the key encryption unit into a public key generated by the public key generation unit, a value determined by the content distributor, and a random number . Based on this, it is encrypted and made public information.
As a result, even if there is no direct exchange between the content distributor side and the content user side, the user secret key can be updated based on the value determined by the content distributor side .

  According to a fourth aspect of the present invention, there is provided a distribution content generating apparatus for generating distribution content including encrypted content and public information published to decrypt the encrypted content. The content generation apparatus includes an encryption key generation unit, a content encryption unit, and a public information synthesis unit.

  According to this configuration, the distribution content generation device generates an encryption key for encrypting the content by the encryption key generation unit. Then, the distribution content generation device encrypts the content with the encryption key by the content encryption unit, and generates the encrypted content.

Then, the distribution content generation device generates the distribution content by combining the public information generated by the decryption information generation device based on the encryption key and the encrypted content by the public information combining unit. For example, distribution content is generated by adding public information as header information of encrypted content. Thus, the distribution content is formed as a file or stream in which the encrypted content and the public information are integrated.
Note that the decryption information generation device that generates the public information may be provided in the distribution content generation device, or may be connected to each other via a network.

  Further, the distribution content generation program according to claim 5 is for generating the distribution content including the encrypted content and the public information disclosed for decrypting the encrypted content. The computer is caused to function as an encryption key generation unit, a content encryption unit, and a public information synthesis unit.

According to such a configuration, the distribution content generation program generates an encryption key for encrypting the content with the encryption key generation unit, and encrypts the content with the encryption key by the content encryption unit. Generate a structured content. This content encryption means encrypts content by a general encryption method, for example, a common key encryption method. Then, the distribution content generation program generates distribution content by combining the public information generated by the decryption information generation device based on the encryption key and the encrypted content by the public information synthesizing unit. Thus, the distribution content is formed as a file or stream in which the encrypted content and the public information are integrated.

Moreover, the content decryption device according to claim 6 is based on the public information and the secret information generated by the decryption information generation device according to claim 1 or 2 for decrypting the encrypted content. A content decrypting device for decrypting the encrypted content, comprising: a master key storage unit, a secret key storage unit, a partial key generation unit, a secret key update unit, an encryption key decryption unit, and a content decryption unit Means.

According to such a configuration, content decoding device stores a unique user master key SK ^* _uid for each user that is part of the secret information in the master key storage means, a part of the secret information on the secret key storage means it is stored as the initial value of the user's private key a unique user initial secret key SK _{uid, 0} for each user is. Then, the content decoder is the partial key generation unit, and the user master key SK ^* _uid stored in the master key storage means, based on the value that has been published as the public information t, the user secret key partial key SK _^'uid to be used for _update, to generate a _t. Then, the content decoder is the private key updating means, by adding the partial key and the user private key to generate the updated user private key, the user secret key stored in the secret key storage means Update. As a result, the user secret key is updated based on the value determined by the content distributor . For example, this value, by a value indicating the time, the private key update unit can generate a user secret key at a time specified.

Then, the content decryption device uses the encryption key decryption unit to encrypt the encrypted key based on the user secret key updated by the secret key update unit, the public information, and the user-specific identification information. Is decrypted. The content decrypting device decrypts the content encrypted with the decrypted encryption key by the content decrypting means.

  Furthermore, the content decryption device according to claim 7 is the content decryption device according to claim 6, wherein the master key storage unit and the partial key generation unit are included in a security module that is removable from the content decryption device. To prepare for.

  According to such a configuration, the content decryption apparatus includes the master key storage unit and the partial key generation unit in the removable security module, thereby generating the partial key in the security module and generating the secret key outside the security module. Update. For example, if the security module is a smart card having tamper resistance, it becomes difficult to leak the master key to the outside.

The content decryption program according to claim 8 is based on public information and secret information generated by the decryption information generation device according to claim 1 or 2 for decrypting encrypted content. In order to decrypt the encrypted content, the computer is caused to function as a secret key update unit, an encryption key decryption unit, and a content decryption unit.

According to such a configuration, content decryption program, the private key update unit, based on that published as public information value t, a user secret key stored in the secret key storage means as a part of the secret information Update. As a result, the user secret key is updated based on the value determined by the content distributor .
Then, the content decryption program uses the encryption key decryption unit to encrypt the encrypted key based on the user secret key updated by the secret key update unit, the public information, and the user-specific identification information. And the content decrypting unit decrypts the content encrypted with the decrypted encryption key.

According to the invention described in claim 1 or claim 3, the content distributor is referred to by referring to the decryption information (public information and secret information) generated by the decryption information generation device or the program in the user terminal. The secret key can be updated based on the value determined by the user and identification information unique to the user of the content. Thereby, even if the secret key is leaked, the previous secret key can be invalidated by updating the secret key, and damage to the user and the provider can be minimized.

According to the second aspect of the present invention, by setting the value determined on the content distributor side as the value indicating the time, the user terminal can update the secret key based on the time. Accordingly, when the secret key is leaked, the secret key before a certain time can be invalidated, and the key update management on the content distributor side can be facilitated.

