JP4867425B2 - Information processing apparatus, information processing method, and computer program - Google Patents

Description

  The present invention relates to an information processing apparatus, an information processing method, and a computer program. More specifically, the present invention relates to an information processing apparatus, an information processing method, and a computer program that execute various data processing accompanying encrypted content distribution processing that can be decrypted only by a specific contract user.

  In recent years, with the spread and development of not only PCs but also mobile phones and digital home appliances, content distribution businesses such as music and video have become increasingly important. As content distribution business, there are content providing systems using various routes such as CATV, satellite broadcasting, pay broadcasting using the Internet, and sales of contents using physical media such as CDs and DVDs. Data provided by such various routes is generally received or acquired by unspecified users. Therefore, when providing paid content or content subject to copyright management, it is necessary to construct a mechanism that allows the content to be used only by an authorized contractor.

  One of the methods for enabling content use only by a legitimate contractor is content encryption. Encryption methods are roughly classified into a common key method and a public key method. The common key method is also called a symmetric encryption method, and both the sender and the receiver have a common key. The public key system or the asymmetric encryption system is a configuration in which the sender and receiver have different keys for the common key encryption. Unlike the common key cryptosystem that uses a common key for encryption and decryption, the public key cryptosystem is advantageous in key management because the secret key that needs to be kept secret must be held by a specific person. . In the public key cryptosystem, a public key can be used by an unspecified number of people, and there is a method of using a certificate that certifies whether or not a public key to be distributed is valid, a so-called public key certificate. Many are used.

  For example, in a content distribution system, a system administrator (hereinafter referred to as a center) provides a user key (individual secret key) to a contractor in advance, and the content M is encrypted with a session key s during content distribution. The ciphertext C (encrypted content) and the header h obtained by encrypting the session key s are distributed. The header h can obtain the session key s by decryption with a user key (personal private key) held only by the contractor. With this processing configuration, only the contractor can acquire the content M.

  However, even if such a content distribution system is used, if the user key (personal secret key) held by the contractor is revealed intentionally or negligently, it is a normal user device using the exposed user key. It is possible to generate an illegal content protection release device (hereinafter referred to as an illegal decoder) that performs the same operation as that of the decoder (hereinafter referred to as a regular decoder). Actually, many such illegal decoders are sold in pay broadcasting such as CATV and satellite broadcasting, and the key provided only to the contract vendor is also revealed in content distribution using physical media such as DVD. In general, illegal decoders as software have been circulated, causing a great deal of damage to the content distribution business.

  There is an illegal person tracking method as an effective means for preventing such an illegal act by a contractor. The fraudster tracking method is a contractor who provided a key from the key contained in the fraudulent decryptor even if the contractor provided his / her own key and configured a fraudulent decryptor in the content distribution system as described above. This is a tracking method for identifying (hereinafter referred to as an unauthorized person). The outline of the fraud tracking method will be described below.

As shown in FIG. 1, in the fraudster tracking method, after the center determines a security parameter k, the center generates a k-th order secret polynomial f (x) (hereinafter referred to as a distribution polynomial) and is unique to the contractor i. A secret key d _i (hereinafter referred to as a personal secret key) is distributed in advance, and at the same time, the center public key e is disclosed.

  As shown in FIG. 2, at the time of content distribution, the content distributor encrypts the content M with the session key s, and the header h (hereinafter, the contract key can be acquired only by the contractor). Generate a distribution header) and distribute it.

Contractor i will get a session key s from its own private secret key d _i and a public key e and a header h, to get the content M by decrypting the ciphertext C. Usually, the decryption by the contractor uses a regular decoder (information processing apparatus) configured by software, hardware or both.

For example, as shown in FIG. 3, the regular decryptor can be configured by an information processing apparatus 10 having a data processing function similar to that of a general PC, and a unique personal secret key provided from the center to the contractor i. d _i is stored in the personal secret key storage unit 11.

Here, the contractor i illegally takes out his / her private secret key d _i from the information processing apparatus 10 and stores it in another information processing apparatus, thereby generating an illegal decryptor. For example, by copying the private secret key d _i a large amount, a large amount of unauthorized decryption unit is generated.

If this occurs, incorrect verifier acquires the unauthorized decryption unit, contractor i individual secret key d _i contained therein it is possible to identify that the fraudster. In addition, when the private secret key cannot be obtained directly from the unauthorized decryptor, the unauthorized person is identified by performing black box tracking.

  Black box tracking is a fraud tracking technique for identifying an unauthorized person by inputting a header for identifying an unauthorized person (hereinafter referred to as a tracking header) to an unauthorized decoder and verifying its output. As shown in FIG. 4, the unauthorized verifier first estimates a contractor (hereinafter referred to as a suspect) to be verified, and generates a tracking header h based on the suspect's ID.

  That is, a process of generating a tracking header h from a public key e and a suspect ID to be verified, inputting it to an unauthorized decryptor, and verifying the output result, specifically, the output of the unauthorized decryptor is the content and It is verified whether the suspect is an unauthorized person by confirming whether or not they match.

  As a method for realizing such black box tracking, for example, the methods described in Non-Patent Document 1 and Non-Patent Document 2 are applicable. In such a fraudster tracking method, the distribution header that excludes only the suspect is used as a tracking header, and it is the same as the normal decoder by checking whether the output of the illegal decoder matches the content. It is possible to realize black box tracking for an unauthorized decoder in which a decryption operation is performed and only a key used at that time belongs to an unauthorized person.

  There is Patent Document 1 as a document showing an efficient fraud tracking method for realizing such black box tracking. In the method described in Patent Document 1, a set of contractors is divided into a plurality of subgroups, and different k-th order distribution polynomials are assigned to the respective subgroups. By distributing the header, it is possible to eliminate contractors in subgroup units. As a result, not only the illegal decoder that is most easily configured by an attacker as described above, but also an illegal decoder having a function of avoiding the tracking when the tracking by the verifier is detected. Realistic black box tracking is realized.

The black box tracking method described in Patent Document 1 will be briefly described below. In the black box tracking method described in Patent Document 1, the center divides the contractor set into t subgroups in advance, and t k-th order distribution polynomials f _Z (x) (z) that differ for each subgroup. = 1, ..., t).

To each contractor, the private secret key generated using the distribution polynomial f _Z (x) corresponding to the subgroup U _Z to which the contractor belongs is distributed using a secure communication path. The distributor generates a session key and a random number, calculates common information for generating a header for distribution using this, and then corresponds to each subgroup U _Z (z = 1,..., T). A distribution header H _Z (z = 1,..., T) is generated. In this case the distributor changes the method of generating a distribution header H _Z by the method eliminating contractor belonging to subgroups. In other words, if you do not want to exclude all the contractors belonging to the subgroup, the header is generated from the public key and the above-mentioned common information, but if you exclude all the contractors who belong to the subgroup, do not exclude all A header is generated using random number information instead of the public key used in the case.

When only a part of the contractors belonging to the sub group is excluded, 0 is output for the ID of the contractor that is not excluded, and the ID of the contractor that is excluded corresponds to the ID. M′-th order polynomial (hereinafter referred to as exclusion polynomial) F _Z (x) that outputs a value other than 0, and the above-mentioned common information, public key e, and each contractor have their IDs A distribution header is generated using information for calculating a corresponding point on F _Z (x). The distributor distributes the distribution header H _Z (z = 1,..., T) generated by the above methods and the ciphertext C obtained by encrypting the content M with the session key s.

The contractor first selects from the received distribution header H _Z (z = 1,..., T) the one corresponding to the subgroup to which the contractor belongs, and from now on, the distribution polynomial corresponding to the own ID A point on f _Z (x) is calculated in the exponent part of g. Next, using the personal secret key d _i and the random number information included in the distribution header, a point on the distribution polynomial f _Z (x) corresponding to its own ID is calculated in the exponent part of g, and the value calculated earlier The ratio of At this time, a contractor who belongs to a subgroup in which all members are not excluded can accurately calculate a point on the distribution polynomial f _Z (x) corresponding to the ID from the header in the exponent part of g. Therefore, the calculation result is the session key s, but the contractor who belongs to the subgroup from which all members are excluded determines the point on the distribution polynomial f _Z (x) corresponding to the ID from the header g When calculating in the exponent part, a part of the information for calculating a point on f _Z (x) corresponding to the contractor's own ID is replaced with random number information, so that an accurate value can be calculated. It becomes impossible to acquire the session key s.

If only a part of the contractors belong to the excluded subgroup, a point on the distribution polynomial f _Z (x) corresponding to its own ID is calculated in the exponent part of g from the header. At this time, due to the structure of the header, a point on F _Z (x) corresponding to its own ID is calculated at the same time. Here, if the contractor is not excluded, F _Z (x) = 0, and the session key s is obtained by obtaining the ratio of the calculation results as in the case where all the members belong to the subgroup not excluded. However, if it is excluded, F _Z (x) ≠ 0, and it becomes impossible to acquire the correct session key s.

  In this way, by eliminating subscribers in subgroup units and excluding some subscribers in subgroups, it is possible to determine whether the input header is a header for distribution or a header for tracking, and for tracking purposes. Black box tracking can be efficiently realized even for an illegal decoder having a function of trying to avoid tracking if it is determined to be a header.

  However, when a contractor is excluded at the time of normal content distribution, there are various restrictions, so that efficient content distribution cannot always be realized. In the method described in Patent Document 1, the header size and the amount of calculation required for header generation are most reduced because there is no contractor to be excluded or the contractor can be excluded only in subgroup units. This is the case. However, when considering realistic content distribution, some contracts within the subgroup, such as the withdrawal of contractors due to the legitimate cancellation of contracts, viewing restrictions due to unpaid fees, etc., as well as the exclusion of contractors who are considered fraudulent In such a case, it is necessary to exclude only some contractors who belong to the subgroup.

In this case, it is necessary to generate the exclusion polynomial F _Z (x) based on the ID of the contractor that is not excluded, and the smaller the number of contractors that are not excluded, the lower the order m ′ of the exclusion polynomial. There is a problem that the value of becomes large and the header size and the calculation amount become very large. In addition, once a subgroup is confirmed, it cannot be changed dynamically. Therefore, if some contractors in the subgroup are removed, the subgroup is included in the subgroup. Unless all contractors are excluded, it is always necessary to exclude only some of the contractors. Therefore, in actual content distribution that frequently realizes exclusion of the contractor, such as withdrawal of the contractor, there is a problem that the cost of the header size and the calculation amount at the time of distribution is very high.
JP 2005-236963 A M. Yoshida, T. Fujiwara, "A Subscriber-Excluding and Traitor-Tracing Broadcast Distribution System," IEICE Trans. Fundamentals, vol. E84-A, No. 1, pp.247--255, 2001. T. Matsushita, "A Flexibly Revocable Key-Distribution Scheme for Efficient Black-Box Tracing," ICICS '02, LNCS 2513, Springer Verlag, pp.197--208, 2002.

  The present invention has been made in view of the above-described problems, and is illegal as a configuration for generating and providing a header that can prevent acquisition of a content decryption key by an excluded user in content distribution and use processing. An object of the present invention is to provide an information processing apparatus, an information processing method, and a computer program that prevent content use and reduce the header size and header generation calculation amount to realize efficient content distribution and use.

The first aspect of the present invention is:
An information processing device,
A data processing unit that executes generation processing of header information including decryption key information applied to decryption of the encrypted content;
The data processing unit
It is a configuration that executes header information generation processing that enables acquisition of the decryption key information only when user-specific information held by a non-excluded user other than the excluded user is applied among user-specific information held by the user device ,
Out of the user IDs included in the user-specific information, 0 is output when an excluded user ID corresponding to an excluded user is assigned, and each ID is assigned when a non-excluded user ID corresponding to a non-excluded user is assigned. An information processing apparatus is characterized in that it performs a generation process of header information including a decryption key calculation formula to which a polynomial F (x) that outputs different values is applied.

Furthermore, in an embodiment of the information processing apparatus of the present invention, the data processing unit includes m pieces of information [h _1,0 ,... For calculating points on F (x) corresponding to the user ID. , H _{1, m} ] and the excluded user ID [x ₁ ,..., X _m ], the header information generation process is executed, and the user ID as user specific information held on the user device side; The decryption key information can be obtained only by a non-exclusion user based on a calculation process using the personal secret key and the exclusion user ID [x ₁ ,..., X _m ] included in the header information. The header information generation process is executed.

  Furthermore, in an embodiment of the information processing apparatus of the present invention, the data processing unit further applies arithmetic processing that applies public key information corresponding to a management center that can be acquired on the user device side, and random number information included in the header. On the basis of the above, the header information generation process that enables the decryption key information to be obtained only by non-excluded users is performed.

