JP4559868B2 - Security module, content receiving apparatus, contract information generating apparatus, contract information verifying apparatus, and contract information verifying method - Google Patents

Description

  The present invention relates to a security module, a content receiving device, a contract, and the like that can be received and viewed (used) by any content receiving device connected to a network as long as it is a legitimate user in a conditional access system. The present invention relates to an information generation device, a contract information verification device, and a contract information verification method.

In recent years, content such as video and audio has been distributed over the Internet (network). In this case, in order to protect the copyright of the content, charge, etc., the content is encrypted and distributed. It is common.
Since content is generally large in size, it is once encrypted using a common key encryption method, and the encryption key used in the common key encryption method is encrypted using a public key encryption method. . For encryption of this encryption key, a public key unique to the user is used. Then, the encrypted content and the encrypted encryption key are distributed to each user's content receiving device.

Then, the content receiving device on the user side decrypts the encrypted encryption key using the secret key stored in the device. This secret key is paired with a public key unique to the user used when encrypting the encryption key. In the content receiving apparatus, the encrypted content is decrypted using the encryption key, so that the user can view the content.
In such a content distribution mode, a place where the user views the content (content receiving device) is fixed. In this case, the user's private key is safely managed using a tamper-resistant device, for example, a security module such as an IC card. By using this security module, the content receiving device prevents leakage of the secret key, and as a result, protects the copyright of the content.

As another distribution form of content, a form in which a content distribution service can be enjoyed anywhere as long as it can be connected to the Internet is considered. In order to enjoy such a distribution service, the user needs to carry a secret key. In this case, it is conceivable to carry the device with the secret key stored in the tamper-resistant device. However, the tamper-resistant device is generally expensive, and damage due to breakage, loss, etc. increases.
Therefore, a method has been proposed in which a secret key is stored in a general-purpose device such as a flash memory, and the device can be used to enjoy a content distribution service anywhere that can be connected to the Internet by carrying the device. (See Non-Patent Document 1).

In this method, a number is assigned to the content to be distributed in advance, and the public key encryption of the content is performed using the number. The user's private key in this public key encryption is generated using the content number and a master key owned by the user.
In this case, the content can be decrypted by using a secret key having the same content number, but other content having a different number cannot be decrypted.

Therefore, when viewing the content, the user generates a secret key corresponding to the content number in advance in the content receiving device. Then, the secret key is stored in a general-purpose storage device, and the user can use the storage device to enjoy the content distribution service anywhere that can be connected to the Internet.
Further, for example, in order to enjoy a distribution service at a business trip destination (an apparatus other than the content receiving apparatus fixed to the user) for a long period of time when the user goes on a business trip, a plurality of secret keys are generated in advance, By storing the information in the storage device, the user can view (use) the content even with other content receiving apparatuses.
“An unauthorized person tracking method with key leakage resistance”, IEICE Technical Report, Vol. 104, no. 199, ISEC 2004-35, pp. 151-158

  However, the conventional technique described in Non-Patent Document 1 has a problem that, for example, if a general-purpose device is left somewhere, the secret key is easily leaked. In addition, since this device is general-purpose, it is possible to copy a secret key, and there is a problem that all secret keys stored in the device are leaked.

In the conventional method, an unauthorized person tracking function is added. When a malicious person intentionally creates and distributes multiple copies of his / her private key, the malicious key is examined by examining the private key. It is possible to identify a person with a password and to prevent unauthorized users from occurring.
However, it is also conceivable that a malicious person creates and distributes many copies by intentionally obtaining one copy of another person's private key. In this case, there is a problem that anyone can view (use) the content if it is a secret key that is within the expiration date or a secret key that is valid for a certain content.

  The present invention has been made in view of the above problems, and can be received and viewed (utilized) by any content receiving apparatus connected to the network, and the number of times the content is used It is an object of the present invention to provide a security module, a content receiving apparatus, a contract information generating apparatus, a contract information verifying apparatus, and a contract information verifying method that can limit the damage to key leakage and minimize the damage.

  The present invention has been developed to achieve the above object. First, the security module according to claim 1 is provided to a content receiving device that receives content by a limited reception method, and is another content receiving device. The security module generates authentication information used for user authentication for receiving the content, and includes a secret information storage unit, a temporary group signature key generation unit, and a token generation unit.

According to such a configuration, the security module uniquely assigns a group signature key in the electronic authentication method and signature key generation information that is information for generating a temporary group signature key that is temporarily generated to the user. The secret information is stored in the secret information storage means.
The secret information stored in the secret information storage means is stored in advance by a provider who performs user registration (user registration). The signing key generation information is a group signing key generation polynomial for generating a group signing key. By using the signing key generation information, the group signing key stored in advance in the security module is used. In addition, it is possible to temporarily generate a user-specific group signature key.

Then, the security module generates a temporary group signature key that becomes a part of the authentication information based on the signature key generation information stored in the secret information storage unit by the temporary group signature key generation unit. Since this temporary group signature key is generated based on the secret information stored in advance in the secret information storage means, it becomes a regular group signature key for the user and can be used as user authentication information.
In addition, the security module uses the token generation means to verify a verification key (group signature verification key) that is a pair of the group signature key, a token generation random number (pseudorandom number) that is a part of the authentication information, and a user-specific Based on the identification information, a token that is a part of the authentication information indicating the authority of the user is generated.

Since this token is generated based on the group signature verification key and identification information (for example, user ID) unique to the user, it becomes possible to authenticate the individual user and use it as user authentication information. can do. Furthermore, since the token is generated based on a pseudo-random number, it becomes information that is difficult to generate other than the security module.
By using the authentication information generated in this way, it becomes possible to authenticate the user other than the content receiving apparatus provided with the security module.

  The security module according to claim 2, wherein the temporary group signature key generation unit updates the temporary group signature key based on the signature key generation information and a temporary group signature key generated in the past. It was decided to generate again.

  According to this configuration, the security module generates the temporary group signature key from the past (previously used) temporary group signature key in the temporary group signature key generation unit. That is, when the previously used temporary group signing key does not exist, a new temporary group signing key cannot be generated, and the validity of the temporary group signing key can be improved.

  Furthermore, the content receiving apparatus according to claim 3 is a content that receives content by a limited reception method using a security module that includes a secret information storage unit, a temporary group signature key generation unit, and a token generation unit. The receiving apparatus is configured to include authentication information output means for outputting authentication information generated by the security module to the outside.

  According to such a configuration, the content receiving apparatus includes a group signature key unique to the user in the electronic authentication method, and signature key generation information unique to the user for generating a temporary group signature key that is temporarily generated. , A temporary group signature key generating unit that generates a temporary group signature key that becomes part of the authentication information based on the signature key generation information stored in the secret information storage unit, and a group signature Indicates a user's authority based on a verification key (group signature verification key) that is a key pair, a token generation random number (pseudorandom number) that is part of the authentication information, and identification information unique to the user A security module including a token generation unit that generates a token that is a part of the authentication information, and the authentication information generated by the security module by the authentication information output unit. And outputs to the outside. For example, the authentication information output unit records the authentication information on an external recording medium. Thereby, the user can authenticate the user in another content receiving apparatus by using the recording medium.

  The content receiving device according to claim 4 is the content receiving device according to claim 3, wherein the secret information storage means stores the maximum number of times the authentication information is issued at a time, and The information output means outputs the authentication information to an external recording medium up to the maximum number of times.

  According to such a configuration, the content receiving device limits the number of pieces of authentication information recorded on the recording medium to a finite number. For example, even when the authentication information is passed to a third party, the authentication information is used without limitation. There is nothing to do.

  Furthermore, the contract information generation device according to claim 5 is output from another content reception device including the security module according to claim 1 or 2 in a content reception device that receives content by a limited reception method. The contract information generating apparatus generates contract information for receiving the content using the authentication information, and includes a token challenge receiving unit, a token answer generating unit, and a combining unit.

  According to such a configuration, the contract information generation apparatus receives a token challenge, which is a pseudo-random number for verifying a token, distributed from the content distribution side in response to the content distribution request, by the token challenge receiving unit. Then, the token answer generation means generates a token answer that is information for token verification based on the token challenge received by the token challenge reception means and the token generation random number that is a part of the authentication information.

  Then, the contract information generation apparatus generates the contract information by adding the group signature to the token using the temporary group signature key and combining the token answer by the combining unit. Since the token answer is generated based on the token challenge delivered from the content delivery side and the token generation random number used when the token was created, it is possible to verify the token answer on the content delivery side. It becomes possible to judge the validity of the contract information.