According to the invention described in claim 4 or claim 5, the content for distribution is formed as a file or stream in which the encrypted content and the public information are integrated, and the user terminal side supports the encrypted content. There is no need to search for public information. Further, the encryption key for decrypting the encrypted content can be decrypted only by the identification information and secret key unique to the user who uses the content. For this reason, even if encrypted content is distributed illegally, the information for decryption is generated from the identification information unique to the user, and it is specified which user has performed the fraud. It becomes possible to do. Further, even if the secret key is illegally copied, the secret key is different for each user, so that it is possible to identify the user who performed the fraud.
In addition, according to the present invention, compared to the case where the unauthorized person tracking method and the key quarantine public key encryption method are connected, it is only necessary to encrypt the content once. Can be reduced.

According to the invention described in claim 6 or claim 8, it is possible to update the secret key based on the value determined on the content distributor side and the secret information specific to the user of the content. As a result, even if the secret key is leaked, the previous secret key can be invalidated by updating the secret key, and damage to the user can be minimized.
Further, according to the present invention, compared to the case where the unauthorized person tracking method and the key quarantine public key encryption method are connected, the content only needs to be decrypted once, so that the calculation load for decryption by the CPU is reduced. be able to.

  According to the seventh aspect of the present invention, since the partial key is generated in the security module, it is possible to prevent leakage of secret information for generating a secret key due to carelessness of the user or a computer virus. it can. According to the present invention, the secret key can be recorded in a general-purpose memory device (external storage medium) such as a memory stick outside the security module, so that the user can carry the memory device. It can be managed independently for each user.

Hereinafter, embodiments of the present invention will be described with reference to the drawings.
[Content distribution system configuration]
First, the configuration of the content distribution system according to the embodiment of the present invention will be described with reference to FIG. FIG. 1 is a block diagram showing a configuration of a content distribution system. The content distribution system 1 includes a decryption information generation server 10, a content server 20, a content distribution server 30, and a gateway (GW) 5 connected to the content provider (distributor) side by an intranet 3. This is a system for distributing content to a user terminal 40 that is a terminal on the user side of the content via the.

The decryption information generation server (decryption information generation device) 10 generates decryption information that is information for decrypting the content for distribution generated by the content server 20. The decryption information generated here includes public information that is combined with the content encrypted by the content server 20 and published, and secret information that is managed on the user side.
The decryption information generation server 10 generates a public key (hereinafter referred to as an unauthorized person tracking public key) that is a key based on a traitor tracing method based on a coefficient of a randomly generated polynomial. In 20, public information is generated by encrypting the encryption key obtained by encrypting the content with the unauthorized person tracking public key. Furthermore, the decryption information generation server 10 generates user-specific secret information based on the polynomial coefficients used when generating the public information and the user-specific information (such as a user ID).

Note that the public information, the provider-defined value (e.g., time) are included in the user side, and its value, based on the user-specific secret information is encrypted with the public key A secret key for decrypting the encrypted key is generated. Thus, by changing the value that the provider shall be determined, it is possible to update the secret key.

  The content server (distribution content generation device) 20 generates content (distribution content) to be distributed to the user by encrypting the content and synthesizing it with the public information generated by the decryption information generation server 10. It is. The content server 20 holds a plurality of distribution contents in a storage unit (not shown), and transmits the distribution contents requested from the content distribution server 30 to the content distribution server 30.

  The content distribution server 30 acquires the content requested by the user terminal 40 (distribution content) from the content server 20 and transmits it to the user terminal 40.

  The user terminal (content decryption device) 40 requests the content distribution server 30 for content desired by the user (distribution content), and decrypts the distribution content acquired from the content distribution server 30. The user terminal 40 obtains user-specific secret information from the decryption information generation server 10 in advance and generates a secret key to decrypt the distribution content.

The gateway (GW) 5 is a device for connecting each network of the intranet 3 and the Internet 7. The gateway 5 is, for example, an IP router (IP: Internet Protocol), and has a firewall function that prevents unauthorized access to the intranet 3.
Hereinafter, each configuration of the decryption information generation server 10, the content server 20, and the content distribution server 30 that are devices on the provider side, and a configuration of the user terminal 40 that is a user side device will be sequentially described.

(Configuration of decryption information generation server)
First, the configuration of the decryption information generation server will be described with reference to FIG. 2 (see FIG. 1 as appropriate). FIG. 2 is a block diagram illustrating a configuration of the decryption information generation server. Here, the decryption information generation server 10 includes a public key generation unit 11, a secret key generation unit 12, a public information storage unit 13, an encryption key reception unit 14, a key encryption unit 15, and a public information transmission unit. 16.

The public key generation unit 11 generates an unauthorized person tracking public key that is made public. The public key for tracking the unauthorized person generated here is stored in the public information storage means 13.
This public key generation means 11 prepares in advance a value in which the value of (p−1) is divisible by q among the two prime numbers p and q, and from the sequence {1, 2,..., Q−1}. (N + 1) × (m + 1) values are selected at random, and the selected (n + 1) × (m + 1) values are set as coefficients a _{i, j} {0 ≦ i ≦ n, 0 ≦ j ≦ m}. To do. Further, the public key generation means 11 randomly selects one generator g from a multiplicative group that forms a group with respect to the multiplication of the order q prepared in advance. Then, as shown in the following equation (1), the public key generating unit 11 selects the selected prime number p, the generator g, and a power value (y _{, j} ) that is the power of the generator g (y _{, j} ) _0,0 , _y0,1 , ..., yn _{, m} ) is generated. The coefficient used in the public key generation unit 11 is output to the secret key generation unit 12. All subsequent calculations are performed on a modulo p.