Furthermore, in an embodiment of the information processing apparatus of the present invention, the data processing unit is configured to generate the decryption key information as a session key s,
p: a large prime number modulo the multiplicative group,
Z _p ^* : a multiplicative group, a set of integers that are relatively prime to Z _p and p,
q: a prime number satisfying q | (p−1) and q> n + k + 1,
g: q root of 1 on Z _p ^*
As a setting of the session key s
s = g ^r modp
The header information generation process is configured to include the polynomial F (x) in the session key s calculation formula.

Furthermore, in an embodiment of the information processing apparatus according to the present invention, the data processing unit uses an inverse element of an expression [F (x) / r] to which the polynomial F (x) is applied as a calculation expression of the session key s. [(F (x) / r) ⁻¹ ] is the session key s calculation formula,
s = g ^r modp
The configuration is such that a session key calculation formula set as a constituent element of the exponent part r is generated.

Furthermore, in one embodiment of the information processing apparatus of the present invention, the data processing unit includes, as configuration data of the exponent part r,
U _i ,
Excluded user IDs corresponding to the excluded users are x ₁ to x _m ,
When
{(U _i -x ₁ ) ... (u _i -x _m )} ^-1 = {(F (x) / r) ^-1 }
It is the structure which produces | generates the session key calculation formula which satisfies these relational expressions.

  Furthermore, in an embodiment of the information processing apparatus of the present invention, the information processing apparatus further includes a communication unit that executes transmission processing of the header information and the encrypted content.

Furthermore, the second aspect of the present invention provides
An information processing device,
A storage unit storing a user ID and a personal secret key;
Acquisition of the decryption key information by inputting header information including decryption key information applied to decryption of the encrypted content, and executing data processing to which the user ID and personal secret key are applied to the header information A data processing unit for executing processing,
The data processing unit
A polynomial F (x) that outputs 0 when the excluded user ID corresponding to the excluded user is substituted, and outputs a different value corresponding to each ID when the non-excluded user ID corresponding to the non-excluded user is substituted. The information processing apparatus is configured to execute a data process to which the user ID and the personal secret key are applied to the header information included therein, and execute the acquisition process of the decryption key information.

Furthermore, in an embodiment of the information processing apparatus of the present invention, the data processing unit includes the header information as
_M pieces of information [h _1,0 , ..., h _{1, m} ] for calculating a point on F (x) corresponding to the user ID;
Excluded user ID [x ₁ , ..., x _m ],
The decryption key is input based on a calculation process in which the header information including the user ID, the personal secret key, and the excluded user IDs [x ₁ ,..., X _m ] included in the header information are applied. The information acquisition process is configured to be executed.

  Furthermore, in an embodiment of the information processing apparatus of the present invention, the data processing unit further includes the decryption key based on a calculation process applying public key information corresponding to a management center and random number information included in the header. The information acquisition process is configured to be executed.

Furthermore, in one embodiment of the information processing apparatus of the present invention, the data processing unit is configured to calculate a session key s that is the decryption key information,
p: a large prime number modulo the multiplicative group,
Z _p ^* : a multiplicative group, a set of integers that are relatively prime to Z _p and p,
q: a prime number satisfying q | (p−1) and q> n + k + 1,
g: q root of 1 on Z _p ^*
In the setting of, the session key s is expressed by the following calculation formula:
s = g ^r modp
Is calculated according to
In the calculation process of the session key s, an operation to which the polynomial F (x) is applied is executed.

Furthermore, in one embodiment of the information processing apparatus of the present invention, the data processing unit is
The session key s calculation formula,
s = g ^r modp
As the calculation process of the exponent part r, the calculation of the inverse element [(F (x) / r) ⁻¹ ] of the formula [F (x) / r] to which the polynomial F (x) is applied is performed. It is characterized by.

Furthermore, in one embodiment of the information processing apparatus of the present invention, the formula [(F (x) / r) ⁻¹ ] is
U _i , the user ID stored in the storage unit,
Excluded user IDs corresponding to the excluded users are x ₁ to x _m ,
When
{(F (x) / r) ⁻¹ } = {(u _i −x ₁ )... (U _i −x _m )} ⁻¹
Satisfy the relationship
The data processing unit
Substituting the user ID: u _i stored in the storage unit into the above expression {(u _i −x ₁ )... (U _i −x _m )} ⁻¹ , and {(F (x) / r) ^{− 1} } is executed. The calculation process of ¹ } is performed.

Furthermore, the third aspect of the present invention provides
A content distribution system,
In the content distribution side device,
0 is output when the exclusion user ID corresponding to the exclusion user is substituted in the user ID included in the user-specific information held by the content receiving device as header information including the decryption key information applied to decryption of the encrypted content When a non-exclusion user ID corresponding to a non-exclusion user is substituted, a header information generation process including a polynomial F (x) that outputs a different value corresponding to each ID is executed, and the generation header information and encryption are executed. Providing content to the content receiving device,
In the content receiving device,
For the header information including the polynomial F (x), data processing using a user ID and a private secret key is executed, and a value other than 0 obtained by applying the polynomial F (x) is used. In the content distribution system, the decryption key information acquisition process is executed, and the acquired decryption key is applied to execute the decryption process of the encrypted content.

Furthermore, the fourth aspect of the present invention provides
An information processing method for executing generation processing of header information including decryption key information applied to decryption of encrypted content in an information processing device,
In the data processor
There is a header information generation step for generating header information that enables acquisition of the decryption key information only when user specific information held by a non-excluded user other than the excluded user is applied among user specific information held by the user device. And
The header information generation step executed in the data processing unit includes:
Out of the user IDs included in the user-specific information, 0 is output when an excluded user ID corresponding to an excluded user is assigned, and each ID is assigned when a non-excluded user ID corresponding to a non-excluded user is assigned. The information processing method is characterized in that it is a step of executing generation processing of header information having a decryption key calculation formula including a polynomial F (x) that outputs different values.

Furthermore, the fifth aspect of the present invention provides
An information processing method for executing processing for acquiring decryption key information of encrypted content from header information in an information processing device,
In the data processor
A header information processing step of inputting the header information, executing a data process in which the user ID and the personal secret key acquired from the storage unit are applied to the header information, and executing the process of acquiring the decryption key information; Have
The header information processing step executed in the data processing unit includes:
A polynomial F (x) that outputs 0 when the excluded user ID corresponding to the excluded user is substituted, and outputs a different value corresponding to each ID when the non-excluded user ID corresponding to the non-excluded user is substituted. The information processing method is a step of executing a data process to which the user ID and the private secret key are applied to the header information including the header information, and executing the acquisition process of the decryption key information.

Furthermore, the sixth aspect of the present invention provides
A computer program that executes generation processing of header information including decryption key information applied to decryption of encrypted content in an information processing device,
In the data processor
There is a header information generation step for generating header information that enables acquisition of the decryption key information only when user specific information held by a non-excluded user other than the excluded user is applied among user specific information held by the user device. And
The header information generation step to be executed in the data processing unit includes:
Out of the user IDs included in the user-specific information, 0 is output when an excluded user ID corresponding to an excluded user is assigned, and each ID is assigned when a non-excluded user ID corresponding to a non-excluded user is assigned. The present invention resides in a computer program characterized in that it is a step of executing generation processing of header information having a decryption key calculation formula including a polynomial F (x) that outputs different values.

Furthermore, the seventh aspect of the present invention provides
A computer program for executing processing for acquiring decryption key information of encrypted content from header information in an information processing device,
In the data processor
A header information processing step of inputting the header information, executing data processing to which the user ID and the personal secret key acquired from the storage unit are applied to the header information, and executing the acquisition processing of the decryption key information; Have
The header information processing step to be executed in the data processing unit includes:
A polynomial F (x) that outputs 0 when the excluded user ID corresponding to the excluded user is substituted, and outputs a different value corresponding to each ID when the non-excluded user ID corresponding to the non-excluded user is substituted. The computer program is a step of executing a data process to which the user ID and the personal secret key are applied to the header information including the header information to execute the acquisition process of the decryption key information.

  The computer program of the present invention is, for example, a storage medium or communication medium provided in a computer-readable format to a general-purpose computer system capable of executing various program codes, such as a CD, FD, MO, etc. Or a computer program that can be provided by a communication medium such as a network. By providing such a program in a computer-readable format, processing corresponding to the program is realized on the computer system.

  Other objects, features, and advantages of the present invention will become apparent from a more detailed description based on embodiments of the present invention described later and the accompanying drawings. In this specification, the system is a logical set configuration of a plurality of devices, and is not limited to one in which the devices of each configuration are in the same casing.

  According to the configuration of one embodiment of the present invention, in the content distribution and use process, a header that can prevent the content decryption key from being acquired by the excluded user is generated and provided to the user. In addition to being prevented, the header size and header generation calculation amount are reduced, and efficient content distribution and use are realized. That is, after a user as a content user is made into a single group, 0 is output for the excluded contractor ID, and a different value is output for each other contractor ID. A header including a session key calculation formula using is configured. With the header configuration of the present invention, the header size at the time of content distribution and the amount of calculation required at the time of header generation are reduced, and in the session key acquisition process on the content user side, the exclusion user's key acquisition is surely prevented. be able to.

Details of the information processing apparatus, the information processing method, and the computer program of the present invention will be described below with reference to the drawings. The description will be made in the order of the following items.
1. 1. Outline and features of the present invention 2. System configuration and symbol definition applicable to the configuration of the present invention Details of content distribution and black box tracking processing based on subgroup settings (3.1) Key generation processing,
(3.2) Content encryption processing,
(3.3) Content decryption processing,
(3.4) Black box tracking processing (3.5) Verification of problems in processing based on subgroup setting Details of content distribution and black box tracking processing according to the present invention (4.1) Key generation processing,
(4.2) Content encryption processing,
(4.3) Content decryption processing,
(4.4) Black box tracking process Differences between processing according to the present invention and conventional processing and advantages of processing according to the present invention (5.1) Comparison of key generation phases (5.2) Comparison of encryption and decryption phases (5.3) Black box 5. Comparison of tracking phases (5.4) Advantages of processing of the present invention Configuration example of information processing device

[1. Outline and Features of the Present Invention]
The present invention is a configuration that enables efficient and reliable content distribution and illegal person tracking in a content distribution processing configuration using a public key cryptosystem. A system administrator (center) provides a user key (individual secret key) to the contractor in advance, and a ciphertext C (encrypted content) obtained by encrypting the content M with the session key s when distributing the content; A header h obtained by encrypting the session key s is distributed. The header h can obtain the session key s by decryption with a user key (personal private key) held only by the contractor. With this processing configuration, only the contractor can acquire the content M.

  In such a content distribution system, a user key (individual secret key) held by a contractor is revealed intentionally or negligently, and an illegal decryptor that performs the same operation as a regular decryptor that is a regular user device can be generated. .

The present invention improves the efficiency of header generation in content distribution processing, reduces the content decryption processing during content usage, and ensures reliable and efficient tracking of unauthorized persons to eliminate unauthorized content usage by an unauthorized decoder Realize. First, features of the processing of the present invention will be described. The present invention has the following features.
(1) Treating a set of subscribers as content recipients as a single group (2) Contracting more than k people by using m (≧ k) degree exclusion polynomials separately from k order distribution polynomials (3) The center (management center) forms a k-th order distribution polynomial to generate a private secret key and public key. (4) Distributor in order to exclude specific subscribers. (Content distributor) constructs an m-th order exclusion polynomial for each distribution. (5) The distributor outputs 0 for the contractor ID to be excluded, and 0 for other contractor IDs. (6) By constructing the exclusion polynomial as shown in (4), the existing method (the above-mentioned Patent Document 1: Japanese Patent Laid-Open No. 2005-236963) is configured. Compared to the processing configuration of the publication) (7) By configuring the elimination polynomial as shown in (4), the existing method (Japanese Patent Laid-Open No. 2005-236963) and Compared with this, the header size of the tracking header and the amount of calculation required for header generation can be reduced.

[2. System configuration and symbol definition applicable to the configuration of the present invention]
Next, preconditions and symbol definitions of the configuration of the present invention will be described. The present invention provides a content distribution processing configuration using a public key cryptosystem, content distribution based on efficient header generation, content decryption based on session key acquisition based on efficient header processing, and efficient and reliable unauthorized persons. Follow up. The content is provided to the unspecified majority from the distributor as encrypted content, but the encrypted content is only used when the private secret key distributed to the user (contractor) who has a specific content usage right is used. It is possible to decrypt and use the content.

  For example, a fraudulent decoder is generated by taking out a legitimate personal secret key from a legitimate information processing apparatus and storing the personal secret key generated by a copy process or the like in another information processing apparatus. In other words, an unauthorized decryption device is an information processing apparatus that stores an unauthorized private secret key.

