JP7174633B2 - Content distribution device, mobile terminal, receiving device and their programs - Google Patents

Description

The present invention relates to a content distribution device, a mobile terminal, a receiving device, and programs thereof that enable viewing and listening of encrypted broadcast content under the same conditions inside and outside the home.

Broadcasting services currently employ a triple key scheme consisting of a scramble key (Ks), a work key (Kw), and a master key (Km), and broadcast content (hereinafter referred to as content) is encrypted (scrambled) before being broadcast. .
Specifically, as shown in FIG. 15, the broadcasting station provides encrypted content obtained by encrypting the content with a scramble key (decryption key) Ks and encrypted content obtained by encrypting the scramble key (Ks) with a work key (Kw). The encrypted scramble key and the encrypted work key obtained by encrypting the work key (Kw) with the master key (Km) common to the receiving device are multiplexed and distributed. A scramble key is a key that is updated in a few seconds. A work key is a key that is updated about once a month to a year. A master key is a key unique to a receiving device.
On the other hand, the receiving device uses the master key (Km) to decrypt the encrypted work key into a work key (Kw), and uses the work key (Kw) to decrypt the encrypted scramble key into a scramble key (Ks). The receiving device then decrypts the encrypted content into content using the scramble key (Ks).

In order to enjoy this broadcasting service, the receiving device incorporates a mechanism for generating (decrypting) a scramble key. This mechanism is embedded in the B-CAS card for satellite broadcasting and terrestrial broadcasting, and in the IC chip embedded in the receiving device for 4K8K satellite broadcasting. is not possible. In addition, in pay broadcasting, contract information is contained in the B-CAS card or IC chip, and the output of the scramble key from the B-CAS card or IC chip is controlled based on this contract information.

If the B-CAS card or IC chip can be taken outside, for example, even outside the home, the same broadcasting service as that enjoyed at home can be enjoyed.
However, it is very difficult to take out the IC chip. Also, although it is possible to take out the B-CAS card, it is difficult to take out the card from the receiving device in consideration of damage to the device and the card. In addition, there are several types of card sizes these days, and one card cannot be used for all receiving devices. Furthermore, when a family uses one B-CAS card, if the card is taken out, other members of the family will not be able to enjoy the broadcasting service even at home.

On the other hand, a system has been proposed in which the same broadcasting service as in the home can be enjoyed outside the home by modifying the unauthorized user tracking cipher and setting a time limit (hereinafter referred to as OHI07 method; see Non-Patent Document 1). Furthermore, various devices (IoT [Internet of Things] devices, etc.) can be connected to broadcast receivers by broadcast-communication cooperation services that integrate broadcasting and communications. For example, from September 2013, a broadcasting and communication cooperation service called Hybridcast (registered trademark) has been started (see Non-Patent Documents 2 and 3). A method for enjoying the same broadcasting service outside the home as inside the home by setting time and place restrictions using the cooperation between this IoT device and the broadcast receiving device and the attribute-based encryption (ABE) method. has been proposed (hereinafter, OTH17 method; see Non-Patent Document 4).

K. Ogawa, G. Hanaoka, and H. Imai, “Traitor Tracing Scheme Secure against Key Exposure and its Application to Anywhere TV service,” IEICE Trans. on Fundamentals, Vol.E90-A, no.5, pp.1000- 1011, 2007. “Broadcasting and Communications Linkage System Specifications (IPTVFJ STD-0010) Version 2.2”, General Incorporated Association IPTV Forum, Revised September 21, 2018 “HTML5 Browser Specification (IPTVFJ STD-0011) Version 2.4”, General Incorporated Association IPTV Forum, Revised September 21, 2018 K. Ogawa, S. Tamura, and G. Hanaoka, “Key Management for Versatile Pay-TV services,” Proc. of International Workshop on Security and Trust Management 2017, pp.3-18, 2017.

With the conventional OHI07 method, it is possible to enjoy the same broadcasting service outside the home with a time limit, but it is not possible to limit the place where the broadcasting service can be enjoyed. Therefore, as one form of service, it is desired to provide not only a time limit but also a limit based on usage conditions such as location.
In addition, in the conventional OTH17 method, the time and place of use outside the home can be restricted, but the place and time of use must be communicated in advance to a center called a key management center. Therefore, if the key management center is unreliable due to insufficient information management, etc., there is a risk that privacy information (for example, viewing time and viewing location) may be leaked. Furthermore, since the work key is also sent to the key management center, there is a risk of leakage of the work key.

The present invention has been made in view of such problems, and allows users to enjoy the same broadcasting service as at home under predetermined usage conditions even outside the home without taking out the B-CAS card or IC chip. It is also an object of the present invention to provide a content distribution device, a mobile terminal, a receiving device, and a program thereof that can prevent leakage of privacy information and keys.

In order to solve the above problems, a content distribution device according to the present invention is a content distribution device that encrypts content and distributes it to a receiving device, comprising: content encryption means; first scramble key encryption means; The configuration includes scramble key encryption means, work key encryption means, multiplexing means, stream transmission means, secret distribution means, and second work key share transmission means.

In such a configuration, the content distribution device encrypts the content with the scramble key by the content encryption means to generate the encrypted content.
Also, the content distribution device encrypts the scramble key with the first work key by the first scramble key encryption means to generate the first encrypted scramble key. Also, the content distribution device encrypts the scramble key with the second work key by the second scramble key encryption means to generate a second encrypted scramble key.
This encrypts the scramble key with two different work keys.
Further, the content distribution device generates a first encrypted work key by encrypting the first work key with a master key specific to the receiving device by the work key encryption means.
Then, the content distribution device multiplexes the encrypted content, the first encrypted scramble key, the second encrypted scramble key, and the first encrypted work key by the multiplexing means.
Then, the content distribution device transmits the stream data multiplexed by the multiplexing means to the receiving device by the stream transmission means. As a result, the first work key is multiplexed with the encrypted content and broadcast as in the conventional case.

Also, the content distribution device fragments the second work key into a plurality of second work key shares by secret sharing in multi-party computation by the secret sharing means. As a result, the second work key cannot be generated only by fragmentary second work key sharing.
Then, the content distribution device divides and transmits the plurality of second work key shares to the plurality of servers that perform the calculation of the encryption function by the data calculation in the multi-party calculation by the second work key share transmission means.
This encryption function is a function that calculates a second encrypted work key from a second work key using a hash value of usage attributes including the authentication token of the user and the location and time of content viewing.
This allows a plurality of servers to distribute and generate the second encryption work key.
Note that the content distribution device can operate a computer with a program for functioning as each means described above.

Further, in order to solve the above-mentioned problems, the portable terminal according to the present invention provides a secret key for decrypting the second encrypted work key used for encrypting the content scramble key. A mobile terminal for generating a secret sharing means, a usage attribute share transmitting means, a secret key share receiving means, a secret key share synthesizing means, and a key information transmitting means.

In such a configuration, the mobile terminal divides the usage attributes including the authentication token of the user and the location and time of viewing the content by secret sharing in multi-party calculation and divides them into a plurality of usage attribute shares by the secret sharing means. become As a result, a usage attribute cannot be generated with only fragmentary usage attribute sharing.
Then, the portable terminal divides and transmits a plurality of usage attribute shares to a plurality of servers that perform calculation of the secret key generation function by data calculation in multi-party calculation, respectively, by the usage attribute share transmission means.
This secret key generation function is a function that obtains a hash value of a usage attribute and converts the hash value into a secret key with a predetermined key length.