The secret key generation unit 12 uses the coefficients (a _{i, j} {0 ≦ i ≦ n, 0 ≦ j ≦ m}) used by the public key generation unit 11 and user-specific information (for example, user ID). Based on this, secret information unique to the user is generated. This secret information includes a user initial secret key and a user master key. This user initial secret key is a decryption key that is paired with an unauthorized person tracking public key, and is used as a user secret key in the initial stage. The user master key is information for generating a user secret key at the next time from a user secret key at a certain time.
The secret key generation means 12 generates a user initial secret key SK _{uid, 0 according} to the following equation (2). Here, a _{i, 0} is a coefficient used in the public key generation means 11, and uid is user-specific information (user ID, etc.).

Also, the secret key generation means 12 generates the user master key SK ^* _uid by the following equation (3). Here, a _{i, 1} , a _{i, 2} ,..., A _{i, m} are coefficients used in the public key generation means 11, and uid is user-specific information (user ID, etc.).

The user initial secret key SK _{uid, 0} is stored in a general-purpose storage medium (external storage medium) such as a floppy (R) disk, memory stick, etc., by the secret information generated by the secret key generation means 12, and the user The master key SK ^* _uid is stored in a security module such as a smart card and distributed to users. The secret information may be transmitted to the user terminal 40 via a network (Internet 7 or the like), or may be delivered to the user by mail or other delivery means. In order to prevent leakage of secret information, the user master key SK ^* _uid is preferably written and distributed inside the security module.

  The public information storage means 13 stores the public key (illegal person tracking public key) generated by the public key generation means 11, and is a general storage device such as a hard disk. The unauthorized person tracking public key stored in the public information storage unit 13 is read from the key encryption unit 15.

  The encryption key receiving unit 14 receives the encryption key used when the content server 20 encrypts the content via the intranet 3. The encryption key received here is output to the key encryption unit 15.

The key encryption means 15 encrypts the encryption key received by the encryption key receiving means 14 with the public key for illegal person tracking generated by the public key generation means 11. The key encryption unit 15 performs encryption based on a value determined by the provider. This value is the information for updating the user's private key. The value of this, for example, by the use of time, can be managed in association with the time to update the management of the user's private key, it is easy to manage.
The key encryption unit 15 generates a random number r by a random number generation unit (not shown), and generates public information head (t) at time t as shown in the following equation (4). Here, K _s is the encryption key, g is the generator of the multiplicative group used in the public key generation means 11, and (n + 1) and (m + 1) are the sequences {1, 2,..., Q− in the public key generation means 11. 1} indicates the number of coefficients selected from 1}.

The public information (head (t)) generated by the key encryption unit 15 is output to the public information transmission unit 16.
The public information transmission unit 16 transmits the public information generated by the key encryption unit 15 to the content server 20 via the intranet 3.

  By configuring the decryption information generation server 10 in this way, the decryption information generation server 10 can generate decryption information (secret information, public information) that is information for decrypting the content for distribution.

  Note that the decryption information generation server 10 can also be realized as a decryption information generation program that causes a general computer to function as each of the means described above. The decryption information generation program can be distributed via a communication line, or can be distributed by writing on a recording medium such as a CD-ROM.

(Content server configuration)
Next, the configuration of the content server will be described with reference to FIG. 3 (refer to FIG. 1 as appropriate). FIG. 3 is a block diagram showing the configuration of the content server. Here, the content server 20 includes an encryption key generation unit 21, an encryption key transmission unit 22, a content reception unit 23, a content encryption unit 24, a public information reception unit 25, and a public information synthesis unit 26. , Distribution content storage means 27, content request reception means 28, and distribution content transmission means 29.

  The encryption key generation unit 21 generates an encryption key for encrypting content. The encryption key generated here is transmitted to the encryption key transmission unit 22 and the content encryption unit 24. The encryption key is an encryption key used by the content encryption unit 24, and is randomized using a pseudo random number generation unit, a hash function (not shown), and the like, and the key lengths are made uniform. Is.

The encryption key transmission unit 22 transmits the encryption key generated by the encryption key generation unit 21 to the decryption information generation server 10 via the intranet 3.
The content receiving unit 23 receives content for distribution. The content received here is output to the content encryption means 24. For example, the content receiving unit 23 may read content from a recording medium (not shown), or may acquire content as communication data via a network (Internet 7 or the like). .

  The content encryption unit 24 encrypts the content for distribution received by the content reception unit 23 with the encryption key generated by the encryption key generation unit 21 to generate encrypted content. The encrypted content generated here is output to the public information synthesizing means 26. Note that the content encryption unit 24 encrypts the content using a common key encryption method using the encryption key. Note that the content to be encrypted is assumed to be information with a large amount of data such as video, so here, the common key encryption method, which is faster than the public key encryption method, is used. I will do it. For example, a common common key encryption method such as AES (Advanced Encryption Standard) may be used.