  In the unauthorized decryptor, by executing the same process as that of the regular decryptor (information processing apparatus), it is possible to process the data provided by the content distributor and decrypt the encrypted content. In addition, as a configuration of the illegal decoder, in addition to a configuration having one illegal personal secret key generated by illegal copying, a plurality of different personal secret keys are copied and held, and a plurality of different personal secret keys are selected. Various devices are conceivable, such as a device that performs a decoding operation by using it and determines whether or not illegal person tracking is performed based on the result and makes black box tracking difficult.

  Furthermore, the personal secret key is not only configured to be stored directly in the memory of the information processing apparatus that performs decryption and reproduction of the content, but also distributed as a file stored in a storage medium such as a disk different from the information processing apparatus. There is also a configuration in which personal secret key data is distributed by a magnetic card or the like. In such a key distribution configuration, an illegal decryptor using a personal secret key can be easily generated by copying a file storing the personal secret key or a magnetic card. The present invention enables efficient and reliable tracking for such illegal decoders.

The definition of each symbol used in the following description is as follows.
n: contractor of the total number n _Z: the number of subscribers belonging to the divided z-th subgroup U: the set of values that is uniquely assigned to subscribers across and contractor U _Z: divided z-th subgroup And a set of values uniquely assigned to the contractors belonging thereto l (el): the total number of excluded contractors l _Z (elzet): the number of excluded contractors belonging to the divided z-th subgroup p: a large prime number modulo the multiplicative group Z _p ^* : a set of integers that are multiplicative and mutually prime with Z _p and p q: prime number satisfying q | (p−1) and q> n + k + 1 g: Z _p ^* 1 q root u _{i above} : ID of i-th contractor
e: system public key d _i : personal secret key of i-th contractor M: unencrypted content (plaintext)
s: Session key C: Ciphertext (encrypted content) when plaintext M is encrypted with session key s
E _S (M): Encryption with plaintext M key s D _S (C): Decryption with ciphertext C key s H or h: Header, including encrypted session key s

  The contractor is a user who is permitted to use the content provided by the content distributor, and is a user who is provided with a regular personal secret key. However, the excluded contractor is not allowed to use the content. The contractor permitted to use the content can obtain the session key s by processing the header h received from the content distributor by applying a personal secret key held by the subscriber h. Can be applied to decrypt the ciphertext C to obtain the content (plaintext M). On the other hand, an excluded contractor whose use of the content is not permitted cannot obtain the session key s even if the header h received from the content distributor is processed by applying a personal secret key held by the header h. Therefore, the ciphertext C to which the session key s is applied cannot be decrypted, and the content (plaintext M) cannot be acquired. The content distributor generates a header corresponding to the exclusion contractor and distributes the header together with the ciphertext.

[3. Details of content distribution and black box tracking process based on subgroup settings]
First, details of content distribution and black box tracking processing based on subgroup settings will be described. Here, content distribution and black box tracking processing described in Patent Document 1 (Japanese Patent Laid-Open No. 2005-236963) described briefly above will be described.

  In the content distribution and black box tracking processing described in Patent Document 1 (Japanese Patent Laid-Open No. 2005-236963), all contractors are divided into a plurality of subgroups, and individual contractor exclusion is realized in units of subgroups. It is a configuration.

As an aspect of individual contractor exclusion executed on a sub-group basis,
a. All contractors included in subgroups are not excluded b. All contractors included in the subgroup are excluded c. Only a part of the contractors included in the subgroup is excluded. There are these aspects of a to c, and each subgroup is classified into any one of the above a to c.

Content distribution and black box tracking processing described in Patent Document 1 (Japanese Patent Laid-Open No. 2005-236963)
Key generation processing,
Content encryption processing,
It consists of four phases: content decryption processing and black box tracking processing. The key generation phase is executed only once by the center when the system is configured, the encryption phase is executed by the content distributor, and the decryption phase is executed by the contractor as the content user for each content distribution. The black box tracking phase is executed by the verifier at the time when fraud is detected. The verifier is usually the center, but since no secret information is required, it may be a third party other than the center. Hereinafter, the processing of each phase will be described.

(3.1) Key generation processing The key generation processing is executed by a center that is an administrator of the content distribution system. The center executes processing according to the flowchart shown in FIG. 5 to generate the individual private key and public key of each contractor.

The processing of each processing step in the flowchart shown in FIG. 5 is as follows.
STEP01: Select a prime number q satisfying large prime numbers p and q | (p−1) and q> n + k + 1. (However, the total number of subscribers is n and the security parameter is k)
STEP 02: Select a qth root g of 1 on the multiplicative group Z _p ^* .
STEP 03: Select individual values u _i εZ _q ^* for all subscribers i (i = 1,..., N).
STEP 04: The contractor ID set U is divided into _t subgroups U ₁ ,..., U _t having no common set.
STEP 05: k + t + 1 values a ₀ , a ₁ ,..., A _k , b ₁ ,..., B _t ∈Z _q ^*, which are the secret keys of the center, are randomly selected and distributed as follows: The polynomial f _Z (x) (z = 1,..., T) is constructed.

とする。 STEP 06: For all contractors i (i = 1,..., N), the contractor i uses the distribution polynomial f _Z (x) corresponding to the subgroup U _Z to which the contractor i belongs. The private secret key d _i is calculated as follows and distributed using a secure communication path.
di = (u _i , f _Z (u _i ))
STEP 07: The public key e is configured and disclosed as follows.
e = (p, q, g, y ₀ , ₀ , y ₀ , ₁ , ..., y _{0, k} , y ₁ , ₁ , ..., y _{1, t} )
However,

And

By the key generation by this center, as shown in FIG. 6, the individual secret key di = (u _i , f _Z (u _i )) is provided to each contractor i (i = 1,..., N). Will be.

(3.2) Content encryption processing,
Next, the encryption process of the content provided to the contractor will be described. In the configuration described in Patent Document 1 (Japanese Patent Laid-Open No. 2005-236963), a set of contractors is divided into a plurality of subgroups, and a different distribution polynomial is applied to each of the subgroups. The elimination of contractors is realized. For example, subgroups 1 to t shown in FIG.

As shown in FIG. 7, the content distributor sends the encrypted content C and the contractor having the personal secret key di = (u _i , f _Z (u _i )) generated in the above key generation process. Then, a distribution header h corresponding to each subgroup is generated and distributed.

  The header h is information including the encrypted data of the session key s applied to the decryption process of the encrypted content C, and the session key s is obtained by the decryption process using the personal secret key possessed by the contractor permitted to use the content. It can be set as possible. Therefore, the method for generating the header h differs depending on the setting of the content use excluder.

  A generation process and transmission sequence of data (encrypted content C and distribution header h) to be provided to the contractor will be described with reference to flowcharts shown in FIGS.

FIG. 8 is a flowchart showing the entire sequence of the generation process and transmission process of data (encrypted content C and distribution header h) provided to the contractor, and FIG. 9 shows step 15 in the process flow shown in FIG. -A, FIG. 10 is a flowchart showing the detailed sequence in step 15-b in the processing flow shown in FIG. 8, and FIG. 11 is step 15-c in the processing flow shown in FIG.
Step 15-a (FIG. 9) is a process in the case where all the contractors included in the subgroup are not excluded,
Step 15-b (FIG. 10) is a process when all the contractors included in the subgroup are excluded,
Step 15-c (FIG. 11) is processing when only a part of the contractors included in the subgroup is excluded,
It corresponds to each of the above processes.

  First, generation processing and transmission sequence of data (encrypted content C and distribution header h) provided to the contractor will be described with reference to the flowchart shown in FIG. The processing executed in each processing step of the flowchart shown in FIG. 8 is as follows.

を計算するために必要となる情報を以下のように計算する。

STEP 11: A session key sεZ _q ^* and a random number rεZ _q ^* are selected at random.
STEP12: Header corresponding to each subgroup U _Z (z = 1,..., T)

Information necessary for calculating is calculated as follows.

STEP 13: Set z = 0.
STEP14: z + 1 is substituted for z.
STEP15:
If not the subscriber included in the subgroup _{U Z} and all excluded performs STEP 15-a.
If you all eliminated contractor included in the subgroup _{U Z} performs STEP 15-b.
If to eliminate only part of the subscriber included in the subgroup _{U Z} performs STEP 15-c.
STEP16: If z = t, go to STEP17. Otherwise, return to STEP14.
STEP 17: Generate a ciphertext C from the content M and the session key s, that is, encrypt the content M with the session key s to generate a ciphertext C = E _S (M), and a header H corresponding to each subgroup _1, ..., to deliver along with the _{H t.}

  In this processing example, in STEP 15, the header generation method varies depending on the contractor exclusion form included in the subgroup. Hereinafter, with reference to FIG. 9 to FIG. 11, a header generation method for each contractor exclusion form will be described.

a. When all the contractors included in the subgroup are not excluded A distribution header generation method when all the contractors included in the subgroup are not excluded will be described with reference to the flowchart shown in FIG. The processing of the steps in the flow shown in FIG. 9 is as follows.
STEP15-a1:

  When all the contractors included in the subgroup are not excluded, the header generated in step 15-a1 is set as a header to be distributed to the contractors.

b. When All Contractors Included in Subgroups are Excluded Next, a distribution header generation method when all contractors included in a subgroup are excluded will be described with reference to the flowchart shown in FIG. The processing of the steps in the flow shown in FIG. 10 is as follows.
STEP15-b1: randomly selects _{r Z} ∈Z _q ^*.
STEP15-b2:

  When all the contractors included in the subgroup are excluded, the header generated in steps 15-b1 and b2 is set as a header to be distributed to the contractors.

を選択する。
ＳＴＥＰ１５−ｃ２：排除されないｎ_Ｚ−ｌ_Ｚ人の契約者に対して、ｄ_Ｚ、ｍ_Ｚを以下のように計算する。

c. When only a part of the contractors included in the subgroup is excluded Next, refer to the flowchart shown in FIG. 11 for the distribution header generation method when only a part of the contractors included in the subgroup is excluded. To explain. The processing of the steps in the flow shown in FIG. 11 is as follows.
STEP 15-c1: n _Z -1 _Z subscriber IDs not excluded

Select.
STEP 15-c2: against _n Z -l _Z's subscribers not _eliminated, calculates d Z, a _{m Z} as follows.

_STEP15-c3: proceed to the _{n Z} -l _{Z <m Z} if STEP15-c4. Otherwise, go to STEP15-c5.

をランダムに選択する。
ＳＴＥＰ１５−ｃ５：ｃ_０＝１とし、以下の式を満たす

を計算し、以下に示すＦ_Ｚ（ｘ）を排除用多項式とする。

STEP15-c4:

Select at random.
STEP15-c5: c ₀ = 1 and satisfy the following formula

And the following F _Z (x) is set as an elimination polynomial.

を計算する。 STEP 15-c6: randomly select r _Z ∈ _{Z q} ^*

Calculate

STEP 15-c7: m _Z +1 pieces of information for calculating a point on F _Z (x) corresponding to the contractor's own ID in the exponent part of g

  When only a part of the contractors included in the subgroup is excluded, the header generated in steps 15-c1 to c7 is set as a header to be distributed to the contractors.

(3.3) Content Decryption Processing Next, content decryption processing executed by the contractor who has received the ciphertext C and the header h from the content distributor will be described with reference to the flowchart shown in FIG. The processing of the steps in the flow shown in FIG. 12 is as follows.

STEP 21: The contractor i acquires the session key s from the header H _Z corresponding to the subgroup U _{Z in which} it is included as follows. However, the exclusion form of the contractor included in the subgroup U _Z is
a. If all sub-group contractors are not excluded, or
b. When all the contractors included in the subgroup are excluded When these are a and b, m _Z = k and d _Z = 0.

STEP 22: The plaintext M is decrypted as follows using the session key s.
M = D _S (C)

  As described above with reference to the flowcharts of FIGS. 8 to 11, in STEP 15 of the encryption phase, a distribution header is created according to the contractor exclusion form included in the subgroup. However, in the decryption phase, it is possible to acquire a correct session key if it is not excluded by executing STEP 21 in the decryption phase without confirming whether or not itself is excluded including subgroups. Become. Hereinafter, a calculation sequence for calculating the session key s in STEP 21 in the decryption phase that varies depending on the form of contractor exclusion will be described.

a. When all contractors included in the subgroup are not excluded First, the session key s calculation process of STEP 21 when all the contractors included in the subgroup are not excluded will be described.

As described above with reference to FIGS. 8 and 9, [a. The structure of the distribution header in the case where all the contractors included in the subgroup are not excluded is as follows.

Accordingly, the session key s calculation processing operation of STEP 21 in the decryption phase is as follows.

By the arithmetic processing, the contractor included in the subgroup U _Z becomes possible to obtain the correct session key based on the header.

b. Case where all contractors included in a subgroup are excluded Next, the session key s calculation process of STEP 21 when all contractors included in a subgroup are excluded will be described.

As described above with reference to FIGS. 8 and 10, [b. The structure of the distribution header in the case where all the contractors included in the subgroup are excluded is as follows.