Also, the mobile terminal receives secret key shares obtained by fragmenting the secret keys from a plurality of servers by the secret key share receiving means.
Then, the portable terminal combines the plurality of secret key shares received by the secret key share receiving means by the secret key share synthesizing means by performing a secret sharing restoration process to generate a secret key. As a result, the mobile terminal can acquire the private key while keeping the usage attributes confidential.
Then, the mobile terminal transmits the authentication token and the private key to the receiving device viewing the content by the key information transmitting means.
It should be noted that the mobile terminal can be operated by a program for causing the computer to function as each means described above.

Further, in order to solve the above-described problems, a receiving device according to the present invention includes encrypted content obtained by encrypting content with a scramble key, a first encrypted scramble key obtained by encrypting the scramble key with a first work key, and a scrambled Content is extracted from stream data obtained by multiplexing the second encrypted scramble key obtained by encrypting the key with the second work key and the first encrypted work key obtained by encrypting the first work key with the master key of the receiving device. A decryption receiving device comprising: secret distribution means; usage attribute share transmission means; second encrypted work key share reception means; second encrypted work key share synthesis means; The configuration includes work key decryption means, scramble key decryption means, and content decryption means.

In such a configuration, the receiving device uses the secret sharing means to fragment the usage attributes including the authentication token of the user and the location and time of viewing the content into a plurality of usage attribute shares by secret sharing in multi-party calculation. As a result, a usage attribute cannot be generated with only fragmentary usage attribute sharing.
Then, the receiving device uses the usage attribute share transmitting means to separately transmit the plurality of usage attribute shares to the plurality of servers that perform the calculation of the encryption function by the data calculation in the multi-party calculation.
This encryption function is a function that calculates a second encrypted work key from a second work key using a hash value of usage attributes including the authentication token of the user and the location and time of content viewing.
Also, the receiving device receives the second encrypted work key share obtained by fragmenting the second encrypted work key from the plurality of servers by the second encrypted work key share receiving means.
Then, the receiving device synthesizes the plurality of second encrypted work key shares received by the second encrypted work key share receiving means by the second encrypted work key share synthesizing means by the secret sharing restoration process, Generate a cryptographic work key.
As a result, the receiving device can acquire the second encrypted work key while keeping the usage attribute confidential.

Also, the receiving device receives the authentication token and the private key from the mobile terminal by the key information receiving means.
Then, the receiving device decrypts the second encrypted work key into the second work key using the secret key by the second work key decryption means.
Also, the receiving device uses the scramble key decoding means to decode the second encrypted scramble key multiplexed into the stream data into a scramble key using the second work key.
Then, the receiving device uses the content decryption means to decrypt the encrypted content multiplexed with the stream data using the scramble key.
It should be noted that the receiving device can be operated by a program for causing the computer to function as each means described above.

ADVANTAGE OF THE INVENTION This invention has the outstanding effect shown below.
According to the present invention, a user of a broadcasting service can enjoy the same content as the service enjoyed at home without removing the B-CAS card or IC chip from the receiver.
Also, according to the present invention, it is possible to prevent leakage of personal information such as when, where and which channel the user is watching.
Moreover, according to the present invention, since the temporal work key used for encrypting the scramble key is not leaked to a third party, it is possible to prevent unauthorized use of the content by a third party.

FIG. 4 is an explanatory diagram for explaining an outline of processing of the system for receiving broadcasting service outside the home according to the embodiment of the present invention; 1 is a system configuration diagram showing the overall configuration of an out-of-home broadcasting service receiving system according to an embodiment of the present invention; FIG. FIG. 3 is a block diagram showing the configuration of the content distribution device of FIG. 2; FIG. 3 is a block diagram showing the configuration of the Kwt secret sharing device of FIG. 2; FIG. 3 is a block diagram showing the configuration of the authentication device in FIG. 2; FIG. 3 is a block diagram showing the configuration of the encrypted Kwt share generation server of FIG. 2; FIG. 3 is a block diagram showing the configuration of a private key share generation server in FIG. 2; FIG. 3 is a block diagram showing the configuration of the mobile terminal in FIG. 2; FIG. FIG. 3 is a block diagram showing the configuration of the receiver in FIG. 2; FIG. 4 is a flow chart showing an operation of distributing a temporal work key (Kwt) as an encrypted Kwt share in the out-of-home broadcasting service receiving system according to the embodiment of the present invention; 4 is a flow chart showing an operation of acquiring a secret key in a mobile terminal of the system for receiving broadcasting service outside the home according to the embodiment of the present invention; 4 is a flow chart showing the operation of decrypting the temporal work key (Kwt) in the receiving device of the out-of-home broadcasting service receiving system according to the embodiment of the present invention; 4 is a flow chart showing the operation of decoding content in the receiving device of the out-of-home broadcasting service receiving system according to the embodiment of the present invention. FIG. 10 is a block diagram showing the configuration of a content distribution device according to another embodiment of the present invention; FIG. 10 is an explanatory diagram for explaining processing contents of a triple key scheme in a conventional broadcasting service;

BEST MODE FOR CARRYING OUT THE INVENTION Hereinafter, embodiments of the present invention will be described with reference to the drawings.
[Regarding the processing of the out-of-home broadcasting service receiving system]
First, with reference to FIG. 1, the outline of the processing of the out-of-home broadcasting service receiving system S will be described. The out-of-home broadcasting service receiving system S is a system for viewing contracted content on a receiving device (outside receiving device 8) other than the receiving device with which the user has a viewing contract.

A broadcasting station 1 encrypts contents and broadcasts them by broadcast waves. Here, the broadcasting station 1 encrypts the content by a conventional triple key (scramble key [Ks], work key [Kw], master key [Km]) method, and Ks has a shorter update period than Kw ( For example, 1 day) is encrypted with a temporal work key (hereinafter referred to as Kwt), multiplexed with encrypted content, and broadcasted. That is, the broadcasting station 1 individually encrypts Ks with Kw (first work key) and Kwt (second work key), duplicates the encrypted scramble key, and broadcasts.
In addition, the broadcasting station 1 divides Kwt into a plurality of distributed values by secret sharing in Multi Party Computation (MPC), and distributes to a plurality of servers (encrypted Kwt share generation servers) 5 (5A, 5B) Send each separately.

A plurality of servers (encrypted Kwt share generation servers) 5 distributes and calculates a function (encryption function) for encrypting Kwt by data calculation in multi-party calculation, and encrypts temporal work keys (hereinafter referred to as encrypted Kwt ) to generate encrypted Kwt shares, which are fragments (shares) of the distributed The function that encrypts this Kwt is the same function as the function that generates a secret key using a hash function such as SHA-3 (Secure Hash Algorithm 3) in a plurality of servers (private key share generation servers) 6 described later. , and a common key encryption such as AES (Advanced Encryption Standard) that encrypts Kwt using the output of the function as an encryption key, can be used as one function.
Here, the server (encrypted Kwt share generation server) 5 generates a distributed value of Kwt secret-shared by the broadcasting station 1 and usage attributes (installation location, current time, authentication token ) and the variance value of , generate the encrypted Kwt shares by data computation in a multi-party computation.

A plurality of servers (secret key share generation servers) 6 distribute and compute a function (secret key generation function) for generating a secret key (skt) for decrypting the encrypted Kwt by data computation in multi-party computation, A private key share, which is a fragment (share) obtained by dispersing the private key, is generated. A hash function such as SHA-3 can be used as a function for generating this secret key.
Here, the server (secret key share generation server) 6 generates the secret key share by data calculation in multi-party calculation from the distributed values of the usage attributes (usage location, usage time, authentication token) secret-shared by the portable terminal 7. Generate.

