JP5492007B2 - Content server, content receiving apparatus, attribute key issuing server, user key issuing server, access control system, content distribution program, and content receiving program - Google Patents

Description

  The present invention relates to an access control technique using a user attribute in content distribution using a broadcast wave or a network such as the Internet or a dedicated IP line.

  With the spread of digital broadcasting and the increase in speed and capacity of networks, services for distributing broadcast contents using networks such as broadcast waves, the Internet, and dedicated IP lines have been realized. In such a service, when performing access control such that only a specific user can decrypt and view the encrypted content, the service provider specifies in advance the user who is permitted to decrypt the content. It is common to do. As an example of a user who permits decryption, when a service provider permits decryption of content only by a user having membership of the service provider, the content is encrypted by directly specifying the user having membership. For this reason, there is a problem that when a user has a change in membership (membership, withdrawal, etc.), the service provider must specify the user and encrypt the content each time.

  Ciphertext-Policy Attribute-Based Encryption is known as means for solving such problems (see Non-Patent Document 1). This is a public key cryptosystem, and the sender is based on an access policy that describes the conditions of the recipient's attributes (residence, gender, age, membership type, etc.) that the receiver should satisfy when encrypting the message. To encrypt. Only a recipient having an attribute that satisfies the access policy can be decrypted using an attribute secret key that is a secret key corresponding to the attribute.

  When attribute-based encryption is used, it is not necessary for the service provider to directly specify individual users when performing access control, so the load on the service provider can be reduced. For example, as an example of the user who permits the above-described decryption, when the service provider permits the decryption of the content only to the user having the membership of the service provider, the service provider designates when encrypting the content “ The access policy is “user with membership” only, and it is not necessary to specify the user with membership directly and perform encryption. Therefore, even when the user has changed membership (membership, withdrawal, etc.), there is no need to encrypt the content again.

  In the attribute-based encryption, the user proves that the user has an attribute to an attribute authority (AA) and issues an attribute secret key corresponding to the attribute. In the method disclosed in Non-Patent Document 1, there is a problem that management cost increases because one AA must manage all attribute information.

  As means for solving such a problem, an attribute-based encryption (Multi-Authority Attribute-Based Encryption) in which a plurality of AAs can exist is known (see Non-Patent Document 2 and Non-Patent Document 3). According to these methods, since the attribute information managed by one AA can be reduced, the management cost of AA can be reduced.

J. Bethencourt, A. Sahai and B. Waters, “Ciphertext-Policy Attribute-Based Encryption,” Proc. Of the 2007 IEEE Symposium on Security and Privacy, pp. 321-334, 2007. M. Chase, “Multi-Authority Attribute Based Encryption,” Proc. Of TCC’07, Lecture Notes in Computer Science 4392, pp. 515-534, Springer-Verlag, 2007. S. Muller, S. Katzenbeisserand C. Eckert, “Distributed Attribute-Based Encryption,” Proc. Of ICISC’08, Lecture Notes in Computer Science 5461, pp. 20-36, Springer-Verlag, 2009.

  Conventionally, in attribute-based cryptography in which a plurality of AAs can exist, in order to prevent the problem of user collusion attacks, a central authority (CA) that manages users is separately installed as a central authority that bundles each AA. ing. Here, the collusion attack means that a plurality of users who do not satisfy the access policy by themselves collusion and share each other's attribute secret key, thereby enabling decryption of the content.

  However, in the prior arts described in Non-Patent Documents 2 and 3, since the CA, which is the central institution installed to prevent the collusion attack of the user, holds the master key, in principle, everything on the system Can be decrypted. Therefore, when there is a CA with low reliability, there is a problem that the security is lowered without maintaining the confidentiality of the ciphertext in the system.

  Specifically, in the methods described in Non-Patent Documents 2 and 3, the CA server inputs a system public key PK, a master key MK, and a user identifier u, and uses a user public key and a user secret as user keys. Generate a key.

For example, in the method described in Non-Patent Document 3, the CA server sets G as a bilinear group of prime order p and sets e: G × G → G _T in system initialization. origin g ∈ g, and P∈G, randomly selects y∈Z _p, outputs a system public key PK and a master key MK = g ^y shown by the formula (101).

Also, CA server, using a random number mk _u randomly selected from _Z p (the set of integers from 0 to p-1) to a user u, the user public key PK _u shown in equation (102) , A user secret key SK _u shown in equation (103) is generated.

Then, the server of the _a -th AA (= AA _a ) out of AA receives the system public key PK and the identifier a and inputs a hash function H _xa : {0, 1} ^* → from a finite hash function family. Z _p is selected uniformly at random, and the secret key of AA _a is set as SK _a = x _a . When AA _a manages the attribute i, the server of AA _a receives the system public key PK, the attribute i, and the secret key SK _a as input, and obtains the attribute public key PK _i of the attribute i shown in Expression (104). Output. When the user u has the attribute i, the server of AA _a receives the system public key PK, the attribute i, the secret key SK _a , the user identifier u, and the user public key PK _u as inputs, and the expression (105 The attribute private key SK _i of u shown in FIG.

Further, the service provider server receives the system public key PK, the message M, the access policy A, and a plurality of attribute public keys PK _i as input, and the random number R for the element j (1 ≦ j ≦ n) of the access policy A. the _j ∈Z _p chosen at random, the ciphertext _{CT = <CT 1, ...,} CT n> to output. Here, CT _j is expressed by Expression (106).

Then, the decryption-side user terminal receives the system public key PK, the ciphertext CT, the access policy A, the user secret key SK _u, and the plurality of attribute secret keys SK _{i, u} and inputs the message M by the equation (107). Can be decrypted.

Here, the introduction of notation a _j shown in the following equation _{(108), E j, E''} j in the equation (106), respectively formula (109), represented by the formula (110) It will be.

It can be seen that the equation (109) is related to the master key MK = g ^y by performing equation transformation like the equation (111) using the pairing bilinearity. In addition, the relationship of Formula (110) was used here.
And the message M is represented by Formula (112) from the relationship between the leftmost side and the rightmost side of Formula (111). That is, the CA having the master key MK = g ^y can decrypt the message M by decrypting all the ciphertexts of this system.

  The present invention has been made in view of the above problems, and provides a technique for providing a secure content distribution service by broadcasting or communication using an access control system based on user attributes. Let it be an issue.

  In order to solve the above problem, a content server according to claim 1 of the present invention includes a user key issuing server that issues a user public key and a user secret key as a user key, and a system public key, and an attribute for each attribute. A plurality of attribute key issuing servers that issue an attribute private key for each user corresponding to the public key and the attribute; a content server that distributes content; and a content receiving device that is used by a user and receives the content, The content server in the access control system for controlling access to the content based on an access policy created in advance on the content providing side using a user attribute as a condition for accessing the content, wherein the content encryption Means, policy input means, and content key encryption method If, it was decided to include the content coupling means, and content delivery means.

  According to such a configuration, the content server generates encrypted content by encrypting the input content with the content key that is a common key by the content encryption unit. Then, the content server inputs the access policy by policy input means. Then, the content server encrypts the input content key by the content key encryption means to generate an encrypted content key. Then, the content server combines the encrypted content key generated by the content key encryption unit and the encrypted content generated by the content encryption unit by the content combining unit and adds the access policy to the header. By doing so, encrypted content with a header is generated. Then, the content server distributes the encrypted content with the header to the content receiving device by the content distribution means.

According to such a configuration, the content server uses the content key encryption unit to set the system public key and the j-th included in the input access policy when the number of elements of the access policy is n. For each element included in the access policy, the content key M is input using the attribute public key PK _i shown in the following equation (14) issued for the attribute i included in the element The partial ciphertext CT _j shown in the following formula (22) is generated for the _jth element, and the partial ciphertexts CT _{1 to} CT _n obtained from all the elements of the access policy are generated. As an encrypted content key, a ciphertext CT represented by the following formula (23) is generated. Therefore, the content server can distribute the content by an encryption method of an algorithm that eliminates the need for the master key itself for decrypting all ciphertexts in the system. As a result, the access control system does not have an organization that can independently decrypt all ciphertexts in the system. Therefore, it is possible to provide a secure content distribution service by broadcasting or communication using an access control system based on user attributes.

  A content receiving apparatus according to claim 2 of the present invention is the content receiving apparatus that receives the content distributed by the content server in an access control system including the content server according to claim 1, and has an attribute A secret key storage unit, a user secret key storage unit, a content reception unit, a content separation unit, a determination unit, a content key decryption unit, and a content reproduction unit are provided.