Accordingly, the session key s calculation processing operation of STEP 21 in the decryption phase is as follows.

であった部分が、［ｂ．サブグループに含まれる契約者が全員排除される場合］のセッション鍵ｓ算出処理演算式では、ランダムな値によって生成された

に置き換えられている。このため、サブグループＵ_Ｚに含まれる契約者は、分子におけるｇの指数部がｒｆ_Ｚ（ｕ_ｉ）とならないため、正しいセッション鍵ｓを取得することが不可能となり、結果としてサブグループＵ_Ｚに含まれる契約者全員を排除可能となる。 In the above equation, [a. Compared with the session key s calculation processing formula in the case where all the contractors included in the subgroup are not excluded]

The part that was The session key s calculation processing formula in the case where all the contractors included in the subgroup are excluded] is generated with a random value.

Has been replaced. For this reason, the contractors included in the subgroup U _Z cannot obtain the correct session key s because the exponent part of g in the numerator is not rf _Z (u _i ), and as a result, the subgroup U _Z It becomes possible to exclude all the contractors included in.

c. Case where only a part of the contractors included in the subgroup is excluded Next, the session key s calculation process of STEP 21 when only a part of the contractors included in the subgroup is excluded will be described.

As described above with reference to FIGS. 8 and 11, [c. The structure of the distribution header in the case where only a part of the contractors included in the subgroup is excluded is as follows.

Accordingly, the session key s calculation processing operation of STEP 21 in the decryption phase is as follows.

Here, if the i-th contractor u _i is not excluded, F _Z (u _i ) = 0, and the session key s can be acquired, but the i-th contractor u _i is excluded. In this case, F _Z (u _i ) ≠ 0, and the session key s cannot be acquired. As a result, part of the contractors included in the subgroup can acquire the session key s, and part of the contractor cannot acquire the session key s.

(3.4) Black Box Tracking Process Next, the black box tracking process in the above processing example will be described. In the content distribution system described above, the user key (personal secret key) held by the contractor is revealed intentionally or negligently, and an illegal decryptor that performs the same operation as a regular decryptor that is a regular user device can be generated. There is a possibility that the session key s is illegally acquired by the illegal decryptor and the content is illegally used. A black box tracking process is performed as an unauthorized person tracking process for eliminating such unauthorized use of content by an unauthorized decoder.

  The verifier generates a tracking header from the public key e and the contractor ID, and inputs this and the ciphertext to the unauthorized decryptor. Further, the output of the unauthorized decoder is acquired, and the ID of the unauthorized person is specified from the result. A black box tracking processing sequence executed by the verifier will be described with reference to a flowchart shown in FIG. The processing of each step in the flowchart shown in FIG. 13 is as follows.

STEP 31: j = 1.
STEP 32: Select suspect j's ID: u _j from U.
STEP 33: For the subgroup to which the suspect j belongs, a header excluding only the suspect j is generated, and for the other subgroups, the exclusion form is [a. Header for all subscribers in a subgroup are not excluded].
STEP 34: The header generated in STEP 33 is used as a tracking header, and is input to the illegal decryptor together with the ciphertext C.
STEP 35: Obtain M ′ that is an output from the illegal decoder.
STEP 36: If M ′ ≠ M, proceed to STEP 37. Otherwise, go to STEP38.
STEP 37: The suspect j is identified as an unauthorized person.
STEP38: j + 1 is substituted for j.
STEP39: If j = n + 1, the process is completed. Otherwise, return to STEP32.
By the above process, an unauthorized person can be identified without directly extracting a key from the unauthorized decryptor.

(3.5) Verification of problems in processing based on subgroup setting Next, problems in processing based on the above-described subgroup setting will be verified. In the content distribution system described above, first, a set of contractors is divided into a plurality of subgroups in STEP 04 of the key generation phase described with reference to the flowchart shown in FIG. Is generated. Further, in STEP 06, the individual secret key corresponding to the subgroup to which the contractor belongs is secretly distributed to each contractor.

  At the time of content distribution, as described with reference to the flowchart shown in FIG. 8, after generating common information in STEP 12, a distribution header corresponding to the exclusion form of each subgroup is generated in STEP 15.

Here, the exclusion form of the contractor, that is,
a. All contractors included in subgroups are not excluded b. All contractors included in the subgroup are excluded c. Only a part of the contractors included in the subgroup is excluded. In each of these cases, the header size required and the amount of calculation required for header generation are verified.

のうち、図９に示すフローを参照して説明したように、ｈ_ｇ（Ｚ）に対応する情報のみを、

に置き換えるため、あるサブグループＵ_Ｚがａである場合、Ｕ_Ｚに対応するヘッダＨ_Ｚのヘッダサイズは（ｋ＋２）ｌｏｇｐとなる。また、ヘッダ生成時に計算する必要のある情報は、

のみであるため、そのヘッダ生成時に必要となる計算量は、
Ｏ（ｌｏｇ^３ｐ）
となる。 a. When all the contractors included in the subgroup are not excluded When all the contractors included in the subgroup are not excluded, the common information generated in STEP 12 of the flowchart shown in FIG.

As described with reference to the flow shown in FIG. 9, only information corresponding to h _{g (Z)} is obtained.

Therefore, when a certain subgroup U _Z is a, the header size of the header H _Z corresponding to U _Z is (k + 2) logp. Also, the information that needs to be calculated when generating the header is

Therefore, the amount of calculation required when generating the header is
O (log ³ p)
It becomes.

のうち、図１０に示すフローを参照して説明したように、ｈ_ｇ（Ｚ）に対応する情報のみを、

に置き換えるが、これは、上記の［ａ．サブグループに含まれる契約者が全員排除されない］場合と同様であり、あるサブグループＵ_Ｚの排除形態が［ｂ．サブグループに含まれる契約者が全員排除される］場合、Ｕ_Ｚに対応するヘッダＨ_Ｚのヘッダサイズは（ｋ＋２）ｌｏｇｐ、ヘッダ生成時に必要となる計算量は、
Ｏ（ｌｏｇ^３ｐ）
となる。 b. When all the contractors included in the sub group are excluded When all the contractors included in the sub group are excluded, the common information generated in STEP 12 of the flowchart shown in FIG.

As described with reference to the flow shown in FIG. 10, only information corresponding to h _{g (Z)}

Which replaces the above [a. Contractor included in the sub-group is the same as that not all eliminated, eliminating the form of a subgroup U _Z is [b. If subscriber included in the sub-group are all eliminated, the header size of the header H _Z corresponding to U _Z is (k + 2) logp, the amount of computation required during header generation,
O (log ³ p)
It becomes.

を計算することが必要となる。 c. When only a part of the contractors included in the subgroup is excluded Finally, when only a part of the contractors included in the subgroup is excluded, as described above with reference to the flow of FIG. Then, after determining d _Z and m _Z in STEP 15-c2, calculate the elimination polynomial F _Z (x) corresponding to the subgroup in STEP 15-c5, and further belong to the subgroup in STEP 15-c7. If the contracting party to be excluded is excluded, a value corresponding to the contractor's ID is output, and if not excluded, information for outputting the session key

Need to be calculated.

Therefore, the header size is (m _Z +2) logp, and the amount of calculation required for header generation is
^{_{O (max (m Z log 3}} p, m Z 2 log 2 q))
It becomes. ^{_{Incidentally, O (max (m Z log}} 3 p, m Z 2 log 2 q)) represents a process of selecting the larger one of _O (m Z ^log 3 p) or ^{_{O (m Z 2 log 2 q}} ) ing.

As described above, in the content distribution processing based on the subgroup setting and the black box tracking processing according to the above-described Patent Document 1 (Japanese Patent Application Laid-Open No. 2005-236963), for the distribution corresponding to the subgroup depending on the subgroup exclusion mode. Although the header size of the header and the calculation amount required for header generation are different, it is necessary to simultaneously distribute the headers H ₁ ,..., H _Z and the ciphertext C for all the subgroups during distribution. Thus the header size H _1, ..., equal to the total size of the header H _Z, the amount of computation required during header generation H _1, ..., the largest of the calculated amount needed when H _Z product However, as described above, these values differ depending on the subgroup exclusion mode.

  Specifically, the header size and calculation amount required for each distribution are set to [c], that is, [c. The case where only a part of the contractors included in the subgroup is excluded] greatly differs depending on the number of contractors excluded in such a subgroup. Since it is impossible to describe all cases that these values can take, here, simply, the number of subgroups whose exclusion form is [c] is v (1 ≦ v ≦ t), and such sub It is assumed that the number of subscribers excluded in the group is l ′ (El ′).

Moreover, subscribers _{n 1} belonging to each subgroup, ..., a _{n Z} but is capable of with each different value, for _{simplicity, n '= n 1 = ···} = n Z Assume that the number of contractors belonging to each subgroup is equal. At this time, d ′ = d _Z and m ′ = m _Z. Based on the above process, calculating the header size required for each delivery,
Header size = {(t−v) (k + 2) + v (m ′ + 2)} logp
The amount of calculation required when generating the header is
O (max ((t−v) log ³ p, vm′log ³ p, vm ′ ² log ² q))
It becomes.

Here, the division number t and the security parameter k are values determined by the center in the key generation phase and are not changed thereafter. Therefore, the most significant influence during distribution is that the exclusion form [c. In the case where only a part of the contractors included in the subgroup is excluded], the number of subgroups v and the degree m ′ of the elimination polynomial F _Z (x) are obtained.

In the processing example with this subgroup setting, the exclusion polynomial F _Z (x) is output as 0 for the ID of the contractor who is not excluded, and the value for the ID of the excluded contractor. Since the value on F _Z (x) corresponding to is output, if the number of contractors excluded in the subgroup is small, the degree m ′ of the exclusion polynomial F _Z (x) increases. . Therefore, when there are a small number of excluded subscribers in a plurality of subgroups, both v and m ′ are large values, and both the header size and the calculation amount required for header generation are large. There is a problem of becoming a value.

In the black box tracking, it is necessary to generate a tracking header that excludes only one suspect. In this processing example, 0 is set for a contractor who cannot exclude the exclusion polynomial F _Z (x). Since it is configured to output, the header size of the tracking header and the amount of calculation required when generating the header also increase. In addition, since black box tracking is performed for all subscribers, the overall size of the header required to verify one suspect and the amount of computation required when generating the header is n times, which is illegal. There is a problem that it takes time to specify the person.

  As described above, in the present processing example with subgroup setting, the header size and the header generation are necessary except when there is no excluded contractor or when there is a fixed number of subgroups. There is a problem that the amount of calculation becomes large. This means that in content distribution, a very large amount of data is required for each distribution, and a great amount of calculations are required to create the data. Further, since more data and calculations are required in black box tracking, a very long processing time is required even when an unauthorized person is specified.

[4. Details of Content Distribution and Black Box Tracking Processing According to the Present Invention]
Next, details of content distribution and black box tracking processing according to the present invention for solving the above problems will be described. The features of the content distribution and black box tracking process of the present invention are as described above.
(1) Treating a set of subscribers who are content recipients as a single group (2) Contracting more than k people by using m (≧ k) degree exclusion polynomials in addition to k order distribution polynomials (3) The center constructs a k-th order distribution polynomial to generate a private secret key and public key. (4) In order to exclude a specific subscriber, (5) The distributor outputs 0 for the contractor ID to be excluded, and outputs different values other than 0 for the other contractor IDs. (6) By constructing the exclusion polynomial as shown in (4), compared to the existing method (the process described in Patent Document 1: Japanese Patent Laid-Open No. 2005-236963) Required for header size and header generation for delivery header (7) By configuring the elimination polynomial as in (4), the header size of the tracking header and the tracking header can be reduced as compared with the existing method (Japanese Patent Laid-Open No. 2005-236963). These features make it possible to reduce the amount of calculation required when generating headers.

Hereinafter, regarding content distribution and black box tracking processing according to the present invention,
(4.1) Key generation processing,
(4.2) Content encryption processing,
(4.3) Content decryption processing,
(4.4) Black box tracking process The black box tracking process will be described in order divided into these four process phases.

  The key generation phase is executed once by the center when the system is configured, the encryption phase is executed by the content distributor, and the decryption phase is executed by the contractor as the content user for each content distribution. The black box tracking phase is executed by the verifier at the time when fraud is detected. The verifier is usually a center, but since no secret information is necessary, it may be an arbitrary third party.

(4.1) Key generation processing,
The key generation process is executed by a center that is an administrator of the content distribution system. The center executes processing according to the flowchart shown in FIG. 14 to generate the individual private key and public key of each contractor.