The mobile terminal 7 restores the secret key for decrypting the encrypted Kwt and outputs it to the receiving device 8 .
Here, the mobile terminal 7 distributes the usage attributes (use location, usage time, authentication token) by secret sharing in multi-party calculation, and divides a plurality of distributed values among a plurality of servers (private key share generation servers) 6 respectively. to send. Note that the authentication token is a unique token of a user who has a contract to view content in advance.
Then, the portable terminal 7 acquires a plurality of secret key shares from a plurality of servers (secret key share generation servers) 6 , restores the secret key by secret sharing restoration processing, and outputs the restored secret key to the receiving device 8 .

The receiving device 8 at the destination decrypts the encrypted content broadcast from the broadcasting station 1 using the triple key method. Here, when a user who has a contract other than the receiving device 8 uses the receiving device 8 , the user transmits an authentication token to the receiving device 8 using the portable terminal 7 . The receiving device 8 receives the authentication token from the mobile terminal 7, distributes the usage attributes (installation location, current time, authentication token) by secret sharing in multi-party calculation, and distributes a plurality of distributed values to a plurality of servers (encrypted Kwt share generation server) 5 separately. The installation location indicates the location (latitude, longitude, etc.) where the receiving device 8 is installed, and the current time indicates the current year, month, and day. An authentication token indicates a unique token of a user authenticated by an authentication device (not shown).
Then, the receiving device 8 acquires a plurality of encrypted Kwt shares from a plurality of servers (encrypted Kwt share generating servers) 5, and restores the encrypted Kwt through secret sharing restoration processing.
At this time, if the usage attribute of the secret sharing by the mobile terminal 7 and the usage attribute of the secret sharing by the receiving device 8 are the same, the restored encrypted Kwt is decrypted with the secret key (skt) obtained by the mobile terminal 7. can do.
Then, the receiving device 8 can decrypt the encrypted scramble key into a scramble key with Kwt, and decrypt the content with the scramble key.

That is, the out-of-home broadcasting service receiving system S realizes the generation of the encrypted Kwt by multi-party calculation of the function f1 of the common key cryptosystem shown in the following equation ( ₁ ).

Here, AES_Enc denotes an encryption function that computes AES. H indicates a function that matches the SHA-3 output (hash value) with the AES key length, and "||" indicates the concatenation of each element. Matching the SHA-3 output to the AES key length means converting the SHA-3 512-bit output to 128 bits, which is the same as the AES key length. For example, the first 128 bits of the SHA-3 output can be used, or the SHA-3 output can be divided into 4-bit units and XORed values can be used for each. key length.
Further, px and py indicate the installation location (latitude, longitude, etc.) of the receiving device 8 among the usage attributes, tp indicates the current time (year, month, day) among the usage attributes, and α among the usage attributes. Indicates an authentication token. β indicates secret information of a plurality of servers (encrypted Kwt share generation servers) 5 and servers (secret key share generation servers) 6 .
The out-of-home broadcasting service receiving system S can restore the encrypted Kwt in the receiving device 8 while keeping Kwt and usage attributes confidential by multi-party calculation of the encryption function of Equation (1).

Further, the out-of-home broadcasting service receiving system S realizes the generation of the secret key by multi-party calculation of the function f2 shown in the following equation ( ₂ ).

Here, H indicates a function (private key generation function) for generating a secret key by matching the SHA-3 output (hash value) with the key length of AES, and "||" indicates the concatenation of each element. Further, px and py indicate the usage location (latitude, longitude, etc.) of the receiving device 8 that uses the service among the usage attributes, and tp indicates the usage time (year, month, day) for using the service among the usage attributes. , α indicate the authentication token among the usage attributes. β indicates secret information of a plurality of servers (encrypted Kwt share generation servers) 5 and servers (secret key share generation servers) 6 .
The out-of-home broadcasting service receiving system S calculates a secret for decrypting the encrypted Kwt in the portable terminal 7 while keeping Kwt and the usage attribute confidential by multi-party calculation of the secret key generation function of formula (2). Keys can be recovered.
Note that β in equations (1) and (2) is necessary in order to increase the security of key generation using the servers 5 and 6 in this service. No need.

Multi-party computation is a technique for computing one function by multiple parties (servers). Multi-party computation is a well-known technique disclosed in References 1 and 2 below, and therefore detailed description thereof is omitted here.
(Reference 1) T.Araki, J.Furukawa, Y.Lindell, A.Nof, and K.Ohara, “High-throughput semi-honest secure three-party computation with an honest majority,” Proc. of ACM SIGSAC CCS '16, pp.805-817, 2016.
(Reference 2) T.Nishide and K.Ohta, “Multiparty Computation for Interval, Equality, and Comparison without Bit-decomposition Protocol,” Proc. of PKC'07, pp.343-360, 2007.
The configuration and operation of the out-of-home broadcasting service receiving system S will be described below.

[Configuration of system for enjoying broadcasting service outside home]
The configuration of the out-of-home broadcasting service receiving system S will be described with reference to FIG.
As shown in FIG. 2, the out-of-home broadcasting service receiving system S includes a content distribution device 2, a Kwt secret sharing device 3, an authentication device 4, an encrypted Kwt share generation server 5, and a secret key share generation server 6. , a mobile terminal 7 and a receiving device 8 .

The content distribution device 2, the Kwt secret sharing device 3, and the authentication device 4 are connected by an intranet N1 in the broadcasting station 1 (broadcaster). The Kwt secret sharing device 3, the authentication device 4, the encrypted Kwt share generation server 5, the private key share generation server 6, the portable terminal 7 and the receiving device 8 are connected via the Internet N2.
There are a plurality of encrypted Kwt share generation servers 5 and a plurality of private key share generation servers 6, but two of each will be described here. Note that the encrypted Kwt share generation servers 5A and 5B and the private key share generation servers 6A and 6B are servers of individual third parties.
The configuration of each device will be described below with reference to the drawings.

(content delivery device)
The configuration of the content distribution apparatus 2 will be described with reference to FIG. 3 (see also FIG. 2 as appropriate).
The content distribution device 2 encrypts content (broadcast content such as video and audio) and distributes the encrypted content with broadcast waves W via a transmission device (not shown).
As shown in FIG. 3, the content distribution device 2 includes content encryption means 20, first Ks encryption means 21, second Ks encryption means 22, Kw encryption means 23, multiplexing means 24, stream A transmitting means 25 and a Kwt transmitting means 26 are provided.

The content encryption means 20 encrypts content such as video and audio with Ks (scramble key). Ks is an encryption key that is updated in several seconds.
The content encryption means 20 outputs the encrypted content (encrypted content) to the multiplexing means 24 .

The first Ks encryption means (first scramble key encryption means) 21 encrypts Ks for encrypting contents with Kw (work key). Kw is an encryption key that differs from one broadcaster to another and is updated every one to several months.
The first Ks encryption means 21 outputs Ks encrypted with Kw (first encryption Ks:Cks) to the multiplexing means 24 .

The second Ks encryption means (second scramble key encryption means) 22 encrypts Ks for encrypting contents with Kwt (temporal work key). Kwt is an encryption key that is updated every day or so and differs from broadcaster to broadcaster. Note that Kwt is not limited for each broadcaster, and may be an encryption key that differs for each channel or program.
The second Ks encryption means 22 outputs Ks encrypted with Kwt (second encryption Ks: Ckst) to the multiplexing means 24 .

The Kw encryption means (work key encryption means) 23 encrypts Kw, which is used when the first Ks encryption means 21 encrypts Ks, with Km (master key). Km is the individual encryption key at the receiving device 8 .
The Kw encryption means 23 outputs the encrypted Kw (encrypted Kw) to the multiplexing means 24 .

The multiplexing means 24 multiplexes the encrypted content, the first encrypted Ks, the second encrypted Ks and the encrypted Kw. The multiplexing means 24 outputs the stream data generated by multiplexing to the stream transmitting means 25 .

