JPH11212462A - Electronic watermark system, electronic information delivery system, picture filing device, and storage medium - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide an electronic information delivery system which surely prevents wrong delivery of data even in the case that elements constituting the purchase and sale of data are hierarchical. SOLUTION: A first entity 10 subjects original data G to primary encryption processing. A second entity 40 manages and delivers data E1(G+M) after the primary encryption processing and subjects this data to electronic watermark burying processing. A third entity 20 subjects data E3(G+M+D1(U)) after the electronic watermark burying processing to secondary encryption processing.

Description

DETAILED DESCRIPTION OF THE INVENTION

[0001]

The present invention relates to a digital watermarking system,
The present invention relates to an electronic information distribution system, an image file device, and a storage medium in which a process for implementing the digital watermarking method is stored in a computer-readable manner.
Digital watermarking system for protecting copyright in digital information such as moving image data, still image data, audio data, computer data, computer programs, etc., and electronic information such as a multimedia network system for distributing digital information using it The present invention relates to a distribution system, an image file device using the digital watermarking method, and a storage medium in which a process for implementing the digital watermarking method is readable by a computer.

[0002]

2. Description of the Related Art In recent years, with the development of computer networks and the spread of inexpensive and high-performance computers, electronic commerce for buying and selling goods on the networks has become popular. Accordingly, digital data including an image or the like can be considered as a product to be traded. However, digital data has the property that a perfect copy can be made easily and in large quantities, so that a user who has bought the digital data can illegally make and redistribute a copy (illegal copy) of the same quality as the original. Indicates the possibility. As a result, the creator of digital data or a person who is legally entrusted with sales by the creator (hereinafter referred to as “seller”)
Is not paid and the copyright is infringed.

[0003] On the other hand, if the author or seller (hereinafter, a person who legitimately distributes the above digital data is collectively referred to as a "server") once sends the digital data to the user, the above illegal copy is completely removed. Can not be prevented. For this reason, a technique called “digital watermark” has been proposed instead of directly preventing unauthorized copying.
This “digital watermark” means that by performing certain operations on the original digital data and embedding copyright information about the digital data and user information about the user in the digital data, who can recover the data if an illegal copy is found. This is a method to specify whether the contents have been distributed.

In a system using a conventional digital watermark,
The server is assumed to be a completely trusted authority. Therefore, if the server is not a reliable institution but has a possibility of committing fraud, a crime may be imposed on a user who does not copy illegally in the conventional system.

As shown in FIG. 12, in a conventional system, a server embeds user information d1 for specifying a user in digital data (hereinafter, digital data is described as image data) g. This is because, when the server arbitrarily embeds the user information d1 and illegally distributes the copy, the user specified from the user information d1 has no means to dismiss the server's claim.

As a countermeasure, for example, “B. Pfitmann a
nd M. Waidner: “Asymmetic Fingerprinting,” EUROCR
A system using a public key cryptosystem (FIG. 13) has been proposed in the document "YPT '96" (hereinafter referred to as document 1).

Here, the public key cryptosystem is a cryptosystem in which an encryption key and a decryption key are different, and the encryption key is made public and the decryption key is kept secret. Typical examples are RSA encryption and E1
Gama1 encryption and the like are known. Hereinafter, (a) features and (b) protocols such as secret communication and authentication communication in the public key cryptosystem will be described.

(A) Features of public key cryptography (1) Since the encryption key and the decryption key are different and the encryption key can be made public, there is no need to distribute the encryption key secretly, and key distribution is easy. (2) Since each user's encryption key is public, the user only needs to secretly store his / her own decryption key. (3) The sender of the sent message is not a fake,
And an authentication function for the receiver to confirm that the message is not falsified.

(B) Public key encryption protocol For example, an encryption operation performed on a communication message M using a public encryption key kp is E (kp, M), and a secret decryption key k
Assuming that the decryption operation performed using s is D (ks, M), the public key encryption algorithm first satisfies the following two conditions. (1) When an encryption key kp is given, an encryption operation E (k
Calculation of (p, M) is easy. Also, given the decryption key ks, the calculation of the decryption operation D (ks, M) is easy. (2) If the user does not know the decryption key ks, even if he knows the encryption key kp, the calculation procedure of the encryption operation E (kp, M), and the ciphertext C = E (kp, M), Determining the message M is difficult in terms of the amount of calculation.

Next, a secret communication function can be realized by satisfying the following condition (3) in addition to the conditions (1) and (2). (3) Encrypting operation E (k) for all messages (plaintext) M
_p , M) can be defined, and D (ks, E (kp, M)) = M holds. That is, since the encryption key kp is made public, anyone can calculate the encryption operation E (kp, M), but calculate D (ks, E (kp, M)) for communication. Only the person who has the secret decryption key ks can obtain the sentence M.

On the other hand, when the following condition (4) is satisfied in addition to the conditions (1) and (2), the authentication communication function can be realized. (4) Decryption operation D (k) for all message (plaintext) M
s, M), and E (kp, D (ks, M)) = M holds. That is, the decryption operation D (ks, M) can be calculated only by the person who has the secret decryption key ks, and the other person can use the false secret decryption key ks' to calculate D (k
s ', M), and the receiver receives the information because E (kp, D (ks', M) ≠ M) even if the person who has the secret decryption key ks is impersonated. Even if the value of D (ks, M) is falsified, E (kp, D (ks, M) ') ≠ M, and the receiver receives the information Can be confirmed.

In the above-described public key cryptosystem, a process E using a public encryption key (hereinafter also referred to as a public key) kp is “encrypted” and a secret decryption key (hereinafter also referred to as a secret key) k is used.
The process D using s is called “decoding”. Therefore, in secret communication, the sender encrypts and then the receiver decrypts it, but in authenticated communication the sender decrypts it,
Then the recipient will do the encryption.

The following is a protocol for performing a secret communication, an authentication communication, and a signed secret communication from the sender A to the receiver B by the public key cryptosystem. Here, the secret key of sender A is ksA, the public key is kpA, and the secret key of receiver B is k
Let sB and the public key be kpB.

[Secret Communication] When a message (plain text) M is confidentially transmitted from the sender A to the receiver B, the following procedure is performed. Step 1: Sender A encrypts message M with recipient B's public key kpB as follows, and sends ciphertext C to recipient B. C = E (kpB, M) Step 2: Recipient B decrypts ciphertext C with its own secret key ksB as follows to obtain original plaintext M. M = D (ksB, C) Since the public key kpB of the receiver B is disclosed to an unspecified number of persons, not only the sender A but also all persons can perform confidential communication with the receiver B.

[Authentication Communication] Authentication communication of a communication message (plaintext) M from the sender A to the receiver B is performed in the following procedure. Step 1: The sender A generates a sentence S with the private key ksA as follows and sends it to the receiver B. S = D (ksA, M) This sentence S is called a “signature sentence”, and the operation of obtaining the signature sentence S is called a “signature”. Step 2: Recipient B restores and converts signature text S using sender A's public key kpA as follows to obtain original plaintext M. M = E (kpA, S) If it is confirmed that the message M is a meaningful sentence, it authenticates that the message M was certainly sent from the sender A. Since the public key kpA of the sender A is disclosed to an unspecified number of persons, not only the receiver B but also all persons can authenticate the signature text S of the sender A. Such authentication is also called “digital signature”.

[Signed Secret Communication] When a message (plain text) M is sent from the sender A to the receiver B in a signed secret communication, the following procedure is performed. Step 1: The sender A signs the communication message M with his / her private key ksA as follows, and creates a signature message S. S = D (ksA, M) Further, the sender A encrypts the signature S with the receiver B's public key kpB as follows, and sends the ciphertext C to the receiver B. C = E (kpB, S) Step 2: Recipient B decrypts cipher text C with his / her private key ksB as follows to obtain signature text S. S = D (ksB, C) Further, the receiver B restores and converts the signature text S with the sender A's public key kpA as follows to obtain the original plaintext M. M = E (kpA, S) If it is confirmed that the message M is a meaningful sentence, it authenticates that the message M was certainly sent from the sender A.

The order in which the functions are applied in each step of the signed secret communication may be reversed. That is,
In the above procedure, Step 1: C = E (kpB, D (ksA, M)) Step 2: M = E (kpA, D (ksB, C)) Communication can be realized. Step 1: C = D (ksA, E (kpB, M)) Step 2: M = D (ksB, E (kpA, C))

Therefore, a system using a conventional digital watermark to which the above-mentioned public key cryptosystem is applied (see FIG. 1)
The procedure of the operation in 3) will be described.