The processing of each processing step in the flowchart shown in FIG. 14 is as follows.
STEP 41: Select a prime number q satisfying large prime numbers p and q | (p−1) and q> n + k + 1. (The total number of contractors is n, and the security parameter is k)
STEP 42: Select a q-th root g of 1 on the multiplicative group Z _p ^* .
STEP 43: k + 1 values a ₀ , a ₁ ,..., A _k ∈ Z _q ^* which are secret keys of the center are selected at random, and a distribution polynomial f (x) is configured as follows.
f (x) = a ₀ + a ₁ x +... + a _k x ^k modq
STEP 44: An individual value u _i εZ _q ^* is selected for the contractor i (i = 1,..., N), and the private secret key d _i is configured as follows.
d _i = (u _i , f (u _i ))

とする。 STEP45: contractor i (i = 1, ..., n) with respect to, a private secret key _{d i} be distributed using a secure communication channel.
STEP 46: The public key e is configured and disclosed as follows.
e = (p, q, g, y ₀ , y ₁ , ..., y _k )
However,

And

With this key generation by the center, as shown in FIG. 15, a private secret key di = (u _i , f (u _i )) is provided to each contractor i (i = 1,..., N). Will be. In the key generation phase according to the present invention, the main difference from the above processing example (Patent Document 1: the processing example described in Japanese Patent Laid-Open No. 2005-236963) is that the contractor is divided into a plurality of subgroups. It is whether or not.

In the processing example based on the above-described subgroup setting (Patent Document 1: processing example described in Japanese Patent Application Laid-Open No. 2005-236963), since the contractor is divided into a plurality of subgroups, a value corresponding to each subgroup. B _Z (z = 1,..., T) is generated, and these values are used to generate a different distribution polynomial f _Z (x) for each subgroup. In the key generation processing sequence according to the present invention according to the flowchart shown in FIG. 14, since the entire contractor is handled as one group, values corresponding to the respective subgroups as described above: b _Z (z = 1,... It is not necessary to generate t), and it is only necessary to generate a single distribution polynomial f (x). Therefore, the amount of calculation is reduced, and efficient key generation becomes possible.

(4.2) Content Encryption Processing Next, content encryption processing provided to the contractor will be described. In the processing example according to the present invention, the content distributor encrypts the private secret key di = (u _i , f (u _i )) generated in the above key generation processing as shown in FIG. Content C and a distribution header h corresponding to each subgroup are generated and distributed.

  The header h is information including the encrypted data of the session key s applied to the decryption process of the encrypted content C, and the session key s is obtained by the decryption process using the personal secret key possessed by the contractor permitted to use the content. The session key s cannot be obtained by the decryption process using the private secret key of the exclusion contractor. Therefore, the method for generating the header h differs depending on the setting of the content use excluder. The content distributor generates and distributes the header h and the ciphertext C according to the flowchart shown in FIG. With reference to the flowchart shown in FIG. 17, the generation process and transmission sequence of data (encrypted content C and distribution header h) provided to the contractor will be described.

  The process according to the flowchart shown in FIG. 17 is executed in the information processing apparatus of the content distributor. The specific hardware configuration of the information processing apparatus will be described later. Basically, the information processing apparatus of the content distributor has a CPU as a data processing unit, and follows the flowchart described below. This is an information processing apparatus having as constituent elements a program that describes a data processing sequence, a storage unit that stores parameters necessary for data processing, key information, and the like, a cryptographic processing unit, and a random number generation unit.

また、ｍ＝ｄ（ｋ＋１）＋ｋとする。 The processing executed in each processing step of the flowchart shown in FIG. 17 is the following processing.
STEP 51: Select a subscriber ID of an l person to be excluded: x ₁ ,..., X ₁ (x1 to xel (l)).
STEP 52: d and m are calculated as follows for l subscribers to be excluded.

Further, m = d (k + 1) + k.

をランダムに選択する。 STEP53: If l <m, proceed to STEP54. Otherwise, go to STEP55.
STEP54:

Select at random.

STEP 55: rεZ _q ^* is selected at random.
STEP 56: Calculate c ₀ ,..., C _m εZ _q ^* satisfying the following expression, and let F (x) be an exclusion polynomial.
F (x) = r (x−x ₁ )... (Xx _m ) modq = c ₀ + c ₁ x +... C _m x ^m modq = 0

STEP 57: R ₀ ,..., R _d εZ _q ^* are selected at random, and h _0,0 ,..., H _{0, d} are calculated as follows.

STEP58: m + 1 pieces of information for calculating a point on F (x) corresponding to the contractor's own ID in the exponent part of g h _1,0 ,..., H _{1, m} are calculated as follows: To do.

STEP 59: The session key s is calculated as follows, and the ciphertext C = E _S (M) is constructed.
s = g ^r modp
STEP 60: The header h is configured as follows and transmitted together with the ciphertext C.

The header h provided to the contractor is set as follows.
_{h = (x 1, ...,} x m, h 1,0, ..., h 1, m, h 0,0, ..., h 0, d)
That is,
_M pieces of information [h _1,0 , ..., h _{1, m} ] for the contractor to calculate a point on F (x) corresponding to his / her ID;
As information for constructing a polynomial having a ratio different from F (x), the ID [x ₁ ,..., X _m ] of the excluded contractor,
d + 1 random numbers [h _0,0 , ..., h _{0, d} ]
Is set to have.

Through the above-described processing, the encrypted content C and the distribution header h are generated and transmitted to the contractor. In the processing example based on the subgroup setting described above (Patent Document 1: Processing example described in Japanese Patent Laid-Open No. 2005-236963), for example, [c. In the case where only a part of the contractors included in the subgroup is excluded], the subscriber IDs that are not excluded in STEP15-c1 of the flow shown in FIG. 11 are selected, and these IDs are selected in STEP15-c5. For the other IDs, an exclusion polynomial F _Z (x) is generated so that different values corresponding to the IDs are output.

  On the other hand, in the processing example of the present invention, the contractor IDs to be excluded are selected in STEP 51 of the flow shown in FIG. 17, and 0 is output for these IDs in STEP 55, and the other IDs. For this, an exclusion polynomial F (x) that outputs different values corresponding to the IDs is generated.

Furthermore, the header generated in the processing example based on the above-described subgroup setting is a header composed of m _Z +1 pieces of information and random number information for the contractor to calculate a point on the exclusion polynomial corresponding to its own ID. However, in the present invention, the header h provided to the contractor is set as follows.
_{h = (x 1, ...,} x m, h 1,0, ..., h 1, m, h 0,0, ..., h 0, d)

That is, in the processing example in which the entire subscriber considered as a single group of the present invention, information about the ID of the subscriber to be eliminated _{[x 1, ..., x m} ] and subscribers correspond to its own ID exclusion m pieces of information to calculate a point on use polynomial _{[h 1,0, ..., h 1} , m], and d + 1 random numbers information _{[h 0,0, ..., h 0} , d ] Constitutes a header.

  Processing executed in the information processing apparatus on the content distribution side in the present invention will be described collectively. The information processing apparatus on the content distribution side has a data processing unit that executes a process of generating header information including decryption key information applied to decryption of the encrypted content, and is held by the user device on the contractor side in the data processing unit In the user specific information to be executed, header information generation processing that enables acquisition of the decryption key information is executed only when user specific information held by a non-excluded user other than the excluded user is applied. Specifically, among the user IDs included in the user-specific information, 0 is output when the excluded user ID corresponding to the excluded user is substituted, and each when the non-excluded user ID corresponding to the non-excluded user is substituted. A header information generation process including a decryption key calculation formula to which a polynomial F (x) that outputs different values corresponding to IDs is applied is executed.

That is, the data processing unit of the information processing apparatus on the content distribution side
_M pieces of information [h _1,0 , ..., h _{1, m} ] for calculating a point on F (x) corresponding to the user ID;
Excluded user ID [x ₁ , ..., x _m ],
Execute header information generation processing including
User ID as user-specific information held on the user device side on the contractor side, personal secret key, excluded user ID [x ₁ ,..., X _m ] included in the header information, and acquired on the user device side Based on the public key information corresponding to the possible management center and the calculation process using the random number information included in the header, a generation process of header information that enables only the non-exclusion user to acquire the decryption key information is executed.

Furthermore, specifically, the data processing unit of the information processing apparatus on the content distribution side is configured to generate the decryption key information as the session key s.
p: a large prime number modulo the multiplicative group,
Z _p ^* : a multiplicative group, a set of integers that are relatively prime to Z _p and p,
q: a prime number satisfying q | (p−1) and q> n + k + 1,
g: q root of 1 on Z _p ^*
As the setting of the session key s
s = g ^r modp
And the header information generation process configured to include the above-described polynomial F (x) in the session key s calculation formula is executed.

That is, the inverse element [(F (x) / r) ⁻¹ ] of the formula [F (x) / r] to which the polynomial F (x) is applied is ^{expressed as} an exponent part of the session key s calculation formula: s = g ^r modp A session key calculation formula for setting as a component of r is generated. Specifically, as the constituent data of the exponent part r,
U _i ,
Excluded user IDs corresponding to the excluded users are x ₁ to x _m ,
When
{(U _i -x ₁ ) ... (u _i -x _m )} ^-1 = {(F (x) / r) ^-1 }
A session key calculation formula that satisfies the relational expression is generated.

  The information processing apparatus on the content distribution side performs processing for transmitting the header information having such a configuration and the encrypted content to the user apparatus as a contractor via, for example, a communication unit.

(4.3) Content Decryption Processing Next, content decryption processing executed by the contractor who has received the ciphertext C and the header h from the content distributor will be described with reference to the flowchart shown in FIG.

  The process according to the flowchart shown in FIG. 18 is executed in an information processing apparatus of a contractor (user) as a content recipient. The specific hardware configuration of the information processing apparatus will be described later, but basically, the information processing apparatus of the contractor (user) has a CPU as a data processing unit, and is a flowchart described below. The information processing apparatus includes a program that describes a data processing sequence according to the above, a storage unit that stores parameters necessary for data processing, key information, an encryption processing unit, a random number generation unit, and the like as components. The storage unit stores various types of information applied to header information processing and content decryption, such as a user ID, personal secret key, and center public key.

The processing of the steps in the flow shown in FIG. 18 is as follows.
STEP 61: Private secret key d _i = (u _i , f (u _i ))
Header h = (x ₁ , ..., x _m , h _1,0 , ..., h _{1, m} , h _0,0 , ..., h _{0, d} ),
By applying the public key e = (p, q, g, y ₀ , y ₁ ,..., Y _k ), the session key s = g ^r modp is obtained by the following calculation.

STEP 62: The plaintext M is decrypted as follows using the session key s.
M = D _S (C)

  The contractor who has received the header and the ciphertext through the above processing acquires the session key s from the header, and acquires the content by decrypting the ciphertext C to which the acquired session key s is applied.

  In the processing example of the present invention, as described above with reference to FIG. 17, in the encryption phase, 0 is output for the ID of the contractor from which the exclusion polynomial F (x) is excluded, For different contractor IDs, different values corresponding to the IDs are output.

Furthermore, the header h provided to the contractor is set as follows as described above.
_{h = (x 1, ...,} x m, h 1,0, ..., h 1, m, h 0,0, ..., h 0, d)
That is,
_M pieces of information [h _1,0 , ..., h _{1, m} ] for the contractor to calculate a point on F (x) corresponding to his / her ID;
As information for forming a polynomial [F (x) / r] having a ratio different from that of F (x), the setting is made to have the excluded contractor IDs [x ₁ ,..., X _m ].

となりＳＴＥＰ６１における計算が不可能となり、セッション鍵ｓを取得することができない。 For this reason, the excluded contractor (u _i = x _{1 to} x _{1 (el)} ) has an exponent part of calculation in STEP 61,

Thus, the calculation in STEP 61 becomes impossible and the session key s cannot be acquired.

となるため、ＳＴＥＰ６１における計算が可能となり、正しいセッション鍵ｓを取得することができる。 On the other hand, non-excluded subscribers (u _i ≠ x _{1 to} x _{1 (el)} )

Therefore, calculation in STEP 61 becomes possible, and the correct session key s can be acquired.

  Processing executed in the information processing apparatus on the content receiving side in the present invention will be described collectively. The information processing apparatus on the content receiving side includes a storage unit storing a user ID and a personal secret key, and a data processing unit, and the data processing unit includes decryption key information applied to decryption of the encrypted content. The header information is input, the data processing in which the user ID and the personal secret key are applied to the header information is executed, and the decryption key information acquisition processing is executed. That is, the data processing unit outputs 0 when the excluded user ID corresponding to the excluded user is substituted, and outputs a different value corresponding to each ID when the non-excluded user ID corresponding to the non-excluded user is substituted. For the header information including the polynomial F (x) to be performed, the data processing using the user ID and the personal secret key is executed, and the decryption key information acquisition processing is executed.