The stream transmission means 25 transmits the stream data generated by the multiplexing means 24 to a transmission device (not shown). This stream data is distributed to the receiving device 8 via the broadcast wave W by the transmitting device.

The Kwt transmission means 26 transmits Kwt, which is used when the second Ks encryption means 22 encrypts Ks, to the Kwt secret sharing device 3 .
The Kwt transmitting means 26 transmits Kwt to the Kwt secret sharing device 3 via the intranet N1 within the broadcasting station 1 . This Kwt is secret-shared by the Kwt secret sharing device 3 .

By configuring the content distribution device 2 as described above, the content distribution device 2 can encrypt Ks separately with Kw and Kwt and duplicate them. Also, the content distribution device 2 can distribute Kwt through a route different from that of the broadcast wave W. FIG.
Note that the content distribution device 2 can operate a computer with a program for functioning as each means described above.

(Kwt secret sharing device)
The configuration of the Kwt secret sharing device 3 will be described with reference to FIG. 4 (see FIG. 2 as appropriate).
The Kwt secret sharing device 3 secret-shares Kwt.
As shown in FIG. 4 , the Kwt secret sharing device 3 includes Kwt receiving means 30 , secret sharing means 31 and Kwt share transmitting means 32 .

The Kwt receiving means 30 receives Kwt transmitted from the content distribution device 2 via the intranet N1. The Kwt receiving means 30 outputs the received Kwt to the secret sharing means 31 .

The secret sharing means 31 distributes Kwt to a plurality of fragments (shares) by secret sharing in multi-party computation.
This secret sharing means 31 secretly shares Kwt according to the number of encrypted Kwt share generation servers 5 (5A, 5B). Here, since the number of encrypted Kwt share generation servers 5 is "2", the secret distribution means 31 distributes Kwt into two shares (Kwt shares).
The secret sharing means 31 outputs the Kwt shares (here, k ₁ and k ₂ ) for which the secret is shared to the Kwt share transmitting means 32 .

Kwt share transmission means (second work key share transmission means) 32 transmits a plurality of Kwt shares k ₁ and k ₂ generated by the secret distribution means 31 to individual encrypted Kwt share generation servers 5A and 5B, respectively. It is something to do. The Kwt share transmission means 32 transmits the Kwt share to the encrypted Kwt share generation server 5 via the Internet N2.
As a result, the Kwt secret sharing device 3 can share Kwt as secret information that cannot restore Kwt from one Kwt share, and transmit it to the encrypted Kwt share generation server 5 .
The Kwt secret sharing device 3 can be operated by a program for causing a computer to function as each means described above.

(authentication device)
The configuration of the authentication device 4 will be described with reference to FIG. 5 (see FIG. 2 as necessary).
The authentication device 4 authenticates whether or not the user has a contract with the broadcasting station 1 for viewing contents.
As shown in FIG. 5 , the Kwt secret sharing device 3 includes authentication token request receiving means 40 , authentication means 41 , user information storage means 42 and authentication token transmission means 43 .

The authentication token request receiving means 40 receives an authentication token request including a user identifier for identifying the user from the portable terminal 7 via the Internet N2.
The authentication token request receiving means 40 outputs the received authentication token request to the authentication means 41 .

The authentication means 41 determines whether or not the user has a contract with the broadcasting station 1 (broadcaster) based on the user identifier included in the authentication token request. To authenticate whether or not the service is contracted at the user's home.
This authentication means 41 authenticates whether or not the user corresponding to the user identifier has a contract for viewing content outside the home, based on the user information stored in the user information storage means 42. do.
Then, if the user corresponding to the user identifier is a contractor of the service as an authentication result, the authentication means 41 generates an authentication token and outputs it to the authentication token transmission means 43 . A general software token generation method can be used for this authentication token generation method. Note that the authentication means 41 performs password authentication to determine whether or not the authentication token request is from a legitimate user.

The user information storage means 42 stores whether or not there is a contract for each user. This user information storage means 42 can be configured by a general storage device such as a hard disk.
In the user information storage means 42, user identifiers, passwords, etc. that individually identify users are registered as user information via input means (not shown) at the stage where the user has made a contract in advance. Keep

The authentication token transmission means 43 transmits the authentication token generated by the authentication means 41 to the portable terminal 7 that requested the authentication token via the Internet N2.
By configuring the authentication device 4 as described above, the authentication device 4 can authenticate that the user has contracted for a service for viewing content outside the home.
Note that the authentication device 4 can be operated by a program for causing a computer to function as each means described above.

(encrypted Kwt share generation server)
The configuration of the encrypted Kwt share generation server 5 will be described with reference to FIG. 6 (see also FIG. 2 as needed).
The encrypted Kwt share generation server 5 encrypts Kwt from the Kwt share generated by secret sharing in the Kwt secret sharing device 3 and the user attribute share generated by secret sharing in the receiving device 8 described later. The encrypted Kwt share is generated by fragmenting the encrypted Kwt. The encrypted Kwt is distributed and generated in a plurality of encrypted Kwt share generation servers 5A and 5B, and the encrypted Kwt share is a share obtained by secret sharing the encrypted Kwt.
As shown in FIG. 6, the encrypted Kwt share generation server 5 includes Kwt share receiving means 50, Kwt share storage means 51, usage attribute share receiving means 52, encrypted Kwt share computing means 53, encrypted Kwt share and share transmission means 54 .

The Kwt share receiving means 50 receives the Kwt share obtained by secret sharing Kwt from the Kwt secret sharing device 3 via the Internet N2.
Here, the Kwt share receiving means 50 of the encrypted Kwt share generation server 5A receives _Kwt share k1, and the _Kwt share reception means 50 of the encrypted Kwt share generation server 5B receives Kwt share k2. do.
The Kwt share receiving means 50 stores the received Kwt shares in the Kwt share storage means 51 .

The Kwt share storage means 51 stores the Kwt shares received by the Kwt share reception means 50 . This Kwt share storage means 51 can be composed of a general storage device such as a hard disk.

The usage attribute share receiving means 52 receives the usage attribute share in which the user attribute is secret-sharing from the receiving device 8 via the Internet N2.
Here, the usage attribute share receiving means 52 of the encrypted _Kwt share generation server 5A receives the usage attribute share p3, and the usage attribute share reception means 52 of the encrypted _Kwt share generation server 5B receives the usage attribute share p4. shall be received.
The usage attribute share receiving means 52 outputs the received usage attribute share to the encrypted Kwt share calculation means 53 .

The encrypted Kwt share calculation means 53 performs data calculation in the multi-party calculation based on the Kwt share stored in the Kwt share storage means 51 and the usage attribute share received by the usage attribute share reception means 52 to obtain encrypted It generates encrypted Kwt shares by fragmenting the encrypted Kwt.
The function (encryption function of Kwt) calculated by the encrypted Kwt share calculation means 53 of each of the plurality of encrypted Kwt share generating servers 5A and 5B is Equation (1) described above.
The encrypted Kwt share calculation means 53 of each of the plurality of encrypted Kwt share generation servers 5A and 5B calculates the formula (1) for calculating the encrypted Kwt by encrypting Kwt, thereby obtaining the encrypted Kwt share calculation means 53 can compute a fragmented encrypted Kwt (encrypted Kwt share) with the usage attributes and Kwt fragmented.
The encrypted Kwt share calculation means 53 outputs the encrypted Kwt share, which is the calculation result, to the encrypted Kwt share transmission means 54 .

The encrypted Kwt share transmission means 54 transmits the encrypted Kwt share generated by the encrypted Kwt share calculation means 53 to the receiving device 8 via the Internet N2.
Here, the encrypted Kwt share transmission means 54 of the encrypted Kwt share generation server 5A transmits the encrypted _Kwt share c1 to the receiving device 8, and the encrypted Kwt share transmission means 54 of the encrypted Kwt share generation server 5B , the encrypted Kwt share c ₂ to the receiving device 8 .