1) First, a contract d2 relating to sales of image data g is exchanged between the server and the user.

2) Next, the user enters a random number ID indicating himself / herself.
And a one-way function f is generated using this.
This one-way function is defined as x in the function y = f (x).
Is a function that is easy to find y from, but difficult to find x from y. For example, prime factorization or discrete logarithm for an integer having a large number of digits is often used as a one-way function. 3) Next, the user generates signature information d3 with respect to the contract document d2 and the one-way function f using his / her private key ksU, and sends them together to the server.

4) Next, the server sends the user's public key kp
U is used to confirm signature information d3 and contract d2. 5) After checking, the server embeds all the distribution records d4 up to the present and the random number ID created by the user in the image data g,
The digital watermarked image data (g + d4 + ID) is generated. 6) The server sends the digital watermarked image data (g + d4 + ID) to the user.

Thereafter, if an unauthorized copy is found,
The embedded information is extracted from the unauthorized image data, and the user is identified from the ID included therein. At this time, the fact that the unauthorized copy was not distributed without permission by the server is asserted on the basis of the following. that is,
The ID that identifies the user is generated by the user himself,
Since the one-way function value f using it is signed by the user, the server will not
D cannot be generated. However, it is still possible for a user who has formally contracted with the server to impose a crime on a user who has formally contracted, because an ID that identifies himself is sent to the server, and imposes a crime on an uncontracted user. Only becomes impossible.

Therefore, a system (FIG. 14) that makes it impossible for a user who has formally contracted to impose a crime is called "Miura,
Watanabe, Takashi (NAIST): This is proposed in the document “SCIS97-31C” (hereinafter referred to as Document 2) “Digital Watermarking Considering Server Fraud”. This is achieved by dividing the server into an original image server and an embedded server. However, in this system, the embedded digital watermark is not destroyed at the time of encryption and decryption. Hereinafter, an operation procedure in the system of FIG. 14 will be described.

1) First, the user requests the original image server for the image data with the signature d5.

2) The original image server confirms the contents of the request from the signature d5 of the user, and after the confirmation, encrypts the requested image data g and sends it to the embedded server. At this time, the original image server attaches a signature to the user name u and the entrusted content d6, and sends it to the embedded server. At the same time, the original image server sends a decryption function f ′ for encryption to the user.

3) The embedded server checks the transmitted encrypted image data g ′ and the signature (u + d6), and creates user information d7 for specifying the user based on the user name u and the entrusted content d6. And embedding to generate encrypted image data with digital watermark (g ′ + d7). afterwards,
The embedding server sends the digital watermarked encrypted image data (g ′ + d7) to the user.

4) The user uses the decryption function f 'sent from the original image server to convert the encrypted image data with digital watermark (g' + d7) into image data with digital watermark (g
+ D7) is decoded.

Thereafter, if an illegal copy is found,
The original image server encrypts the unauthorized image data to extract embedded information and sends it to the embedded server. The embedded server specifies a user from the embedded information.
In this system, since the original image server does not embed the user information d7 for specifying the user in the image data g, and the embedding server does not know the decoding function f '(the image cannot be restored), Based on the fact that each server cannot illegally distribute the image data g in which the user information d7 of the user is embedded without permission even for the user who has formalized the contract.

[0029]

However, the system shown in FIG. 14 does not consider the collusion between the original image server and the embedded server and does not consider the collusion between the embedded server and the user. Therefore, when the original image server and the embedded server collude, the embedded server has the encrypted image data g ′ of the image data g that is the original image,
Since the user has the decryption function f ', the server can be illicit as in the system of FIG. 13 described above. If the embedded server and the user collude, the original image (g) can be illicitly obtained. It is.

Also, the original image server sends the decoding function f 'to the user, but if the user's management of the decoding function f' is inadequate, the embedding server can avoid the user's carelessness without colluding with the user. There is a great possibility that the decoding function f 'can be known.

Further, in this system, the original image server has no embedding means or cannot embed correctly. However, since the embedded image is extracted from the original image server, if the embedded information is analyzed, It is likely that the image server will be able to perform the correct embedding. This is because the embedded server does not embed its signature etc., so only the correspondence between the embedded information and the user information is secret of the embedded server, but it is not a random correspondence between the embedded information and the user information using a database etc. This is because when embedded information is created from user information based on a certain rule, there is a high risk of being analyzed. Then, in this case, the same injustice as in the system of FIG. 13 described above is possible.

Further, conventionally, as described above,
Although a system consisting of a user and a server has been proposed incompletely, security in a system in which the server is hierarchically arranged has not been guaranteed. This is, for example, FIG.
As shown in FIG. 5, a plurality of sales agents 1,.
, M, and a plurality of users 11, below each.
, 1n,..., M1,... Mn, a hierarchical system (hierarchical network 1), FIG.
, M-1,
m asks the sales agency to which m belongs for sale of his or her own image data, and the sales agency sends the image data of a plurality of authors 1, 2, ..., m-1, m In a hierarchical system (hierarchical network 2) or the like in which sales are made to many users 1, 2,. This is because the number of authors, distributors, and users increases, and the problem becomes more complicated than a two-party system due to collusion. It should be noted that the system shown in FIG. 14 can be viewed as a system having a configuration of a server, an agency, and a user, when considered broadly. However, the system described in the above-mentioned reference 2 is a hierarchical system described here. However, the server is divided from the viewpoint of preventing one server from being fraudulent, and the collusion problem is not considered as described above.

Accordingly, the present invention has been made to eliminate the above-mentioned drawbacks, and an electronic watermarking method for surely preventing unauthorized distribution of data even when elements constituting data trading are hierarchical. , An electronic information distribution system, an image file device, and a storage medium.

[0034]

According to a first aspect of the present invention, a first entity performs a first encryption process on original data with a first entity, and a second entity performs data encryption after the primary encryption process with the first entity. A second step of performing at least one of a management process and a distribution process and performing a digital watermark embedding process;
Is a digital watermarking method including a third step of performing a secondary encryption process on the data after the digital watermark embedding process.

According to a second aspect, in the first aspect,
The first step includes a step of performing a digital watermark embedding process at least before or after the primary encryption process on the original data.

According to a third aspect, in the first aspect,
The second step includes a step of performing a tertiary encryption process at least before or after the digital watermark embedding process.

According to a fourth aspect, in the first aspect,
The method further includes a step of distributing data that has been subjected to the digital watermark embedding processing under the influence of at least one of the primary encryption processing and the secondary encryption processing.

According to a fifth aspect based on the first aspect,
Checking the signature of the third entity with an anonymous public key with a certificate by a certificate authority.

According to a sixth aspect, in the first aspect,
The second entity includes a plurality of entities.

According to a seventh aspect, in the first aspect,
The information embedded by the second entity in the digital watermark embedding process is at least one of information on the third entity and information on data to be transmitted.

According to an eighth aspect based on the first aspect,
The first step includes a step of performing a digital watermark embedding process at least either before or after the primary encryption process on the original data, and the n-th (n ≧ 1) entity performs the digital watermark embedding process. The information to be embedded by the watermark embedding process is at least one of information on the (n + 1) th entity and information on data to be transmitted.

In a ninth aspect based on the first or second aspect, the digital watermark embedding processing is performed at least in the second aspect.
The process is characterized in that it is a process that does not embed information relating to the entity.

In a tenth aspect based on the first aspect, the original data is image data.

An eleventh invention is an electronic information distributing system including at least first to third entities for transmitting and receiving data on a network, wherein the first entity includes a primary encryption key in the original data. First encryption processing means for performing encryption processing, the second entity includes management and distribution processing means for performing at least one of management processing and distribution processing on the data after the primary encryption processing, and digital watermark embedding. Digital information embedding processing means for performing embedding processing, and the third entity includes a secondary encryption processing means for performing secondary encryption processing on the data after the electronic watermark embedding processing. It is characterized by being.

In a twelfth aspect based on the eleventh aspect, the first entity performs a digital watermark embedding process at least before or after the primary encryption process on the original data. The digital watermark embedding processing means is further provided.

In a thirteenth aspect based on the eleventh aspect, the second entity performs a tertiary encryption process for performing a tertiary encryption process at least before or after the digital watermark embedding process. It is characterized by further comprising processing means.