  The public information receiving means 25 receives public information via the intranet 3 among the decryption information generated by the decryption information generation server 10. The public information received here is output to the public information synthesis means 26.

  The public information synthesizing unit 26 synthesizes the encrypted content generated by the content encrypting unit 24 and the public information received by the public information receiving unit 25 (see the above formula (4)) to generate a distribution content. To do. The distribution content generated here is stored in the distribution content storage unit 27 with unique content identification information (for example, a file name).

  The public information synthesizing unit 26 generates the distribution content by synthesizing the public information as the header information of the encrypted content. However, the public information and the encrypted content only need to be associated with each other, and can be managed as individual data. However, in order to simplify the management, it is preferable to combine the public information and the encrypted content into one data (file, stream).

  The distribution content storage unit 27 stores the distribution content generated by the public information synthesis unit 26, and is a general storage device such as a hard disk. The distribution content stored in the distribution content storage unit 27 is read from the distribution content transmission unit 29.

  The content request receiving unit 28 receives a content request (content request) including content identification information for specifying content for distribution transmitted from the content distribution server 30 via the intranet 3. The content request receiving unit 28 outputs the identification information included in the content request to the distribution content transmitting unit 29.

  The distribution content transmitting unit 29 reads out the distribution content corresponding to the content identification information output from the content request receiving unit 28 from the distribution content storage unit 27 and transmits it to the requested content distribution server 30. It is.

By configuring the content server 20 in this way, the content server 20 encrypts the content with the encryption key, and associates the encrypted encrypted content with the public information generated by the decryption information generation server 10. Content for distribution can be generated.
The content server 20 can also be realized as a distribution content generation program that causes a general computer to function as each of the above-described means. This distribution content generation program can be distributed via a communication line, or can be distributed by writing on a recording medium such as a CD-ROM.

(Content distribution server configuration)
Next, the configuration of the content distribution server will be described with reference to FIG. 4 (refer to FIG. 1 as appropriate). FIG. 4 is a block diagram showing the configuration of the content distribution server. Here, the content distribution server 30 includes a user request receiving unit 31, a content request transmitting unit 32, a distribution content receiving unit 33, and a distribution content transmitting unit 34.

The user request receiving unit 31 receives a request (content request form) transmitted from the user terminal 40 and indicating the content desired by the user via the network. The content request includes at least content identification information for specifying the content and terminal identification information (for example, an IP address) indicating from which user terminal 40 the request is made. The user request receiving unit 31 outputs the content identification information to the content request transmission unit 32, and outputs the terminal identification information to the distribution content transmission unit 34.

The content request transmitting unit 32 transmits a content request (content request) including content identification information output from the user request receiving unit 31 to the content server 20 via the intranet 3.
The distribution content receiving unit 33 receives the distribution content corresponding to the content identification information transmitted from the content request transmission unit 32 from the content server 20 via the intranet 3. The distribution content receiving unit 33 outputs the received distribution content to the distribution content transmitting unit 34.

  The distribution content transmitting unit 34 transmits the distribution content received by the distribution content receiving unit 33 to the user terminal 40 corresponding to the terminal identification information output from the user request receiving unit 31.

By configuring the content distribution server 30 in this way, the content distribution server 30 acquires the distribution content requested from the user terminal 40 from the content server 20 and distributes it to the requested user terminal 40. can do.
The content distribution server 30 can also be realized as a content distribution program that causes a general computer to function as each of the above-described units. This content distribution program can be distributed via a communication line, or can be written on a recording medium such as a CD-ROM for distribution.

The configuration of each device on the provider side in the content distribution system 1 has been described above, but the present invention is not limited to this. For example, the decryption information generation server 10 may be incorporated into the content server 20 and newly configured as a content server 20B (not shown). Alternatively, the content server 20B (not shown) may be incorporated in the content distribution server 30 and newly configured as the content distribution server 30B (not shown).
For example, in order to distribute the load in the content distribution system 1, a plurality of content servers 20 (content servers 20B, 20C, etc .: not shown) may be provided depending on the type of content. In this case, the content distribution server 30 transmits the content request by switching the content server that requests the content depending on the type of content.

(User terminal configuration)
Next, the configuration of the user terminal will be described with reference to FIG. 5 (refer to FIG. 1 as appropriate). FIG. 5 is a block diagram showing the configuration of the user terminal. Here, the user terminal 40 includes a distribution content request unit 41, a distribution content reception unit 42, a public information separation unit 43, a unique information separation unit 44, a security module 45, and a secret key storage unit 46. , A secret key update unit 47, an encryption key decryption unit 48, and a content decryption unit 49.

  The distribution content request means 41 transmits a request (content request) indicating the content desired by the user (distribution content) to the provider-side content distribution server 30 via the Internet 7. For example, the distribution content request unit 41 includes the content identification information by inputting content identification information (for example, a file name) for specifying the content desired by the user by an input unit (not shown). A content request is generated and transmitted to the content distribution server 30.

  The distribution content receiving means 42 receives the distribution content requested by the user from the provider-side content distribution server 30 via the Internet 7. The distribution content received here is output to the public information separating means 43. It should be noted that public information head (t) (see equation (4) above) is added (synthesized) as header information to the encrypted content (encrypted content) in the distribution content received here.