  The contract information generation apparatus according to claim 6, wherein the synthesizing unit uses a temporary group signature key that is a part of the authentication information for content fee information indicating a fee for content in addition to the token. The contract information is generated by adding a group signature and synthesizing the token answer.

  According to such a configuration, the contract information generation apparatus includes the content fee information in the token, and further generates the contract information by adding the group signature. Therefore, the provider who issued the group signature key specifies the user. Thus, it becomes possible to perform billing processing.

  Furthermore, the content receiving apparatus according to claim 7 is configured to include an authentication information input unit and the contract information generation apparatus according to claim 5 in the content receiving apparatus that receives the content by the limited reception method.

  According to such a configuration, the content receiving apparatus inputs authentication information output from a security module provided in another content receiving apparatus by the authentication information input unit. For example, the authentication information input means inputs the authentication information by reading the authentication information from a recording medium on which the authentication information output from the security module is recorded. Then, contract information for receiving content is generated by the contract information generation apparatus using the authentication information. As a result, the content receiving apparatus that does not include the security module can receive and view the content.

  The contract information verification apparatus according to claim 8 is a contract information verification apparatus which is arranged on the content distribution side and verifies contract information generated by the contract information generation apparatus according to claim 5, wherein the contract information verification apparatus is a token challenge. The configuration includes a selection unit, a token challenge transmission unit, a contract information reception unit, a group signature verification unit, and a token verification unit.

  According to this configuration, the contract information verification device verifies the token, which is information indicating the authority of the content user, in response to the content distribution request transmitted from the content receiving side by the token challenge selection unit. A token challenge that is a pseudo-random number is selected, and the token challenge is transmitted to the content receiver by the token challenge transmission means.

  Then, the contract information verification apparatus receives the contract information generated by the contract information generation apparatus using the token challenge by the contract information receiving means. Then, the contract information verification device verifies the group signature added to the contract information by the group signature verification means based on a verification key (group signature verification key) that is a pair of a group signature key unique to the user. . This makes it possible to verify whether the contract information has been added by a legitimate user.

  In addition, the contract information verification device verifies the token included in the contract information by the token verification means based on the token answer also included in the contract information and the token challenge selected by the token challenge selection means. To do. Since this token answer is generated using the token challenge in the contract information generation device, the validity of the token answer can be verified by using this token challenge.

  Furthermore, the group signature key generation device according to claim 9 is a group signature key for generating secret information stored in the security module according to claim 1 or claim 2 and public information corresponding to the secret information. The generation device is configured to include a group signature verification key generation unit, a group signature key generation polynomial generation unit, a group signature key generation unit, and a signature key generation information generation unit.

  According to this configuration, the group signature key generation device generates the group signature verification key in the electronic authentication method by the group signature verification key generation unit. This group signature verification key is disclosed as public information. Further, the group signature key generation apparatus generates a group signature key generation polynomial, which is a polynomial for generating a group signature key that is a pair of group signature verification keys, by a group signature key generation polynomial generation unit.

The group signature key generation device uses the group signature key generation unit based on the information used when the group signature verification key generation unit generates the group signature verification key and information unique to the user. A unique group signing key is generated. In addition, the group signature key generation device temporarily uses the signature key generation information generation unit based on information used when the group signature key generation unit generates a group signature and information unique to the user. Signature key generation information that is information for generating the generated temporary group signature key is generated. The group signature key and signature key generation information are secret information stored in the security module.
This makes it possible to generate a group signature key in the security module.

  The contract information verification method according to claim 10 can receive content that can be received by the first content receiving device that includes the security module and that receives the content by the limited reception method, by the second content receiving device. A contract information verification method for verifying the contract information for making the content information in the contract information verification apparatus on the content distribution side, wherein an authentication information generation step, a token challenge selection step, a token answer generation step, and a contract information generation step And a verification step.

  According to this procedure, in the authentication information generation step, the contract information verification method generates a temporary group signature key based on confidential information unique to the user in the security module provided in the first content receiving device. Then, a token that is information indicating the authority of the user is generated based on public information for generating a verification key that is a pair of a group signature key unique to the user and a token generation random number that is a pseudo-random number.

In the contract information verification method, the token challenge selection step includes a token challenge that is a pseudo-random number for verifying a token in response to a content distribution request transmitted from the second content receiving device in the contract information verification device. Is transmitted to the second content receiving apparatus.
The contract information verification method is information for verifying a token based on the token challenge and the token generation random number at the second content receiving device in the token answer generation step. Generate a token answer.

Furthermore, the contract information verification method generates contract information in the contract information generation step by adding a group signature to the token answer generated in the token answer generation step and the token using a temporary group signature key. To the contract information verification device.
Then, in the verification step, the contract information verification method receives the contract information in the contract information verification device, and the group signature added to the contract information is verified as a verification key paired with a group signature key unique to the user. The token included in the contract information is verified based on the token answer and the token challenge included in the contract information.

  According to the invention described in claim 1 or claim 3, by using the authentication information generated in the security module, the user can be authenticated even in the content receiving device not provided with the user-specific security module. Thus, any content receiving device connected to the network can receive and view (use) the content. Note that the group signature is not a personal authentication, but a mechanism for authenticating the group to which the user belongs. Therefore, the personal information cannot be determined only by the authentication information, and personal privacy is protected. become.

  According to the second aspect of the present invention, a new temporary group signature key cannot be generated unless a temporary group signature key generated in the past exists in the security module. Authentication information must be generated by a unique security module. For this reason, a third party cannot generate authentication information, and the security of the authentication information can be improved.

  According to the invention described in claim 4, the number of authentication information (tokens and the like) generated by the security module can be limited. As a result, even when the authentication information is taken out to the outside, the authentication information cannot be used without limitation, so that damage to the leakage of the authentication information can be minimized. Furthermore, when a token is used twice, the user can be specified, so that misuse of authentication information can be prevented.

  According to the invention described in claim 5 or claim 7, in the contract information generation apparatus, contract information for using the content can be generated from the authentication information generated by the security module. As a result, even in a content receiving device that does not include a security module, content can be used by a contracted user.

  According to the invention described in claim 6, content fee information indicating the fee for the content is included in the contract information, and a group signature is added so that the provider who issued the group signature key can identify the user. Can be charged.

  According to the eighth aspect of the present invention, when a content distribution request is made from a content receiving device not equipped with a security module on the content distribution side, contract information using a token is sent to the content receiving device. By generating, it is possible to verify whether the user is a regular user.

  According to the ninth aspect of the present invention, the security module can generate a group signature key serving as user authentication information. Accordingly, it is possible to authenticate the user by using the authentication information in the content receiving apparatus that does not include the user-specific security module.

  According to the tenth aspect of the present invention, in the contract information verification method, the security module can generate a token and a temporary group signature key as user authentication information, and generate contract information based on the authentication information. Thus, even if unauthorized use of content occurs, an unauthorized user can be specified.

Hereinafter, embodiments of the present invention will be described with reference to the drawings.
[Content distribution system configuration]
First, the configuration of the content distribution system according to the embodiment of the present invention will be described with reference to FIG. FIG. 1 is a block diagram showing a configuration of a content distribution system. The content distribution system 1 includes a group signing key generation server 10, a user identification server 20, a gateway connected to the content provider (user registration content provider) side that performs user registration connected via the intranet 3 ₁ (3). (GW) 5 ₁ (5), and the content server 30 and the content distribution server 40 connected to the content provider (content distribution content provider) that distributes the content via the intranet 3 ₂ (3) And is connected to the Internet 7.

In the content distribution system 1, a user fixed terminal 50 that is a terminal on the user side of content and a content receiving terminal 70 that is a terminal other than the user fixed terminal 50 are connected to the Internet 7.
In such a configuration, the content distribution system 1 also includes a content reception terminal (content reception device) 70 that is a terminal other than the user fixed terminal (content reception device) 50 and includes a security module 60 that stores a secret key. This is a system that enables content to be received and viewed.

  A group signature key generation server (group signature key generation device) 10 is issued in a security module 60 such as an IC card and stored in a token (Token) that is information indicating the authority of the user stored in the security module 60. On the other hand, a group signature key for performing a group signature in the electronic authentication method and a temporary group signature key which is a temporary group signature key to be taken out at the same time when the user takes out the token other than the user fixed terminal 50 are provided. It generates secret information to be generated by the user fixed terminal 50.

  The user specifying server 20 verifies the group signature added to the contract information transmitted from the content distribution server 40, and specifies the user who issued the group signature. As a result, it is possible to charge the specified user for content distribution usage.