Specifically, the data processing unit of the information processing apparatus on the user side that uses the content uses m pieces of information [h _1,0 ,... For calculating points on F (x) corresponding to the user ID. ., H _{1, m} ] and excluded user ID [x ₁ ,..., X _m ] are input, and the user ID, personal secret key, and excluded user ID [x included in the header information] ₁ ,..., X _m ], and further, decryption key information acquisition processing is executed based on arithmetic processing that applies public key information corresponding to the management center and random number information included in the header.

More specifically, the data processing unit of the information processing apparatus on the user side that uses the content is configured to calculate a session key s that is decryption key information.
p: a large prime number modulo the multiplicative group,
Z _p ^* : a multiplicative group, a set of integers that are relatively prime to Z _p and p,
q: a prime number satisfying q | (p−1) and q> n + k + 1,
g: q root of 1 on Z _p ^*
In the setting of, the session key s is calculated by the following formula:
s = g ^r modp
Calculate according to

In the process of calculating the session key s, an operation applying the polynomial F (x) is executed. That is, an inverse element [(F (x) / r) of the expression [F (x) / r] to which the polynomial F (x) is applied as the calculation process of the exponent part r of the session key s: s = g ^r modp ⁻¹ ] is executed. [(F (x) / r) ⁻¹ ] is
U _i , the user ID stored in the storage unit,
Excluded user IDs corresponding to the excluded users are x ₁ to x _m ,
When
{(F (x) / r) ⁻¹ } = {(u _i −x ₁ )... (U _i −x _m )} ⁻¹
The data processing unit of the information processing apparatus on the user side who uses the content uses the user ID: u _i stored in the storage unit as expressed by the above expression {(u _i −x ₁ ) (u _i −x _m )} ⁻¹ and the calculation process of {(F (x) / r) ⁻¹ } is executed.

  By this process, only the non-exclusion user can acquire the session key, and as a result, only the non-exclusion user who acquired the session key can decrypt the content by using the session key s and use the content.

(4.4) Black Box Tracking Process Next, the black box tracking process in the process example according to the present invention described above will be described. In the content distribution system described above, the user key (personal secret key) held by the contractor is revealed intentionally or negligently, and an illegal decryptor that performs the same operation as a regular decryptor that is a regular user device can be generated. There is a possibility that the session key s is illegally acquired by the illegal decryptor and the content is illegally used. A black box tracking process is performed as an unauthorized person tracking process for eliminating such unauthorized use of content by an unauthorized decoder.

  The verifier uses the public key e and the contractor ID to generate a tracking header and inputs it to the unauthorized decryptor. Further, the ID of the unauthorized person is specified from the output of the unauthorized decoder. A black box tracking processing sequence executed by the verifier will be described with reference to a flowchart shown in FIG.

  The process according to the flowchart shown in FIG. 19 is executed in the information processing apparatus of the verifier. The specific hardware configuration of the information processing apparatus will be described later, but basically, the verifier's information processing apparatus has a CPU as a data processing unit and follows the flowchart described below. This is an information processing apparatus having a program describing a data processing sequence, a storage unit storing parameters necessary for data processing, key information, an encryption processing unit, a random number generation unit, and the like as components. Specifically, the data processing unit inputs a header and encrypted content to the user device, and executes identification of an unauthorized person based on the processing result. It is comprised by an unauthorized person determination part. In either case, the CPU executes processing according to a program describing a data processing sequence according to the flowchart described below.

The processing of each step in the flowchart shown in FIG. 19 is as follows.
STEP 71: j = 1.
STEP 72: Select suspect j's ID: u _j from U.
STEP 73: A header from which only the suspect j is excluded is generated.
STEP 74: The header generated in STEP 73 is set as a tracking header, and is input to the illegal decryptor together with the ciphertext C.
STEP 75: Obtain M ′ which is an output from the illegal decoder.
STEP76: If M ′ ≠ M, proceed to STEP77. Otherwise, go to STEP78.
STEP 77: The suspect j is identified as an unauthorized person.
STEP 78: j + 1 is substituted for j.
STEP79: If j = n + 1, the process is completed. Otherwise, return to STEP72.
Through these processes, it is possible to identify an unauthorized person without directly extracting the key from the unauthorized decryptor.

  Processing executed in the information processing apparatus of the verifier that performs black box tracking in the present invention will be described together. The verifier information processing apparatus is an information processing apparatus that verifies a user device that executes decryption of encrypted content and executes an unauthorized person identification process, and includes a header information generation unit that executes header information generation processing, and header information And an unauthorized person determination unit that verifies the processing result of the encrypted content in the user device.

  The header information generation unit is header information including decryption key information applied to decryption of the encrypted content, and when the suspect suspected as an unauthorized person is excluded as an excluded user, an excluded user ID corresponding to the excluded user is substituted When 0 is output to and a non-exclusion user ID corresponding to a non-exclusion user is substituted, header information including a decryption key calculation formula applying a polynomial F (x) that outputs a different value corresponding to each ID is generated. To do.

  The fraudster determination unit inputs the header information and the encrypted content generated by the header information generation unit to the user device, and applies the header information and the encrypted content to which the user specific information including the user ID stored in the user device is applied. The processing result is verified, and when the decrypted content is not acquired, processing for determining the suspect as an unauthorized person is executed.

The header information generator
_M pieces of information [h _1,0 , ..., h _{1, m} ] for calculating a point on F (x) corresponding to the user ID;
Excluded user ID [x ₁ , ..., x _m ],
Execute header information generation processing including
User ID as user-specific information held on the user device side, personal secret key, excluded user ID [x ₁ ,..., X _m ] included in the header information, and management obtainable on the user device side Based on the calculation process that applies the public key information corresponding to the center and the random number information included in the header, a generation process of header information that enables only the non-exclusion user to acquire the decryption key information is executed.

The header information generation unit is configured to generate the decryption key information as the session key s.
p: a large prime number modulo the multiplicative group,
Z _p ^* : a multiplicative group, a set of integers that are relatively prime to Z _p and p,
q: a prime number satisfying q | (p−1) and q> n + k + 1,
g: q root of 1 on Z _p ^*
As a setting of the session key s
s = g ^r modp
Set as
A header information generation process is performed in which the polynomial F (x) is included in the session key s calculation formula.

Specifically, the header information generation unit converts the formula for calculating the session key s into the inverse element [(F (x) / r) ^{−1 of} the formula [F (x) / r] to which the polynomial F (x) is applied. ] For calculating the session key s,
s = g ^r modp
A session key calculation formula that is set as a constituent element of the exponent part r is generated. Specifically, as the configuration data of the exponent part r, the user ID is u _i ,
Excluded user IDs corresponding to the excluded users are x ₁ to x _m ,
When
{(U _i -x ₁ ) ... (u _i -x _m )} ^-1 = {(F (x) / r) ^-1 }
A session key calculation formula that satisfies the relational expression is generated.

  The verifier's information processing device that performs black box tracking inputs the header information having such a configuration and the encrypted content to the user device, and if the normal content M cannot be obtained, the suspect = exempt user And conclude that the suspect is a fraudster.

[5. Difference between processing according to the present invention and conventional processing and advantages of the processing of the present invention]
Next, each processing example described above, that is,
[3. Content distribution and black box tracking process based on subgroup settings]
[4. Content distribution and black box tracking process according to the present invention]
Differences between these two processes and advantages of the process of the present invention will be described.

(5.1) Comparison of Key Generation Phase First, the differences in the key generation phase will be described. The main difference in the key generation phase is the difference that occurs depending on whether or not the contractor is divided into subgroups. [3. In the content distribution and black box tracking process based on the subgroup setting], as described above, the contractor is divided into a plurality of subgroups, and different distribution polynomials are assigned to the subgroups. Is eliminated.

As the processing in units of subgroups, for example, in STEP 04 of the key generation sequence described above with reference to FIG. 5, the set of contractors is divided into t subgroups, and in STEP05, each subgroup is divided. After generating the corresponding value b _Z (z = 1,..., T), it is necessary to generate a different distribution polynomial f _Z (x) for each subgroup. On the other hand, in the processing of the present invention, since the set of contractors is handled as one group, such work does not occur.

(5.2) Comparison of Encryption and Decryption Phase Next, differences in the encryption and decryption phases will be described. In addition, [4. In the content distribution and black box tracking process according to the present invention, since arbitrary contractor exclusion is realized, [3. [C] in the exclusion form in [Content distribution based on subgroup setting and black box tracking processing], that is, [c. Only a part of the contractors included in the subgroup is excluded]. Therefore, in the following, [4. Content distribution and black box tracking process according to the present invention] and [3. [C. Content distribution based on subgroup setting and black box tracking processing] in the exclusion form [c. Compared to the case where only a part of the contractors included in the subgroup is excluded], the difference will be explained.

[3. In the content distribution and black box tracking process based on subgroup setting], in step 15-c1 of the encryption phase described with reference to the flowchart of FIG. 11, the ID of the contractor that is not excluded is selected, and in step 15-c5, The exclusion polynomial F _Z (x) is configured so that 0 is output for these IDs, and different values corresponding to the IDs are output for the excluded contractor IDs.

[3. The header h provided to the contractor in the content distribution and black box tracking process based on the subgroup setting] is m _z +1 pieces for the contractor to calculate the value of F _z (x) corresponding to his / her ID. It consists of information and random number information, which is generated as a distribution header and provided to the contractor.

を計算する。 [3. Content distribution based on subgroup setting and black box tracking processing] has such an exclusion polynomial F _Z (x) and distribution header h configuration, and the contractor has the flowchart of FIG. The session key s is calculated according to the calculation formula shown in STEP 21. That is,

Calculate

In the calculation based on the above session key calculation formula, if the contractor is not excluded, the session key s can be acquired from F _Z (u _i ) = 0, but if it is excluded, F _Z (u _i ) ≠ 0 and session key s cannot be acquired. That is, a contractor who is not excluded can delete an extra value at the time of decryption, but an excluded contractor uses an exclusion polynomial, a distribution header, and a calculation method at the time of decryption so that the value cannot be deleted. Configure and realize any contractor exclusion.

  On the other hand, in the processing of the present invention, as described above with reference to the flowchart of FIG. 17, the contractor IDs to be excluded are selected in STEP 51 of the encryption phase, and these IDs are selected in STEP 55. The exclusion polynomial F (x) is configured so that 0 is output for the ID of the contractor and different values corresponding to the ID are output for the IDs of the contractors that are not excluded. By constructing the exclusion polynomial in this way, the smaller the number of contracted parties l (el), the smaller the values of d and m, and the smaller the header size and the amount of calculation required for header generation. Become.

However, [3. With the same distribution header and decryption calculation method as in the content distribution and black box tracking process based on subgroup setting, any contractor cannot obtain a correct session key. Therefore, in the present invention, in order to avoid this, the header h is set as follows in the header setting process in STEP60.
_{h = (x 1, ...,} x m, h 1,0, ..., h 1, m, h 0,0, ..., h 0, d)
That is,
_M pieces of information [h _1,0 , ..., h _{1, m} ] for the contractor to calculate a point on F (x) corresponding to his / her ID;
As information for constructing a polynomial having a ratio different from F (x), the ID [x ₁ ,..., X _m ] of the excluded contractor,
d + 1 random numbers [h _0,0 , ..., h _{0, d} ]
Is set to have.

  Furthermore, the processing of the header h in the contractor, that is, the calculation for acquiring the session key s from the header performed for content decryption is performed by the processing shown in STEP 61 of the flowchart shown in FIG.

The expression applied to the acquisition calculation of the session key s from the header h according to the present invention shown in STEP 61 is [3. In the content distribution based on subgroup setting and black box tracking processing], the calculation result of STEP 21 described with reference to FIG. 12 includes the contractor's own ID [U _i ] and the excluded contractor ID included in the header. From [x ₁ ,..., X _m ], an inverse element [(F (x) / r) ⁻¹ ] of a polynomial [F (x) / r] that differs only in the ratio from the exclusion polynomial F (x). This is a power calculation formula. The session key s is calculated according to this calculation formula.

Thus, by configuring the exclusion polynomial F (x), the distribution header h, and the calculation method at the time of decoding, [3. Contrary to the content distribution and black box tracking process based on the subgroup setting], the excluded subscribers (u _i = x _{1 to} x _{1 (el)} ) have F (u _i ) = 0, so Thus, the session key s cannot be calculated.

On the other hand, since the contractor (u _i ≠ x _{1 to} x _{l (El)} ) that has not been excluded becomes F (u _i ) ≠ 0, the point on F (u _i ) corresponding to its own ID is determined from the header. The correct session key is calculated by further calculating the power of the inverse element of the polynomial that differs only in the point and ratio on F (u _i ) from the calculated contractor's own ID and the excluded contractor ID included in the header. s can be acquired.

Header size of the distribution header in the present invention will become (2m + d + 2) logp next, the amount of calculation needed when the header generation ^{O (max (mlog 3 p,} m 2 log 2 q)).