According to such a configuration, the content receiving device stores the attribute secret key issued by the attribute key issuing server corresponding to the attribute to be satisfied by the user of the content receiving device in the attribute secret key storage unit, The user secret key issued by the user key issuing server is stored in a user secret key storage means. Then, the content receiving device receives the encrypted content with the header from the content server by the content receiving means. Then, the content receiving device uses the content separation unit to extract the access policy, the encrypted content, and the encrypted content key from the encrypted content with header received by the content receiving unit (23) The ciphertext CT shown in FIG. Then, the content receiving device determines whether or not an attribute to be satisfied by the user of the content receiving device is included in the element of the access policy based on the attribute secret key by the determining unit. The j-th element is selected. When the content key decrypting unit selects the j-th element of the access policy, the content receiving apparatus has the attribute secret key SK _i shown in the following equation (17) corresponding to the attribute i included in the element. _{, U,} and the user secret key SK _U shown in the following formula (9) and the system public key, the decryption operation shown in the following formula (24) is executed to decrypt the encrypted content key To do. Then, the content receiving apparatus reproduces the content by decrypting the encrypted content separated by the content separating means by the content reproducing means using the content key decrypted by the content key decrypting means.

  An attribute key issuing server according to claim 3 of the present invention is installed in an attribute management organization in the access control system including the content server according to claim 1 or the content receiving device according to claim 2, The attribute key issuing server for issuing the attribute key used in the content server or the content receiving device, comprising: an attribute management organization private key generation unit, an attribute public key generation unit, and an attribute secret key generation unit It was.

According to such a configuration, the attribute key issuing server, for example, when the attribute management authority is newly installed, the attribute management authority identifier a that identifies the attribute management authority and the system public key by the attribute management authority private key generation unit Is used to generate an attribute management authority secret key SK _a unique to the attribute management authority. Then, the attribute key issuing server uses the system public key, the attribute management institution secret key SK _a, and the request including the attribute acquired from the user by the attribute public key generation means, using the following formula (14): The attribute public key PK _i for each attribute shown in FIG. Then, the attribute key issuing server uses the attribute public key generating means to request the system public key, the attribute management organization secret key SK _a , the attribute acquired from the user, the user identifier U, and the user public key. Is used to generate the attribute secret key for each user of the attribute shown in the following equation (17). Therefore, in the access control system, an arbitrary number of attribute management organizations can issue attribute secret keys, and content can be encrypted and decrypted based on user attributes. Further, in this access control system, since any number of attribute management organizations can issue attribute secret keys, each attribute management organization can reduce management costs.

  A user key issuing server according to claim 4 of the present invention is an access comprising the content server according to claim 1, the content receiving device according to claim 2, or the attribute key issuing server according to claim 3. In the control system, the user key issuing server that is installed in a user management organization and generates the system public key used in the content server, the content receiving device, or the attribute key issuing server, the system public key generating unit; And a user key generation means.

According to such a configuration, when the system is initialized, the user key issuing server uses the system public key generation unit to generate the bilinear group G having the prime order p and the bilinear mapping e: G × G → G _T. Then, the system public key PK shown in the following formula (6) is generated using the generator shown in the following formula (5) selected at random from G. The user key issuing server is different for each user represented by the following equation (9) by using the user identifier U for identifying the user of the access control system and the system public key PK by the user key generation means. The user public key PK _U and the user secret key SK _U to be issued as keys are generated. In this access control system, since the user management organization only manages users, when installing a new attribute management organization in the access control system, the user management organization does not need to reissue the key. Compared with a system in which a key is reissued when a new attribute management organization is installed, it is more convenient and a new attribute management organization can be easily installed.

  An access control system according to claim 5 of the present invention includes a content server according to claim 1, a content receiving device according to claim 2, an attribute key issuing server according to claim 3, and a claim. And a user key issuing server described in item 4.

  According to this configuration, in the access control system, the content server uses the attribute public key generated by the attribute key issue server and the system public key generated by the user key issue server to transfer the content key to the access policy. Encrypts each element, generates encrypted content with a header, and distributes it. In addition, the content receiving device acquires and stores in advance the attribute private key generated by the attribute key issuing server and the system public key generated by the user key issuing server, and encrypts the content with a header from the content server. Receive. When the access policy includes an attribute to be satisfied by the user of the content receiving device, the content receiving device decrypts the content key and reproduces the content, while the access policy satisfies the user of the content receiving device. If the power attribute is not included, the content key is not decrypted. In addition, the content server can distribute the content using an encryption method with an algorithm that eliminates the need for the master key itself for decrypting all ciphertext in the system. As a result, the access control system does not have an organization that can independently decrypt all ciphertexts in the system. Therefore, it is possible to provide a secure content distribution service based on user attributes by an access policy created in advance on the content distribution side.

  According to a sixth aspect of the present invention, there is provided a content distribution program that causes a computer, which is the content server according to the first aspect, to perform content encryption means, policy input means, content key encryption means, content combination means, content distribution. It was decided to function as a means.

According to such a configuration, the content distribution program generates encrypted content by encrypting the input content with the content key that is a common key by the content encryption unit. Then, the content distribution program inputs the access policy by policy input means. Then, the content distribution program, when the number of elements of the access policy is n by the content key encryption means, the attribute included in the system public key and the jth element included in the input access policy Using the attribute public key PK _i shown in the following equation (14) issued for i, the input content key M is encrypted for each element included in the access policy, and the j th The partial ciphertext shown in the following formula (22) is generated for the elements of the above, and the partial ciphertexts CT _{1 to} CT _n obtained from all the elements of the access policy are generated. A ciphertext CT represented by Expression (23) is generated. Then, the content distribution program combines the encrypted content key generated by the content key encryption unit and the encrypted content generated by the content encryption unit by the content combining unit, and sets the access policy in the header. By adding, encrypted content with a header is generated. Then, the content distribution program distributes the encrypted content with a header to the content receiving device by the content distribution means.

  According to a seventh aspect of the present invention, there is provided a content receiving program according to an attribute key issuing server corresponding to an attribute to be satisfied by a user of a content receiving apparatus that receives the content distributed by the content server according to the first aspect. The attribute private key storage means which memorize | stored the said attribute private key issued in (3), The user private key storage means which memorize | stored the said user private key issued by the said user key issue server The computer as the content receiving apparatus is caused to function as a content receiving unit, a content separating unit, a determining unit, a content key decrypting unit, and a content reproducing unit.

According to this configuration, the content receiving program receives the encrypted content with a header from the content server by the content receiving unit. Then, the content receiving program uses the following formula (23) that is the access policy, the encrypted content, and the encrypted content key from the encrypted content with header received by the content receiving unit by the content separating unit. And the ciphertext CT shown in FIG. Then, the content receiving program determines whether or not an attribute to be satisfied by a user of the content receiving device is included in the element of the access policy based on the attribute secret key by the determining unit. The j-th element is selected. When the content key decrypting unit selects the j-th element of the access policy, the content receiving program has the attribute secret key SK _i shown in the following equation (17) corresponding to the attribute i included in the element. _{, U,} and the user secret key SK _U shown in the following formula (9) and the system public key, the decryption operation shown in the following formula (24) is executed to decrypt the encrypted content key To do. Then, the content reception program reproduces the content by decrypting the encrypted content separated by the content separation unit by the content key decrypted by the content key decryption unit by the content reproduction unit.

According to the first aspect of the present invention, the content server can distribute the content using an encryption method of an algorithm that eliminates the need for the master key itself for decrypting all ciphertexts in the system. Therefore, the access control system does not have an organization that can independently decrypt all ciphertexts in the system. Therefore, the content server can provide a secure content distribution service by broadcasting or communication within the access control system.
According to the sixth aspect of the present invention, the computer in which the content distribution program is installed can achieve the same effect as the first aspect.

According to the second aspect of the present invention, the content receiving device can reproduce the received content when the content distribution side satisfies an access policy created in advance.
According to the seventh aspect of the present invention, the computer in which the content receiving program is installed can achieve the same effect as the second aspect.

According to the third aspect of the present invention, an arbitrary number of attribute key issuing servers can be easily installed in the access control system.
According to the invention described in claim 4, the user key issuing server can issue the user key and initialize the system.
According to the invention described in claim 5, since there is no institution that can decrypt all ciphertexts in the access control system alone, an access control system based on user attributes is used. It is possible to provide a secure content distribution service by broadcasting or communication.