  The content server 30 encrypts the content and generates content (distribution content) to be distributed to the user. Further, the content server 30 stores the encryption key used for encryption and the content fee (content fee information) together with the content for distribution, and makes a response to the request from the content distribution server 40. .

  The content distribution server 40 acquires the content requested by the content receiving terminal 70 (content for distribution), the encryption key, and the content fee information from the content server 30 and transmits them to the content receiving terminal 70. is there. The content distribution server 40 verifies the group signature added to the contract information transmitted from the content receiving terminal 70, and only distributes the content for distribution or the like when the request is from a legitimate user. 70.

  The user fixed terminal (content receiving device) 50 requests content (distribution content) desired by the user from the content distribution server 40, and decrypts the distribution content acquired from the content distribution server 40. . The user fixed terminal 50 is provided with a security module 60 that receives content in a limited manner using a limited reception method, and only the content for which the user has contracted can be viewed.

  The security module 60 is a tamper-resistant IC card or the like. Here, the content receiving device (content receiving terminal 70) other than the user fixed terminal 50 allows the user to receive and view the content. Generate possible authentication information. The authentication information generated by the security module 60 is recorded on an external recording medium, and is read by the content receiving terminal 70 where the user wants to view the content.

The content receiving terminal (content receiving device) 70 requests content (distribution content) desired by the user from the content distribution server 40 and decodes the distribution content acquired from the content distribution server 40.
In general, a receiving device that does not include the security module 60 cannot receive and view content, but here, the content receiving terminal 70 is generated by the security module 60 of the user fixed terminal 50. Content can be viewed using authentication information.

The gateway (GW) 5 (5 ₁ , 5 ₂ ) is a device for connecting each network of the intranet 3 (3 ₁ , 3 ₂ ) and the Internet 7. The gateway 5 is, for example, an IP router (IP: Internet Protocol), and has a firewall function that prevents unauthorized access to the intranet 3.
Hereinafter, each configuration of the group signature key generation server 10, the user identification server 20, the content server 30, and the content distribution server 40, which are devices on the provider side, and a user fixed terminal 50 and a content reception terminal, which are devices on the user side The configuration of 70 will be described sequentially.

(Group signature key generation server configuration)
First, the configuration of the group signature key generation server will be described with reference to FIG. 2 (refer to FIG. 1 as appropriate). FIG. 2 is a block diagram showing the configuration of the group signature key generation server. Here, the group signature key generation server 10 includes a group signature related information generation unit 11, a secret information generation unit 12, a group signature related information storage unit 13, a group signature related information transmission unit 14, and a verification key transmission unit 15. And.

  The group signature related information generating unit 11 generates a group signature verification key in the electronic authentication method as public information to be disclosed to the public and also generates a group signature key for generating a group signature key that is a pair of the group signature verification key. A polynomial is generated. Here, the group signature related information generation unit 11 includes a group signature verification key generation unit 11a and a group signature key generation polynomial generation unit 11b.

The group signature verification key generation unit 11a generates a group signature verification key in the electronic authentication method. The group signature verification key generated by the group signature verification key generation unit 11 a is stored in the group signature related information storage unit 13.
Here, the group signature verification key generation unit 11a first prepares a value in which the value of (p−1) is divisible by q among the two prime numbers p and q, and the sequence {1, 2,. , Q−1} to randomly select (n + 1) × (m + 1) values (where q ≧ (n + 1) × (m + 1) +1), and the selected (n + 1) × (m + 1) values Are coefficients a _{i, j} {0 ≦ i ≦ n, 0 ≦ j ≦ m}. Further, the group signature verification key generation unit 11a randomly selects one generation source g from a multiplicative group forming a group with respect to the multiplication of the order q prepared in advance.

The group signature verification key generation unit 11a then multiplies the selected prime numbers p and q, the generation source g, and the generation source g to the coefficient (a _{i, j} ) as shown in the following equation (1). A group signature verification key VK composed of power values (y _0,0 , y _0,1 ,..., Y _{n, m} ) is generated. All subsequent calculations are performed on modulo p.

The group signature key generation polynomial generation means 11b generates a group signature key generation polynomial which is a polynomial for generating a group signature key which is a pair of group signature verification keys. The group signature key generation polynomial generated by the group signature key generation polynomial generation unit 11 b is stored in the group signature related information storage unit 13.
Here, the group signature key generating polynomial generator 11b generates a group signature key generating polynomial f (u, t) for generating a group signature key unique to the user, as shown in the following equation (2). Is generated.

  In this equation (2), the calculation is performed with u being user-specific information (for example, user ID) and t being unique information (for example, the number of times to generate the group signature key) on the side of generating the group signature key. Thus, a temporary group signature key (temporary group signature key) that is unique to each user and that corresponds to the unique information can be generated.

  The secret information generation means 12 generates a user-specific group signature key and information for generating a temporary group signature key (temporary group signature key generation secret information) as secret information specific to the user. It is. Here, the secret information generation unit 12 includes a group signature key generation unit 12a and a signature key generation information generation unit 12b.

The group signature key generation unit 12a generates a group signature key unique to the user. The group signature key, which is secret information generated by the group signature key generation means 12a, is stored in a tamper-resistant security module 60 such as an IC card and distributed to users.
Here, the group signature key generation unit 12a uses the user-specific information u (for example, user ID) and the coefficient {a _{i, j} used when the group signature verification key generation unit 11a generates the group signature key. } (Where m = 0 coefficient {a _1,0 , a _2,0 ,..., A _{n, 0} }), as shown in the following equation (3), the group signature key SK _u, Generate ₀ .

The signature key generation information generation unit 12b generates signature key generation information that is information for generating a temporary group signature key that is temporarily generated. The signature key generation information, which is secret information generated by the signature key generation information generation means 12b, is stored in a tamper-resistant security module 60 such as an IC card and distributed to users.
Here, the signature key generation information generation unit 12b uses the user-specific information u (for example, user ID) and the coefficient {a _{i, j} } used in generating the group signature key (here, the coefficient { a _{i, 1} , a _{i, 2} ,..., a _{i, m} }) to generate temporary group signing key generation secret information SK ^* _u as shown in the following equation (4).

  The group signature related information storage means 13 stores the group signature verification key generated by the group signature related information generation means 11 and the group signature key generation polynomial as group signature related information. It is a storage device. The group signature verification key or the like stored in the group signature related information storage unit 13 is read from the group signature related information transmission unit 14 or the verification key transmission unit 15.

  The group signature related information transmitting unit 14 transmits group signature related information (group signature verification key, group signature key generating polynomial) stored in the group signature related information storage unit 13 to the user specifying server 20. is there. The group signature key generation polynomial is information (public information) that can be referred to only by the user registration content provider.

  The verification key transmission unit 15 discloses the group signature verification key stored in the group signature related information storage unit 13. Here, the verification key transmission means 15 transmits the group signature verification key as public information to the content distribution server 40 or the like.

  By configuring the group signature key generation server 10 in this way, the group signature key generation server 10 secures the user-specific secret information (group signature key and temporary group signature key generation secret information) to be distributed to the user. The module 60 can be stored and distributed. Further, the group signature key generation server 10 may generate a group signature verification key, which is public information for identifying the user, and a group signature key generation polynomial for the information with the group signature. it can.

(Configuration of user specific server)
Next, the configuration of the user specifying server will be described with reference to FIG. FIG. 3 is a block diagram showing the configuration of the user specifying server. Here, the user specifying server 20 includes group signature related information receiving means 21, charging request receiving means 22, group signature verifying means 23, and group signer specifying means 24.

  The group signature related information receiving means 21 receives the group signature related information (group signature verification key and group signature key generation polynomial) generated in the group signature key generation server 10 in order to identify the user who uses the content. To do. The group signature verification key received by the group signature related information receiving unit 21 is output to the group signature verification unit 23, and the group signature key generating polynomial is output to the group signer specifying unit 24.

The charging request receiving unit 22 receives a charging request for a user who uses content distributed from the content distribution server. This billing request includes contract information (for example, a viewing channel, a usage time limit, etc.) for the user to use the content. The contract information is combined with a token indicating the authority of the user, and a group signature is added by a temporary group signature key. The token includes the number of times the signature key has been issued.
The group signature added to the billing request (contract information) received by the billing request receiving unit 22 is output to the group signature verifying unit 23, and the number of temporary group signature keys issued is output to the group signer specifying unit 24. Is done.