According to a fourteenth aspect, in the eleventh aspect, the data subjected to the digital watermark embedding process is distributed under the influence of at least one of the primary encryption process and the secondary encryption process. It is characterized by further comprising a distribution means for performing.

A fifteenth invention is characterized in that, in the eleventh invention, a checking means for checking the signature of the third entity with an anonymous public key with a certificate by a certificate authority is further provided.

In a sixteenth aspect based on the eleventh aspect, the second entity includes a plurality of entities.

In a seventeenth aspect based on the eleventh aspect, the information embedded by the second entity by the digital watermark embedding process is at least one of information on the third entity and information on data to be transmitted. It is characterized by having done.

In an eighteenth aspect based on the eleventh aspect, the first entity performs a digital watermark embedding process at least before or after the primary encryption process on the original data. Digital watermark embedding processing means,
The digital watermark embedding processing means of the n-th (n ≧ 1) entity sets the information to be embedded by the digital watermark embedding processing as at least one of information on the (n + 1) -th entity and information on data to be transmitted. A watermark embedding process is performed.

In a nineteenth aspect based on the eleventh or twelfth aspect, the digital watermark embedding processing means performs the digital watermark embedding processing without embedding at least information relating to the second entity. I do.

According to a twentieth aspect, in the eleventh aspect, the original data is image data.

According to a twenty-first aspect of the present invention, there is provided an image file device for storing data generated in each step of the digital watermarking method according to any one of the first to tenth aspects.

A twenty-second invention is a storage medium in which the steps of the digital watermarking method according to any one of claims 1 to 10 are readable by a computer.

[0056]

Embodiments of the present invention will be described below with reference to the drawings.

(First Embodiment)

According to the present invention, for example, a hierarchical system (a system having many agents) as shown in FIG.
Applied to FIG. 1 is the same as FIG.
In the system of FIG. 5, the configuration of a server, an agency, and an arbitrary user among a plurality of users belonging to the agency is shown in a simplified manner, focusing on an arbitrary agency among the plurality of agencies. is there. Hereinafter, the system 100 will be specifically described with reference to FIG.

The system 100 includes a terminal device (server terminal device) 10 on the server (or creator) side, a terminal device (agent terminal device) 40 on the agency side, and a terminal device (user terminal device) on the user side. 20 is a network system including a large number of entities (not shown) including a network 20. Each entity exchanges digital data with each other via a network.

The server terminal 10 is connected to the user terminal 2
Contract confirmation processing unit 11 to which data from 0 is supplied, digital watermark embedding processing unit 12 to which, for example, image data (digital data) G and agency information M are supplied, and output of digital watermark embedding processing unit 12 , A primary decryption processing unit 14 to which data from the agency terminal device 40 is supplied, and a confirmation processing unit 15 to which data from the agency terminal device 40 are supplied. Primary decoding processing unit 14
And a hash generation processing unit 16 to which the output is supplied. Each output of the primary encryption processing unit 13 and the hash generation processing unit 16 is supplied to the agency terminal device 40. The output of the primary decryption processing unit 14 is supplied to the hash generation processing unit 16 and also to the user terminal device 20 via the agency terminal device 40.

The agency terminal device 40 is a user terminal device 2
A contract generation processing unit 41 to which data from 0 is supplied; a digital watermark embedding processing unit 42 to which each output of the contract generation processing unit 41 and the primary encryption processing unit 13 of the server terminal device 10 is supplied; A tertiary encryption processing unit 43 to which the output of the watermark embedding processing unit 42 is supplied, a hash generation processing unit 44 to which the output of the tertiary encryption processing unit 43 is supplied, and an output of the hash generation processing unit 44 to be supplied Confirmation processing unit 45, the tertiary decoding processing unit 46 and the confirmation processing unit 47 to which data from the user terminal device 20 is supplied, and the digital watermark embedding processing to which the output of the tertiary decoding processing unit 46 is supplied And a part 48. The output of the tertiary encryption processing unit 43 is supplied to the hash generation processing unit 44 and also to the primary decryption processing unit 14 and the confirmation processing unit 15 of the server terminal device 10. . The output of the hash generation processing unit 16 of the server terminal device 10 is also supplied to the confirmation processing unit 45, and the output of the confirmation processing unit 45 is also supplied to the user terminal device 20. Further, data from the user terminal device 20 is also supplied to the digital watermark embedding processing unit 48, and the output of the digital watermark embedding processing unit 48 is supplied to the user terminal device 20.

The user terminal device 20 is the agent terminal device 4
And a primary decryption processing unit 14 of the server terminal device.
From the secondary encryption processing unit 24 and the confirmation / signature processing unit 28 supplied with the data from the
It has a hash generation processing unit 26 to which the output of the next encryption processing unit 24 is supplied, and a secondary decryption processing unit 27 to which the output of the digital watermark embedding processing unit 48 of the agency terminal device 40 is supplied. Then, the output of the secondary encryption processing unit 24 is supplied to the hash generation processing unit 26 and also to the tertiary decryption processing unit 46 and the confirmation processing unit 47 of the agency terminal device 40. I have. The output of the hash generation processing unit 26 is transmitted to the confirmation processing unit 47 of the agency terminal device 40.
To be supplied. Further, the confirmation / signature processing unit 28 includes a confirmation processing unit 45 of the agent terminal device 40.
Is supplied.

In the system 100 as described above, information relating to the primary encryption such as the scheme and secret key is information known only to the server, information relating to the secondary encryption is information known only to the user, and information relating to the tertiary encryption. Is information known only to the agency. However, between these ciphers, if any one of the ciphers is decrypted first, the cipher will be decrypted.
Has the property of Hereinafter, encryption is referred to as “E
i () ”and decryption are represented by“ Di () ”, and the embedding process related to the digital watermark is represented by“ + ”.

Therefore, the embedding process relating to the digital watermark in the system 100 will be described first.

[Embedding Process] 1) First, in the user terminal device 20, a user attaches a signature and requests image data from an agency. The request data is information (user signature information) generated by the contract generation processing unit 21 and is hereinafter referred to as contract information.
Then, the agency terminal device 40 receives the contract information from the user, confirms this, and then requests the server for image data.

2) Next, in the server terminal device 10,
The digital watermark embedding unit 12 embeds the agency information M in the image data G requested by the agency. Then, the primary encryption processing unit 13 performs primary encryption E1 of the image data (G + M) in which the agency information M is embedded by the digital watermark embedding processing unit 12, and transmits the image data to the agency side. Accordingly, the primary encrypted image data E1 (G + M) is stored in the agent terminal device 40.
Will be sent.

3) Next, in the agency terminal device 40,
The contract generation processing unit 41 generates user information U from contract information from the user side. Then, the digital watermark embedding processing unit 42 generates the user information U generated by the contract generation processing unit 41.
To the primary encrypted image data E1 (G +
M). The tertiary encryption processing unit 43 performs tertiary encryption E3 on the primary encrypted image data E1 (G + M) + U in which the user information U is embedded in the digital watermark embedding processing unit 42, and outputs the data (tertiary encryption). (Encrypted image data) E3 (E1
(G + M) + U) to the server. At the same time, the hash generation processing unit 44 generates and signs a hash value H1 for the transmission data (tertiary encrypted image data) E3 (E1 (G + M) + U), and transmits them to the server side. Therefore, the tertiary encrypted image data E3 (E1 (G + M) + U), the hash value H1, and its signature are sent to the server terminal device 10.

The above-mentioned hash value is generally an output value of the hash function h (), and is a compression function that does not easily cause a collision. Here, the collision means that h (x1) = h (x2) for different values x1 and x2. The compression function is a function for converting a bit string having an arbitrary bit length into a bit string having a certain length. Therefore, a hash function is a function h () that converts a bit string of an arbitrary bit length into a bit string of a certain length, and h (x
1) Values x1 and x2 satisfying = h (x2) cannot be easily found. At this time, from an arbitrary value y, y = h
Since the value x satisfying (x) cannot be easily found, the hash function is necessarily a one-way function. Specific examples of the hash function include MD (Message Digest) 5 and SHA.
(Secure HashAlgorithm) and the like are known.