It is a block diagram which shows typically the access control system which concerns on embodiment of this invention. It is a block diagram which shows typically the structure of the user key issuing server which concerns on embodiment of this invention. It is a block diagram which shows typically the structure of the attribute key issuing server which concerns on embodiment of this invention. It is a block diagram which shows typically the structure of the content server which concerns on embodiment of this invention. It is a block diagram which shows typically the structure of the content receiver which concerns on embodiment of this invention. It is a flowchart which shows the algorithm of the system initialization in the user key issuing server which concerns on embodiment of this invention. It is a flowchart which shows the algorithm of the user key issuing in the user key issuing server which concerns on embodiment of this invention. It is a flowchart which shows the algorithm of the attribute management organization initialization in the attribute key issuing server which concerns on embodiment of this invention. It is a flowchart which shows the algorithm of attribute public key issue in the attribute key issue server which concerns on embodiment of this invention. It is a flowchart which shows the algorithm of the attribute secret key issue in the attribute key issue server which concerns on embodiment of this invention. It is a flowchart which shows the algorithm of the encryption in the content server which concerns on embodiment of this invention. It is a flowchart which shows the algorithm of the decoding in the content receiver which concerns on embodiment of this invention. It is a sequence diagram which shows operation | movement of the user key issuing server which concerns on embodiment of this invention. It is a sequence diagram which shows operation | movement of the attribute key issuing server which concerns on embodiment of this invention. It is a sequence diagram which shows operation | movement of the content server which concerns on embodiment of this invention. It is a sequence diagram which shows operation | movement of the content receiver which concerns on embodiment of this invention. It is a figure which shows the specific example of the attribute of the user of the content receiver which concerns on embodiment of this invention.

Hereinafter, embodiments for carrying out the present invention will be described in detail with reference to the drawings.
[Outline of access control system]
As shown in FIG. 1, an access control system 1 is a system that controls access to content based on an access policy that is based on user attributes, and includes a user key issuing server 2 and a plurality of attribute key issuing servers 3. And a content server 4 and a content receiving device 5. Here, the access policy is a condition for allowing the user to access the content, and is determined in advance by the side providing the content.

The user key issuing server 2 issues a user key, and is installed in a user management organization (Central Authority: CA).
The attribute key issuing server 3 issues an attribute key, and is installed in an attribute management authority (Attribute Authority: AA). In FIG. 1, it is assumed that one attribute key issuing server 3 is installed in each of a plurality of attribute management institutions (AA _{1 to} AA _n ).
The content server 4 distributes content and is installed in a service provider (for example, a broadcasting station).
The content receiving device 5 receives content via a wired or wireless network N or a broadcast wave W, and is used by a user. The content receiving device 5 is composed of, for example, a personal computer, a portable terminal, a television receiver, or the like.

  The user key issuing server 2, the attribute key issuing server 3, the content server 4, and the content receiving device 5 are connected to an external network N such as the Internet or a dedicated IP line. The content server 4 and the content receiving device 5 may be connected by a broadcast wave W. In the following description, it is assumed that the content receiving device 5 receives content from the network N.

[Configuration of each device of the access control system]
Each device includes an arithmetic device such as a CPU (Central Processing Unit), a storage device such as a memory and a hard disk, and an interface device that transmits and receives various types of information to and from the outside.
<User key issuing server>
As shown in FIG. 2, the user key issuing server 2 includes a system initialization device 21 and a user key issuing device 22.

(System initialization device)
The system initialization device 21 generates a system public key PK used by the content server 4, the content reception device 5, or the attribute key issuance server 3. The system public key generation unit 211, the system public key management unit 212, It has.

  The system public key generation unit (system public key generation unit) 211 generates a system public key PK when the system is initialized. The generated system public key PK is stored in the system public key management unit 212. An example of the system initialization algorithm, that is, the system public key PK generation algorithm will be described later.

  The system public key management unit 212 stores and manages the system public key PK. For example, a memory such as a RAM (Random Access Memory) or a ROM (Read Only Memory), a storage device such as a hard disk, and a storage device And a communication device for transmitting and receiving information via an external network N. The system public key PK managed by the system public key management unit 212 is information that anyone can access via the external network N.

(User key issuing device)
The user key issuing device 22 issues a user public key PK _U and a user secret key SK _U , and includes a user key request reception unit 221, a user key generation unit 222, and a user key management unit 223. . The user public key PK _U and the user secret key SK _U are collectively referred to as a user key unless otherwise distinguished.

  The user key request receiving unit 221 receives a request (user identifier U) from a user. The request from the user may be a request transmitted from the content receiving device 5 to the user key issuing server 2 online, or information delivered to the CA by an offline method such as mailing from the user is stored in the user key within the CA. The request may be directly input to the request receiving unit 221 or may be received by the user key request receiving unit 221 indirectly, once input to another terminal in the CA.

The user key generation unit (user key generation means) 222 uses the user identifier U for identifying the user of the access control system 1 and the system public key PK, and issues a user public key PK _U that is issued as a different key for each user. and it is intended to generate the user secret key SK _U.
The user key generation unit 222 generates a user public key PK _U and a user secret key SK _U of the user according to the request received by the user key request reception unit 221, and stores the user public key PKU _U in the user key management unit 223. An example of a user key generation algorithm will be described in an algorithm for issuing a user key to be described later.

The user key management unit 223 stores and manages user keys, and includes, for example, a storage device, a processing device, and a transmission / reception device. The processing device of the user key management unit 223 transmits the user public key PK _U and the user secret key SK _U to the user who made the request. Here, the user secret key SK _U, since information to be concealed, in the case of sending by the communication needs to be encrypted. In this case, as a secure communication means, for example, sends a user private key SK _U which is concealed after authenticating the TLS receiving apparatus using a (Transport Layer Security) or the like (or the content decryption apparatus).

<Attribute key issuing server>
As shown in FIG. 3, the attribute key issuing server 3 issues an attribute key used in the content server 4 or the content receiving device 5, and includes an attribute management organization initialization device 31, an attribute public key issuing device 32, An attribute secret key issuing device 33, a system public key storage unit 34, and a user management information storage unit 35 are provided. The attribute key is a general term for an attribute public key and an attribute secret key.

(Attribute management organization initialization device)
The attribute management authority initialization device 31 operates to initialize the attribute key issuing server 3 when, for example, a new attribute management authority (AA _i ) is installed. 311 and an attribute management organization private key storage unit 312.

The attribute management authority private key generation unit (attribute management authority private key generation means) 311, for example, when an attribute management authority (AA _i ) is newly installed, the attribute management authority identifier a and system for identifying the attribute management authority to the AA using the public key PK is intended to generate a unique attribute management authority secret key SK _a. The generated attribute management authority private key SK _a is stored in the attribute management authority private key storage unit 312. Note that the algorithm for generating the attribute management authority secret key SK _a, is described in the example of an algorithm initialization later attribute management authority.
Attribute management authority secret key storage unit 312 is for storing attribute management authority secret key SK _a, for example, a general memory.

(Attribute public key issuing device)
The attribute public key issuing device 32 issues an attribute public key PK _i for each attribute i in response to the attribute key request acquired from the user. The attribute public key request receiving unit 321 and the attribute public key generating unit 322 And an attribute public key management unit 323.

  The attribute public key request receiving unit 321 receives a request from a user (a request including the attribute i). The request from the user may be a request transmitted from the content receiving device 5 to the attribute key issuing server 3 online, or the information delivered to the AA by the offline method such as mailing from the user is disclosed in the AA. A request directly input to the key request receiving unit 321 may be used, or a request once input to another terminal in the AA may be indirectly received by the attribute public key request receiving unit 321.

  In the present embodiment, the attribute public key request receiving unit 321 determines whether or not the attribute i included in the received request is managed by the AA, and when the attribute i is managed, The data is output to the public key generation unit 322. For example, when managing the residence “Tokyo” as the user attribute in the AA, the attribute public key request reception unit 321 determines whether or not the residence included in the received request is “Tokyo”. Determine. Accordingly, when the residence included in the request is “Tokyo”, for example, an attribute public key common to users residing in “Tokyo” is issued. In this example, when the residence included in the request is “Chiba Prefecture”, for example, a reply that the key cannot be issued is returned.

The attribute public key generation unit (attribute public key generation means) 322 uses the system public key PK, the attribute management organization secret key SK _a, and the request including the attribute i acquired from the user to release the attribute for each attribute i. Key PK _i is generated.
After receiving the request (attribute i) from the user by the attribute public key request receiving unit 321, the attribute public key generation unit 322 generates an attribute public key PK _i corresponding to the attribute _i , and the attribute public key management unit Save to H.323. The algorithm for generating the attribute public key PK _i, be described in the examples of published algorithms later attribute public key PK _i.

The attribute public key management unit 323 stores and manages the attribute public key PK _i , and includes, for example, a storage device, a processing device, and a transmission / reception device. The processing device of the user key management unit 223 transmits the attribute public key PK _i to the user who made the request. The attribute public key PK _i is information that can be accessed by anyone via the external network N. Therefore, it is not necessary to generate the attribute public key PK _i every time in response to a request from the user. That is, the attribute public key PK _i corresponding to all the attributes i managed by the AA may be generated in advance and stored in the attribute public key management unit 323.