  The group signature verifying unit 23 verifies the group signature added to the contract information received by the charging request receiving unit 22 with the group signature verification key received by the group signature related information receiving unit 21. As a result, it is possible to verify whether the contract information has been distributed by an authorized user. When the group signature verifying unit 23 verifies that the user is an authorized user, the fact is output to the group signer specifying unit 24.

The group signer specifying unit 24 includes a group signature key generating polynomial received by the group signature related information generating unit 11 when the group signature verifying unit 23 verifies that the user is an authorized user, Based on the number of times the group signature key (temporary group signature key) is added to the contract information received by the billing request receiving means 22, the user who added the group signature is specified. Note that a method for specifying a user by this group signature will be described in detail later.
By configuring the user specifying server 20 in this way, the user specifying server 20 can verify the group signature added to the contract information and specify the user who issued the group signature. Billing processing can be performed for the identified user.

(Content server configuration)
Next, the configuration of the content server will be described with reference to FIG. 4 (refer to FIG. 1 as appropriate). FIG. 4 is a block diagram showing the configuration of the content server. Here, the content server 30 includes an encryption key generation unit 31, a content reception unit 32, a content encryption unit 33, a content fee reception unit 34, a content storage unit 35, a content request reception unit 36, an encryption An encryption key transmission unit 37, a distribution content transmission unit 38, and a content fee transmission unit 39 are provided.

  The encryption key generation unit 31 generates an encryption key for encrypting content. The generated encryption key is output to the content encryption unit 33 and is stored in the content storage unit 35 in association with the encrypted content. This encryption key is randomized using a pseudo-random number generation means, a hash function, etc. (not shown), and has a uniform key length.

  The content receiving unit 32 receives content for distribution. The content received here is output to the content encryption means 33. For example, the content receiving unit 32 may read content from a recording medium (not shown), or may acquire content as communication data via a network (Internet 7 or the like). .

  The content encryption unit 33 encrypts the distribution content received by the content reception unit 32 with the encryption key generated by the encryption key generation unit 31 and generates encrypted content (distribution content). is there. The distribution content generated here is stored in the content storage unit 35 in association with the content identification information for specifying the content. The content encryption unit 33 encrypts the content using the common key encryption method using the encryption key. Since the content to be encrypted is assumed to be information with a large amount of data such as video, the common key encryption method that uses faster encryption processing than the public key encryption method is used here. And For example, a common common key encryption method such as AES (Advanced Encryption Standard) may be used.

  The content fee receiving unit 34 receives a fee for content for distribution (content fee information). The content fee information received here is stored in the content storage unit 35 in association with the content for distribution. For example, the content fee receiving unit 34 may read content fee information from a recording medium (not shown), or acquire content fee information as communication data via a network (Internet 7 or the like). It may be.

  The content storage unit 35 includes the encryption key generated by the encryption key generation unit 31, the distribution content generated by the content encryption unit 33, and the content fee information received by the content fee reception unit 34. It is stored in association with content identification information, and is a general storage device such as a hard disk. The encryption key, distribution content, and content fee information stored in the content storage unit 35 are included in the encryption key transmission unit 37, the distribution content transmission unit 38, and the content fee transmission unit 39 when the content is requested. Respectively.

Content request receiving unit 36 is transmitted from the content distribution server 40, inclusive of the content request content identification information identifying the content for delivery, and receives via the intranet 3 _2. The content request receiving unit 36 outputs the content identification information included in the content request to the encryption key transmitting unit 37, the distribution content transmitting unit 38, and the content fee transmitting unit 39.

  The encryption key transmitting unit 37 reads the encryption key corresponding to the content identification information output from the content request receiving unit 36 from the content storage unit 35 and sends it to the requested content distribution server 40 as a decryption key. To be sent.

  The distribution content transmission unit 38 reads out the distribution content corresponding to the content identification information output from the content request reception unit 36 from the content storage unit 35 and transmits it to the requested content distribution server 40. .

The content fee transmitting unit 39 reads content fee information corresponding to the content identification information output from the content request receiving unit 36 from the content storage unit 35 and transmits it to the requested content distribution server 40.
By configuring the content server 30 in this way, the content server 30 encrypts the content with the encryption key, associates the encrypted content, the encryption key, and the fee information of the content, and distributes the content. The data can be transmitted to the content distribution server 40 as data for use.

(Content distribution server configuration)
Next, the configuration of the content distribution server will be described with reference to FIG. 5 (refer to FIG. 1 as appropriate). FIG. 5 is a block diagram showing the configuration of the content distribution server. Here, the content distribution server 40 includes a content request receiving means 41, a content request transmitting means 42, a contract information verifying means 43, a decryption key receiving means 44, a distribution content receiving means 45, and a content fee receiving. Means 46, decryption key transmission means 47, distribution content transmission means 48, and content fee transmission means 49 are provided.

  The content request document receiving means 41 receives a request (content request document) transmitted from the content receiving terminal 70 and indicating the content desired by the user via the network (Internet 7 or the like). The content request includes at least content identification information for specifying the content and terminal identification information (for example, an IP address) indicating from which content receiving terminal 70 the request is made. The content request receiving means 41 outputs the content identification information to the content request transmitting means 42, and outputs the terminal identification information to the contract information verifying means 43 and the content fee transmitting means 49.

Content request transmission means 42, including the content identification information output from the content requisition receiving means 41 content delivery request (content request), via the intranet 3 _2, and transmits to the content server 30. In response to this content request, the content distribution server 40 acquires from the content server 30 the decryption key associated with the content identification information, the content for distribution, and the content fee information that is the fee for the content for distribution. Can do.

  The contract information verification means (contract information verification device) 43 verifies the contract information transmitted from the content receiving terminal 70 and verifies whether the content request is transmitted from the content receiving terminal 70 by a legitimate user. To do. Here, the contract information verification unit 43 includes a token challenge selection unit 43a, a token challenge transmission unit 43b, a contract information reception unit 43c, a verification key reception unit 43d, a verification unit 43e, and a billing request transmission unit 43f. I have.

The token challenge selection means 43a selects a token challenge that is a pseudo random number for verifying a token that is information indicating the authority of the user of the content. Here, the token challenge selecting means 43a selects an arbitrary value α (α∈ _R G _q ) from the subgroup G _q (multiplicative group forming a group with respect to the multiplication of the order q) of the finite field Z ^* _p. This is a token challenge. The order q is the same as the prime q included in the group signature verification key generated by the group signature verification key generation means 11a (FIG. 2). The token challenge selected by the token challenge selection unit 43a is output to the token challenge transmission unit 43b.

  The token challenge transmitting unit 43b transmits the token challenge selected by the token challenge selecting unit 43a to the content receiving terminal 70 corresponding to the terminal identification information output from the content request receiving unit 41.

  The contract information receiving unit 43c receives contract information including a token transmitted from the content receiving terminal 70 and a token answer that is generated by using a token challenge and is token verification information. The contract information is added with a group signature by the temporary group signature key in the content receiving terminal 70. The token in the contract information received by the contract information receiving unit 43c and the group signature are separated and output to the verification unit 43e.

  The verification key receiving unit 43d receives the group signature verification key generated in the group signature key generation server 10 (FIG. 2), which is disclosed for specifying the user who uses the content. The group signature verification key received by the verification key receiving unit 43d is output to the verification unit 43e.

  The verification unit 43 e verifies the group signature and the token (token answer) in the contract information received by the contract information reception unit 43 c. Here, the verification unit 43 e includes a group signature verification unit 431 and a token verification unit 432.

  The group signature verification unit 431 uses the group signature added to the contract information and the token as a verification key (group signature verification key received by the verification key reception unit 43d) that is a pair of a group signature key unique to the user. Based on the verification. Thereby, it is possible to verify whether or not the contract information is transmitted from an authorized user.

The token verification unit 432 verifies the token included in the contract information based on the token answer and the token challenge selected by the token challenge selection unit 43a. Thereby, it is possible to verify whether or not the token is illegally used.
When the verification means 43e verifies that the content request has been transmitted by an authorized user, the verification means 43e outputs the contract information to the billing request transmission means 43f, and receives the content received by transmitting the content request. The terminal identification information of the terminal 70 is output to the decryption key transmission unit 47 and the distribution content transmission unit 48.

  The charging request transmitting unit 43f transmits a charging request including the contract information output from the contract information receiving unit 43c to the user specifying server 20. The contract information included in the billing request is information for billing the user who uses the content in the user specifying server 20.

Decryption key receiving unit 44, a decryption key corresponding to the content identification information transmitted from the content request transmission unit 42 is configured to receive from the content server 30 via the intranet 3 _2. The decryption key received by the decryption key receiving unit 44 is output to the decryption key transmitting unit 47.