By configuring the encrypted Kwt share generation server 5 as described above, the encrypted Kwt share generation server 5 generates the encrypted Kwt share by distributing the encrypted Kwt while keeping the usage attributes and Kwt secret. can do.
The encrypted Kwt share generation server 5 can be operated by a program that causes a computer to function as each means described above.

(private key share generation server)
The configuration of the private key share generation server 6 will be described with reference to FIG. 7 (see also FIG. 2 as appropriate).
The secret key share generation server 6 generates a secret key share by fragmenting the secret key from the usage attribute share generated by distributing the secret in the mobile terminal 7 . The secret key is distributed and generated in a plurality of secret key share generation servers 6A and 6B, and the secret key share is a share obtained by sharing the secret key.
As shown in FIG. 7 , the secret key share generation server 6 includes usage attribute share reception means 60 , secret key share calculation means 61 and secret key share transmission means 62 .

The usage attribute share receiving means 60 receives the usage attribute share of which the usage attribute is secret-sharing from the portable terminal 7 via the Internet N2.
Here, the usage attribute share receiving means 60 of the secret key share generation server 6A receives the usage attribute share p1, and the usage attribute _share reception means 60 of the secret key share generation server 6B receives the usage attribute share _p2 . It is assumed that
The usage attribute share receiving means 60 outputs the received usage attribute share to the secret key share computing means 61 .

The secret key share computing means 61 performs data calculation in multi-party calculation from the usage attribute share received by the usage attribute share receiving means 60 to generate a secret key share by fragmenting the secret key.
The function (secret key generation function) calculated by the secret key share calculation means 61 of each of the plurality of secret key share generation servers 6A and 6B is the above equation (2).
The secret key share calculation means 61 of each of the plurality of secret key share generation servers 6A and 6B calculates the formula (2) for calculating the secret key, thereby fragmenting the usage attributes. A fragmented private key (private key share) can be computed in the state.
The secret key share calculation means 61 outputs the secret key share, which is the calculation result, to the secret key share transmission means 62 .

The secret key share transmission means 62 transmits the secret key share generated by the secret key share calculation means 61 to the portable terminal 7 via the Internet N2.
Here, the secret key share transmission means 62 of the secret key share generation server 6A transmits the secret key share skt ₁ to the portable terminal 7, and the secret key share transmission means 62 of the secret key share generation server 6B transmits the secret key share skt. ₂ is transmitted to the mobile terminal 7 .

By configuring the private key share generation server 6 as described above, the private key share generation server 6 can generate a private key share in which the private key is distributed while keeping the usage attribute secret.
The private key share generation server 6 can be operated by a program for causing a computer to function as each means described above.

(mobile terminal)
The configuration of the portable terminal 7 will be described with reference to FIG. 8 (see also FIG. 2 as needed).
The mobile terminal 7 generates a secret key for decrypting encrypted content that enables the user to view the content subscribed to by the receiving device 8 at the destination.
As shown in FIG. 8, the mobile terminal 7 includes authentication token request transmission means 70, authentication token reception means 71, storage means 72, usage attribute input means 73, secret sharing means 74, usage attribute share transmission means. 75 , private key share receiving means 76 , private key share synthesizing means 77 , authentication token transmitting means 78 , and private key transmitting means 79 .

The authentication token request transmission means 70 transmits an authentication token request containing a user identifier for identifying the user to the authentication device 4 via the Internet N2.
The authentication token request transmission means 70 transmits to the authentication device 4 the user identifier obtained by making a contract with the broadcaster in advance. The contract shall include a service for the user to view content outside the home.
The authentication token request transmission means 70 inputs a user's password and the like via an input means (not shown), and authenticates the user with the authentication device 4 .

The authentication token reception means 71 receives an authentication token from the authentication device 4 via the Internet N2 as a response to the authentication token request issued by the authentication token request transmission means . The authentication token receiving means 71 stores the received authentication token in the storage means 72 .

The storage unit 72 stores data acquired by the mobile terminal 7 . This storage means 72 can be composed of a general storage device such as a hard disk.
The storage means 72 stores the authentication token received by the authentication token receiving means 71 and the secret key generated by the secret key share synthesizing means 77 described later.

The usage attribute input means 73 is for inputting usage attributes for viewing and listening to content on the receiving device 8 at the destination.
The usage attribute is specifically the usage location and usage time of the receiving device 8 that uses the content viewing service.
The place of use may be any information that can specify the place as a numerical value, such as latitude, longitude, or XY coordinates obtained by projecting the earth onto a plane. Here, the places of use are written as px and py. It should be noted that the usage attribute input means 73 does not directly input the location of use as a numerical value, but incorporates general software for inputting an address and converting it into numerical values such as latitude and longitude.
The usage time is the date when the content is viewed. Here, the usage time is written as tp.
The usage attribute input means 73 outputs the input usage locations px, py and usage time tp to the secret distribution means 74 .

The secret distribution means 74 concatenates the usage location px, py and the usage time tp input by the usage attribute input means 73, which are usage attributes, and the authentication token α stored in the storage means 72, and performs multi-party calculation. It is distributed to multiple fragments (shares) by secret sharing in .
This secret distribution means 74 secretly distributes the usage attribute according to the number of secret key share generation servers 6 (6A, 6B). Here, since the number of secret key share generation servers 6 is "2", the secret distribution means 74 distributes the usage attributes to two shares (usage attribute shares).
The secret distribution means 74 outputs the secret-divided usage attribute shares (here, p ₁ and p ₂ ) to the usage attribute share transmission means 75 .

The usage attribute share transmission means 75 transmits the plurality of usage attribute shares p ₁ and p ₂ generated by the secret distribution means 74 to the individual secret key share generation servers 6A and 6B, respectively. The usage attribute share transmission means 75 transmits the usage attribute share to the secret key share generation server 6 via the Internet N2.

The secret key share receiving means 76 receives the secret key share obtained by secret sharing the secret key from the secret key share generating server 6 via the Internet N2.
Here, the secret key share receiving means 76 receives the secret key share skt ₁ from the secret key share generation server 6A and the secret key share skt ₂ from the secret key share generation server 6B.
The private key share receiving means 76 outputs the received private key shares to the private key share synthesizing means 77 .

The secret key share synthesizing means 77 synthesizes a plurality of secret key shares skt ₁ and skt ₂ received by the secret key share receiving means 76 to generate a secret key.
The secret key share synthesizing means 77 generates a secret key by performing secret sharing restoration processing on the secret key shares skt ₁ and skt ₂ .
The secret key share synthesizing means 77 stores the generated secret key skt in the storage means 72 .

The authentication token transmission means (key information transmission means) 78 transmits the authentication token stored in the storage means 72 to the receiving device 8 at the destination.
The secret key transmission means (key information transmission means) 79 transmits the secret key stored in the storage means 72 to the receiving device 8 at the destination.
The authentication token transmitting means 78 and the private key transmitting means 79 transmit the authentication token and the private key to the receiving device 8 when the user is instructed to do so by the receiving device 8 at the destination. Data transmission between the mobile terminal 7 and the receiving device 8 is not particularly limited, but infrared communication may be used, or Hybridcast Connect defined in Non-Patent Documents 2 and 3 may be used. .

By configuring the mobile terminal 7 as described above, the mobile terminal 7 can generate a secret key for decrypting encrypted content that enables viewing of the content on the receiving device 8 on the go.
The portable terminal 7 can be operated by a program for causing the computer to function as each means described above.