For example, when the residence is managed as a user attribute in AA in units of prefectures, 47 attribute public keys may be generated and stored in advance using only the residence attribute. For example, when the user's age attribute is managed by the AA based on whether the user is a minor, two attribute public keys may be generated and stored in advance using only the age attribute. Here, for example, in the case where the first AA (AA ₁ ) manages the residence attribute and the second AA (AA ₂ ) manages the age attribute, the service provider starts from AA ₁ If the attribute public key related to the attribute of residence is acquired and the attribute public key related to the attribute of age is acquired from AA ₂ , for example, content for adults living in Tokyo can be distributed. Of course, a single AA may manage a plurality of types of attributes, such as a residence attribute and an age attribute. If the attribute public key related to the attribute of the child and the attribute public key related to the attribute of the age are acquired, for example, content for adults living in Tokyo can be distributed.

(Attribute private key issuing device)
The attribute secret key issuing device 33 issues an attribute secret key SK _{i, U} for each user corresponding to the attribute i in response to a request for the attribute key acquired from the user. The attribute secret key request receiving unit 331, An attribute secret key generation unit 332 and an attribute secret key management unit 333 are provided.

The attribute private key request reception unit 331 receives a request from a user (user identifier U, user public key PK _U , attribute i). The request from the user received by the attribute secret key request receiving unit 331 is the same as the attribute public key request receiving unit 321 except that the user identifier U and the user public key PK _U are included. .
In the present embodiment, the attribute secret key request reception unit 331 determines whether or not the attribute i included in the received request is managed by the AA, and further manages the user management information. By referring to the user management information stored in the storage unit 35, it is determined whether or not the user who sent the request has the attribute i. If the user has the attribute i (a legitimate user) ), The request is output to the attribute secret key generation unit 332.

The attribute secret key generation unit (attribute secret key generation means) 332 uses the system public key PK, the attribute management organization secret key SK _a, and the request including the attribute i acquired from the user for each user of the attribute i. Attribute private key SK _{i, U} is generated. This request includes the user identifier U and the user public key PK _U in addition to the attribute i.
After receiving the request from the user, the attribute secret key generation unit 332 generates the attribute secret key SK _{i, U} corresponding to the attribute i and the user, and stores it in the attribute secret key management unit 333. Incidentally, the attribute secret key SK _i, for generation algorithm _U, described later attribute secret key SK _i, be described in the published algorithms _U.

The attribute secret key management unit 333 stores and manages the attribute secret keys SK _{i, U} and includes, for example, a storage device, a processing device, and a transmission / reception device. The processing device of the attribute secret key management unit 333 transmits the attribute secret key SK _{i, U} to the user who made the request using a secure communication means. Here, since the secure communication means is the same as the user key management unit 223 described above, the description thereof is omitted. Note that the attribute secret key management unit 333 may simultaneously transmit the attribute secret key SK _{i, U} together with the attribute public key PK _i to the user who made the request.

The system public key storage unit 34 stores the system public key PK, and is composed of, for example, a general memory.
The user management information storage unit 35 stores user management information and includes, for example, a general memory or a hard disk.
The user management information is user information managed in advance by AA, and includes, for example, a user identifier U for identifying the user and a user attribute i such as an address and sex.

<Content server>
As shown in FIG. 4, the content server 4 distributes content only to users having specific attributes according to an access policy created in advance by a service provider. The content encryption device 41 and the content distribution device 42 And.
(Content encryption device)
The content encryption device 41 encrypts content to be distributed to a user having a specific attribute according to an access policy. The content encryption device 41 includes a content input unit 411, a content key generation unit 412, and a content encryption unit 413. And a content storage unit 414.

The content input unit 411 inputs content C. Content C is multimedia content such as video and audio. The content encoding method is not particularly limited. The input content C is sent to the content encryption unit 413 via the content key generation unit 412.
When the content C is input, the content key generation unit 412 generates a content key M for encrypting the content C. The content key generation unit 412 generates the content key M by calculation using a randomly generated random number.

The content encryption unit (content encryption unit) 413 generates the encrypted content E (C) by encrypting the input content C with the content key M. Note that the content C is generally encrypted using a common key cryptosystem capable of high-speed processing. Here, for example, DES (Data Encryption Standard) or AES (Advanced Encryption Standard) may be used as the encryption algorithm of the common key cryptosystem.
The content storage unit 414 stores the generated encrypted content E (C) and the content key M, and includes, for example, a general hard disk.

(Content distribution device)
The content distribution device 42 distributes encrypted content to a user having a specific attribute according to an access policy, and includes a public key storage unit 421, a policy input unit 422, a content key encryption unit 423, , A content combining unit 424 and a content distribution unit 425 are provided.

The public key storage unit 421 stores the attribute public key PK _i and the system public key PK acquired in advance by the content server 4, and includes, for example, a general memory.
The content server 4 stores a plurality of attribute public keys PK _i issued for each attribute acquired from the attribute key issuing server 3 in response to the request in the public key storage unit 421. For example, if the user's residence attribute is managed by AA in AA, and the service provider needs a national residence as a user attribute, 47 attribute public keys are only used for the residence attribute. Obtain and store in advance.

  The policy input unit (policy input means) 422 inputs an access policy. This policy input unit 422 inputs an access policy A created in advance by the service provider as a condition indicated by an additive standard form expressed by a logical sum between elements organized by the logical product of user attributes. An example of the structure of the access policy A used for encryption is shown in Expression (1).

  Here, the additive normal form (also called disjunctive normal form) is called Disjunctive Normal Form (DNF), and a plurality of attributes i are combined with an AND symbol “属性” as shown on the right side of Expression (1). It consists of a logical expression in which elements (hereinafter referred to as conjunction) are connected by OR symbol “∨” for each conjunction.

Here, S ₁ represented by the formula (2) represents a set of attributes i appearing in the first the conjunction, the user's attribute with the content distribution object is determined to satisfy the first the conjunction condition . Set S ₁ of the attribute, for example, it can be expressed as {Tokyo, male, adult}.

Also, S ₂ represented by the formula (3) represents the set of attributes i that appears in the second the conjunction, user attributes and content distribution object is determined so as to satisfy the second the conjunction condition. Set S ₂ of the attributes, for example, it can be expressed as {Chiba, adult}. If the OR of the attribute set S ₁ = {Tokyo, male, adult} is taken, it is possible to distribute contents targeted at an adult male living in Tokyo and an adult living in Chiba Prefecture.

Here, the number of conjunctions is not limited to two, but is arbitrary. Hereinafter, the notation of S _j indicates a set of attributes i appearing in the j-th conjunction. Note that a specific example of the structure of the access policy A will be described in a specific example of user attributes of the content receiving apparatus described later.

The content key encryption unit (content key encryption means) 423 generates an encrypted content key by encrypting the input content key. The content key encryption unit 423 receives the content key M stored in the content storage unit 414 and inputs the content key M into the conjunction (included in the access policy A input by the policy input unit 422). For each element), an encrypted content key E (M) is generated by performing encryption using the attribute public key PK _i and the system public key PK issued for each attribute included in the conjunction. An example of the encryption algorithm for the content key M will be described later.

  The content combining unit (content combining unit) 424 combines the encrypted content key E (M) generated by the content key encryption unit 423 and the encrypted content E (C) generated by the content encryption unit 413 to generate a header. By adding the access policy A, the encrypted content HE (C) with a header is generated.

  The content combining unit 424 combines the encrypted content key E (M) with the encrypted content E (C) stored in the content storage unit 414 and adds the access policy A, so only the header is plaintext. Therefore, in the content receiving device 5 that receives the combined access policy A, it is possible to quickly determine whether or not the user of the content receiving device 5 satisfies the access policy A. In order to detect falsification of the access policy A, the content server 4 further adds falsification detection information of a known copyright protection method as protection information, and the content reception device 5 falsifies the falsification detection information. It may be used for determination.

  The content distribution unit (content distribution unit) 425 distributes the encrypted content HE (C) with a header to the content receiving device 5. Note that the distribution mode of the content C may be video on demand (VoD) for distributing the content C in response to a user request, or multicast distribution such as IP broadcast.

<Content receiving device>
As shown in FIG. 5, the content receiving device 5 receives encrypted content HE (C) with a header distributed by a content server, and includes a public key storage unit 51, an attribute secret key storage unit 52, a user A secret key storage unit 53, a content reception unit 54, a content separation unit 55, a decryption determination unit 56, a content key decryption unit 57, and a content reproduction unit 58 are provided.

The public key storage unit 51 stores the attribute public key PK _i and the system public key PK, and includes, for example, a general memory. The content receiving device 5 stores a plurality of attribute public keys PK _i issued for each attribute acquired from the attribute key issuing server 3 in response to the request in the public key storage unit 51. For example, when a user who uses the content receiving apparatus 5 needs two attributes i of the place of residence and gender in order to receive the contents, two attribute public keys are acquired and stored in advance.