Distribution content receiving unit 45, a distribution content corresponding to the transmitted content identification information from the content request transmission unit 42 is configured to receive from the content server 30 via the intranet 3 _2. The distribution content received by the distribution content receiving unit 45 is output to the distribution content transmitting unit 48.

Content fee receiving unit 46, a content charge information indicating a charge for contents corresponding to the transmitted content identification information from the content request transmission unit 42 is configured to receive from the content server 30 via the intranet 3 _2. The content fee information received by the content fee receiving unit 46 is output to the content fee transmitting unit 49.

  The decryption key transmission unit 47 transmits the decryption key received by the decryption key reception unit 44 to the content reception terminal 70 corresponding to the terminal identification information output as a result of verification by the contract information verification unit 43. It is.

  The distribution content transmission unit 48 transmits the distribution content received by the distribution content reception unit 45 to the content reception terminal 70 corresponding to the terminal identification information output as a result of verification by the contract information verification unit 43. It is.

  The content fee transmitting unit 49 transmits the content fee information received by the content fee receiving unit 46 to the content receiving terminal 70 corresponding to the terminal identification information output from the content request receiving unit 41.

By configuring the content distribution server 40 in this way, the content distribution server 40 can transmit the content for distribution in response to a request (content request form) indicating the content desired by the user transmitted from the content receiving terminal 70. The decryption key and the content fee information can be acquired from the content server 30 and distributed to the requested content receiving terminal 70. The content distribution server 40 distributes the distribution content and the decryption key to the content receiving terminal 70 only when the user is an authorized user.
The content distribution server 40 verifies the user by verifying the signature added to the contract information when receiving the content request from the user fixed terminal 50 provided with the security module 60. Since this configuration is the same as the conventional one, the description thereof is omitted here.

(Configuration of user fixed terminal)
Next, the configuration of the user fixed terminal will be described with reference to FIG. 6 (refer to FIG. 1 as appropriate). FIG. 6 is a block diagram showing the configuration of the user fixed terminal. Here, the user fixed terminal 50 includes a content request transmission unit 51, a content fee reception unit 52, a contract information generation unit 53, a contract information transmission unit 54, a decryption key reception unit 55, a distribution content. Receiving means 56, content decrypting means 57, authentication information output means 58, and old temporary group signature key input means 59 are provided. Furthermore, the user fixed terminal 50 has a security module 60 mounted therein.

  The content request sending means 51 requests content (distribution content) desired by the user from the content distribution server 40 on the provider (content distribution content provider) side via the Internet 7. For example, the content request document transmission means 51 includes the content identification information by inputting content identification information (for example, a file name) specifying the content desired by the user by an input means (not shown). A content request is generated and transmitted to the content distribution server 40 to request distribution content.

  The content fee receiving means 52 receives content fee information indicating the fee of the content for distribution requested by the user from the content distribution server 40 via the Internet 7. The content fee information received by the content fee receiving unit 52 is output to the contract information generating unit 53.

  The contract information generation unit 53 generates contract information, which is information indicating that the user has contracted for the content, based on the content fee information received by the content fee reception unit 52. The contract information generated by the contract information generating means is output to the contract information group signing means 65 of the security module 60.

  The contract information transmitting unit 54 transmits the contract information added with the group signature by the contract information group signature unit 65 of the security module 60 described later to the content distribution server 40 via the Internet 7. As a result, it is possible for the content distribution server 40 to verify that the user who requested the content distribution is an authorized user.

  The decryption key receiving means 55 receives, via the Internet 7, a decryption key for decrypting the distribution content requested by the user from the content distribution server 40 on the provider (content distribution content provider) side. It is. The decryption key received by the decryption key receiving unit 55 is output to the content decrypting unit 57.

  The distribution content receiving means 56 receives the distribution content requested by the user from the content distribution server 40 on the provider (content distribution content provider) side via the Internet 7. The distribution content received by the distribution content receiving unit 56 is output to the content decoding unit 57.

  The content decrypting unit 57 uses the decryption key received by the decryption key receiving unit 55 to decrypt the distribution content received by the distribution content receiving unit 56. As a result, the distribution content is decoded into content that can be viewed (reproduced content).

  The authentication information output means 58 outputs a signed token, a temporary group signature key, and a token generation random number, which are authentication information generated by the security module 60 described later, to the outside. For example, the authentication information output unit 58 records the authentication information on the external recording medium 80. Thus, the user can use the recording medium 80 in which the authentication information is recorded, so that the user can be authenticated in the other content receiving device (content receiving terminal 70), and the content is received. It becomes possible to watch.

  The old temporary group signature key input means 59 reads the temporary group signature key recorded on the recording medium 80. The temporary group signature key recorded on the recording medium 80 is a group signature key that has been generated by the security module 60 and recorded on the recording medium 80 in the past. The temporary group signature key read by the old temporary group signature key input unit 59 is output to the temporary group signature key generation unit 62 of the security module 60 and used to generate a new temporary group signature key.

  The security module 60 is a tamper-resistant IC card or the like, and includes a secret information storage unit 61, a temporary group signature key generation unit 62, a token generation unit 63, a token group signature unit 64, and a contract information group signature. Means 65.

The secret information storage means 61 stores secret information unique to the user, and is a storage device such as a semiconductor memory. This secret information includes the group signature key generated by the group signature key generation means 12a (FIG. 2) of the group signature key generation server 10 on the provider (user registration content provider) side, and temporary group signature key generation secret information ( Signature key generation information).
The secret information storage means 61 stores the maximum number of tokens (authentication information) that can be issued (generated) at the same time. Thus, the authentication information output means 58 can limit the use of the token by recording the token on the recording medium 80 up to the maximum number of times.

  The temporary group signature key generation means 62 is authentication information for authenticating a user based on the temporary group signature key generation secret information (signature key generation information) that is secret information stored in the secret information storage means 61. A temporary group signing key that becomes a part of the key is generated. The temporary group signature key generation unit 62 first generates a temporary group signature key from the group signature key that is the secret information stored in the secret information storage unit 61, and thereafter generates (issues) the past. A temporary group signing key is newly generated from the temporary group signing key thus obtained. The temporary group signature key generated in the past is read from the recording medium 80 by the old temporary group signature key input means 59. The temporary group signature key generated by the temporary group signature key generation unit 62 is output to the authentication information output unit 68 outside the security module 60.

When the temporary group signature key is first generated, the temporary group signature key generation unit 62 includes the temporary group signature key generation secret information SK ^* _u stored in the secret information storage unit 61 and the group signature key SK _{u. , 0} is used to generate a temporary group signature key SK _{u, 1} . Thereafter, the temporary group signature key generation means 62 is generated in the past (at time “t−1” when the current time is “t”), and is input by the old temporary group signature key input means 59. A new temporary group signature key SK _{u, t} is generated using the temporary group signature key SK _{u, t−1} .
That is, the temporary group signature key generation means 62 generates a temporary group signature key SK _{u, t} as shown in the following equations (5) and (6).

  Here, the temporary group signature key generated in the past is acquired from the recording medium 80, but the temporary group signature key generated by the temporary group signature key generation unit 62 is stored in the secret information storage unit 61. Alternatively, it may be a form in which it is read and used as a temporary group signature key generated in the past.

  The token generating means 63 determines the authority of the user based on a verification key (group signature verification key) that is a pair of group signature keys and a random number for token generation that is a pseudo random number and is a part of authentication information. This is information to generate a token that is a part of the authentication information.

The token generation unit 63 includes a generation source g included in the group signature verification key generated by the group signature verification key generation unit 11a of the group signature related information generation unit 11 on the user registration content provider side, and prime numbers p and q. Use and to generate tokens.
That is, the token generating means 63 first selects arbitrary numerical values m, n, a from the subgroup G _q of the finite field Z ^* _p (multiplicative group forming a group with respect to the multiplication of the order q) (m, n , A∈G _q ). Then, the token generating unit 63 calculates a numerical value b that satisfies “u = a × b” using identification information (for example, user ID) u that identifies the user. Then, the token generating unit 63 generates “Token = <g ^m , g ⁿ , g ^a , g ^b >” as a token (Token). The token (Token) generated by the token generating unit 63 is output to the token group signature unit 64. The token generation random numbers (m, n, a, b) used for generating the token are output to the authentication information output means 58 as a part of the authentication information.