  The public information separating unit 43 separates the distribution content received by the distribution content receiving unit 42 into public information and encrypted content. The public information separated here is output to the unique information separation unit 44 and the encryption key decryption unit 48, and the encrypted content is output to the content decryption unit 49.

The unique information separating unit 44 separates the value (unique information) determined by the provider from the public information separated by the public information separating unit 43. Here, it is assumed that time is used as the unique information determined by the provider, and the unique information separating means 44 separates the time t from the public information head (t) shown in the equation (4). To do. The unique information (time t) separated here is output to the secret key update means 47.

  The security module 45 is a smart card (IC (Integrated Circuit) card) having tamper resistance, which is incorporated in the user terminal 40 so as to be detachable and prevents leakage of secret information. In the security module 45, a master key (user master key) which is a part of secret information unique to the user is written in advance on the provider side and distributed to the user. The security module 45 includes a master key storage unit 45a and a partial key generation unit 45b.

The master key storage unit 45a stores a master key unique to the user and is a storage device such as a semiconductor memory. In the master key storage unit 45a, the user master key SK ^* _uid (see the above formula (3)) generated by the secret key generation unit 12 (see FIG. 2) of the decryption information generation server 10 is stored as secret information. The

The partial key generation unit 45b generates a partial key used for updating the user-specific secret key (user secret key) based on the unique information output from the secret key update unit 47 described later. . The partial key generation unit 45b generates a partial key SK′uid _{, t} at time t based on the user master key stored in the master key storage unit 45a.
The partial key generation unit 45b generates a partial key SK′uid _{, t} at time _t by the following equation (5) when generating a partial key. Here, uid is user-specific information (such as a user ID).

  The secret key storage means 46 is a general-purpose storage medium (external storage medium) such as a floppy (R) disk or a memory stick, and is a secret key (user) that is a part of secret information unique to the user on the provider side in advance. Initial secret key) is written and distributed to users. When the secret key is updated by the secret key update means 47 described later, the updated secret key (user secret key) is stored in the secret key storage means 46.

The secret key update unit 47 updates the secret key (user secret key) based on the unique information separated by the unique information separation unit 44. The updated user secret key is output to the encryption key decryption means 48.
The secret key update unit 47 compares the unique information (time) separated by the unique information separation unit 44 with the unique information (time) when the secret key stored in the secret key storage unit 46 is generated. If the unique information is equal, the user secret key is output to the encryption key decryption unit 48 without updating the user secret key.

If the unique information is different, the secret key updating unit 47 outputs the unique information separated by the unique information separating unit 44 to the partial key generating unit 45b of the security module 45, and the part generated by the partial key generating unit 45b. The secret key (user secret key) is updated using the key and the secret key stored in the secret key storage means 46. Note that, when updating the user secret key, the secret key update unit 47 generates the user secret key SK _{uid, t} at time _{t according} to the following equation (6). Here, uid is user-specific information (such as a user ID).

The user secret key SK _{uid, t} at the desired time t can be generated by sequentially calculating the user secret key from time 0 to time t using the above-described equations (5) and (6). .
If the user secret key SK _{uid, tk at time tk} is stored in the secret key storage means 46, the following formulas (7) and (6) are substituted for the formulas (5) and (6). The user secret key SK _{uid, t} at time t may be generated by equation (8).

That is, the user secret key SK _{uid, t at} time t is generated from the following equation (9).

Also, the secret key update unit 47 stores the generated user secret key SK _{uid, t} in the secret key storage unit 46 as an updated new user secret key. The secret key storage unit 46 and the secret key update unit 47 may be arranged inside the security module 45.

The encryption key decryption means 48 decrypts and extracts the encryption key from the public information separated by the public information separation means 43 based on the user secret key corresponding to the unique information separated by the unique information separation means 44. To do. The decrypted encryption key is output to the content decrypting means 49. In the encryption key decryption means 48, the public information separated by the public information separation means 43 is head (t) = <t, (x, x ₀ , x ₁ , x ₂ ,..., X _n )>. In this case, the encryption key K _s is decrypted by the following equation (10). Here, uid is information unique to the user (user ID), and SK _{uid, t} is the user secret key at time t (see equation (8) above). The validity of decryption of the encryption key K _{s in} equation (10) will be proved later.

  The content decrypting means 49 decrypts the encrypted content using the encryption key decrypted by the encryption key decrypting means 48. The content decrypting means 49 decrypts the encrypted content after the public information is separated by the public information separating means 43 using the encryption key. As a result, the encrypted content is decrypted into content that can be viewed and the like.

By configuring the user terminal 40 in this way, the user terminal 40 can independently update the user secret key by the secret key update means 47 without making a contact such as an inquiry to the provider side. Can do. Thus, for example, even if the user secret key is leaked due to carelessness of the user, computer virus, etc., the user secret key SK _{uid, t} at time t is leaked, but other than time t Therefore, the user's damage can be limited to the damage at time t.