The attribute secret key storage unit (attribute secret key storage means) 52 is the attribute secret key SK _{i, U} issued by the attribute key issuing server 3 in response to the attribute i to be satisfied by the user of the content receiving device 5. For example, a general memory. The same number of attribute secret keys SK _{i, U} as the attribute public keys PK _i are acquired. The attribute secret key SK _{i, U} stored in the attribute secret key storage unit 52 is output to the decryption determination unit 56 and the content key decryption unit 57.

The attribute secret key storage unit 52 is preferably a tamper-resistant module configured such that information recorded therein cannot be read from the outside. For example, when the content receiving device 5 is configured by a television receiver, the attribute secret key storage unit 52 may be a security module configured by an IC card or the like. Note that the attribute secret key storage unit 52 may store the attribute public key PK _i together with the attribute secret keys SK _{i, U.}

User private key storage unit (user private key storage means) 53, there is stored the user private key SK _U issued by the user key issuing server 2, for example, a general memory. The user secret key storage unit 53 may store the user public key PK _U together with the user secret key SK _U. The user secret key storage unit 53 may be a security module configured so that information recorded therein cannot be read from the outside.

  The content receiving unit (content receiving means) 54 receives the encrypted content HE (C) with a header from the content server 4. The received encrypted content HE (C) with header is output to the content separation unit 55.

  The content separation unit (content separation unit) 55 receives the access policy A, the encrypted content key E (M), and the encrypted content E (C) from the encrypted content HE (C) with header received by the content receiving unit 54. ). The access policy A separated here is output to the decryption determination unit 56. Further, the separated encrypted content key E (M) is output to the content key decrypting unit 57. Further, the encrypted content E (C) is output to the content reproduction unit 58.

Based on the attribute secret key SK _{i, U} stored in the attribute secret key storage unit 52, the decryption determination unit (determination means) 56 sets the attribute to be satisfied by the user of the content receiving device 5 in the separated access policy A. It is determined whether or not a conjunction (element) summarized by a logical product of i is included. Accordingly, the decryption determination unit 56 checks whether or not the attribute secret key SK _{i, U} stored in the attribute secret key storage unit 52 satisfies the access policy A. When the decryption determination unit 56 determines that the stored attribute private key SK _{i, U} satisfies the access policy A, information on each attribute included in the jth conjunction that satisfies the access policy A. Is output to the content key decrypting unit 57. A specific example of user attributes in the structure of the access policy A will be described later.

The content key decrypting unit (content key decrypting means) 57, when the access policy A includes the attribute i to be satisfied by the user of the content receiving device 5, the user secret key SK _U , the attribute secret key SK _{i, U} and the system disclosure The encrypted content key E (M) is decrypted using the key PK. When the attribute secret key SK _{i, U} stored in the attribute secret key storage unit 52 satisfies the access policy A, the content key decryption unit 57 stores the attribute secret key SK _{i, U} and the user secret key. using the user secret key SK _U stored in the section 53, decrypts the encrypted content key E (M). The decrypted content key M is output to the content reproduction unit 58.

  The content reproduction unit (content reproduction unit) 58 reproduces the content by decrypting the encrypted content E (C) separated by the content separation unit 55 with the content key M decrypted by the content key decryption unit 57. is there. The reproduced content C is output to an output unit (not shown).

[Processing algorithm in the access control system]
<System initialization algorithm>
A system initialization algorithm executed by the user key issuing server 2 in the access control system 1 according to the embodiment of the present invention will be described with reference to FIG. 6 (refer to FIG. 2 as appropriate). That is, an example of an algorithm for generating the system public key PK when the system is initialized will be described.

First, the system public key generation unit 211 in the user key issuing server 2 selects a bilinear group G having a prime order p based on security parameters such as a key length (step S1). Here, "G is bilinear group", the group operations on G is efficiently obtained, bilinear map (pairing) indicated by the group G _T, and efficiently computable equation (4) A group where e exists. Then, the system public key generation unit 211 selects a bilinear mapping (pairing) e represented by Expression (4) (step S2).

  Then, the system public key generation unit 211 selects a generation source represented by Expression (5) (Step S3). Then, the system public key generation unit 211 generates a system public key PK represented by Expression (6) (step S4) and stores it in the system public key management unit 212 (step S5).

<User key issuance algorithm>
An algorithm for issuing a user key executed by the user key issuing server 2 in the access control system 1 according to the embodiment of the present invention will be described with reference to FIG. 7 (refer to FIG. 2 as appropriate).
The user key generation unit 222 in the user key issuing server 2 randomly selects a random number u from Z _p (a set of integers from 0 to p−1) based on the user identifier U (step S11). Then, the user key generation unit 222 generates a user public key PK _U corresponding to the user identifier U using the selected random number u as shown in Expression (7) (step S12). In Expression (7), g ₁ and h are generators in the system public key PK shown in Expression (6).

Further, the user key generation unit 222 generates a user secret key SK _U corresponding to the user identifier U using the selected random number u as shown in the equation (8) (step S13). In Expression (8), g is a generation source in the system public key PK shown in Expression (6).

Then, the user key generation unit 222 includes the user key <PK _U , SK _U shown in the equation (9) including the user public key PK _U of the equation (7) and the user secret key SK _U of the equation (8). > Is issued to the user (step S14).

<Attribute management organization initialization algorithm>
An AA initialization algorithm executed by the attribute key issuing server 3 in the access control system 1 according to the embodiment of the present invention will be described with reference to FIG. 8 (refer to FIG. 3 as appropriate).
In the attribute management institution secret key generation unit 311 of the attribute key issuing server 3, a hash function H _xa is uniformly and randomly selected from a finite hash function family as shown in the equation (10) (step S21). In equation (10), {0, 1} ^* indicates a set of bit strings having an arbitrary length. Furthermore, _{Z p} denotes an integer of the set from 0 to p-1. p represents a prime number.

Then, the attribute management authority private key generation unit 311 stores the attribute management authority private key SK _a having the attribute management authority identifier _a in the attribute management authority private key storage unit 312 as shown in the equation (11) (step 11). S22). In the formula (11), _{x a} is the index of the hash function shown in equation (10), a suffix x is an attribute management authority identifier.

<Issuance algorithm of attribute public key PK _i >
An algorithm for issuing an attribute public key PK _i executed by the attribute key issuing server 3 in the access control system 1 according to the embodiment of the present invention will be described with reference to FIG. 9 (refer to FIG. 3 as appropriate). The issued attribute public key PK _i is composed of two elements.

In the attribute key issuing server 3, a request (attribute i) from the user is input to the attribute public key request receiving unit 321 (step S31). Then, the attribute public key request receiving unit 321 determines whether or not the attribute i included in the request from the user is managed (step S32). When the attribute i included in the request is managed (step S32: Yes), the attribute public key generation unit 322 uses the first element PK ′ _i (PK prime i) shown in Expression (12) for the corresponding attribute public key. Is generated (step S33), and a second element PK ″ _i (PK double prime i) shown in the equation (13) is generated (step S34). In Expression (12) and Expression (13), g and h are generators in the system public key PK shown in Expression (6). H _SKa (i) is an index indicating the power of g or h, and indicates the hash value of attribute i in the hash function of Expression (10).

Then, the attribute public key generation unit 322 generates an attribute public key PK _i including the first element and the second element as shown in the equation (14) (step S35).

  On the other hand, when the attribute i included in the request is not managed in step S32 (step S32: No), the attribute public key request reception unit 321 outputs “NULL” (step S36).

<Issuance algorithm of attribute secret key SK _{i, U} >
The algorithm for issuing the attribute secret key SK _{i, U} executed by the attribute key issuing server 3 in the access control system 1 according to the embodiment of the present invention will be described with reference to FIG. 10 (refer to FIG. 3 as appropriate). The issued attribute secret key SK _{i, U} consists of two elements.

First, the attribute key issuing server 3 inputs a request (attribute i) from the user to the attribute secret key request receiving unit 331 (step S41). Then, the attribute private key request receiving unit 331 determines whether or not the attribute i included in the request from the user is managed (step S42). When the attribute i is not managed (step S42: No), the attribute secret key request reception unit 331 outputs “NULL” (step S49), and the process ends. On the other hand, when the attribute i is managed (step S42: Yes), the attribute secret key request receiving unit 331 receives the attribute i, the user identifier U, and the user public key PK _U included in the request from the user as input (step S42). S43), it is determined whether or not the user indicated by the user identifier U (hereinafter simply referred to as user U) has the attribute i (step S44). Here, the attribute secret key request reception unit 331 refers to the user management information stored in the user management information storage unit 35 and determines whether or not the user who sent the request has the attribute i.