  The token group signature unit 64 uses the group signature key stored in the secret information storage unit 61 to generate the token generated by the token generation unit 63 and the temporary group signature key generation unit 62 to generate a temporary group signature key. A group signature is added to a value (<Token‖t>) (“‖” indicates concatenation) obtained by synthesizing the value t indicating the time point. The signed token with the group signature added is output to the authentication information output means 58 outside the security module 60.

  The contract information group signature unit 65 adds a group signature using a group signature key unique to the user stored in the secret information storage unit 61 to the contract information generated by the contract information generation unit 53. Thus, contract information with a signature is generated. The contract information to which the group signature is added is output to the contract information transmission means 54.

  Thus, by writing the authentication information (signed token, temporary group signature key and token generation random number) generated in the security module 60 to the recording medium 80, the user can record the authentication information in the recording medium 80. 80 can be carried around. Since the number of tokens (such as signed tokens) recorded on the recording medium 80 is limited, the number of times the content is used can be limited, and damage to leakage can be minimized.

(Content receiving terminal configuration)
Next, the configuration of the content receiving terminal will be described with reference to FIG. 7 (refer to FIG. 1 as appropriate). FIG. 7 is a block diagram showing the configuration of the content receiving terminal. Here, the content receiving terminal 70 includes a content request form transmitting unit 51, a content fee receiving unit 52, a contract information generating unit 53B, a contract information transmitting unit 54, a decryption key receiving unit 55, and a distribution content receiving unit. Means 56, content decryption means 57, and authentication information input means 71 are provided.
The configuration other than the contract information generation unit 53B and the authentication information input unit 71 is the same as the configuration of the user fixed terminal 50 described with reference to FIG.

  The contract information generating means (contract information generating apparatus) 53B is the content fee information received by the content fee receiving means 52, the token challenge distributed from the content distribution server 40, and the user authentication recorded on the recording medium 80. The contract information for using the content is generated based on the information. Here, the contract information generating unit 53B includes a separating unit 531, a token challenge receiving unit 532, a token answer generating unit 533, and a combining unit 534.

  The separation unit 531 separates the token (signed token) and the token generation random number, which are the authentication information input via the authentication information input unit 71, and the temporary group signature key. The token and token generation random number separated by the separation unit 531 are output to the token answer generation unit 533, and the temporary group signature key is output to the synthesis unit 534.

  The token challenge receiving unit 532 receives a token challenge, which is a pseudo-random number for verifying a token distributed from the content distribution server 40 on the provider (content distribution content provider) side. The token challenge received by the token challenge receiving unit 532 is output to the token answer generating unit 533.

The token answer generation unit 533 generates a token answer which is information for token verification based on the token challenge received by the token challenge reception unit and the token generation random number which is a part of the authentication information. .
Here, the token answer generation unit 533 uses the token challenge α received by the token challenge reception unit 532 and the token generation random number (m, n, a, b) to generate the token answer β shown in the following equation (7). ₁ and β ₂ are generated.

  The token answer generated by the token answer generating unit 533 is output to the synthesizing unit 534.

  The synthesizing unit 534 synthesizes the content fee information received by the content fee receiving unit 52 and the token separated by the separating unit 531, and adds a group signature with the temporary group signature key separated by the separating unit 531. Further, the contract information is generated by synthesizing the token answers generated by the token answer generating means 533. The contract information generated by the synthesizing unit 534 is output to the contract information transmitting unit 54 and transmitted to the content distribution server 40.

By configuring the content receiving terminal 70 in this way, the content receiving terminal 70 can receive and view the content even if the security module 60 is not installed.
As described above, each server and reception device configuring the content distribution system 1 has been described. However, the configuration of each server is not limited to this, and each unit in each server may be configured as one server. Conversely, a plurality of servers may be combined into a single server.

[About group signatures]
Hereinafter, an example of the group signature used in the present invention will be described. Note that the method of performing signature by this group signature is based on the TTaKE (Traitor Tracing against Key Exposure) method described in Non-Patent Document 1.

(Group signature method)
First, a group signature key generating polynomial f (u, t) for a user having user-specific information (for example, user ID) u to generate a t-th temporary group signature key is the above (2). It is a formula. If the temporary group signature key at a certain time is SK _{u, t} , the following equation (8) is satisfied.

  Here, when t is fixed, the equation (8) can be transformed into the following equation (9).

The signature is generated using the temporary group signature key SK _{u, t according} to the following procedure. In the token group signing means 64 (FIG. 6) according to the present invention, the group signature for signing the token may be t = 0 in the following procedure. Thereby, SK _{u, t} becomes a polynomial in which only u is a variable.
First, the token group signing means 64 selects arbitrary values γ _{α, i} , γ _{β, i} , γ _{χ, i} from the finite field Z _q (γ _{α, i} , γ _{β, i} , γ _{χ, i} ∈ _R Z _q (0 ≦ i ≦ l)).
Then, the token group signing means 64 uses the public key cryptosystem such as RSA cipher or ElGamal cipher to encrypt ciphertexts C ⁽⁰⁾ _{i, t} and C ^{(1 )} Create _{i, t} . Here, “enc ()” indicates an encryption function.

  Subsequently, the token group signing means 64 generates a random number c as shown in the following expression (11) by using a hash function. Here, m is data to be signed.

Then, the token group signature unit 64 calculates verification data s _{i, t} and d _i for verifying the group signature by the following equation (12).

Then, the token group signature unit 64 generates a group signature Gsig as shown in the following equation (13) and adds it to the data to be signed.

(Group signature verification method)
Next, a method for verifying the group signature Gsig generated by the equation (13) described in the group signature method will be described.
In the present invention, the group signature verification means 23 (FIG. 3) of the user specifying server 20 uses the value included in the group signature Gsig and uses the following expression (14) for each i (0 ≦ i ≦ l): Verify that holds.

  That is, the group signature verification unit 23 determines that the group signature is added by a legitimate user when the formula (14) is satisfied.

(Group signer identification method)
Next, a method for specifying the user (group signer) to whom the group signature is added will be described.
In the present invention, the group signer specifying means 24 (FIG. 3) of the user specifying server 20 specifies the user (group signer) to which the group signature is added.
First, the group signer specifying means 24 extracts a group signature key (temporary group signature key) SK _{u, t} from the group signature as shown in the following equation (15). Here, “dec ()” is an inverse function of “enc ()” in the equation (10).

Then, the group signer specifying means 24 substitutes t and u into the group signature key generation polynomial f (u, t) shown in the above equation (2), so that the temporary group signature key SK _{u, t} Find u that matches. Here, the obtained u is information (for example, a user ID) for specifying the user who performed the group signature, and the user (group signer) is specified.

[Operation of content distribution system]
Next, the operation of the content distribution system 1 (FIG. 1) will be described.
(Group signature key, secret information generation operation for temporary group signature key generation)
First, with reference to FIG. 8 (refer to FIG. 2 as appropriate for the configuration), an operation of generating the group signature key and the temporary group signature key generation secret information in the group signature key generation server 10 will be described. FIG. 8 is a flowchart showing an operation of generating a group signature key and temporary group signature key generation secret information in the group signature key generation server.

First, the group signature key generation server 10 selects prime numbers p and q by which the value of (p−1) is divisible by q by the group signature verification key generation unit 11a (step S10), and the sequence {1, 2,. (n + 1) × (m + 1) values are randomly selected from q−1} and the selected (n + 1) × (m + 1) values are selected as coefficients a _{i, j} {0 ≦ i ≦ n, 0 ≦ j ≦ m} is selected (step S11). Further, the group signature key generation server 10 uses the group signature verification key generation unit 11a to select one multiplicative group generation source g that forms a group with respect to the multiplication of the order q (step S12).

Then, the group signature key generation server 10 uses the group signature verification key generation unit 11a to convert the prime numbers p and q selected in step S10, the generation source g selected in step S12, and the generation source g to a coefficient (a _{i, j} ) generating a group signature verification key VK (see the above equation (1)) composed of the raised power values (y _0,0 , y _0,1 ,..., y _{n, m} ) (step S13), The information is stored in the group signature related information storage means 13 (step S14).
In addition, the group signature key generation server 10 generates a group signature key generation polynomial for generating a group signature key to be paired with the group signature verification key VK by the group signature key generation polynomial generation unit 11b (step S15). ) And stored in the group signature related information storage means 13 (step S16).