In addition, since the user terminal 40 holds the user master key in the security module 45 and generates a partial key for updating the user private key in the security module 45, the user master key is There is no leakage to the outside. This makes it difficult for a third party who does not have the user master key to update the user private key, and the security of the user private key other than the time t can be further enhanced.
Further, when the user terminal 40 decrypts the encryption key, even if the encrypted content and the key information used for the decryption are illegally distributed, as shown in the equation (10), Since it is necessary to use user-specific information (uid: user ID) when decrypting the encryption key, it is possible to identify the user who performed illegal distribution.

  The user terminal 40 can also be realized as a content decryption program that causes a general computer to function as each of the above-described means. This content decryption program can be distributed via a communication line, or can be distributed by writing on a recording medium such as a CD-ROM.

<Decryption of encryption key in user terminal>
Here, it is proved that the user terminal 40 can decrypt the encryption key by the expression (10) by the encryption key decryption means 48.
First, the public information head (t) = <t, (x, x ₀ , x ₁ , x ₂ ,..., X _n )> separated by the public information separation means 43 is the public information head of the above equation (4). (T) = <t, (y, K _s y ₀ (t) ^r , y ₁ (t) ^r ,..., Y _n (t) ^r )>, the right side of the equation (10) is The relationship of the following formula (11) is satisfied.

Furthermore, since y, y ₀ (t), y ₁ (t),..., Y _n (t) in the expression (11) are the conditions shown in the proviso of the expression (4), the expression (10) The right side of can be transformed into the following equation (12).

Then, by modifying the equation (12) according to the relationship of the equation (9), the right side of the equation (10) is equal to the encryption key K _s. Become.

[Operation of content distribution system]
Next, the operation of the content distribution system according to the embodiment of the present invention will be described with reference to FIGS.

(Decryption information generation operation)
First, with reference to FIG. 6 (refer to FIGS. 1 and 2 as appropriate), an operation of generating decryption information that is information for decrypting distribution content in the content distribution system 1 will be described. FIG. 6 is a flowchart showing an operation in which the decryption information generation server generates decryption information in the content distribution system.

First, the decryption information generation server 10 selects prime numbers p and q by which the value of (p-1) is divisible by q by the public key generation means 11 (step S1), and the sequence {1, 2, ..., q-1 }, (N + 1) × (m + 1) values are selected as coefficients a _{i, j} {0 ≦ i ≦ n, 0 ≦ j ≦ m} (step S2). Then, the decryption information generation server 10 uses the public key generation means 11 to select one generation source g of the multiplicative group that forms a group with respect to the multiplication of the order q (step S3). Further, the decoding information generation server 10, the public key generation unit 11, a prime number p that is selected, and the origin g, coefficient its origin g (a _{i, j)} raised to the power of exponent values (y _0,0, y _0,1 ,..., y _{n, m} ) are generated (step S4) and stored in the public information storage means 13 (step S4). S5). The unauthorized person tracking public key e stored in the public information storage means 13 is used in the distribution content generation operation described later.

Subsequently, the decryption information generation server 10 uses the secret key generation means 12 based on the coefficient a _{i, j} selected in step S2 and the user-specific information (for example, user ID), and the user initial secret. A key (see equation (2)) is generated (step S6). Further, the decryption information generation server 10 generates a user master key (see the above formula (3)) by the secret key generation means 12 (step S7).

The user initial secret key and user master key generated in steps S6 and S7 are distributed to the user terminal 40 (step S8). Here, the user initial secret key is stored in a general-purpose storage medium (external storage medium) such as a memory stick, and the user master key is stored in the security module and distributed to the user. It shall be incorporated in
With the above operation, the decryption information generation server 10 can generate user-specific secret information as information for decrypting the distribution content and distribute it to the user (user terminal 40).

(Delivery content generation operation)
Next, with reference to FIG. 7 (refer to FIGS. 1 to 3 as appropriate), an operation of generating content for distribution in the content distribution system 1 will be described. FIG. 7 is a flowchart showing an operation of generating distribution content in the content distribution system.

  First, the content server 20 receives content to be distributed from the outside (recording medium or the like) by the content receiving unit 23 (step S10). Then, the content server 20 generates an encryption key for the common key encryption method by using the encryption key generation unit 21 (step S11). Then, the content server 20 uses the content encryption unit 24 to encrypt the content using the encryption key, and generates encrypted content (step S12). Further, the content server 20 transmits the encryption key to the decryption information generation server 10 by the encryption key transmission unit 22 (step S13).

Also, the decryption information generation server 10 receives the encryption key generated in step S11 from the content server 20 by the encryption key receiving unit 14 (step S14). Then, the decryption information generation server 10 selects a random number by the key encryption unit 15 (step S15). Then, the decryption information generation server 10 receives the random number selected in step S15, the public key for tracking the unauthorized person stored in the public information storage means 13 (see the above formula (1)), and the value determined by the provider (here Then, the encryption key is encrypted based on the time) to generate public information (see the above equation (4)) (step S16). The public information generated in step S16 is transmitted to the content server 20 by the public information transmitting means 16 (step S17).

Subsequently, the content server 20 receives the public information from the decryption information generation server 10 by the public information receiving unit 25 (step S18), and the public information synthesizing unit 26 adds the public information to the encrypted content generated at step S12. By synthesizing it as header information, content for distribution is generated (step S19). The distribution content is stored in the distribution content storage unit 27.
Through the above operation, the content server 20 can synthesize the public information generated by the decryption information generation server 10 with the encrypted encrypted content, and generate distribution content.