4) Next, in the server terminal device 10,
The confirmation processing unit 15 determines that the signature of the hash value H1 from the agent side matches the hash value of the hash value H1 with the hash value of the transmission data (tertiary encrypted image data E3 (E1 (G + M) + U)). Confirm and save the data sent after confirmation. Further, the primary decryption processing unit 14 receives the tertiary encrypted image data E3 (E1 (G + M) + U) from the agency side.
Is decrypted and transmitted to the user agent side. At the same time, the hash generation processing unit 16 generates a hash value H for the transmission data (E3 (G + M + D1 (U))).
2 and sign them and send them to the agency. Therefore, the data E3 (G + M +
D1 (U)), the hash value H2 and its signature are sent.

5) Next, in the agency terminal device 40,
The confirmation processing unit 45 determines that the signature of the hash value H2 from the server side and the hash value H2 are the transmission data (E3 (G + M
+ D1 (U))), and stores the data sent after the confirmation. Also,
The confirmation processing unit 45 transmits the data from the server as it is to the user. Therefore, in the user terminal device 20,
Data E3 (G + M + D1 (U)) and hash value H2
And its signature.

6) Next, in the user terminal device 20,
The confirmation / signature processing unit 28 receives the hash value H from the agency side.
2 and its hash value H2 are the transmission data (E3
It confirms that it matches the hash value of (G + M + D1 (U)), and saves the data sent after the confirmation.
Further, the confirmation / signature processing unit 28 generates its own signature A for the hash value H2, and transmits it to the server via the agency. The confirmation processing unit 45 of the agency terminal device 40 and the hash generation process 16 of the server terminal device 10
The signature A from the user is confirmed, and after the confirmation, it is stored.

7) Next, in the user terminal device 20,
The secondary encryption processing unit 24 receives the data E3 from the agency side.
(G + M + D1 (U)) is subjected to secondary encryption E2 and transmitted to the agency side. At the same time, the hash generation processing unit 26 transmits the transmission data (E2 (E3 (G + M + D1
Generate and sign a hash value H3 for (U)))) and send them to the agency side. In addition, it generates its own certification information S and transmits it to the agency side. Therefore,
The agent terminal device 40 has data E2 (E3 (G + M +
D1 (U))), the hash value H3 and its signature, and the certification information S are sent.

8) Next, in the agency terminal device 40,
The confirmation processing unit 47 sends the signature of the hash value H3 from the user side and the hash value H3 to the transmission data (E2 (E3
(G + M + D1 (U)))) and confirm that the hash value matches, and save the data sent after the confirmation. Further, the tertiary decryption processing unit 46 decrypts the tertiary encryption of the data E2 (E3 (G + M + D1 (U))) from the user side. Then, the digital watermark embedding processing unit 48 embeds the certification information S from the user side into the data E2 (G + M + D1 (U)) obtained by decoding by the tertiary decoding processing unit 46, and the data E2 (G + M + D1 ( U)) + S is transmitted to the user side. Further, the hash generation processing unit 49 calculates a hash value H4 of the data E2 (G + M + D1 (U)).
Is generated, and the hash value H4 is signed and transmitted to the user side. Therefore, the data E2 is stored in the user terminal device 20.
(G + M + D1 (U)) + S will be sent.

9) Next, in the user terminal device 20,
The confirmation processing unit 29 confirms the signature of the hash value H4 from the agent side, and this hash value H4
Confirm that the hash value matches the hash value of (G + M + D1 (U)), and save the data sent after the confirmation. Then, the secondary decryption processing unit 27 receives the data E from the agency side.
Decodes the 2 (G + M + D1 ( U)) + S secondary encryption, and outputs the taken out watermarked image data G _W. This image data G _W can be expressed by G _W = G + M + D1 (U) + D2 (S). This is because, for the original image data G, agency information M and user information (watermark information) that has undergone primary decryption
U and the signature information S affected by the secondary encryption are embedded.

As described above, since the embedding of the user's signature information S is performed by the agency, the user cannot fundamentally cheat. Also, the agency embeds the user information U and the signature information S of the user, but the user information U is affected by the primary encryption known only to the server, and the signature information S is known only to the user 2 The agency cannot directly embed D1 (U + D2 (S)) in the original image data G because it is affected by the next encryption. At this time, if an illegal copy (illegal image) is found, for example, an unauthorized user is identified by a procedure according to the flowchart shown in FIG. 2 (hereinafter, this is referred to as a verification process). However, here, it is assumed that the image data is not subjected to the deformation and erasure of the watermark information, as in the above-described Documents 1 and 2.

[Verification Process] 1) First, the server extracts agency information M 'from the found unauthorized image data Gw' (step S101). At this time, if the agency information M 'is not extracted, it is determined that the server (or the creator or the like) is unauthorized (step S10).
2). This is because the server information is embedded in the agency information M '.

2) In step 1), when the correct agency information M is extracted (when M ′ = M), the server
Submit the unauthorized image data Gw ′ and the key of the primary encryption to
Primary encryption of unauthorized image data Gw '(step S10)
3) and request for extraction of user information U '(step S104). At this time, when correct user information U 'is extracted (when U' = U), the process proceeds to 8) described later.

3) If the correct user information U ′ is not extracted in 2), the verification authority 30
Request the stored data E3 (E1 (G + M) + U), the hash value H1 and its signature, and
And confirm its signature. Thereafter, the verification station 30 decrypts the primary encryption of the data E3 (E1 (G + M) + U), generates a hash value, and confirms that the hash value matches the hash value H2 stored by the agency. Confirm. At the same time, the verification station 30 also checks the signature of the hash value H2 (step S105).

4) In 3), if the hash value generated by the verification station 30 does not match the hash value H2 stored by the agency, the verification station 30 determines that the server is illegal. (Step S106). This is because the primary encryption key submitted by the server is incorrect.

5) In 3), if the hash value generated by the verification station 30 matches the hash value H2 stored by the agency, the verification station 30 sends the third encryption code to the agency. Requesting the submission of the key, the data E3 (E3
1 (G + M) + U) is decrypted to extract user information U '(step S107).

6) In 5), when correct user information U ′ is extracted (when U ′ = U), the verification authority 30 determines that the server is illegal (step S108). This means that the embedding process of the user information U 'has been properly performed. Further, the verification processing up to 5) indicates that the primary encryption of the unauthorized image data Gw ′ is correct and the user information U ′ is incorrect, so that the primary image data Gw ′ can be generated only by the primary This is because only the server knows the encryption.

7) If the correct user information U 'is not extracted in 5), the verification authority 30 determines that the agent is illegal (step S109). This means that the correct user information U 'was not embedded in the embedding process, and the embedding of the user information U' is performed by the agency.

8) If the correct user information U ′ is extracted in the above 2) (U ′ = U), the verification station 30
Requests the server and the agent to submit the stored hash value H2 and the signature A 'of the hash value H2 by the user, and confirms the signature A' (step S1).
10).

9) In step 8), if the correct signature A ′ is not confirmed (not submitted), the verification authority 30
Judges that the server and the agent are illegal due to collusion (step S111). This is a collaboration between the server and the agency,
Data G + M + indicating an arbitrary user (user information U ′)
This is because it means that D1 (U ') is forged.

10) In step 8), when the correct signature A ′ is confirmed (A ′ = A), the verification authority 30 requests the user to submit the secondary encryption key, and The secondary encryption of the image data Gw 'is performed (step S112), and the signature information S' is extracted (step S113).

11) In step 10), when correct signature information S 'is extracted (if S' = S), verification station 30 recognizes that the user is illegal (step S114). this is,
This is because the process of performing secondary encryption and returning to the signature information S 'can be performed only by the user side.

12) In step 10), if the correct signature information S ′ is not extracted, the verification authority 30 sends the stored data E3 (G + M + D1 (U)) to the user.
Requesting the submission of the hash value H3 and its signature, and confirming the hash value H3 and its signature. After that, Verification Bureau 3
0 performs the secondary encryption of the data E3 (G + M + D1 (U)), generates the hash value, and confirms that the hash value matches the hash value H3. At the same time, the verification bureau 30 also checks the signature of the hash value H3 (step S115).

13) In 12), the hash value generated by the verification station 30 and the hash value H3 stored by the user
If does not match, the verification authority 30 determines that the user is fraudulent (step S116). This is because the key of the secondary encryption submitted by the user is incorrect.

14) In 12), the hash value generated by the verification station 30 and the hash value H3 stored by the user
If they match, the verification bureau 30 determines that the agent is illegal (step S117). This means that in the embedding process, the agent did not correctly embed the signature information S.