Subsequently, the group signature key generation server 10 uses the group signature key generation unit 12a based on the coefficient {a _{i, j} } selected in step S11 and user-specific information (for example, user ID), A user-specific group signature key SK _{u, 0} (see equation (3) above) is generated (step S17). Further, the group signature key generation server 10 uses the signature key generation information generation unit 12b to use the temporary group signature key using the user-specific information and the coefficient used when generating the group signature key in step S17. The generation secret information SK ^* _u (see the above equation (4)) is generated (step S18).

  The group signature key generated in step S17 and the temporary group signature key generation secret information generated in step S18 are stored in a tamper-resistant security module 60 such as an IC card and distributed to users. (Step S19).

(Delivery content generation operation)
Next, referring to FIG. 9 (refer to FIG. 4 as appropriate for the configuration), the operation of generating content for distribution in the content server 30 will be described. FIG. 9 is a flowchart illustrating an operation of generating content for distribution in the content server.
First, the content server 30 receives content to be distributed from the outside by the content receiving means 32 (step S20). Further, the content server 30 uses the encryption key generation unit 31 to generate an encryption key using a common key encryption method (step S21).

  Then, the content server 30 encrypts the content received in step S20 with the encryption key generated in step S21 by the content encryption unit 33, and generates encrypted content (distribution content) (step S22). The encryption key and the distribution content are stored in the content storage unit 35 (step S23).

Further, the content server 30 receives the content fee information indicating the content fee corresponding to the content for distribution from the outside by the content fee receiving unit 34 and stores it in the content storage unit 35 in association with the content for distribution (step). S24).
As a result, content for distribution is prepared in the content storage unit 35.

(Token and temporary group signing key generation operation)
Next, an operation of generating a token and a temporary group signature key in the security module 60 attached to the user fixed terminal 50 will be described with reference to FIG. FIG. 10 is a flowchart showing an operation of generating a token and a temporary group signature key in the security module.

First, the security module 60 selects (m, n, aεG _q ) any numerical value m, n, a from the subgroup G _q of the finite field Z ^* _p by the token generating means 63 (step S30). ), Using the identification information (for example, user ID) u that identifies the user, a numerical value b that satisfies “u = a × b” is calculated (step S31).

Then, the security module 60 uses the token “Token = <” based on the numerical value m, n, a selected in step S30, the numerical value b calculated in step S31, and the generation source g. g ^m , g ⁿ , g ^a , g ^b > ”are generated (step S32).
Further, the security module 60 uses the temporary group signature key generation means 62 to store the temporary group signature key SK _{u, t-1} generated in the past (at time “t−1” when the current time is “t”). Using this, a new temporary group signature key SK _{u, t} is generated (step S33).

Then, the security module 60 combines the token generated in step S32 with the token group signing means 64 and the value t indicating the time point when the temporary group signature key was generated in step S33 (step S34). A group signature is added to the value (<Token に t>) using the group signature key SK _{u, 0} stored in the secret information storage means 61 to generate a signed token (step S35).
By recording the token with signature and the temporary group signature key generated in this way on the external recording medium 80 as authentication information for authenticating the user, the user can select another content receiving device (content receiving terminal). 70), the content can be used.
Steps S30 to S35 correspond to the authentication information generation step in the claims.

(Content distribution operation)
Next, the content distribution operation in the content distribution system 1 (FIG. 1) will be described with reference to FIG. 11 (refer to FIGS. 3, 4, 5, and 7 as appropriate for the configuration). FIG. 11 is a flowchart showing an operation of distributing content in the content distribution system.

  First, in the content receiving terminal 70, the content request transmission means 51 generates a content request that describes content identification information (for example, a file name, etc.) that specifies the content desired by the user (step SA1), and content distribution It transmits to the server 40 (step SA2).

  In the content distribution server 40, the content request receiving unit 41 receives the content request transmitted from the content receiving terminal 70 (step SB1), and the content request transmitting unit 42 is described in the content request. The content identification information is transmitted to the content server 30 as a content distribution request (content request) (step SB2).

  Then, in the content server 30, the content request receiving means 36 receives the content request transmitted from the content distribution server 40 (step SC1). Subsequently, the content fee transmission means 39 reads the content fee information corresponding to the content identification information from the content storage means 35 (step SC2) and transmits it to the requested content distribution server 40 (step SC3). Further, the distribution content transmitting unit 38 reads out the distribution content corresponding to the content identification information from the content storage unit 35 (step SC4) and transmits it to the requested content distribution server 40 (step SC5). Further, the encryption key transmission unit 37 reads the encryption key corresponding to the content identification information from the content storage unit 35 (step SC6), and transmits it to the requested content distribution server 40 as a decryption key ( Step SC7).

In the content distribution server 40, the content fee receiving unit 46 receives the content fee information transmitted from the content server 30 (step SB3), and the content fee transmitting unit 49 sends the content to the requested content receiving terminal 70. Charge information is transmitted (step SB4).
Further, in the content distribution server 40, the token challenge selecting unit 43a selects an arbitrary value α (αε _R G _q ) from the subgroup G _q of the finite field Z ^* _p as a token challenge (step SB5). The token challenge transmission unit 43b transmits the token challenge to the requested content receiving terminal 70 (step SB6). Steps SB5 and SB6 correspond to the token challenge selection step in the claims.

In the content receiving terminal 70, the content fee receiving means 52 receives the content fee information transmitted from the content distribution server 40 (step SA3). Further, the token challenge receiving means 532 receives the token challenge transmitted from the content distribution server 40 (step SA4).
Then, the separating unit 531 separates the token (signed token) and the token generation random number, which are the authentication information input via the authentication information input unit 71, and the temporary group signature key, and the token answer generating unit 533 Then, a token answer (refer to the equation (7)), which is information for token verification, is generated from the token challenge α received in step SA4 and the token generation random numbers (m, n, a, b) (step (7)). SA5: token answer generation step).

Further, the synthesizing unit 534 synthesizes the content fee information received in step SA3 and the token, adds a group signature with the temporary group signature key, and further synthesizes the token answer generated in step SA5 to thereby obtain the contract information. Is generated (step SA6; contract information generation step).
Then, the contract information transmitting means 54 transmits the contract information generated at step SA6 to the content distribution server 40 (step SA7).

In the content distribution server 40, the contract information receiving unit 43c receives the contract information transmitted from the content receiving terminal 70 (step SB7), and separates the token and the group signature from the contract information (step SB8).
Then, the verification unit 43e verifies the token added to the contract information and the group signature (step SB9; verification step). That is, the group signature verification unit 431 of the verification unit 43e verifies the group signature added to the token by the group signature verification key and the group signature added to the contract information, and the token verification unit 432 The token is verified based on the token challenge received in step SB5. If the token is invalid as a result of the verification, the content distribution service is stopped.

Then, the distribution content receiving means 45 receives the distribution content transmitted from the content server 30 (step SB10), and if the token is a regular token in step SB9, the received distribution content is requested. Is transmitted to the received content receiving terminal 70 (step SB11). Further, the decryption key receiving means 44 receives the decryption key transmitted from the content server 30 (step SB12). When the token is a regular token in step SB9, the received decryption key is requested. Is transmitted to the received content receiving terminal 70 (step SB13).
Further, the billing request transmission unit 43f transmits a billing request including contract information to the user specifying server 20 (step SB14).

In the content receiving terminal 70, the distribution content receiving means 56 receives the distribution content distributed from the content distribution server 40 (step SA8), and the decryption key receiving means 55 is also distributed from the content distribution server 40. The decrypted key is received (step SA9).
Then, the content decrypting unit 57 reproduces the content by decrypting the distribution content received in Step SA8 with the decryption key received in Step SA9 (Step SA10).

On the other hand, in the user identification server 20, the billing request receiving means 22 receives the billing request transmitted from the content distribution server 40 (step SD1).
Then, the group signature verification unit 23 verifies the group signature added to the contract information with the group signature verification key received by the group signature related information reception unit 21 (step SD2). When it is verified that the verification of the group signature is added by a legitimate user, the group signer specifying means 24 uses the group signature key generation polynomial and the contract included in the billing request received in step SD1. Based on the number of times the group signature key (temporary group signature key) is added to the information, the user (signer) who added the group signature is specified (step SD3).

As a result, the user who uses the content is specified, and the charging process for the user is performed (step SD4). This step SD4 is performed in a general billing apparatus on the user registration content provider side outside the user specifying server 20.
With the above operation, the content distribution system 1 can verify a legitimate user and provide the content to the user even in the content receiving terminal 70 that does not include the security module 60.
In this embodiment, the group signature key that is the user's secret key and the temporary group secret key that is another secret key in TTaKE described in Non-Patent Document 1 are used. Not limited to this, a general group signature key may be used.