(5.3) Comparison of black box tracking phase Finally, a comparison is made regarding black box tracking. In the black box tracking phase,
[3. Content distribution based on subgroup setting and black box tracking process], the black box tracking process described with reference to FIG.
[4. In the content distribution and black box tracking process according to the present invention], both the black box tracking process described with reference to FIG. 19 uses the distribution header from which only the suspect is excluded as the tracking header. Tracking is realized.

  In these two processes, the procedure differs in STEP 33 of the flow of FIG. 13 in the black box tracking phase of [3] and STEP 73 of FIG. 19 in the black box tracking phase of the present invention [4]. However, in [3], the subgroup to which the suspect belongs belongs to the exclusion form [c. Only a part of the contractors included in the subgroup is excluded] and other subgroups are excluded [a. It is necessary to generate a tracking header as a subgroup. However, in the present invention, setting for each subgroup is not necessary, and a distribution header that excludes only suspects is required. It only needs to be used as a tracking header.

  In addition, as a method for generating a tracking header, an exclusion polynomial that outputs 0 for a contractor ID that is not excluded in [3] is configured, whereas a contractor excluded in the present invention is used. Since the exclusion polynomial that outputs 0 for the ID of the ID is configured, the detailed procedure is similar to the difference in the encryption phase.

(5.4) Advantages of the processing of the present invention Next, the advantages of the content distribution and black box tracking processing of the present invention derived from the above comparison will be described. [3. Content distribution based on sub-group settings and black box tracking processing] divides the contractor group into multiple subgroups, thereby eliminating contractors on a subgroup basis, and some contracts included in the subgroups For the exclusion of the contractor, an exclusion polynomial that outputs 0 for the ID of the contractor that is not excluded and outputs a different value corresponding to the ID for the ID of the contractor that is excluded is used. By doing so, the contractor is eliminated.

  This processing configuration realizes efficient black box tracking. However, at the time of actual content distribution, there are many cases where individual contractors are excluded, such as cancellation of contracts by contractors, so there are multiple subgroups where only some contractors are excluded Is most likely to occur. Therefore, the header size and the amount of calculation required at the time of header generation increase, and a reduction in efficiency is inevitable.

  Furthermore, [3. In the processing based on the subgroup setting], in the subgroup in which only some contractors are excluded, since the exclusion polynomial is configured using the IDs of the contractors that are not excluded, there are many contractors that are excluded. Unless this is the case, there is a problem that the degree m ′ of the exclusion polynomial becomes a large value and the header size and the amount of calculation required for header generation increase.

  On the other hand, [4. In the content distribution and black box tracking process according to the present invention], since the contractor set is treated as one group, it is excluded regardless of how distributed contractors are distributed in the contractor set. If the number of contracted subscribers is the same, the header size and the calculation amount required when generating the header are the same. In addition, for exclusion of contractors, an exclusion polynomial is used that outputs 0 for the contractor IDs to be excluded and outputs different values for the other contractor IDs. Therefore, when the number of contractors to be excluded is small, the header size and the amount of calculation required when generating the header are reduced, and the content can be distributed efficiently.

[3. Content distribution and black box tracking process based on subgroup setting], [4. Table 1 below shows the header size of the distribution header and the amount of calculation required when generating the header in each of the content distribution and black box tracking processing according to the present invention].

Furthermore, [3. Content distribution and black box tracking process based on subgroup setting], [4. Table 2 below shows the header size of the tracking header and the amount of calculation required when generating the header in each of the content distribution and black box tracking processing according to the present invention].

  First, regarding the distribution header, [3. Content distribution and black box tracking process based on subgroup setting], [4. Content distribution and black box tracking process according to the present invention]. As understood from Table 1, [4. Processing of the present invention] and [3. In the subgroup setting processing] header size and calculation amount required for header generation, not only the security parameter k but also the division number t, the number v of subgroups in which only some contractors are excluded, and included in the subgroup The condition of the total number of contractors to be excluded l (el) by the value of the number of contractors n ′ to be excluded and the number of contractors to be excluded l ′ (el ′) in the subgroup in which only some contractors are excluded Are very different.

Therefore, in the following, for the sake of simplicity, the division number t, the number of contractors n ′ included in the subgroup, and the number of contractors l ′ (el ′) excluded in the subgroup in which only some contractors are excluded A description will be given of a change in conditions accompanying a change in the number v of subgroups in which the value is fixed and only some contractors are excluded. In particular,
n = 10000,
k = 500,
t = 10
For the subgroup from which only a part of the contractors is excluded, only one contractor included in the subgroup is excluded, that is, l ′ (el ′) = 1. [3. In the subgroup setting process], the most efficient delivery is possible, that is, [b. It is assumed that there is always one subgroup that is set so that all contractors included in the subgroup are excluded.

  Under such conditions, the number of subgroups v = 1,. Processing of the present invention] and [3. FIG. 20 shows comparison data of the header size with the subgroup setting process], and FIG. 21 shows comparison data of the calculation amount at the time of header generation.

  First, FIG. 20 will be described. FIG. 20 shows [3. Header size in [subgroup setting processing] and [4. When the header sizes in the processing of the present invention are equal, that is, {(t−v) (k + 2) + v (m ′ + 2)} − (2m + d + 2) = 0. The abscissa and ordinate represent the number v of subgroups and the total number of contractors to be excluded (el), respectively. As shown in FIG. 20, when the total number l (el) of contractors to be excluded is smaller than the value of l (el) on the straight line at the value v, [3. [4. Subgroup setting process]. It can be seen that the header size is smaller in the process of the present invention. It can also be seen that as the value of v increases, the smaller the number of contractors excluded, the smaller the header size can be in the present invention. This is because [3. [4. Subgroup setting process]. The processing of the present invention indicates that the content can be distributed with a smaller amount of data.

  Next, FIG. 21 will be described. FIG. 21 shows [3. The relationship between v and l (el) when the calculation amount required at the time of header generation in the subgroup setting process] and the calculation amount required at the time of header generation in the present invention are equal. The vertical axis represents the number v of subgroups and the total number of contractors to be excluded 1 (el). However, as shown in Table 1, [3. Subgroup setting process] and [4. The amount of calculation required for header generation in the processing of the present invention varies depending on the values of p, q, m, m ′, v, and t. Subgroup setting process] and [4. The straight line in the case of vm′−m = 0 is shown in the case where the calculation amount required at the time of header generation in the processing of the present invention is vm′logp and mlogp. In FIG. 21, as in the case of the header size, when the total number l (el) of contractors to be excluded is smaller than the value of l (el) on the straight line in the value v, as in the case of the header size. [3. [4. Subgroup setting process]. It can be seen that the processing according to the present invention requires less calculation amount when generating the header. It can also be seen that as the value of v increases, the smaller the number of contractors excluded, the smaller the amount of calculation required by the present invention for header generation. This indicates that the distributor can generate the header at a higher speed during content distribution.

  Next, a comparison will be made regarding black box tracking. As can be seen from Table 2, in the black box tracking for the illegal decoder that is most easily configured by the attacker, the header size related to the tracking header and the amount of calculation required at the time of header generation are n times that related to the distribution header. 3], v = 1. This is because it is necessary to carry out black box tracking for all contractors when the contractor is a suspect. Therefore, the larger the difference between the header size related to the header for delivery and the amount of calculation required at the time of header generation, the larger the difference between the header size of the header for tracking required for black box tracking and the amount of calculation required for header generation. growing. However, even in this case, since each value changes greatly depending on the parameter setting, each parameter is set as in the case of the distribution header, and [3] is compared with the present invention.

First, regarding the header size, in [3], n {(t−1) (k + 2) + m ′ + 2} = 55210000
In contrast, in the present invention, n (2m + d + 2) = 10020000
Thus, it is understood that black box tracking can be realized with a data amount much smaller than that in [3].

Next, regarding the calculation amount required at the time of header generation, in [3], nm ′ = 10010000, nm ′ ² = 10020010000
In contrast, in the present invention, nm = 5000000, nm ² = 2,500,000,000
In this regard, it is understood that black box tracking can be realized at a higher speed than [3].

  Thus, [4. In the content distribution and black box tracking process according to the present invention], [3. Compared with the content distribution and black box tracking processing based on the subgroup setting], more efficient content distribution is realized and efficient black box tracking is realized.

[6. Configuration example of information processing apparatus]
Next, [4. In the content distribution and black box tracking process according to the present invention], the information processing apparatus of the center that executes the key generation process, the header information generation apparatus, the information processing apparatus of the distributor that executes the content distribution process with ciphertext generation, the header, FIG. 22 shows a configuration example of a contractor information processing apparatus that receives a ciphertext and generates a session key and decrypts the ciphertext, and a verifier information processing apparatus that executes a black box tracking process. To explain.

  These information processing apparatuses can be realized in, for example, a general data processing apparatus such as a PC, store processing programs corresponding to the respective processes in a memory, and execute each processing program in a control unit such as a CPU. Thus, each process is executed.

  That is, each process described in the above embodiment is a process that can be executed by a combination of hardware and software, and can be performed by causing a general-purpose computer or microcomputer to execute a program. When each data processing is performed by software, a program constituting the software is installed in, for example, a general-purpose computer or a one-chip microcomputer. FIG. 22 shows a configuration example as an embodiment of a computer in which a program for executing the data processing described above is installed.

  The information processing apparatus configuration example shown in FIG. 22 is one example, and the information processing apparatus in each entity is not necessarily required to have all the functions shown here. A CPU (Central processing Unit) 501 shown in FIG. 22 is a processor that executes various programs and an OS (Operating System). A ROM (Read-Only-Memory) 502 stores a program executed by the CPU 501 or fixed data as calculation parameters. A RAM (Random Access Memory) 503 is used as a storage area and work area for programs executed in the processing of the CPU 501 and parameters that change as appropriate in the program processing.

  The HDD 504 executes hard disk control, and executes various data and program storage processing and read processing for the hard disk. The encryption processing unit 505 functions as an encryption processing unit or a decryption processing unit that executes transmission data encryption processing, decryption processing, and the like. Although an example in which the cryptographic processing means is an individual module is shown here, such an independent cryptographic processing module is not provided, for example, a cryptographic processing program is stored in the ROM 502, and the CPU 501 reads and executes the ROM stored program. You may comprise.

The memory (secure module) 506 is configured as a memory having a tamper-resistant structure, for example, and can be used as a storage area for key data necessary for cryptographic processing, parameters to be held in non-Mitsu, and the like. For example, if the information processing apparatus on the user side (subscriber), is set as a storage unit for storing a secret key d _i. Part of the data can be stored in another memory area or storage medium. For example, data that is not required to be kept secret, such as a public key, can be stored in a hard disk or the like.

  The bus 521 is constituted by a PCI (Peripheral Component Internet / Interface) bus or the like, and enables data transfer with each module and each available power device via the input / output interface 122.

  The input unit 511 includes, for example, a keyboard, a pointing device, and the like, and is operated by a user to input various commands and data to the CPU 501. The output unit 512 is a CRT, a liquid crystal display, or the like, for example, and displays various types of information as text or images.

  The communication unit 513 executes communication processing with an entity connected to the system, for example, encryption data communication entity. Under the control of the CPU 501, data supplied from each storage unit, data processed by the CPU 501, or encryption Processing to transmit the received data or the like, or to receive data from other entities.

  The drive 514 is a drive that performs recording and reproduction of a removable recording medium 515 such as a flexible disk, a CD-ROM (Compact Disc Read Only Memory), an MO (Magneto optical) disc, a DVD (Digital Versatile Disc), a magnetic disc, and a semiconductor memory. The program or data playback from each removable recording medium 515 and the storage of the program or data in the removable recording medium 515 are executed.

  When a program or data recorded in each storage medium is read and executed or processed by the CPU 501, the read program or data is supplied to, for example, the connected RAM 503 via the input / output interface 522 and the bus 521.

  A program for executing the processing included in the description with reference to each flowchart is stored in the ROM 502 and processed by the CPU 501 or stored in the hard disk and supplied to the CPU 501 via the HDD 504 and executed. The

  The present invention has been described in detail above with reference to specific embodiments. However, it is obvious that those skilled in the art can make modifications and substitutions of the embodiments without departing from the gist of the present invention. In other words, the present invention has been disclosed in the form of exemplification, and should not be interpreted in a limited manner. In order to determine the gist of the present invention, the claims should be taken into consideration.

  The series of processing described in the specification can be executed by hardware, software, or a combined configuration of both. When executing processing by software, the program recording the processing sequence is installed in a memory in a computer incorporated in dedicated hardware and executed, or the program is executed on a general-purpose computer capable of executing various processing. It can be installed and run.

  For example, the program can be recorded in advance on a hard disk or ROM (Read Only Memory) as a recording medium. Alternatively, the program is temporarily or permanently stored on a removable recording medium such as a flexible disk, a CD-ROM (Compact Disc Read Only Memory), an MO (Magneto optical) disk, a DVD (Digital Versatile Disc), a magnetic disk, or a semiconductor memory. It can be stored (recorded). Such a removable recording medium can be provided as so-called package software.