As described above, according to the present embodiment, the verification station 30 is not required until an illegal image is found,
It is not possible to commit fraud before a fraudulent image is found. In addition, if the procedure of the above-described verification process is publicly known, and the server, the agency, and the user see each other, the fraud can be specified according to the situation without the verification station 30.

(Second Embodiment)

The present invention is applied to, for example, a hierarchical system (a system with one agency) as shown in FIG. FIG. 3 shows, for simplicity of explanation, in the system of FIG. 16 described above, focusing on an arbitrary creator and a user among a plurality of writer (or server etc.) agencies and a plurality of users. Here, the structure of a server), an agency, and a user are shown in a simplified manner. Hereinafter, the system 200 will be described with reference to FIG.
Will be specifically described.

The system 200 has the same configuration as the system 100 shown in FIG. 1, but differs in the following points. 1) In the server terminal device 10, the digital watermark embedding processing unit 12 is not provided, and only the image data G is supplied to the primary encryption processing unit 13. 2) In the agency terminal device 40, a hash generation processing unit 49 to which the output of the digital watermark embedding processing unit 48 is supplied is further provided, and the output of the hash generation processing unit 49 is supplied to the user terminal device 20. Is done. 3) In the user terminal device 20, the agency terminal device 40
Digital watermark embedding processing section 48 and hash generation processing section 4
Further, a confirmation processing unit 29 to which each output of No. 9 is supplied is further provided.

As described above, in the system 200, the embedding of the agency information M indicating the agency is omitted. Therefore, first, an embedding process related to a digital watermark in the system 200 will be described.

In the system 200 shown in FIG. 3,
The parts that operate in the same manner as the system 100 of FIG.

[Embedding Process] 1) First, in the user terminal device 20, a user attaches a signature and requests image data (contract information) from an agency.
Then, the agency terminal device 40 receives the contract information from the user, confirms this, and then requests the server for image data.

2) Next, in the server terminal device 10,
The primary encryption processing unit 13 converts the image data G into primary encryption E
1 and transmit it to the agency. Therefore, the primary encrypted image data E1 (G) is sent to the agency terminal device 40.

3) Next, in the agency terminal device 40,
The contract generation processing unit 41 generates user information U from contract information from the user side. Then, the digital watermark embedding processing unit 42 generates the user information U generated by the contract generation processing unit 41.
Is embedded in the primary encrypted image data E1 (G) from the server side. The tertiary encryption processing unit 43 performs tertiary encryption E3 on the primary encrypted image data E1 (G) + U in which the user information U is embedded by the digital watermark embedding processing unit 42, and obtains the data (tertiary encryption). Encrypted image data) E3 (E1 (G) + U)
To the server side. At the same time, the hash generation processing unit 44 transmits the transmission data (tertiary encrypted image data) E
3 (E1 (G) + U)), generates and signs a hash value H1, and sends them to the server side. Therefore, the server terminal device 10 provides the tertiary encrypted image data E3 (E
1 (G) + U), the hash value H1 and its signature are sent.

4) Next, in the server terminal device 10,
The confirmation processing unit 15 checks that the signature of the hash value H1 from the agent side matches the hash value of the hash value H1 with the hash value of the transmission data (tertiary encrypted image data E3 (E1 (G) + U)). Confirm and save the data sent after confirmation. Further, the primary decryption processing section 14 decrypts the primary encryption of the tertiary encrypted image data E3 (E1 (G) + U) from the agency side and transmits it to the user agency side. At the same time, the hash generation processing unit 16 transmits the transmission data (E3 (G
+ D1 (U))), generates and signs a hash value H2, and sends them to the agency side. Therefore, the data E3 (G + D1 (U)), the hash value H2, and the signature thereof are sent to the agency terminal device 40.

5) Next, in the agency terminal device 40,
The verification processing unit 45 determines that the signature of the hash value H2 from the server side and that the hash value H2 is the transmission data (E3 (G + D
1 (U))), and stores the data sent after the confirmation. In addition, the confirmation processing unit 45 transmits the data from the server side to the user side as it is. Therefore, the data E3 (G + D1 (U)), the hash value H2, and the signature thereof are sent to the user terminal device 20.

6) Next, in the user terminal device 20,
The confirmation / signature processing unit 28 receives the hash value H from the agency side.
2 and its hash value H2 are the transmission data (E3
It confirms that the hash value matches the hash value of (G + D1 (U)), and saves the data sent after the confirmation. Further, the confirmation / signature processing unit 28 generates its own signature A for the hash value H2, and transmits it to the server via the agency. The confirmation processing unit 45 of the agency terminal device 40 and the hash generation process 16 of the server terminal device 10
The signature A from the user is confirmed, and after the confirmation, it is stored.

7) Next, in the user terminal device 20,
The secondary encryption processing unit 24 receives the data E3 from the agency side.
(G + D1 (U)) is subjected to secondary encryption E2 and transmitted to the agency side. At the same time, the hash generation processing unit 2
6 is transmission data (E2 (E3 (G + D1 (U))))
Generates and signs a hash value H3, and sends them to the agency side. In addition, it generates its own certification information S and transmits it to the agency side. Therefore, data E2 (E3 (G + D1 (U))) is stored in the agency terminal device 40.
, The hash value H3 and its signature, and the certification information S are sent.

8) Next, in the agency terminal device 40,
The confirmation processing unit 47 sends the signature of the hash value H3 from the user side and the hash value H3 to the transmission data (E2 (E3
(G + D1 (U)))) and confirm that the hash value matches the hash value, and save the data sent after the confirmation. Further, the tertiary decoding processing unit 46 receives the data E2 from the user side.
The tertiary encryption of (E3 (G + D1 (U))) is decrypted. Then, the digital watermark embedding processing unit 48 embeds the proof information S from the user side into data E2 (G + D1 (U)) obtained by decoding by the tertiary decoding processing unit 46,
2 (G + D1 (U)) + S is transmitted to the user side. Therefore, the data E2 (G + D1) is stored in the user terminal device 20.
(U)) + S will be sent.

9) Next, in the user terminal device 20,
The secondary decryption processing unit 27 receives the data E2 (G
+ D1 (U)) + decrypts the secondary encrypted in S, and outputs the taken out watermarked image data G _W. This image data G _W can be expressed by G _W = G + D1 (U) + D2 (S). This indicates that the user information (watermark information) U subjected to the primary decryption and the signature information S affected by the secondary encryption are embedded in the original image data G.

As described above, the embedding of the user's signature information S is performed by the agency, so that the user cannot basically cheat. Also, the agency embeds the user information U and the signature information S of the user, but the user information U is affected by the primary encryption known only to the server, and the signature information S is known only to the user 2 The agency cannot directly embed D1 (U + D2 (S)) in the original image data G because it is affected by the next encryption. At this time, if an unauthorized copy (illegal image) is found, the verification process is performed in the following procedure so that the unauthorized agency can be specified without using the agency information M described above.
However, here, it is assumed that the image data is not subjected to the deformation and erasure of the watermark information, as in the above-described Documents 1 and 2.

[Verification Process] 1) First, the server submits the primary encryption key from the found unauthorized image data Gw 'to the verification station 30, and performs primary encryption and use of the unauthorized image data Gw'. Requesting the extraction of user information U '. When the correct user information U ′ is extracted (when U ′ = U), the process proceeds to 7) described later.

2) If the correct user information U ′ is not extracted in 1), the verification authority 30
It requests the stored data E3 (E1 (G) + U), the hash value H1 and its signature, and confirms the hash value H1 and its signature. After that, the verification authority 30 transmits the data E
3 (E1 (G) + U) is decrypted, a hash value is generated, and it is confirmed that the hash value matches the hash value H2 stored by the agency. At the same time, the verification station 30 also checks the signature of the hash value H2.

3) In 2), if the hash value generated by the verification station 30 does not match the hash value H2 stored by the agency, the verification station 30 recognizes that the server is illegal. I do. This is because the primary encryption key submitted by the server is incorrect.

4) In 2), if the hash value generated by the verification station 30 matches the hash value H2 stored by the agency, the verification station 30 sends the third encryption code to the agency. Requesting the submission of the key, the data E3 (E3
1 (G) + U) is decrypted to extract user information U ′.

5) In 4), when correct user information U ′ is extracted (when U ′ = U), the verification station 30 determines that the server is illegal. This means that the embedding process of the user information U 'has been properly performed. Further, by the verification processing up to 4), the unauthorized image data G
Since it has been shown that the primary encryption of w 'is correct and the user information U' is incorrect, the unauthorized image data Gw 'can be generated only by the server that knows the primary encryption.