It is a block diagram which shows the structure of the content delivery system which concerns on this invention. It is a block diagram which shows the structure of a group signature key production | generation server. It is a block diagram which shows the structure of a user specific server. It is a block diagram which shows the structure of a content server. It is a block diagram which shows the structure of a content delivery server (a contract information verification apparatus is included). It is a block diagram which shows the structure of a user fixed terminal (a security module is included). It is a block diagram which shows the structure of a content receiving terminal (a contract information production | generation apparatus is included). It is a flowchart which shows the operation | movement which produces | generates the group signature key and the secret information for temporary group signature key production | generation in a group signature key production | generation server. It is a flowchart which shows the operation | movement which produces | generates the content for delivery in a content server. It is a flowchart which shows the operation | movement which produces | generates a token and a temporary group signature key in a security module. It is a flowchart which shows the operation | movement which distributes content in a content delivery system.

Explanation of symbols

1 Content Distribution System 10 Group Signature Key Generation Server (Group Signature Key Generation Device)
11 Public information generation means 11a Group signature verification key generation means 11b Group signature key generation polynomial generation means 12 Secret information generation means 12a Group signature key generation means 12b Signature key generation information generation means 13 Public information storage means 14 Group signature related information transmission Means 15 Verification key transmission means 20 User identification server 21 Group signature related information reception means 22 Billing request reception means 23 Group signature verification means 24 Group signer identification means 30 Content server 31 Encryption key generation means 32 Content reception means 33 Content encryption Converting means 34 content fee receiving means 35 content storage means 36 content request receiving means 37 encryption key transmitting means 38 distribution content transmitting means 39 content fee transmitting means 40 content distribution server 41 content Motomesho receiving unit 42 content request transmission means 43 contract information verifying section (contract information verification apparatus)
43a token challenge selection means 43b token challenge transmission means 43c contract information reception means 43d verification key reception means 43f charge request transmission means 43e verification means 431 group signature verification means 432 token verification means 44 decryption key reception means 45 distribution content reception means 46 Content fee receiving means 47 Decryption key device means 48 Distribution content transmitting means 49 Content fee transmitting means 50 User fixed terminal (content receiving device, first content receiving device)
51 Content Request Sending Means 52 Content Fee Sending Means 53 Contract Information Generating Means 54 Contract Information Sending Means 55 Decryption Key Receiving Means 56 Distribution Content Receiving Means 57 Content Decoding Means 58 Authentication Information Output Means 59 Old Temporary Group Signature Key Input Means 60 Security Module 61 Secret Information Storage Unit 62 Temporary Group Signature Key Generation Unit 63 Token Generation Unit 64 Token Group Signature Unit 65 Contract Information Group Signature Unit 70 Content Receiving Terminal (Content Receiving Device, Second Content Receiving Device)
53B Contract information generation means (contract information generation device)
531 Separation means 532 Token challenge reception means 533 Token answer generation means 534 Composition means 71 Authentication information input means

Claims (10)

A security module that is provided to a content receiving device that receives content by a limited reception method and generates authentication information used for user authentication for receiving the content in another content receiving device,
Secret information storage means for storing a group signature key in the electronic authentication method and signature key generation information that is information for generating a temporary group signature key that is temporarily generated as secret information unique to the user;
Temporary group signature key generation means for generating the temporary group signature key that becomes a part of the authentication information based on the signature key generation information stored in the secret information storage means;
Information indicating the authority of the user based on a verification key that is a pair of the group signature key, a token generation random number that is a pseudo-random number that is a part of the authentication information, and identification information unique to the user A token generating means for generating a token that is a part of the authentication information;
A security module characterized by comprising:   The temporary group signature key generation means updates and regenerates the temporary group signature key based on the signature key generation information and a temporary group signature key generated in the past. Security module described in. Secret information storage means for storing a group signature key in the electronic authentication method and signature key generation information that is information for generating a temporary group signature key that is temporarily generated as secret information unique to the user; Based on the signature key generation information stored in the secret information storage unit, the group signature key is paired with a temporary group signature key generation unit that generates the temporary group signature key that is a part of the authentication information. Based on a verification key, a token generation random number that is a pseudo-random number that is a part of the authentication information, and identification information unique to the user, information indicating the authority of the user, A content reception device that receives content by a limited reception method using a security module including a token generation unit that generates a token that is a part,
A content receiving apparatus comprising: authentication information output means for outputting the authentication information generated by the security module to the outside. The secret information storage means stores the maximum number of times the authentication information is issued at a time,
The content receiving apparatus according to claim 3, wherein the authentication information output means outputs the authentication information to an external recording medium up to the maximum number of times. A content receiving device that receives content by a limited reception method for receiving the content using authentication information output from another content receiving device including the security module according to claim 1 or 2. A contract information generation device for generating contract information,
A token challenge receiving means for receiving a token challenge, which is a pseudo-random number for verifying a token, distributed from a content distribution side in response to a content distribution request;
Token answer generating means for generating a token answer that is information for verifying the token based on the token challenge received by the token challenge receiving means and a token generating random number that is a part of the authentication information;
A synthesizing unit that adds a group signature to a token that is a part of the authentication information using a temporary group signature key that is a part of the authentication information and generates the contract information by synthesizing the token answer;
A contract information generating apparatus comprising:   The synthesizing unit adds a group signature to content fee information indicating a fee of content in addition to the token using a temporary group signature key that is a part of the authentication information, and synthesizes the token answer. The contract information generating apparatus according to claim 5, wherein the contract information is generated by the method. In a content receiving apparatus that receives content by a limited reception method,
Authentication information input means for inputting authentication information output from another content receiving device including the security module according to claim 1 or 2,
The contract information generation apparatus according to claim 5, wherein the contract information for receiving the content is generated using the authentication information input by the authentication information input means,
A content receiving apparatus comprising: A contract information verification apparatus that is arranged on the content distribution side and verifies contract information generated by the contract information generation apparatus according to claim 5,
A token challenge selecting means for selecting a token challenge that is a pseudo-random number for verifying a token that is information indicating the authority of the user of the content in response to a content distribution request transmitted from the content receiving side;
Token challenge transmission means for transmitting the token challenge selected by the token challenge selection means to the content receiver;
Contract information receiving means for receiving the contract information in response to the token challenge;
A group signature verification unit that verifies a group signature added to the contract information received by the contract information reception unit based on a verification key that is a pair of a group signature key unique to the user;
Token verification means for verifying the token included in the contract information based on the token answer and the token challenge included in the contract information;
An apparatus for verifying contract information, comprising: A group signature key generation device that generates secret information stored in the security module according to claim 1 or 2, and public information corresponding to the secret information,
A group signature verification key generating means for generating a group signature verification key in the electronic authentication method as the public information;
A group signature key generating polynomial generating means for generating a group signature key generating polynomial that is a polynomial for generating a group signature key to be paired with the group signature verification key;
Based on the information used when the group signature verification key generating means generates the group signature verification key and the information specific to the user, the group signature key unique to the user is changed to the secret information. A group signature key generating means to be generated as a part;
Information for generating a temporary group signature key that is temporarily generated based on information used when generating the group signature by the group signature key generation means and information unique to the user. Signing key generation information generating means for generating a certain signing key generation information as part of the secret information;
A group signature key generation apparatus comprising: The contract information on the content distribution side is contract information for enabling the second content receiving device to receive the content that can be received by the first content receiving device that includes the security module and receives the content by the limited reception method. A contract information verification method for verification in a verification device,
In the security module provided in the first content receiving device,
Generates a temporary group signing key based on secret information unique to the user, public information for generating a verification key to be paired with the group signature key unique to the user, and token generation that is a pseudo-random number An authentication information generating step for generating a token, which is information indicating the authority of the user, based on a random number for use;
In the contract information verification device,
Talk challenge selection step of selecting a token challenge, which is a pseudo-random number for verifying the token, in response to a content distribution request transmitted from the second content receiving device, and transmitting the token challenge to the second content receiving device. When,
In the second content receiving device,
A token answer generation step of receiving the token challenge and generating a token answer, which is information for verifying the token, based on the token challenge and the token generation random number;
A contract that generates contract information by adding a group signature to the token answer generated in the token answer generation step and the token using the temporary group signature key, and transmits the contract information to the contract information verification apparatus. An information generation step;
In the contract information verification device,
The contract information is received, the group signature added to the contract information is verified based on a verification key that is a pair of a group signature key unique to the user, and a token included in the contract information Verifying based on the token answer and the token challenge included in the contract information;
The contract information verification method characterized by including.

Images