In step S44, when the user U has the attribute i (step S44: Yes), the attribute secret key generation unit 332 first sets the random number R _{i, U} to Z _p (0 to p−1). It is randomly generated from a set of integers (step S45).
Then, the attribute secret key generation unit 332 generates the first element SK ′ _i shown in the equation (15) for the corresponding attribute secret key using the generated random numbers R _{i, U} (step S46) and the equation ( The second element SK ″ _i shown in FIG. 16) is generated (step S47). In Expressions (15) and (16), h bar and g are generation sources in the system public key PK shown in Expression (6). H _SKa (i) is an index indicating the power of PK _U.

Then, the attribute secret key generation unit 332 generates the attribute secret key SK _{i, U} including the first element and the second element as shown in Expression (17) (step S48).

On the other hand, if the user U does not have the attribute i in step S44 (step S44: No), the attribute secret key request reception unit 331 outputs “NULL” (step S36). That is, only when the attribute key issuance server 3 manages the attribute i included in the request from the user and it is confirmed that the user U has the attribute i, the attribute secret key generation is performed. The unit 332 generates the attribute secret key SK _{i, U} and issues it to the user, and otherwise outputs “NULL”.

<Content key encryption algorithm>
The algorithm for encrypting the content key M executed by the content server 4 in the access control system 1 according to the embodiment of the present invention will be described with reference to FIG. 11 (refer to FIG. 4 as appropriate).

The content key encryption unit 423 of the content server 4 performs encryption for each conjunction of the access policy A when the content key M is encrypted. First, the content key encryption unit 423 randomly generates a random number r _j corresponding to the jth conjunction of the access policy A from Z _p (a set of integers from 0 to p−1) based on the access policy A. (Step S51).

Then, the content key encryption unit 423 converts E _j shown in Equation (18) into Equation (19) as four elements obtained by encrypting the jth conjunction of the access policy A based on the attribute public key PK _{i. E'j,} to generate an expression E'' _j shown in (20), E''' _j (E Triple prime j) shown in equation (21) shown (step S52). In Expressions (18) to (21), e, g, g1, and h bar are included in the system public key PK shown in Expression (6). Note that the attribute public key PK _i is transferred by the above-described equation (14).

  Then, as shown in Expression (22), the content key encryption unit 423 generates a partial ciphertext in which the four elements shown in Expression (18) to Expression (21) are aggregated for the jth conjunction of the access policy A. Generate (step S53).

Then, the content key encryption unit 423 performs the above-described steps S51 to S53 for all the conjunctions of the access policy A, and each partial ciphertext CT _{1 to} CT _n (n is the conjunction of the access policy A). Total number) is generated, and the ciphertext CT of the content key M, which is the message to be encrypted, is generated using these as elements as shown in the equation (23) (step S54).

  The ciphertext CT of the content key M shown in Expression (23), that is, the encrypted content key E (M), is then combined with the encrypted content E (C) and the access policy A is added to the header. It is distributed to the user as encrypted content HE (C) with a header.

<Decryption algorithm for encrypted content key>
An algorithm for decrypting an encrypted content key executed by the content receiving device 5 in the access control system 1 according to the embodiment of the present invention will be described with reference to FIG. 12 (see FIG. 5 as appropriate). First, the content receiving device 5 of the user receives the access policy A separated from the received encrypted content HE (C) with header in the decryption determination unit 56 (step S61), and the attribute i of the user U is It is checked whether or not the access policy A included in the received ciphertext is satisfied (step S62). When the attribute i of the user U satisfies the access policy A (step S62: Yes), for example, if the attribute i of the user U satisfies the jth conjunction of the access policy A, the decryption determination unit 56 The jth conjunction satisfying the access policy A is selected from the total n conjunctions of the policy A (step S63).

Then, the content receiver 5 uses the attribute secret key SK _{i, U} and the user secret key SK _U corresponding to the attribute i included in the conjunction for the selected jth conjunction in the content key decrypting unit 57. The decoding operation shown in Expression (24) is executed (step S64).

In Expression (24), e is included in the system public key PK shown in Expression (6). Note that the SK _{i, U} prime and the SK _{i, U} double prime are transposed by the equation (17).

  The content key decrypting unit 57 outputs the content key M as a message included in the ciphertext CT of the content key M as the decryption calculation result shown in Expression (24) (step S65). On the other hand, if the attribute i of the user U does not satisfy the access policy A in step S62 (step S62: No), “NULL” is output without performing the decryption process (step S66).

[Operation of access control system]
<Operation of user key issuing server>
Next, the operation of the user key issuing server 2 will be described with reference to FIG. 13 (refer to FIG. 2 as appropriate). The user key issuing server 2 generates a system public key PK by the system public key generation unit 211 in the system initialization device 21 at the time of initialization (step S201). The generated system public key PK is stored in the system public key management unit 212 (step S202). The system public key management unit 212 discloses the system public key PK (step S203). That is, anyone can access the system public key PK via the external network N. Thereby, the initialization of the user key issuing server 2 ends.

When the user key issuing server 2 receives the request from the user by the user key request receiving unit 221 of the user key issuing device 22, the user key generating unit 222 causes the user public key PK and the user identifier U included in the request to be received. Are used to generate a user public key PK _U and a user secret key SK _U (step S211). The generated user public key PK _U and user secret key SK _U are stored in the user key management unit 223 (step S212). Then, the user key management unit 223, to the user for which the request, issues a user public key PK _U, issues a user private key SK _U using a secure communication means (step S213).

<Operation of attribute key issuing server>
Next, the operation of the attribute key issuing server 3 will be described with reference to FIG. 14 (refer to FIG. 3 as appropriate). The attribute key issuing server 3 obtains the system public key PK by accessing the system public key PK released by the user key issuing server 2 at the time of initialization to newly install the attribute management authority (AA _i ). It memorize | stores in the system public key memory | storage part 34 (step S301).
The attribute key issuing server 3 generates the attribute management authority private key SK _a by the attribute management authority private key generation unit 311 in the attribute management authority initialization device 31 and stores it in the attribute management authority private key storage unit 312 (step 312). S302). Thereby, the initialization of the attribute key issuing server 3 ends.

When the attribute public key request receiving unit 321 of the attribute public key issuing device 32 receives a request from the user (step S311), the attribute key issuing server 3 receives the system public key PK and the attribute public key generation unit 322. Then, the attribute public key PK _i is generated using the attribute management organization private key SK _a and the attribute i included in the request (step S312). Here, the user means not only a user who uses the content receiving device 5 but also a service provider who uses the content server 4. The generated attribute public key PK _i is stored in the attribute public key management unit 323 (step S313). Then, the attribute public key management unit 323 discloses the attribute public key PK _i (step S314). That is, anyone can access the attribute public key PK _i via the external network N. Note that the attribute public key management unit 323 issues the attribute public key PK _i to the user who made the request.

When the attribute public key request receiving unit 321 of the attribute secret key issuing device 33 receives a request from the user, the attribute key issuing server 3 receives the system public key PK and the attribute management organization by the attribute secret key generating unit 332. The attribute secret key SK _{i, U} is generated using the secret key SK _a and the attribute i, user identifier U, and user public key PK _U included in the request, respectively (step S315). Here, the user means a user who uses the content receiving device 5. The generated attribute secret key SK _{i, U} is stored in the attribute secret key management unit 333 (step S316). Then, the attribute secret key management unit 333 issues the attribute secret key SK _{i, U} to the user who made the request using a secure communication means (step S317). Incidentally, the attribute secret key management unit 333, the attribute secret key SK _i, to the user for which the request _U, issued attribute secret key SK _{i, U} and attributes public key PK _i simultaneously using a secure communication means May be.

<Operation of content server>
Next, the operation of the content server 4 will be described with reference to FIG. 15 (see FIG. 4 as appropriate). At the time of initialization, the content server 4 accesses the system public key PK released by the user key issuing server 2, acquires the system public key PK, and stores it in the public key storage unit 421 (step S401). The content server 4 sends a request to the attribute key issuing server 3 to acquire the attribute public key PK _i and stores it in the public key storage unit 421 (step S402). Thereby, the initialization of the content server 4 ends. However, the present embodiment is not limited to this method. That is, even if the content server 4 does not obtain PK _i corresponding to all attributes i in advance at the time of initialization, it may be obtained every time it is encrypted. This is because when a service provider encrypts encrypted content, it is usual to first determine a policy and then obtain the corresponding attribute public key PK _i . Here, as an example, it is assumed that the content server 4 obtains PK _i corresponding to all the attributes i in advance at the time of initialization.

  The content server 4 executes the following steps S411 to S414 in the content encryption device 41. First, the content encryption apparatus 41 inputs the content C by the content input unit 411 (step S411). Then, the content encryption device 41 generates the content key M by the content key generation unit 412 (step S412). Then, the content encryption apparatus 41 generates the encrypted content E (C) by encrypting the content C with the content key M by the content encryption unit 413 (step S413). The generated encrypted content E (C) and content key M are stored in the content storage unit 414 (step S414).