6) In 4), if the correct user information U 'is not extracted, the verification authority 30 determines that the agent is illegal. This means that the correct user information U 'was not embedded in the embedding process, and the embedding of the user information U' is performed by the agency.

7) If the correct user information U 'is extracted in the above 1) (when U' = U), the verification station 30
Requests the server and the agency to submit the stored hash value H2 and the signature A 'of the hash value H2 by the user, and confirms the signature A'.

8) In 7), if the correct signature A 'is not confirmed (if not submitted), the verification authority 30
Will be found to be fraudulent by collusion of the server and the agency. This means that the server and the agency collude and forge data G + D1 (U ') indicating an arbitrary user (user information U').

9) In 7), when the correct signature A ′ is confirmed (A ′ = A), the verification authority 30 requests the user to submit the key of the secondary encryption, and Image data G
The secondary encryption of w 'is performed, and the signature information S' is extracted.

10) In step 9), when correct signature information S 'is extracted (if S' = S), the verification station 30 determines that the user is illegal (step S114). This is 2
This is because the process of next encryption and returning to the signature information S 'can be performed only by the user.

11) If the correct signature information S ′ is not extracted in 9), the verification authority 30
A request is made to submit the stored data E3 (G + D1 (U)) and the hash value H3 and the signature thereof.
3 and confirm its signature. Thereafter, the verification station 30 performs the secondary encryption of the data E3 (G + D1 (U)), generates the hash value, and confirms that the hash value matches the hash value H3. At the same time, the verification authority 30
Also performs a signature check on the hash value H3.

12) In 11), the hash value generated by the verification station 30 and the hash value H3 stored by the user
Does not match, the verification authority 30 determines that the user is illegal. This is because the key of the secondary encryption submitted by the user is incorrect.

13) In 11), the hash value generated by the verification station 30 and the hash value H3 stored by the user
If they match, the verification authority 30 recognizes that the agent is illegal. This means that in the embedding process, the agent did not correctly embed the signature information S.

As described above, according to the present embodiment, the verification station 30 does not need to detect the unauthorized image until it is found.
It is not possible to commit fraud before a fraudulent image is found. In addition, if the procedure of the above-described verification process is publicly known, and the server, the agency, and the user see each other, the fraud can be specified according to the situation without the verification station 30.

(Third Embodiment)

First, in recent years, a currency on a network called electronic cash has been realized. In this electronic cash, anonymity is realized because the name of the owner is not written like ordinary cash. If the anonymity is not realized, the merchandise seller can know the information of who purchased which merchandise from the electronic cash, which violates the privacy of the user. For this reason,
As with copyright protection of authors by digital watermarking, it is important to protect user privacy.

Therefore, in the third embodiment, the anonymity of the user is realized at the time of purchase, and when a fraud such as fraudulent distribution of an image is discovered, the original purpose of the digital watermark, which is the original purpose of the digital watermark, is obtained. Make identification possible. This is achieved, for example, by a system 300 as shown in FIG.

This system 300 has the same configuration as the system 200 in FIG.
0 is configured to receive an anonymous public key certificate from the certificate authority 40.

Here, in general, a public key for checking signature information is often provided with a certificate by an organization called a certification authority to prove its validity. The certificate authority is an organization that issues a certificate to a user's public key in order to guarantee the validity of the user's public key in the public key cryptosystem. That is, the certificate authority creates and issues a certificate by signing the user's public key and data related to the user with the certificate authority's private key. Other users who have sent their public keys with certificates from one user can check the certificate against the public key of the certificate authority to verify the validity of the user who sent the public key (at least by the certificate authority). Authenticated user).
VeriSign is one of the organizations that operate such certificate authorities.
And CyberTrust are well known companies.

Therefore, in the embedding process 1) in the second embodiment described above, when the agent checks the contract information of the user from the signature, the agent may check the contract information with the public key with the certificate of the certificate authority. Can be However, this certificate usually bears the name of the owner of the public key. Therefore, in this case, the anonymity of the user at the time of data purchase is not realized.

On the other hand, if the correspondence between the public key and the owner is kept secret by the certificate authority, the name of the owner can be omitted from the certificate of the public key. Such a public key with a certificate is hereinafter referred to as “anonymous public key with a certificate”.

Therefore, the user sends the signature of the contract information and the anonymous public key with certificate for checking the signature information S together with the contract information in 1) of the embedding process in the above-described second embodiment. , Users can make themselves anonymous at the time of purchase. Therefore, the anonymous public key with a certificate is passed to the agency as information for identifying the user. When an unauthorized party is found, the anonymous public key with the certificate is indicated to the certificate authority 50 and the user corresponding to the public key is indicated. The user can be specified by being told.

As described above, the embedding process 1) and the verification process 7) in the above-described second embodiment are performed.
As described below, anonymity at the time of purchase of a user and identification of a fraudulent person at the time of fraud detection are realized.

Hereinafter, the embedding process and the verification process in the system 300 shown in FIG. 4 will be specifically described.

In the system 300 shown in FIG.
Parts that operate in the same manner as in the system 200 of FIG. 3 are denoted by the same reference numerals, and detailed description thereof will be omitted. Except for the embedding process 1) and its verification process 1),
Since this is the same as the above-described second embodiment, a detailed description thereof will be omitted.

[Embedding Process] 1 ') First, in the user terminal device 20, the contract generation processing unit 21 publishes the contract information for requesting image data together with the anonymous public key with certificate from the certificate authority 50. Sign the key and send it to the agency. In the agency terminal device 40, the contract information from the user is confirmed from the anonymous public key with the certificate, and then the image data is requested from the server.

Thereafter, processes similar to 2) to 9) of the embedding process in the above-described second embodiment are performed.

In this case as well, the user cannot fundamentally cheat, and the agency is D1 (U + D2 (S))
Cannot be directly embedded in the original image data G. At this time, if an illegal copy (illegal image) is found, the following verification processing is performed.

[Verification Processing] 1) to 6) First, the same processing as the verification processing 1) to 6) in the above-described second embodiment is performed.

7 ') If the correct user information U' is extracted in the above 1) (when U '= U), the verification station 30
Submits the anonymous public key with certificate obtained from the user information U 'and the contract information to the certificate authority 50, and requests the certificate authority 50 for a user name corresponding to the anonymous public key with certificate. . Further, the verification station 30 requests the server and the agency to submit the stored hash value H2 and the signature A ′ of the hash value H2 by the user, and confirms the signature A ′.

Thereafter, the same processes as the verification processes 8) to 13) in the above-described second embodiment are performed.

As described above, according to the present embodiment, as in the second embodiment, the verification station 30 does not need to check the unauthorized image until the unauthorized image is found, Can not do. In addition, if the procedure of the above-described verification process is publicly known, and the server, the agency, and the user see each other, the fraud can be specified according to the situation without the verification station 30.

In the third embodiment, the system 200 in the second embodiment is provided with the certificate authority 50. However, the present invention is not limited to this. The station 50 may be provided.
In this case, the embedding process 1) in the first embodiment is the above 1 ′), and the verification process 8) in the first embodiment is the above 7 ′).

Various data including the hash value of each stage obtained by the embedding process of the image data and the watermark information shown in the above-described first to third embodiments should be stored in the following formats. Can be.

For example, in the following general image format, image data sent at each stage can be stored in the image data section, and the corresponding hash value and its signature can be stored in the image header section. In addition, the hash value, the signature, the key of the secondary encryption, and the like that the user needs to store finally can be stored in the image header section, and the image data with digital watermark can be stored in the image data section. .

On the other hand, in the FlashPix ™ file format described below, a general image format including the above-described hash value and its signature can be stored as data of each layer. In addition, the hash value and its signature can be stored in the property set as attribute information.

[Description of General Image Format] In a general image format, as shown in FIG. 5, an image file is divided into an image header section and an image data section. Generally, the image header section stores information necessary for reading image data from the image file and additional information describing the content of the image. In the example of FIG. 5 described above, an image format identifier indicating the image format name,
File size, image width / height / depth, compression / non-compression,
Information such as a resolution, an offset to a storage position of image data, and information of a color palette is stored. On the other hand, the image data section is a section that stores image data sequentially. As typical examples of such an image format, the BMP format of Microsoft Corporation and the GIF format of Compuserve Corporation are widely used.