(Content distribution operation for distribution)
Next, with reference to FIG. 8 (refer to FIGS. 1 and 3 to 5 as appropriate), an operation of distributing content (distribution content) in the content distribution system 1 will be described. FIG. 8 is a flowchart showing an operation of distributing distribution content in the content distribution system.
First, the user terminal 40 generates a content request including content identification information indicating the content desired by the user by the distribution content request means 41 (step S20), and transmits it to the content distribution server 30 (step S20). S21).

  Further, the content distribution server 30 receives the content request from the user terminal 40 by the user request receiving means 31 (step S22), and the content request transmitting means 32 receives the content request described in the content request. The identification information (content identification information such as a file name) is transmitted to the content server 20 as a content request (step S23).

  Then, the content server 20 receives the content request from the content distribution server 30 by the content request receiving unit 28 (step S24), and the distribution content transmitting unit 29 stores the corresponding content (distribution content) in the distribution content storage. The data is read from the means 27 (step S25) and transmitted to the content distribution server 30 (step S26).

Then, the content distribution server 30 receives the distribution content from the content server 20 by the distribution content receiving unit 33 (step S27), and the distribution content transmission unit 34 uses the distribution content requested. Is transmitted to the person terminal 40 (step S28).
Then, the user terminal 40 receives the distribution content by the distribution content receiving means 42 (step S29).
With the above operation, the content distribution server 30 can transmit (distribute) the distribution content to the user terminal 40 that requested it.

(Decoding content for distribution)
Next, referring to FIG. 9 (refer to FIGS. 1 and 5 as appropriate), an operation of decrypting content (content for distribution) in the content distribution system 1 will be described. FIG. 9 is a flowchart showing an operation in which the user terminal decrypts the distribution content.

  First, the user terminal 40 receives distribution content from the content distribution server 30 by the distribution content receiving means 42 (step S30). Then, the user terminal 40 separates the distribution content into the public information and the encrypted content by the public information separating means 43 (step S31). Furthermore, the user terminal 40 separates the unique information (time) determined by the provider from the public information separated in step S31 by the unique information separation means 44 (step S32).

Then, the user terminal 40 uses the secret key update unit 47 to store the user secret key stored in the secret key storage unit 46 and the user master key stored in the master key storage unit 45a in the security module 45. Then, the user private key is updated based on the unique information (time) (see the formulas (5) and (6) or the formulas (7) and (8)) (step S33).
Further, the user terminal 40 decrypts the encryption key from the public information separated in step S31 using the user secret key updated in step S33 by the encryption key decrypting means 48 (see the above formula (10)). (Step S34).

Then, the user terminal 40 decrypts the encrypted content by the content decrypting means 49 using the encryption key decrypted in step S34 (step S35). At this stage, the user can view the decrypted content.
Through the above operation, the user terminal 40 decrypts the encryption key with the user secret key updated only with the secret information (user initial secret key and user master key) held in each terminal, and the encryption The encrypted content can be decrypted with the encryption key.

It is a block diagram which shows the structure of the content delivery system which concerns on this invention. It is a block diagram which shows the structure of a decoding information generation server (decoding information generation apparatus). It is a block diagram which shows the structure of a content server (content production apparatus for delivery). It is a block diagram which shows the structure of a content delivery server. It is a block diagram which shows the structure of a user terminal (content decoding apparatus). It is a flowchart which shows the operation | movement which a decoding information generation server produces | generates decoding information in a content delivery system. It is a flowchart which shows the operation | movement which produces | generates the content for delivery in a content delivery system. It is a flowchart which shows the operation | movement which distributes the content for delivery in a content delivery system. It is a flowchart which shows the operation | movement which a user terminal decodes the content for delivery.

Explanation of symbols

1 Content Distribution System 10 Decryption Information Generation Server (Decryption Information Generation Device)
DESCRIPTION OF SYMBOLS 11 Public key generation means 12 Private key generation means 13 Public information storage means 14 Encryption key reception means 15 Key encryption means 16 Public information transmission means 20 Content server (content generation apparatus for distribution)
DESCRIPTION OF SYMBOLS 21 Encryption key production | generation means 22 Encryption key transmission means 23 Content reception means 24 Content encryption means 25 Public information reception means 26 Public information composition means 27 Distribution content storage means 28 Content request reception means 29 Distribution content transmission means 30 Content Distribution server 31 User request reception means 32 Content request transmission means 33 Distribution content reception means 34 Distribution content transmission means 40 User terminal (content decryption device)
41 distribution content request means 42 distribution content reception means 43 public information separation means 44 unique information separation means 45 security module 45a master key storage means 45b partial key generation means 46 secret key storage means 47 secret key update means 48 encryption key decryption Means 49 Content Decoding Means

Claims (8)

A decryption information generation device that generates, as decryption information, public information that is disclosed for decrypting encrypted content and secret information that is secret information on the decryption side of the content,
For prime numbers p and q whose value of (p-1) is divisible by q, a generator g selected from a multiplicative group forming a group with respect to the multiplication of the order q is obtained from the sequence {1, 2, ..., q-1}. The public key e including the power value of the coefficient is obtained by raising the power by the selected (n + 1) × (m + 1) coefficients a _{i, j} {0 ≦ i ≦ n, 0 ≦ j ≦ m}.