(receiving device)
The configuration of the receiving device 8 will be described with reference to FIG. 9 (see also FIG. 2 as needed).
The receiving device 8 receives the encrypted content distributed from the broadcasting station 1 and decrypts it.
As shown in FIG. 9, the receiving device 8 includes location information storage means 80, clocking means 81, authentication token receiving means 82, secret sharing means 83, usage attribute share transmitting means 84, and encrypted Kwt share receiving means. means 85, encrypted Kwt share synthesizing means 86, secret key receiving means 87, Kwt decrypting means 88, second Ks decrypting means 89, stream receiving means 90, separating means 91, Kw decrypting means 92, 1Ks decoding means 93 , switching means 94 and content decoding means 95 are provided.

The place information storage means 80 stores in advance the place where the receiving device 8 is installed. A general storage medium such as a semiconductor memory can be used for this location information storage means 80 .
The place where the receiving device 8 is installed may be any information as long as it can be specified as a numerical value. py).
The timer 81 is a timer that measures time. The clocking means 81 also clocks the date (here, expressed as tp) as the current time.
The authentication token receiving means 82 receives the authentication token α from the mobile terminal 7 .
The authentication token receiving means 82 outputs the received authentication token to the secret distribution means 83 .

The secret sharing means 83 uses the installation locations px and py stored in the location information storage means 80, the current time tp clocked by the clock means 81, and the authentication token received by the authentication token receiving means 82 as usage attributes. α is concatenated and distributed into multiple pieces (shares) by secret sharing in multi-party computation.
This secret distribution means 83 secretly distributes usage attributes according to the number of encrypted Kwt share generation servers 5 (5A, 5B). Here, since the number of encrypted Kwt share generation servers 5 is "2", the secret distribution means 83 distributes the usage attributes to two shares (usage attribute shares).
The secret distribution means 83 outputs the secret-divided utilization attribute shares (here, p ₃ and p ₄ ) to the utilization attribute share transmission means 84 .

The usage attribute share transmission means 84 transmits the plurality of usage attribute shares p ₃ and p ₄ generated by the secret distribution means 83 to the individual encrypted Kwt share generation servers 5A and 5B, respectively. The usage attribute share transmission means 84 transmits the usage attribute share to the encrypted Kwt share generation server 5 via the Internet N2.

The encrypted Kwt share receiving means (second encrypted work key share receiving means) 85 receives the encrypted Kwt share obtained by secret sharing the encrypted Kwt from the encrypted Kwt share generation server 5 via the Internet N2. is.
Here, the encrypted _Kwt share receiving means 85 receives the encrypted _Kwt share c1 from the encrypted Kwt share generation server 5A and the encrypted Kwt share c2 from the encrypted Kwt share generation server 5B. and
The encrypted Kwt share receiving means 85 outputs the received encrypted Kwt shares to the encrypted Kwt share synthesizing means 86 .

Encrypted Kwt share synthesizing means (second encrypted work key share synthesizing means) 86 synthesizes a plurality of encrypted Kwt shares c ₁ and c ₂ received by encrypted Kwt share receiving means 85 to generate encrypted Kwt. It is something to do.
The encrypted Kwt share synthesizing means 86 generates encrypted Kwt by performing secret sharing restoration processing on the encrypted Kwt shares c ₁ and c ₂ .
The encrypted Kwt share synthesizing means 86 outputs the generated encrypted Kwt (Ckwt) to the Kwt decoding means 88 .

The private key receiving means 87 receives the private key skt from the mobile terminal 7 .
The private key receiving means 87 outputs the received private key to the Kwt decoding means 88 .
The Kwt decryption means (second work key decryption means) 88 decrypts the encrypted Kwt (Ckwt) generated by the encrypted Kwt share synthesizing means 86 using the secret key skt received by the secret key receiving means 87. is. The Kwt decryption means 88 outputs the temporal work key (Kwt) obtained by decrypting the encrypted Kwt (Ckwt) to the second Ks decryption means 89 .
The second Ks decryption means (scramble key decryption means) 89 converts the second encrypted Ks (Ckst) separated by the separation means 91 described later into a scramble key (Ks) using Kwt decrypted by the Kwt decryption means 88. It decodes to . The second Ks decoding means 89 outputs the decoded Ks to the switching means 94 .

The stream receiving means 90 receives stream data distributed from the content distribution device 2 via broadcast waves W. FIG.
Stream receiving means 90 outputs the received stream data to separating means 91 .

The separating means 91 separates the stream data received by the stream receiving means 90 into individual data.
Separating means 91 separates the encrypted content from the stream data and outputs it to content decrypting means 95 . Also, the separation means 91 separates the encrypted Kw (Ckw) from the stream data and outputs it to the Kw decryption means 92 . Also, the separation means 91 separates the first encrypted Ks (Cks) from the stream data and outputs it to the first Ks decryption means 93 . Also, the separation means 91 separates the second encrypted Ks (Ckst) from the stream data and outputs it to the second Ks decryption means 89 .

The Kw decryption means 92 decrypts the encrypted Kw (Ckw) separated by the separation means 91 using the master key (Km) unique to the receiving device 8 .
The Kw decryption means 92 outputs the decrypted work key (Kw) to the first Ks decryption means 93 .
The first Ks decryption means 93 decrypts the first encrypted Ks (Cks) separated by the separation means 91 using the work key (Kw) decrypted by the Kw decryption means 92 .
The first Ks decrypting means 93 outputs the decrypted scramble key (Ks) to the switching means 94 .
The Kw decoding means 92 and the first Ks decoding means 93 are incorporated in the B-CAS card or IC chip.

The switching means 94 switches between the Ks decoded by the first Ks decoding means 93 and the Ks decoded by the second Ks decoding means 89 and outputs them to the content decoding means 95 .
The switching means 94 switches so as to input the output from the first Ks decoding means 93 when viewing the contracted content on the receiving device 8 . Further, the switching means 94 switches so as to input the output from the second Ks decoding means 89 when the user views the contents as the remote receiving device 8 using the portable terminal 7 .
The switching of the input of the switching means 94 can be performed by an external switch or the like, for example.

The content decoding means 95 uses the scramble key (Ks) switched by the switching means 94 to decode the encrypted content separated by the separating means 91 .
The content decoding means 95 presents the decoded content to the user via display means (not shown).

By configuring the receiving device 8 as described above, the receiving device 8 can decrypt the temporal work key (Kwt) using the private key received from the mobile terminal 7 . As a result, the user can view the content on the remote receiving device 8 with which the user has not made a contract.
Note that the receiving device 8 can be operated by a program for causing a computer to function as each means described above.

[Operation of outside home broadcasting service receiving system]
The operation of the out-of-home broadcasting service receiving system S will be described with reference to FIGS. 10 to 13. FIG.

(Action to Generate Encrypted Kwt Shares)
The operation of distributing the Kwt of the out-of-home broadcasting service receiving system S as an encrypted Kwt share will be described with reference to FIG.
First, the content distribution device 2 performs the following steps S1 to S6.

In step S1, the first Ks encryption means 21 encrypts Ks (scramble key) with Kw (work key).
In step S2, the second Ks encryption means 22 encrypts Ks with Kwt (temporal work key).
In step S3, the Kw encryption means 23 encrypts Kw with the master key (Km).
At step S4, the content encryption means 20 encrypts the content with Ks.

In step S5, the multiplexing means 24 combines the Ks encrypted in step S1 (first encrypted Ks), the Ks encrypted in step S2 (second encrypted Ks), and the Ks encrypted in step S3. The obtained Kw (encrypted Kw) and the encrypted content generated in step S4 are multiplexed.
In step S6, the stream transmission means 25 transmits the stream data multiplexed in step S4 to a transmission device (not shown) and to the reception device 8. FIG.