[Description of FlashPixTM File Format] FlashPixTM (FlashPix is a
In the Kodak (registered trademark) file format, the image attribute information stored in the image header section and the image data stored in the image data section are further structured and stored in a file. This structured image file is shown in FIGS. Each property or data in the file is accessed by storage and stream corresponding to the directory and file of MS-DOS. In FIG. 6 and FIG. 7, the shaded portion is the storage, the unshaded portion is the stream, and the image data and image attribute information are stored in the stream portion.

In FIG. 6, the image data is hierarchized at different resolutions.
It is called bimage and indicated by Resolution 0, 1,..., n. For each resolution image, information necessary to read the image data is stored in the Subimage Header, and the image data is stored in the Subimage data.

The property set is defined by classifying the attribute information according to the purpose of use and the contents.
mmary info. Property Set, Image info. Property Se
t, Image Content Property Set, Extension list prop
There is an erty Set.

[Description of each property set] Summary inf
o. Property Set is not specific to FlashPix,
A required property set for rosoft structured storage, which stores the title, title, author, thumbnail image, etc. of the file. Also, Comp Obj.Str
In eam, general information on the storage unit (Storage) is stored. The Image Content Property Set is an attribute that describes a method of storing image data (see FIG. 8). This attribute includes the number of layers of image data, the width and height of the image with the maximum resolution, the width, height, and color configuration of each resolution image, or the quantization table and Huffman table when using JPEG compression. Describe the definition of Extent
The ion list property set is an area used when adding information that is not included in the above basic specifications of FlashPix. Furthermore, the ICC (International Colo
r Consortinm) describes the conversion profile for the color space conversion.

[0147] The Image info. Property Set contains various information that can be used when using image data, such as how the image is captured and how it can be used. Stores information.・ Information on how to import and / or generate digital data ・ Information on copyright ・ Information on the contents of the image (person, location, etc. in the image) ・ Information on the camera used for shooting ・ Settings of the camera when shooting , Shutter speed, focal length, use of flash, etc.)-Information on the resolution and mosaic filter specific to digital cameras-Information on film manufacturer name, product name, type (negative / positive, color / black and white)-Original Information about the type and size of the document when it is a book or print ・ In the case of a scanned image, information about the scanner, software,

The FlashPix Image View Object shown in FIG.
Is an image file that stores viewing parameters and image data used when displaying an image. Viewing parameters are rotation, enlargement /
This is a set of processing coefficients stored in order to adapt the processing of reduction, movement, color conversion, and filtering when displaying an image. In FIG. 7, a locked attribute list is described in a Global info.property set portion, and for example, an index of a maximum image, an index of a maximum change item, information of a last modifier, and the like are described. . In the same figure, Source / Result FlashPix Image Obj
ect is the entity of FlashPix image data,
shPix Image Object is required and Result FlashPix Image
Object is optional. Source FlashPix Image Ob
ject is the original image data, ResultFlashPix Ima
The ge Object stores image data obtained as a result of image processing using viewing parameters.

Also, Source / Result desc. Property Set
Is a property set for identifying the image data, and stores an image ID, a property set for which change is prohibited, a last update date and time, and the like. The Transform Property Set stores an Affine conversion coefficient, a color conversion matrix, a contrast adjustment value, and a filtering coefficient for rotating, enlarging / reducing, and moving an image.

[Description of Handling of Image Data] Here,
An image format including an image of a plurality of resolutions divided into a plurality of tiles will be described as an example.

FIG. 9 shows an example of an image file composed of a plurality of images having different resolutions. In FIG. 9,
The image of the maximum resolution has a column × row composed of X0 × Y0, and the image with the next highest resolution is X0 / 2 × Y0 / 2.
Thereafter, both columns and rows are sequentially reduced by １ ／, and both columns and rows are reduced to 64 pixels or less or equal to each other.

As a result of hierarchizing the image data,
As the attribute information of the image, “the number of layers in one image file” and the header information and the image data described in the section of the general image format are required for the image of each layer (see FIG. 5). reference). Information about the number of layers in one image file, the width and height of the image with the maximum resolution, or the width, height, color configuration, compression method, etc. of the image with each resolution is described in the Image Content Property Set. (See FIG. 8 above).

Further, the image of the layer of each resolution is shown in FIG.
As shown by 0, the image is divided for each tile of 64 pixels × 64 pixels. If the image is divided into 64 × 64 pixel tiles sequentially from the upper left of the image, blanks may occur in some of the right and bottom tiles depending on the image. In this case, 64 pixels × 64 pixels are constructed by repeatedly inserting the rightmost image or the lowermost image.

In FlashPix ™, image data in each tile is stored by any of JPEG compression, single color, and non-compression. JPEG compression is ISO / IEC JT
An image compression method internationally standardized by C1 / SC29,
The description of the method itself is omitted here. In addition, the single color is a method of expressing the color of a single tile without recording the value of each pixel only when all of the one tile is configured with the same color. This method is particularly useful for images generated by computer graphics.

The image data thus divided into tiles is stored, for example, in the Subimage data stream shown in FIG. 6, and the total number of tiles, the size of each tile, the data start position, and the compression method are all stored in the Subimage Header. (See FIG. 11).

In the first to third embodiments described above, the embedding of the watermark information can be realized by various methods, for example, “Shimizu, Numao, Morimoto (Japanese I)
BM): "Hidden image data hiding by pixel block", Information Processing Society of Japan 53rd National Convention, 1N-11,
Reference 3 of September 1996, and “IJCox, J.Kilian, TL
eighton and T.shamoon (NEC): “Sucure Spread Sp
ectrum Watermarking for Multimedia, "NEC Reserc
h Institure Technical Report 95-10. "

The encryption scheme used as the primary encryption to the tertiary encryption can be realized by various methods. For example, the encryption method can be realized by changing the bit arrangement according to the encryption key.

Further, all transmission data can be sent with a hash value and its signature.

The primary to tertiary encryptions are used in the process of embedding watermark information so as not to notify each other's information. However, in order to prevent eavesdropping and falsification on a communication path by a third party, DES is separately used. (Data Encryption Stan
dard) or a hash function.

In the first to third embodiments described above, the detection of unauthorized distribution is performed on the server (or the creator) side, but the secret key relating to the primary encryption or the secondary encryption is not known. However, anyone who has only a digital watermark extracting means can know the illegal distribution and the user information of the illegal distribution. After that, it is only necessary to notify the server side of the discovery of the unauthorized distribution and start the verification process, and the discoverer of the unauthorized distribution is not limited to the server.

Further, the server can embed not only the user information U but also other information such as copyright information and information on the distribution status of the image data in the image data as necessary. When the server or the agency wants to embed secret information, if the embedding process is performed after the primary encryption, the information affected by the primary encryption can be embedded in the same manner as the signature information. Further, the user information U does not need to be always before the primary encryption, and may be embedded after the primary encryption (in this case, the detection of the user information U is
Only those who know the server or agent or the secret key of the primary encryption can do so).

When the user is the second entity using a common printer or terminal, the user's signature information and the secondary encryption may include the signature information of the printer or the common terminal and the encryption method.

Further, the primary encryption information on the server (or the creator) side may be widely distributed through a network, a CD-ROM, or the like without a request from the user based on contract information.

The signature information S of the user is not limited to information generated by the public key cryptosystem, but may be information (such as an encryption number) determined by the user in the contract information or the like.

In the United States, when using encryption of 40 bits or more, a key management station for managing encryption keys is required to prevent abuse of encryption. In such a case, the verification station 30 can also serve as the key management station. Therefore, when the verification station 30 manages the key of the secondary encryption in advance, if the verification station also monitors the unauthorized image, the verification station 30 alone performs the above-described verification processing 1) to 3). It can be carried out.
At this time, the primary encryption key of the server may be managed by the same verification authority, or may be managed by another different verification authority. The key of the server or the user may be generated and distributed by the key management station.

The number of agents is not limited to one, and a plurality of agents may be arranged in a hierarchy. In this case, the processing performed by the agency may be performed by a representative agency in the hierarchy, or the above-described protocol may be executed between the agencies to clarify their responsibilities.

After the request, the server (or the creator or the like) transmits the primary encryption data E1 of the original image data G.
(G) or E1 (G + M) is sent to the agency side, but data E1 (G) or E1 (G + M) may be sent to the agency side in advance.