And the public key generating means for generating by,
Based on the plurality of coefficients used in the public key generation means and identification information uid unique to each user who uses the content, a user initial secret key is provided as secret information unique to each user. the SK _{uid, 0}

As well as generated by, the user master key ^SK _{* uid}

And the secret key generation means for generating by,
The encryption key K _s obtained by encrypting the content, the public key e generated by the public key generation unit, the value t which defines the delivery side of the content, based on the random number r

A key encrypting means for generating encrypted said public information head (t) by,
A decryption information generation device comprising: The decryption information generation apparatus according to claim 1, wherein the value t used in the key encryption means is a value indicating time. In order to generate, as decryption information, public information that is disclosed for decrypting encrypted content and secret information that is secret information on the content decryption side,
For prime numbers p and q whose value of (p-1) is divisible by q, a generator g selected from a multiplicative group forming a group with respect to the multiplication of the order q is obtained from the sequence {1, 2, ..., q-1}. The public key e including the power value of the coefficient is obtained by raising the power by the selected (n + 1) × (m + 1) coefficients a _{i, j} {0 ≦ i ≦ n, 0 ≦ j ≦ m}.

Public key generation means for generating by,
Based on the plurality of coefficients used in the public key generation means and identification information uid unique to each user who uses the content, a user initial secret key is provided as secret information unique to each user. the SK _{uid, 0}

As well as generated by, the user master key ^SK _{* uid}

Secret key generation means for generating by,
The encryption key for encrypting the content is based on the public key e generated by the public key generation means, the value t determined on the content distributor side, and the random number r.

Key encrypting means for encrypting, generating the public information head (t) by,
A decryption information generation program characterized by being made to function as: A distribution content generation device that generates distribution content including encrypted content and public information that has been released to decrypt the encrypted content,
An encryption key generating means for generating an encryption key for encrypting the content;
Content encryption means for generating encrypted content by encrypting the content based on the encryption key generated by the encryption key generation means;
By combining the encrypted content generated by the content encryption unit and the public information generated by the decryption information generation apparatus according to claim 1 or 2 with the encryption key, Public information synthesis means to generate;
A content generating apparatus for distribution, comprising: In order to generate content for distribution that includes encrypted content and public information that has been published to decrypt the encrypted content,
An encryption key generating means for generating an encryption key for encrypting the content;
Content encryption means for generating encrypted content by encrypting the content based on the encryption key generated by the encryption key generation means;
By combining the encrypted content generated by the content encryption unit and the public information generated by the decryption information generation apparatus according to claim 1 or 2 with the encryption key, Public information synthesis means to generate,
A content generation program for distribution, characterized in that it is made to function as: A content decryption device for decrypting the encrypted content based on public information and secret information generated by the decryption information generation device according to claim 1 or 2 for decrypting the encrypted content Because
Master key storage means for storing a user master key SK ^* _uid which is a part of the secret information;
Secret key storage means for storing a user initial secret key SK _{uid, 0} which is a part of the secret information as an initial value of the user secret key;
Updates and user master key SK ^* _uid, which is stored in the master key storage means, on the basis of the published have that value t as the public information, the user secret key that the stored in the secret key storage means part used when the key SK _^'uid, the _t

A partial key generation unit for generating a,
By adding the partial key generated by the partial key generation unit and the user private key to generate the updated user secret key, and updates the user secret key the stored in the secret key storing unit secret Key renewal means;
The user secret key updated by this secret key update means is SK _{uid, t} , and the public information is head (t) = <t, (x, x ₀ , x ₁ , x ₂ ,..., X _n )>, When the identification information unique to the user is uid, the encrypted encryption key K _s is

And an encryption key decoding means for decoding by,
Content decrypting means for decrypting the encrypted content based on the encryption key decrypted by the encryption key decrypting means;
A content decrypting apparatus comprising:   7. The content decryption apparatus according to claim 6, wherein the master key storage unit and the partial key generation unit are provided in a security module that is removable from the content decryption apparatus. In order to decrypt the encrypted content based on the public information and the secret information generated by the decryption information generation device according to claim 1 or 2 for decrypting the encrypted content, Computer
A user master key SK ^* _uid that is a part of the secret information stored in the master key storage means in the security module by the partial key generation means in the security module, and a value t disclosed as the public information From the user initial secret key SK _{uid, 0} which is a part of the secret information stored in the secret key storage means as the initial value of the user secret key ,

By adding partial key SK _{^'uid generated,} a user private key _t by, generates the updated user secret key, and updates the user secret key the stored in the secret key storing unit secret Key renewal means,
The user secret key updated by this secret key update means is SK _{uid, t} , and the public information is head (t) = <t, (x, x ₀ , x ₁ , x ₂ ,..., X _n )>, When the identification information unique to the user is uid, the encrypted encryption key K _s is

Encryption key decoding means for decoding by,
Content decrypting means for decrypting the encrypted content based on the encryption key decrypted by the encryption key decrypting means;
A content decryption program that is made to function as:

Images