In addition, in step S7, the Kwt transmitting means 26 transmits Kwt to the Kwt secret sharing device 3 separately from the route for encrypting and multiplexing Kwt and transmitting the stream.
Then, the Kwt secret sharing device 3 performs the operations of steps S8 to S10 below.
In step S<b>8 , the Kwt receiving means 30 receives Kwt from the content distribution device 2 .
In step S9, the secret sharing means 31 secret _- shares Kwt into a plurality of fragments ( _Kwt shares k1, k2).
In step S10, the Kwt share transmission means 32 transmits the _Kwt shares k1 and k2 generated in step S9 to the encrypted _Kwt share generation servers 5A and 5B.

Then, the encrypted Kwt share generation servers 5A and 5B perform the operations of steps S11A and S12A and steps S11B and S12B below.
In step S11A, the Kwt share receiving means ₅₀ receives the Kwt share k1 from the Kwt secret sharing device 3.
In step S12A, the Kwt share receiving means 50 stores the Kwt share k1 received in step S11A in the _Kwt share storage means 51. FIG.
Note that steps S11B and S12B are the same operations as steps S11A and S12A, except that _Kwt share k1 is _Kwt share k2, and thus description thereof is omitted.
Through the above operation, the Kwt shares in which Kwt is secret-sharing are stored in the different encrypted Kwt share generation servers 5A and 5B.

(Operation in which the mobile terminal acquires the private key)
With reference to FIG. 11 (see FIGS. 5, 7, and 8 for the configuration as needed), the operation of the portable terminal 7 to acquire the secret key for decrypting the encrypted Kwt of the out-of-home broadcasting service receiving system S will be described. .

In step S20, the authentication token request transmission means 70 of the portable terminal 7 transmits an authentication token request including a user identifier for identifying the user to the authentication device 4. FIG. At this time, the user's password is added to the authentication token request.

Then, the authentication device 4 performs the following steps S21 to S23.
In step S<b>21 , the authentication token request receiving means 40 receives an authentication token request from the mobile terminal 7 .
In step S22, the authentication means 41 uses the user identifier and password included in the authentication token request to allow the user stored in advance in the user information storage means 42 to subscribe to a service for viewing content outside the home. Authenticate whether or not there is
Here, the authentication means 41 generates an authentication token only when the user has contracted for a service for viewing content outside the home.
In step S23, the authentication token transmitting means 43 transmits the authentication token generated in step S22 to the portable terminal 7 that requested the authentication token.

Then, the portable terminal 7 performs the operations of steps S24 to S28 below.
In step S<b>24 , the authentication token receiving means 71 receives the authentication token from the authentication device 4 .
In step S25, the authentication token receiving means 71 stores the authentication token received in step S24 in the storage means 72. FIG.
In step S26, the usage attribute input means 73 inputs the location of usage px, py and the usage time tp of the receiving device 8 that uses the content viewing service.
In step S27, the secret sharing means 74 divides the usage location px, py, the usage time tp and the authentication token α stored in the storage means 72 input in step S26 into a plurality of fragments (usage attribute share p ₁ , p ₂ ).
_In step S28, the usage attribute share transmitting means 75 transmits the usage attribute shares p1 and p2 generated in step S27 to the secret key _share generation servers 6A and 6B, respectively.

After that, the private key share generation servers 6A and 6B perform the operations of steps S29A to S31A and steps S29B to S31B below.
In step _S29A , the usage attribute share receiving means 60 receives, from the mobile terminal 7, the usage attribute share p1 obtained by secret sharing the usage attributes.
At step S30A, the secret key share calculation means 61 generates _a secret key share skt_1 by fragmenting the secret key from the usage attribute share p_1 received at step _S29A by data calculation in multi-party calculation.
In step S31A, the secret key share transmission means 62 transmits the secret key share skt1 generated in step _S30A to the mobile terminal 7. FIG.
Note that steps S29B to S31B are the same operations as steps S29A to S31A, except that the data to be processed are different, so the description thereof will be omitted.

Then, the mobile terminal 7 performs the operations of steps S32 to S34 below.
In step S32, the secret key share receiving means 76 receives the secret key shares skt ₁ and skt ₂ obtained by sharing the secret keys from the secret key share generation servers 6A and 6B, respectively.
In step S33, the secret key share synthesizing means 77 synthesizes the plurality of secret key shares _skt1 and _skt2 received in step S32 to generate a secret key.
In step S34, the private key sharing synthesizing means 77 stores the private key generated in step S33 in the storage means 72. FIG.
By the above operation, the portable terminal 7 can generate a secret key from secret key shares generated by the plurality of secret key share generation servers 6A and 6B.

(Operation of receiving device decoding Kwt)
With reference to FIG. 12 (see FIGS. 6, 8, and 9 for the configuration as appropriate), the operation of the receiving device 8 decoding Kwt in the out-of-home broadcasting service receiving system S will be described.
In step S40, the authentication token transmission means 78 of the mobile terminal 7 transmits the authentication token α to the destination receiving device 8, and the private key transmission means 79 transmits the private key skt to the destination receiving device 8. Send.

Then, the receiving device 8 performs the following steps S41 to S44.
In step S<b>41 , the authentication token receiving means 82 receives the authentication token from the mobile terminal 7 and the private key receiving means 87 receives the private key skt from the mobile terminal 7 .
In step S<b>42 , the secret distribution means 83 obtains the installation locations px, py stored in the location information storage means 80 and obtains the current time tp from the clock means 81 .
In step S43, the secret sharing means 83 divides the authentication token α received in step S41, the installation locations px, py, and the current time tp obtained in step S42 into a plurality of fragments (usage attribute shares p3 _{, p4} ). secret sharing.
In step S44, the usage attribute share transmitting means 84 transmits the usage attribute shares p3 and p4 generated in step S43 to the encrypted _Kwt share generation servers 5A and 5B, _respectively .

After that, the encrypted Kwt share generation servers 5A and 5B perform the operations of steps S45A to S47A and steps S45B to S47B below.
In step _S45A , the usage attribute share receiving means 52 receives, from the receiving device 8, the usage attribute share p3 in which the usage attribute is secret-sharing.
In step S46A, the encrypted Kwt share calculation means 53 uses the usage attribute share p3 received in step _S45A and the _Kwt share k1 stored in the Kwt share storage means 51, by data calculation in multi-party calculation, _An encrypted Kwt share c1 is generated by fragmenting the encrypted Kwt.
In step S47A, the encrypted Kwt share transmitting means 54 transmits the encrypted Kwt share c1 generated in step _S46A to the receiving device 8.
Note that steps S45B to S47B are the same operations as steps S45A to S47A, except that the data to be processed are different, so description thereof will be omitted.

Then, the receiving device 8 performs the operations of steps S48 to S50 below.
In step S48, the encrypted Kwt share receiving means 85 receives the encrypted Kwt shares c ₁ and c ₂ obtained by secret sharing the encrypted Kwt from the encrypted Kwt share generation servers 5A and 5B, respectively.
In step S49, the encrypted _Kwt share synthesizing means 86 synthesizes the plurality of encrypted _Kwt shares c1 and c2 received in step S48 to generate the encrypted Kwt.
In step S50, the Kwt decrypting means 88 decrypts the encrypted Kwt generated in step S49 into Kwt using the private key received in step S41.
By the above operation, the receiving device 8 can generate Kwt from the encrypted Kwt shares generated by the plurality of encrypted Kwt share generation servers 5A and 5B and the secret key obtained from the portable terminal 7. FIG.