  The program is installed on the computer from the removable recording medium as described above, or is wirelessly transferred from the download site to the computer, or is wired to the computer via a network such as a LAN (Local Area Network) or the Internet. The computer can receive the program transferred in this manner and install it on a recording medium such as a built-in hard disk.

  Note that the various processes described in the specification are not only executed in time series according to the description, but may be executed in parallel or individually according to the processing capability of the apparatus that executes the processes or as necessary. Further, in this specification, the system is a logical set configuration of a plurality of devices, and the devices of each configuration are not limited to being in the same casing.

  As described above, according to the configuration of one embodiment of the present invention, in the content distribution and use process, a header that can prevent acquisition of the content decryption key by the excluded user is generated and provided to the user. Therefore, unauthorized use of content is prevented, and the header size and header generation calculation amount are reduced, thereby realizing efficient content distribution and use. That is, after a user as a content user is made into a single group, 0 is output for the excluded contractor ID, and a different value is output for each other contractor ID. A header including a session key calculation formula using is configured. With the header configuration of the present invention, the header size at the time of content distribution and the amount of calculation required at the time of header generation are reduced, and in the session key acquisition process on the content user side, the exclusion user's key acquisition is surely prevented. be able to.

It is a figure explaining an unauthorized person tracking process. It is a figure explaining a content delivery process. It is a figure explaining the apparatus structure which uses a content. It is a figure explaining the process sequence of a fraud tracking process. It is a figure which shows the flowchart explaining the key production | generation process sequence which produces | generates and provides the individual private key and public key of each contractor in the content delivery structure based on a subgroup setting. It is a figure explaining the key generation process which produces | generates and provides the individual private key and public key of each contractor in the content delivery structure based on subgroup setting. It is a figure explaining the content delivery process in the content delivery structure based on a subgroup setting. It is a figure which shows the flowchart explaining the content encryption processing sequence accompanying the header in a content delivery structure based on subgroup setting, and a ciphertext production | generation. It is a figure which shows the flowchart explaining the process sequence when not all the contractors contained in a subgroup are excluded in the content delivery structure based on a subgroup setting. It is a figure which shows the flowchart explaining the process sequence in case all the contractors contained in a subgroup are excluded in the content delivery structure based on a subgroup setting. It is a figure which shows the flowchart explaining a process sequence in case only the one part of contractor contained in a subgroup is excluded in the content delivery structure based on a subgroup setting. It is a figure which shows the flowchart explaining the content decoding process sequence in the content delivery structure based on a subgroup setting. It is a figure which shows the flowchart explaining the black box tracking process sequence in the content delivery structure based on a subgroup setting. It is a figure which shows the flowchart explaining the key production | generation process sequence which produces | generates and provides the individual private key and public key of each contractor in the content delivery structure according to this invention. It is a figure explaining the key generation process which produces | generates and provides the individual private key and public key of each contractor in the content delivery structure according to this invention. It is a figure explaining the content delivery process in the content delivery structure according to this invention. It is a figure which shows the flowchart explaining the content delivery processing sequence in the content delivery structure according to this invention. It is a figure which shows the flowchart explaining the content decoding process sequence in the content delivery structure according to this invention. It is a figure which shows the flowchart explaining the black box tracking process sequence in the content delivery structure according to this invention. It is a figure which shows the comparison data of the header size in the content delivery structure according to this invention, and the content delivery structure based on a subgroup setting. It is a figure which shows the comparison data of the computational complexity at the time of the header production | generation in the content delivery structure according to this invention, and the content delivery structure based on a subgroup setting. It is a figure which shows the structural example of the information processing apparatus applied in each process in the content delivery process and black box tracking according to this invention.

Explanation of symbols

DESCRIPTION OF SYMBOLS 10 Information processing apparatus 11 Private secret key storage part 501 CPU
502 ROM
503 RAM
504 HDD
505 Encryption processing unit 506 Memory 511 Input unit 512 Output unit 513 Communication unit 514 Removable storage medium 521 Bus 522 I / O interface

Claims (18)

An information processing device,
A data processing unit that executes generation processing of header information including decryption key information applied to decryption of the encrypted content;
The data processing unit
It is a configuration that executes header information generation processing that enables acquisition of the decryption key information only when user-specific information held by a non-excluded user other than the excluded user is applied among user-specific information held by the user device ,
Out of the user IDs included in the user-specific information, 0 is output when an excluded user ID corresponding to an excluded user is assigned, and each ID is assigned when a non-excluded user ID corresponding to a non-excluded user is assigned. An information processing apparatus having a configuration for executing header information generation processing including a decryption key calculation formula to which a polynomial F (x) that outputs different values is applied. The data processing unit
_M pieces of information for calculating a point on F (x) corresponding to the user ID [h ₁ , _0,. . . , H _{1, m} ],
Excluded user IDs [x ₁ ,. . . , X _m ],
Execute header information generation processing including
The user ID as user-specific information held on the user device side, the personal secret key, and the excluded user IDs [x ₁ ,. . . , X _m ] based on the calculation process applied, the header information generation process that enables the non-excluded user to obtain the decryption key information is executed. Information processing device. The data processing unit further includes:
Based on the public key information corresponding to the management center that can be acquired on the user device side and the arithmetic processing that applies the random number information included in the header, The information processing apparatus according to claim 2, wherein the information processing apparatus is configured to execute generation processing. The data processing unit
The decryption key information is generated as a session key s,
p: a large prime number modulo the multiplicative group,
Z _p ^* : a multiplicative group, a set of integers that are relatively prime to Z _p and p,
q: a prime number satisfying q | (p−1) and q> n + k + 1,
g: q root of 1 on Z _p ^*
As a setting of the session key s
s = g ^r modp
Set as
The information processing apparatus according to claim 1, wherein the information processing apparatus is configured to execute a header information generation process including the polynomial F (x) in the session key s calculation formula. The data processing unit
The session key s is calculated from the inverse [[F (x) / r) ⁻¹ ] of the formula [F (x) / r] to which the polynomial F (x) is applied. ,
s = g ^r modp
The information processing apparatus according to claim 4, wherein a session key calculation formula set as a constituent element of the exponent part r is generated. The data processing unit
As constituent data of the exponent part r,
U _i ,
Excluded user IDs corresponding to the excluded users are x ₁ to x _m ,
When
{(U _i -x ₁ ) ... (u _i -x _m )} ^-1 = {(F (x) / r) ^-1 }
6. The information processing apparatus according to claim 5, wherein a session key calculation formula that satisfies the relational expression is generated. The information processing apparatus further includes:
The information processing apparatus according to claim 1, further comprising: a communication unit that executes transmission processing of the header information and the encrypted content. An information processing device,
A storage unit storing a user ID and a personal secret key;
Acquisition of the decryption key information by inputting header information including decryption key information applied to decryption of the encrypted content, and executing data processing to which the user ID and personal secret key are applied to the header information A data processing unit for executing processing,
The data processing unit
A polynomial F (x) that outputs 0 when the excluded user ID corresponding to the excluded user is substituted, and outputs a different value corresponding to each ID when the non-excluded user ID corresponding to the non-excluded user is substituted. An information processing apparatus having a configuration in which a data process to which the user ID and a private secret key are applied is executed on header information including the header information, and the acquisition process of the decryption key information is executed. The data processing unit
As the header information,
_M pieces of information for calculating a point on F (x) corresponding to the user ID [h ₁ , _0,. . . , H _{1, m} ],
Excluded user IDs [x ₁ ,. . . , X _m ],
Enter header information including
The user ID, the private secret key, and the excluded user ID [x ₁ ,. . . , X _m ], the information processing apparatus according to claim 8, wherein the decryption key information acquisition process is executed based on an arithmetic process to which The data processing unit further includes:
10. The information according to claim 9, wherein the decryption key information acquisition process is executed based on a calculation process using public key information corresponding to a management center and random number information included in the header. Processing equipment. The data processing unit
A configuration for calculating a session key s which is the decryption key information;
p: a large prime number modulo the multiplicative group,
Z _p ^* : a multiplicative group, a set of integers that are relatively prime to Z _p and p,
q: a prime number satisfying q | (p−1) and q> n + k + 1,
g: q root of 1 on Z _p ^*
In the setting of, the session key s is expressed by the following calculation formula:
s = g ^r modp
Is calculated according to
The information processing apparatus according to claim 8, wherein the calculation process using the polynomial F (x) is performed in the session key s calculation process. The data processing unit
The session key s calculation formula,
s = g ^r modp
As the calculation process of the exponent part r, the calculation of the inverse element [(F (x) / r) ⁻¹ ] of the formula [F (x) / r] to which the polynomial F (x) is applied is performed. The information processing apparatus according to claim 11. The formula [(F (x) / r) ⁻¹ ] is
U _i , the user ID stored in the storage unit,
Excluded user IDs corresponding to the excluded users are x ₁ to x _m ,
When
{(F (x) / r) ⁻¹ } = {(u _i −x ₁ )... (U _i −x _m )} ⁻¹
Satisfy the relationship
The data processing unit
Substituting the user ID: u _i stored in the storage unit into the above expression {(u _i −x ₁ )... (U _i −x _m )} ⁻¹ , and {(F (x) / r) ⁻ The information processing apparatus according to claim 12, wherein the information processing apparatus is configured to execute a calculation process of ¹ }. A content distribution system,
In the content distribution side device,
0 is output when the exclusion user ID corresponding to the exclusion user is substituted in the user ID included in the user-specific information held by the content receiving device as header information including the decryption key information applied to decryption of the encrypted content When a non-exclusion user ID corresponding to a non-exclusion user is substituted, a header information generation process including a polynomial F (x) that outputs a different value corresponding to each ID is executed, and the generation header information and encryption are executed. Providing content to the content receiving device,
In the content receiving device,
For the header information including the polynomial F (x), data processing using a user ID and a private secret key is executed, and a value other than 0 obtained by applying the polynomial F (x) is used. A content distribution system having a configuration for executing the process of obtaining the decryption key information and executing the process of decrypting the encrypted content by applying the obtained decryption key. An information processing method for executing generation processing of header information including decryption key information applied to decryption of encrypted content in an information processing device,
In the data processor
There is a header information generation step for generating header information that enables acquisition of the decryption key information only when user specific information held by a non-excluded user other than the excluded user is applied among user specific information held by the user device. And
The header information generation step executed in the data processing unit includes:
Out of the user IDs included in the user-specific information, 0 is output when an excluded user ID corresponding to an excluded user is assigned, and each ID is assigned when a non-excluded user ID corresponding to a non-excluded user is assigned. An information processing method, which is a step of executing generation processing of header information having a decryption key calculation formula including a polynomial F (x) that outputs different values. An information processing method for executing processing for acquiring decryption key information of encrypted content from header information in an information processing device,
In the data processor
A header information processing step of inputting the header information, executing a data process in which the user ID and the personal secret key acquired from the storage unit are applied to the header information, and executing the process of acquiring the decryption key information; Have
The header information processing step executed in the data processing unit includes:
A polynomial F (x) that outputs 0 when the excluded user ID corresponding to the excluded user is substituted, and outputs a different value corresponding to each ID when the non-excluded user ID corresponding to the non-excluded user is substituted. An information processing method, comprising: performing a data process using the user ID and the personal secret key on the header information, and performing a process for obtaining the decryption key information. A computer program that executes generation processing of header information including decryption key information applied to decryption of encrypted content in an information processing device,
In the data processor
There is a header information generation step for generating header information that enables acquisition of the decryption key information only when user specific information held by a non-excluded user other than the excluded user is applied among user specific information held by the user device. And
The header information generation step to be executed in the data processing unit includes:
Out of the user IDs included in the user-specific information, 0 is output when an excluded user ID corresponding to an excluded user is assigned, and each ID is assigned when a non-excluded user ID corresponding to a non-excluded user is assigned. A computer program characterized in that it is a step of executing a generation process of header information having a decryption key calculation formula including a polynomial F (x) that outputs different values. A computer program for executing processing for acquiring decryption key information of encrypted content from header information in an information processing device,
In the data processor
A header information processing step of inputting the header information, executing data processing to which the user ID and the personal secret key acquired from the storage unit are applied to the header information, and executing the acquisition processing of the decryption key information; Have
The header information processing step to be executed in the data processing unit includes:
A polynomial F (x) that outputs 0 when the excluded user ID corresponding to the excluded user is substituted, and outputs a different value corresponding to each ID when the non-excluded user ID corresponding to the non-excluded user is substituted. A computer program characterized in that it is a step of executing data processing to which the user ID and the personal secret key are applied to the header information that is included, and executing the acquisition processing of the decryption key information.

Images