The content server 4 executes the processes of the following steps S421 to S424 in the content distribution device 42. First, the content distribution apparatus 42 inputs the access policy A related to the attribute i of the user permitted to decrypt using the policy input unit 422 (step S421). Then, the content distribution apparatus 42 encrypts the content key M stored in the content storage unit 414 using the attribute public key PK _i corresponding to the access policy A and the access policy A by the content key encryption unit 423. (Step S422). Then, in the content distribution device 42, the content combining unit 424 combines the encrypted content key E (M) and the encrypted content E (C) stored in the content storage unit 414, and the access policy A is included in the header. Is added to generate encrypted content HE (C) with a header. (Step S423). Then, the content distribution device 42 distributes the encrypted content HE (C) with a header to the user's content reception device 5 by the content distribution unit 425b (step S424).

<Operation of content receiving device>
Next, the operation of the content receiving device 5 will be described with reference to FIG. 16 (refer to FIG. 5 as appropriate). At the time of initialization, the content receiving device 5 accesses the system public key PK released by the user key issuing server 2, acquires the system public key PK, and stores it in the public key storage unit 51 (step S501). Further, the content receiving apparatus 5 acquires the user key (user public key PK _U and user secret key SK _U ) issued by the user key issuing server 2 in response to the request, and stores the user key in the user secret key storage unit 53 ( Step S502). Further, the content receiving device 5 sends a request for requesting an attribute key to the attribute key issuing server 3 (step S503). The content receiving device 5 acquires the attribute public key PK _i published by the request and stores it in the public key storage unit 51 (step S504). Further, the content receiving device 5 acquires the attribute secret key SK _{i, U} issued by the request and stores it in the attribute secret key storage unit 52 (step S505). The attribute public key PK _i may be acquired together with the attribute secret key SK _{i, U} and stored in the attribute secret key storage unit 52. Thereby, the initialization of the content receiving device 5 is completed.

  When the content receiving unit 54 receives the encrypted content with header HE (C) distributed from the content server 4 at the content receiving unit 54, the content separating unit 55 receives the access policy A and the encrypted content described in the header part. The key E (M) is extracted (step S511).

Then, the content receiving apparatus 5 determines whether or not the attribute secret key SK _{i, U} stored in the attribute secret key storage unit 52 satisfies the access policy A by the decryption determination unit 56 (step S512). . That is, it is determined whether or not the access policy A includes an AND element of the attribute i to be satisfied by the user of the content receiving device 5.

When the stored attribute secret key SK _{i, U} satisfies the access policy A (step S512: Yes), the content receiver 5 causes the content key decryption unit 57 to use the attribute secret key SK _{i, U} and the user secret. using the user secret key SK _U stored in the key storage unit 53, decodes the separated encrypted content key E (M) from the header-added encoded contents HE (C), to obtain a content key M (step S513 ).
Using the decrypted content key M, the content receiving device 5 decrypts the encrypted content E (C) separated from the header-encrypted content HE (C), and reproduces the content C (step S514).

In step S512, when the attribute secret key SK _{i, U} stored in the attribute secret key storage unit 52 does not satisfy the access policy A (step S512: No, the content receiving device 5 reproduces the content). The process is finished without.

[Specific example of user attributes]
Next, a specific example of the user attribute of the content receiving apparatus according to the embodiment of the present invention will be described with reference to FIG. 17 (refer to FIG. 1 as appropriate). In the access control system 1 shown in FIG. 1, for example, it is assumed that the attribute of the user's residence is managed in each prefecture by the AA attribute key issuing server 3. Then, it is assumed that the user key issuing server 2, the attribute key issuing server 3, the content server 4, and the content receiving device 5 are respectively initialized and each obtains and stores a necessary key. .

Under this premise, as shown in FIG. 17, one content server 4 that distributes a certain content and five content receiving apparatuses 5 (5a, 5b, 5c, 5d, 5e) connected to the network N are assumed. A specific example will be described. Here, it is assumed that the service provider permits viewing of the content C only by female users residing in Shikoku.
The access policy A input to the content server 4 of the service provider is described as in Expression (25) using the residence attribute and the gender attribute.

A = (Kagawa Prefectural Women) ∨ (Tokushima Prefectural Women) ∨ (Ehime Prefectural Women) ∧ (Kochi Prefectural Women)
... Formula (25)

The user Ua of the content receiving device 5a is assumed to be a woman who lives in Kagawa Prefecture, for example. Here, as shown in FIG. 17, in this user Ua, the attribute of residence and the attribute of gender are described as attribute i ₁ = “Kagawa prefecture” and attribute i ₂ = “female”.
Further, it is assumed that the user Ub of the content receiving device 5b has the attribute i ₃ = “Tokushima Prefecture” and the attribute i ₄ = “female”.
Further, the user Uc of the content receiving device 5c is assumed to have the attribute i ₅ = “Ehime Prefecture” and the attribute i ₆ = “female”.
Further, it is assumed that the user Ud of the content receiving device 5d has the attribute i ₇ = “Kochi Prefecture” and the attribute i ₈ = “female”.
Further, it is assumed that the user Ue of the content receiving device 5e has the attribute i ₉ = “Kagawa Prefecture” and the attribute i ₁₀ = “male”.

The content server 4 shown in FIG. 17 has a system public key PK and attribute public key PK _i acquired in advance and a generated content key. In addition, the content receiving device 5a includes the system public key PK, the user key of the user Ua = <user public key PK _U , user secret key SK _U >, the attribute public key PK _i, and the attribute private key SK _{i of the} user Ua. _{, U} and holding. In addition, although illustration is abbreviate | omitted, each content key corresponding to a user shall be similarly memorize | stored in the other content receivers 5b-5e.

The access policy A in Expression (25) is rewritten as Expression (26).
In addition, a set of attributes i appearing in j = 1 to 4th conjunction of the access policy A is represented by Expression (27), Expression (28), Expression (29), and Expression (30), respectively.

The content receiving device 5a separates the access policy A shown in Expression (26) from the received ciphertext. Here, the attributes i ₁ and i ₂ of the user Ua satisfy j = 1st conjunction of the access policy A shown in Expression (26). Accordingly, the content receiving device 5a, select the j = 1 th conjunction access policy A, and attribute secret key SK _{i1, U} corresponding to the attribute i _1, attribute secret key SK _i2 corresponding to the attribute i _{2, U} and Then, the decryption operation shown in the equation (24) is executed using the user secret key SK _Ua .

Further, the content receiving device 5b, select a j = 2 th conjunction access policy A, and attribute secret key SK _{i3, U} corresponding to the attribute i _3, attribute secret key SK _i4 corresponding to the attribute i _{4, U} and The decryption operation shown in the above equation (24) is executed using the user secret key SK _Ub .
Similarly, the content receiving device 5c selects j = 3th conjunction of the access policy A, and the content receiving device 5d selects j = 4th conjunction of the access policy A, and obtains the content key M by decryption.
On the other hand, the combination of the attributes i ₉ and i ₁₀ of the user Ue who uses the content receiving device 5e does not satisfy the access policy A shown in Expression (26). Therefore, the content receiving device 5e does not decrypt the ciphertext according to the access policy A.
Thereby, only the female user residing in Shikoku can view the content C.

  The access control system 1 according to the present embodiment is a content distribution service using a network N such as a broadcast wave W, the Internet, a dedicated IP line, or the like. Can be encrypted based on the access policy A describing the condition of the attribute i to be satisfied by the user without directly specifying individual users.

  Thereby, it is possible to easily realize access control when the service provider performs the content distribution service. For example, by using “residence” as the attribute i of the user, it is possible to realize a content distribution service only for viewers who live in a specific area. Further, for example, by using “age” as the user attribute i, a content distribution service with age restriction can be realized. Furthermore, for example, by using “member type” as the user attribute i, a premium content distribution service limited to members can be realized. In this way, a fine content distribution service according to the user's attribute i can be provided.

Further, since the access control system 1 according to the present embodiment can issue the attribute secret key SK _{i, U} by an arbitrary number of AAs, the management cost of each AA can be reduced, and a new AA can be installed. Will also be easier.

  Furthermore, since the access control system 1 according to the embodiment does not have an organization that can decrypt the ciphertext independently, the access control system 1 can be constructed more safely than before, and the user can secure the content distribution service provided by the service provider. Available with heart.

As mentioned above, although this invention was demonstrated based on embodiment, this invention is not limited to this. For example, the content receiving device 5 receives content from the network N. However, the content receiving device 5 may receive content by a broadcast wave W transmitted from the content server 4 provided in the broadcaster's broadcast station. In this case, the content receiving apparatus 5 is provided with, for example, a tuner for receiving digital broadcasting, CAS (Conditional Access System) user private key to the card SK _U and attribute secret key SK _i, may be recorded _U.