(Operation of receiving device to decrypt content)
With reference to FIG. 13 (see FIG. 3 and FIG. 9 as needed for the configuration), the operation of the receiving device 8 decoding the content in the out-of-home broadcasting service receiving system S will be described. Since the decoding of the contents in the user's domestic receiving device 8 is the same as the conventional one, only the operation of decoding the content in the out-of-home receiving device 8 outside the user's home will be described here. That is, it is assumed that the switching means 94 is switched to input the output from the second Ks decoding means 89 .

In step S60, the stream transmission means 15 of the content distribution device 2 transmits stream data. Note that this step S60 is the same as step S6 described in FIG.

Then, the receiving device 8 performs the following steps S61 to S64.
In step S61, the stream receiving means 90 receives stream data from the content distribution device 2. FIG.
In step S62, the separating means 91 divides the stream data received in step S61 into individual data (encryption Kw[Ckw], first encryption Ks[Cks], second encryption Ks[Ckst], encrypted content ).
In step S63, the second Ks decrypting means 89 decrypts the second encrypted Ks (Ckst) separated in step S62 into a scramble key (Ks) using Kwt decrypted in step S50 of FIG.
In step S64, the content decryption means 95 decrypts the encrypted content separated in step S62 using the scramble key decrypted in step S63.

By the above operation, the receiving device 8 can decrypt the scramble key with the temporal work key (Kwt). As a result, even a user who does not have a contract with the receiving device 8 can view the content with the receiving device 8 on the go if the user has a contract for viewing the content outside the home.

Although the configuration and operation of the out-of-home broadcasting service receiving system S have been described above, the present invention is not limited to this embodiment.
Here, the out-of-home broadcasting service receiving system S uses AES for encryption of the temporal work key (Kwt). However, as long as the Kwt encryption method is a common key encryption method, an encryption function other than AES, such as Camellia, KCipher-2, etc., may be used.
Also, here, SHA-3 is used to generate the secret key for AES, but a hash function other than SHA-3, such as SHA-2, may be used.

Also, here, in the broadcasting station 1, the content distribution device 2 and the Kwt secret distribution device 3 are separated. However, they may be configured as an integral unit.
For example, as shown in FIG. 14, the configuration of the content distribution device 2 may be a content distribution device 2B that further includes secret sharing means 31 and Kwt share transmission means 32, which are the components of the Kwt secret sharing device 3. FIG.

S system for enjoying broadcast service outside home 1 broadcasting station 2, 2B content distribution device 20 content encryption means 21 first Ks encryption means (first scramble key encryption means)
22 second Ks encryption means (second scramble key encryption means)
23 Kw encryption means (work key encryption means)
24 multiplexing means 25 stream transmitting means 26 Kwt transmitting means 3 Kwt secret sharing device 30 Kwt receiving means 31 secret sharing means 32 Kwt share transmitting means (second work key share transmitting means)
4 Authentication Device 40 Authentication Token Request Means 41 Authentication Means 42 User Information Storage Means 43 Authentication Token Transmission Means 5, 5A, 5B Encrypted Kwt Share Generation Device 50 Kwt Share Reception Means 51 Kwt Share Storage Means 52 Usage Attribute Share Reception Means 53 Encrypted Kwt share calculation means 54 Encrypted Kwt share transmission means 6, 6A, 6B Secret key share generation device 60 Usage attribute share reception means 61 Secret key share calculation means 62 Secret key share transmission means 7 Portable terminal 70 Authentication token request transmission means 71 authentication token reception means 72 storage means 73 use attribute input means 74 secret distribution means 75 use attribute share transmission means 76 secret key share reception means 77 secret key share synthesizing means 78 authentication token transmission means (key information transmission means)
79 private key transmission means (key information transmission means)
8 Receiving Device 80 Location Information Storage Means 81 Timing Means 82 Authentication Token Receiving Means 83 Secret Sharing Means 84 Use Attribute Share Sending Means 85 Encrypted Kwt Share Receiving Means (Second Encrypted Work Key Share Receiving Means)
86 Encryption Kwt Share Synthesis Means (Second Encryption Work Key Share Synthesis Means)
87 private key receiving means 88 Kwt decoding means (second work key decoding means)
89 2nd Ks decoding means (scramble key decoding means)
90 Stream receiving means 91 Separating means 92 Kw decoding means 93 First Ks decoding means 94 Switching means 95 Content decoding means

Claims (6)

A content distribution device that encrypts content and distributes it to a receiving device,
content encryption means for encrypting the content with a scramble key to generate encrypted content;
a first scramble key encryption means for encrypting the scramble key with a first work key to generate a first encrypted scramble key;
a second scramble key encryption means for encrypting the scramble key with a second work key to generate a second encrypted scramble key;
Work key encryption means for generating a first encrypted work key by encrypting the first work key with a master key specific to a receiving device;
multiplexing means for multiplexing the encrypted content, the first encrypted scramble key, the second encrypted scramble key, and the first encrypted work key;
stream transmission means for transmitting the stream data multiplexed by the multiplexing means to the receiving device;
secret sharing means for fragmenting the second work key into a plurality of second work key shares by secret sharing in multi-party computing;
multi-party operation of an encryption function for encrypting the second work key into a second encryption work key using a user authentication token and a hash value of usage attributes including the location and time of viewing the content; second work key share transmission means for transmitting the plurality of second work key shares separately to a plurality of servers performed by data calculation in calculation;
A content distribution device comprising: A program for causing a computer to function as the content delivery device according to claim 1. A mobile terminal for generating a secret key for decrypting a second encrypted work key obtained by encrypting a second work key used for encrypting a content scramble key,
a secret sharing means for distributing usage attributes including a user's authentication token and the location and time of viewing the content by secret sharing in multi-party calculation to fragment into a plurality of usage attribute shares;
Usage attribute share transmission means for transmitting the plurality of usage attribute shares separately to a plurality of servers that perform calculation of a secret key generation function that calculates a secret key using a hash value of the usage attribute by data calculation in multi-party calculation. When,
private key share receiving means for receiving private key shares obtained by fragmenting the private key from the plurality of servers;
a private key share synthesizing means for synthesizing a plurality of private key shares received by the private key share receiving means by a secret sharing restoration process to generate the private key;
a key information transmitting means for transmitting the authentication token and the private key to a receiving device for viewing the content;
A mobile terminal comprising: A program for causing a computer to function as the mobile terminal according to claim 3. Encrypted content obtained by encrypting content with a scramble key, a first encrypted scramble key obtained by encrypting the scramble key with a first work key, and a second encrypted scramble obtained by encrypting the scramble key with a second work key A receiving device that decrypts the content from stream data obtained by multiplexing a key and a first encrypted work key obtained by encrypting the first work key with a master key specific to the receiving device,
a secret sharing means for fragmenting the usage attribute including the authentication token of the user and the location and time of viewing the content into a plurality of usage attribute shares by secret sharing in multi-party calculation;
the plurality of usage attribute shares to a plurality of servers that perform data computation in multi-party computation to compute an encryption function that encrypts the second work key into a second encrypted work key using a hash value of the usage attribute; a usage attribute sharing transmission means for separately transmitting the
a second encrypted work key share receiving means for receiving second encrypted work key shares obtained by fragmenting the second encrypted work key from the plurality of servers;
second encryption work key share synthesis for generating the second encryption work key by synthesizing a plurality of second encryption work key shares received by the second encryption work key share receiving means by a secret sharing restoration process; means and
a key information receiving means for receiving an authentication token and a private key from the mobile terminal according to claim 3;
a second work key decryption means for decrypting the second encrypted work key into the second work key using the private key;
a scramble key decoding means for decoding a second encrypted scramble key multiplexed into the stream data using the second work key into the scramble key;
content decryption means for decrypting encrypted content multiplexed in the stream data using the scramble key;
A receiving device comprising: A program for causing a computer to function as the receiving device according to claim 5.

Images