[0168] In addition, the influence of the agency of a third-order encryption, but not remain in the image data G _W finally obtained, the user information U
Embedment after tertiary encryption, or embedment of signature information S after tertiary encryption, etc.
The effect of the tertiary encryption may be left.

Further, an object of the present invention is to provide a system or apparatus with a storage medium in which steps for realizing the functions of the host and the terminal according to the above-described first to third embodiments are stored as software program codes. Supply, computer (or CPU or MPU) of the system or device
Can also be achieved by reading and executing the program code stored in the storage medium. In this case, the program code itself read from the storage medium realizes the function of the above-described embodiment, and the storage medium storing the program code constitutes the present invention.

As storage media for supplying the program code, ROM, floppy disk, hard disk, optical disk, magneto-optical disk, CD-ROM, C
DR, a magnetic tape, a nonvolatile memory card, or the like can be used.

By executing the program code read by the computer, not only the functions of the first to third embodiments described above are realized, but also the computer executes the program code based on the instructions of the program code. It goes without saying that the operating OS or the like performs part or all of the actual processing, and the processing realizes the functions of the first to third embodiments.

Further, after the program code read from the storage medium is written into a memory provided in an expansion board inserted into the computer or a function expansion unit connected to the computer, based on the instruction of the program code, The CPU provided in the function expansion board or function expansion unit performs part or all of the actual processing,
It goes without saying that the processing may realize the functions of the above-described first to third embodiments.

[0173]

As described above, according to the present invention, the information about the third entity (user) can be embedded on the second entity (agent) side. In this case, the third entity cannot cheat. Further, the second entity embeds information (user information U, signature information S, etc.) related to the third entity, and the information is encrypted by only the first entity (server, author, etc.). (Primary encryption, first
The second entity is affected by the encryption (secondary encryption, the encryption in the second encryption unit) known only by the third entity, and the encryption by only the third entity. Cannot be embedded directly in the original data. Therefore, even in a hierarchically structured network, illegal distribution of data can be reliably prevented, and a secure system can be realized. Also,
User anonymity can be easily realized.

[Brief description of the drawings]

FIG. 1 is a block diagram showing a configuration of a system to which the present invention is applied in a first embodiment.

FIG. 2 is a flowchart illustrating a verification process in the system.

FIG. 3 is a block diagram showing a configuration of a system to which the present invention is applied in a second embodiment.

FIG. 4 is a block diagram showing a configuration of a system to which the present invention is applied in a third embodiment.

FIG. 5 is a diagram for explaining a general image format.

FIG. 6 is a diagram for explaining a structured image file (1).

FIG. 7 is a diagram for explaining a structured image file (2).

FIG. 8 is a diagram for explaining attributes describing a method of storing image data.

FIG. 9 is a diagram illustrating an example of an image file including a plurality of images having different resolutions.

FIG. 10 is a diagram for explaining an image of a layer of each resolution.

FIG. 11 is a diagram for explaining individual tile data of image data.

FIG. 12 is a diagram illustrating a conventional system using a digital watermark.

FIG. 13 is a diagram for explaining a system (1) using a conventional digital watermark in which the above system is improved.

FIG. 14 is a diagram for explaining a system (2) using a conventional digital watermark in which the above system is improved.

FIG. 15 is a diagram for explaining a conventional hierarchical system (a system including a server, an agency, and a user) using a digital watermark.

FIG. 16 is a diagram for explaining a conventional hierarchical system (a system including an author, an agency, and a user) using a digital watermark.

[Explanation of symbols]

 REFERENCE SIGNS LIST 100 System using digital watermark 10 Terminal device on server side 12 Digital watermark embedding processing unit 13 Primary encryption processing unit 14 Primary decryption processing unit 15 Confirmation processing unit 16 Hash generation processing unit 20 User terminal device 21 Contract Generation processing unit 24 Secondary encryption processing unit 26 Hash generation processing unit 27 Secondary decryption processing unit 28 Confirmation / signature processing unit 30 Verification station 40 Agent-side terminal device 41 Contract generation processing unit 42 Digital watermark embedding processing unit 43 Tertiary encryption processing unit 44 Hash generation processing unit 45 Confirmation processing unit 46 Tertiary decryption processing unit 47 Confirmation processing unit 48 Digital watermark embedding processing unit

Claims (22)

[Claims] 1. A first step in which a first entity performs a primary encryption process on original data, and a second entity performs at least one of a management process and a distribution process on the data after the primary encryption process. And a third step in which a third entity performs a secondary encryption process on the data after the digital watermark embedding process, and a third step in which the third entity performs a digital watermark embedding process. Digital watermarking scheme. 2. The method according to claim 1, wherein the first step includes:
2. The digital watermarking method according to claim 1, further comprising a step of performing a digital watermark embedding process at least before or after the next encryption process. 3. The digital watermark according to claim 1, wherein the second step includes a step of performing a tertiary encryption process at least before or after the digital watermark embedding process. method. 4. The method according to claim 1, further comprising the step of distributing the data subjected to the digital watermark embedding process under the influence of at least one of the primary encryption process and the secondary encryption process. Item 1. The digital watermarking method according to Item 1. 5. The digital watermarking method according to claim 1, further comprising a step of checking a signature of said third entity with an anonymous public key with a certificate by a certificate authority. 6. The digital watermarking method according to claim 1, wherein said second entity includes a plurality of entities. 7. The information which the second entity embeds in the digital watermark embedding process at least in the third entity.
2. The digital watermarking method according to claim 1, wherein the information is any one of information about an entity and information about data to be transmitted. 8. The method according to claim 1, wherein the first step includes:
A step of performing a digital watermark embedding process at least before or after the next encryption process, wherein the nth (n ≧ 1) entity embeds information embedded by the digital watermark embedding process into at least the (n + 1) th entity 2. The digital watermarking method according to claim 1, wherein the information is one of information on an entity and information on data to be transmitted. 9. The digital watermarking method according to claim 1, wherein the digital watermark embedding processing is processing that does not embed at least information on the second entity. 10. The digital watermarking method according to claim 1, wherein said original data is image data. 11. An electronic information distribution system for transmitting and receiving data on a network, including at least first to third entities, wherein the first entity performs a primary encryption process on original data. A first encryption processing unit, wherein the second entity performs a management / distribution processing unit that performs at least one of a management process and a distribution process on the data after the primary encryption process, and performs a digital watermark embedding process. Digital information embedding processing means, wherein the third entity is provided with secondary encryption processing means for performing secondary encryption processing on the data after the electronic watermark embedding processing. system. 12. The electronic apparatus according to claim 12, wherein the first entity further includes a digital watermark embedding unit that performs a digital watermark embedding process at least before or after the primary encryption process on the original data. The electronic information distribution system according to claim 11, wherein: 13. The method according to claim 13, wherein the second entity further includes a tertiary encryption processing unit that performs a tertiary encryption process at least before or after the digital watermark embedding process. Item 12. An electronic information distribution system according to Item 11. 14. At least the first encryption processing and the second encryption processing
12. The electronic information distribution system according to claim 11, further comprising a distribution unit that distributes the data on which the digital watermark embedding process has been performed under the influence of any of the following encryption processes. 15. The electronic information distribution system according to claim 11, further comprising a check unit that checks the signature of the third entity using an anonymous public key with a certificate by a certificate authority. 16. The electronic information distribution system according to claim 11, wherein said second entity includes a plurality of entities. 17. The information processing apparatus according to claim 11, wherein the information embedded by the second entity by the digital watermark embedding process is at least one of information on the third entity and information on data to be transmitted. Electronic information distribution system. 18. The electronic apparatus according to claim 18, wherein the first entity further comprises digital watermark embedding processing means for performing digital watermark embedding processing at least before or after the primary encryption processing on the original data. The digital watermark embedding processing means of the n (n ≧ 1) entity sets the information to be embedded by the digital watermark embedding process as at least one of information on the (n + 1) th entity and information on data to be transmitted. The electronic information distribution system according to claim 11, wherein an embedding process is performed. 19. The electronic information distribution system according to claim 11, wherein the digital watermark embedding processing unit performs the digital watermark embedding processing that does not embed at least information on the second entity. . 20. The electronic information distribution system according to claim 11, wherein said original data is image data. 21. An image file device for storing data generated in each step of the digital watermarking method according to claim 1. Description: 22. A storage medium wherein each step of the digital watermarking method according to any one of claims 1 to 10 is stored so as to be readable by a computer.