  In the present embodiment, the user key management unit 223 of the user key issuing server 2 and the attribute secret key management unit 333 of the attribute key issuing server 3 use secure communication means. The secret key may be issued to the user offline (for example, by mail).

  Further, for example, the content server 4 can be realized by operating a general computer by a program (content distribution program) that functions as each of the above-described units. The content receiving device 5 can be realized by operating a general computer with a program (content receiving program) that functions as each of the above-described units. These content distribution program and content reception program can be distributed via a communication line, or can be distributed by writing in a recording medium such as a DVD or a CD-ROM.

  In general, since the digital broadcast receiver has a function of automatically downloading the software program of the receiver by downloading the data sent by the digital broadcast, when the digital broadcast receiver takes in the content reception program, The access control system 1 can function as the content receiving device 5.

DESCRIPTION OF SYMBOLS 1 Access control system 2 User key issuing server 21 System initialization apparatus 211 System public key production | generation part (system public key production | generation means)
212 System public key management unit 22 User key issuing device 221 User key request receiving unit 222 User key generation unit (user key generation means)
223 User key management unit 3 Attribute key issuing server 31 Attribute management organization initialization device 311 Attribute management organization private key generation unit (attribute management organization private key generation means)
312 Attribute management organization private key storage unit 32 Attribute public key issuing device 321 Attribute public key request reception unit 322 Attribute public key generation unit (attribute public key generation unit)
323 Attribute public key management unit 33 Attribute secret key issuing device 331 Attribute secret key request receiving unit 332 Attribute secret key generating unit (attribute secret key generating unit)
333 Attribute secret key management unit 34 System public key storage unit 35 User management information storage unit 4 Content server 41 Content encryption device 411 Content input unit 412 Content key generation unit 413 Content encryption unit (content encryption unit)
414 Content storage unit 42 Content distribution device 421 Public key storage unit 422 Policy input unit (policy input means)
423 content key encryption unit (content key encryption means)
424 Content combiner (content combiner)
425 Content distribution unit (content distribution means)
5 content receiving device 51 public key storage unit 52 attribute secret key storage unit (attribute secret key storage unit)
53 User private key storage (user private key storage means)
54 Content receiver (content receiver)
55 Content separation unit (content separation means)
56 Decoding determination unit (determination means)
57 Content key decryption unit (content key decryption means)
58 Content playback unit (content playback means)
N network

Claims (7)

A user key issuing server that issues a user public key and a user secret key as a user key and a system public key, and an attribute public key for each attribute and a plurality of attribute keys for issuing an attribute private key for each user corresponding to the attribute An publishing server, a content server that distributes content, and a content receiving device that is used by a user to receive the content, and that provides the content in advance using a user attribute as a condition for accessing the content. The content server in an access control system that controls access to the content based on a created access policy,
Content encryption means for generating encrypted content by encrypting the input content with a content key that is a common key;
Policy input means for inputting the access policy;
Content key encryption means for encrypting the input content key and generating an encrypted content key;
Generate encrypted content with a header by combining the encrypted content key generated by the content key encryption unit and the encrypted content generated by the content encryption unit and adding the access policy to the header Content merging means,
Content distribution means for distributing the encrypted content with a header to the content receiving device,
The content key encryption means includes
When the number of elements of the access policy is n, the following equation (14) issued for the system public key and the attribute i included in the jth element included in the input access policy The input content key M is encrypted for each element included in the access policy using the attribute public key PK _i shown, and the partial ciphertext represented by the following equation (22) for the j-th element CT _j is generated, each partial cipher text CT _{1 to} CT _n obtained from all elements of the access policy is generated, and a cipher text CT represented by the following equation (23) is generated as the encrypted content key. Content server characterized by this.

An access control system comprising the content server according to claim 1, wherein the content receiving device receives the content distributed by the content server,
Attribute secret key storage means for storing the attribute secret key issued by the attribute key issuing server corresponding to the attribute to be satisfied by the user of the content receiving device;
User secret key storage means for storing the user secret key issued by the user key issuing server;
Content receiving means for receiving the encrypted content with a header from the content server;
Content separation for separating the access policy, the encrypted content, and the ciphertext CT represented by the equation (23), which is the encrypted content key, from the encrypted content with the header received by the content receiving unit Means,
A determination means for determining whether or not the attribute of the access policy element includes an attribute to be satisfied by the user of the content receiving device based on the attribute secret key, and, if included, a determination unit that selects the j-th element; ,
When the j-th element of the access policy is selected, the attribute secret key SK _{i, U} shown in the following formula (17) corresponding to the attribute i included in the element and the following formula (9) using the user secret key SK _U and said system public key, a content key decryption means performs an operation of decoding indicated in the following equation (24), decrypting the encrypted content key,
Content reproducing means for reproducing the content by decrypting the encrypted content separated by the content separating means with the content key decrypted by the content key decrypting means;
A content receiving apparatus comprising:

The access control system comprising the content server according to claim 1 or the content receiving device according to claim 2, wherein the attribute is installed in an attribute management organization and issues the attribute key used in the content server or the content receiving device. A key issuing server,
And attribute management authority secret key generation means for generating a unique attribute management authority secret key SK _a to the attribute management engine with an attribute management authority identifier a and the system public key identifies the attribute management authority,
An attribute for generating the attribute public key PK _i for each attribute shown in the equation (14) using the system public key, the attribute management organization secret key SK _a, and a request including the attribute acquired from the user Public key generation means;
Using the system public key, the attribute management authority private key SK _a , the attribute acquired from the user, the request including the user identifier U and the user public key, the attribute shown in the following equation (17) Attribute secret key generation means for generating the attribute secret key for each user;
An attribute key issuing server comprising:

An access control system comprising the content server according to claim 1, the content reception device according to claim 2, or the attribute key issuing server according to claim 3, wherein the content server is installed in a user management organization, and the content reception The user key issuing server for generating the system public key used in the apparatus or the attribute key issuing server,
A bilinear group G having position number p arsenide, bilinear map e: and G × G → G _T, using the origin indicated by randomly selected the following formula (5) from G, the following formula ( 6) system public key generating means for generating the system public key PK shown in
Using the user identifier U for identifying the user of the access control system and the system public key PK, the user public key PK _U and the user secret issued as different keys for each user shown in the following equation (9) User key generation means (222) for generating a key SK _U ;
A user key issuing server comprising:

  A content server according to claim 1, a content receiving device according to claim 2, an attribute key issuing server according to claim 3, and a user key issuing server according to claim 4. And access control system. A computer that is the content server according to claim 1,
Content encryption means for generating encrypted content by encrypting the input content with a content key that is a common key;
Policy input means for inputting the access policy;
When the number of elements of the access policy is n, the system public key and the formula (14) issued for the attribute i included in the jth element included in the input access policy are shown. Using the attribute public key PK _i , the input content key M is encrypted for each element included in the access policy, and a partial ciphertext represented by the equation (22) is generated for the j-th element Content key encryption means for generating the partial ciphertexts CT _{1 to} CT _n obtained from all elements of the access policy and generating the ciphertext CT shown in the equation (23) as the encrypted content key ,
Generate encrypted content with a header by combining the encrypted content key generated by the content key encryption unit and the encrypted content generated by the content encryption unit and adding the access policy to the header Content combining means,
A content distribution program for causing the encrypted content with a header to function as content distribution means for distributing to the content receiving device. An attribute secret key storage storing the attribute secret key issued by the attribute key issuing server corresponding to an attribute to be satisfied by a user of a content receiving apparatus that receives the content distributed by the content server according to claim 1 A computer that is a content receiving device according to claim 2, further comprising: means and user secret key storage means that stores the user secret key issued by the user key issuing server.
Content receiving means for receiving the header-encrypted content from the content server;
Content separation for separating the access policy, the encrypted content, and the ciphertext CT represented by the equation (23), which is the encrypted content key, from the encrypted content with the header received by the content receiving unit means,
A determination means for determining whether or not the attribute of the access policy element includes an attribute to be satisfied by a user of the content receiving device based on the attribute secret key, and if included, a determination unit that selects the j th element;
When the jth element of the access policy is selected, the attribute secret key SK _{i, U} shown in the equation (17) corresponding to the attribute i included in the element _, and the user secret shown in the equation (9) the key SK _U by using the system public key, performs an operation of decoding indicated in the equation (24), the content key decryption means for decrypting the encrypted content key,
Content reproducing means for reproducing the content by decrypting the encrypted content separated by the content separating means with the content key decrypted by the content key decrypting means;
Content receiving program to function as

Images