Hitherto, to prevent an illegal use such as exploitation, alteration, or the like of digital data, an encrypting technique for executing an encrypting process to the digital data which is transmitted has been put into practical use. FIG. 1 schematically shows a construction of an example of encrypting digital data. Original data before the encrypting process is executed is called a plain sentence (plain text). The plain text is encrypted by an encrypting block 400 and an encryption sentence (encryption data) is formed. The encryption of the encryption sentence is decrypted by a decrypting block 401 corresponding to the encrypting block 400 and the encryption sentence is returned to the original plain text.
As an encryption system which is used for the encrypting block 400, for example, an AES (Advanced Encryption Standard) and a DES (Data Encryption Standard) are typical systems. According to the AES and DES, the encryption of the plain text and the decryption of the encryption sentence are executed by using a non-open key called a secret key. For example, when the encrypting block 400 executes the encryption by the AES, the plain text inputted to the encrypting block 400 is encrypted by using a key 402 as a secret key. The encrypted encryption sentence is supplied to the decrypting block 401 through a transmission path, decrypted by using the same key 402 as that used upon encryption, and returned to the original plain text. Each of the AES and DES is a common key system using a common key in the encryption and decryption.
As a construction of the encrypting block 400 and the decrypting block 401, there is considered a construction using an encryptor 50 and a decryptor 51 according to the AES or DES as they are as an encrypting circuit and a decrypting circuit as shown in an example in FIGS. 2A and 2B. The construction of FIGS. 2A and 2B is called an ECB (Electronic Codebook mode) mode. In the construction of FIG. 2A, the encryptor 50 encrypts an inputted plain text Mi by using a key (K) by, for example, the AES and obtains an encryption sentence Ci. The encryption sentence Ci is inputted to the decryptor 51 and decrypted by using the key (K), so that the encryption sentence Ci is decrypted and the original plain text Mi is obtained (FIG. 2B).
In the construction of FIGS. 2A and 2B, when the same plain text is continuously inputted, the same values continue also in the encryption sentence which is outputted, so that the decryption of the key (K) based on the plain text and the encryption sentence becomes easy. Various methods are considered to solve such a problem.
FIGS. 3A and 3B show a construction for feeding back an output of the encryptor to an input and this construction is called a CBC mode (Cipher Block Chaining mode). In an encrypting circuit 60 shown in FIG. 3A, the plain text Mi is inputted to an encryptor 62 through an EXOR (exclusive OR) circuit 61 and encrypted by using the key (K). An output of the encryptor 62 is outputted as an encryption sentence Ci and, as an initial value IV, a predetermined delay of, for example, one word is given to it by a delay circuit 63. The delayed encryption sentence Ci is supplied to the EXOR circuit 61 and the exclusive OR with the plain text Mi is calculated. An output of the EXOR circuit 61 is inputted to the encryptor 62.
FIG. 3B shows the construction of a corresponding decrypting circuit 65. Upon decrypting, the encryption sentence Ci is inputted to a decryptor 66 and, as an initial value IV (initialization vector), a predetermined delay of, for example, one word is given to it by a delay circuit 67. The delayed encryption sentence Ci is supplied to an EXOR circuit 68. The encryption sentence Ci is encrypted by using the key (K) by the decryptor 66 and the exclusive OR with the initial value IV which has been delayed by the predetermined time is calculated by the EXOR circuit 68. The encryption sentence Ci is decrypted to the original plain text Mi and the original plain text Mi is outputted.
According to the construction shown in FIGS. 3A and 3B, by changing the initial value IV, even if the same key (K) is used, the different encryption sentences Ci are formed from the same plain text Mi. Since the encryption sentence Ci obtained by encrypting the plain text Mi is used as an initial value IV, even if the same plain text Mi is continuously inputted, the encryption sentence Ci encrypted by the encryptor 62 does not become the same sentence, so that an analysis of the encryption sentence becomes more difficult than that in the foregoing ECB mode.
FIGS. 4A and 4B show a construction in which a part of the generated encryption sentence Ci is fed back as an input of an encryptor and this construction is called a CFB mode (Cipher Feedback mode). In an encrypting circuit 70 shown in FIG. 4A, the plain text Mi inputted as j-bit data is supplied to an EXOR circuit 71 and the exclusive OR with j bits in an output of an encryptor 74 is calculated and the resultant sentence is outputted as an encryption sentence Ci. This output is supplied to a DR circuit 73 through a ξ circuit 72 for converting the number of bits from j bits to k bits. The DR circuit 73 has a shift register, by which the inputted data of k bits is shifted in input order, thereby generating data Xi of, for example, 128 bits. The data Xi is supplied to the encryptor 74 and encrypted by using the key (K), and data Yi of 128 bits is derived. The data Yi is a pseudo random number train. By calculating the exclusive OR of the data Yi and the plain text Mi which is inputted, the encryption sentence Ci is formed.
FIG. 4B shows the construction of a corresponding decrypting circuit 75. The encryption sentence Ci inputted as j-bit data is converted into the k-bit data by a (circuit 76, supplied to a DR circuit 78, and also supplied to an EXOR circuit 77. The DR circuit 78 has a shift register, by which the data Xi of, for example, 128 bits is formed from the supplied k-bit data. The data Xi is supplied to en encryptor 79. The data Xi is encrypted by the encryptor 79 by using the key (K) and becomes the data Yi of 128 bits. The data Yi is a pseudo random number train. By calculating the exclusive OR of the data Yi and the inputted encryption sentence Ci, the encryption sentence Ci is decrypted to the original plain text Mi.
According to the CFB mode, since the inputted plain text Mi or the encryption sentence Ci is inputted to the shift register and inputted to the encryptor, thereby generating the pseudo random number train, the CFB mode is suitable for encryption of stream data in which the plain text Mi is continuously inputted. On the other hand, there is such a drawback that if an error occurs in the encryption data outputted from the encrypting circuit 75, for example, by a transmitting system or the like, the circuit cannot be recovered from the error until the data is circulated in the shift register (DR circuit).
FIGS. 5A and 5B show a construction in which only an output of an encryptor is fed back to thereby generate pseudo random numbers and this construction is called an OFB mode (Output Feedback mode). In an encrypting circuit 80 shown in FIG. 5A, an output of an encryptor 83 itself is inputted to the encryptor 83 through a DR circuit 82 having a shift register and encrypted by using the key (K). The data Yi outputted from the encryptor 83 is a pseudo random number train. Only j bits in the data Yi are supplied to an EXOR 81 circuit and by calculating the exclusive OR of the data Yi and the plain text Mi which is inputted as j-bit data, the plain text Mi becomes the encryption sentence Ci and is outputted.
FIG. 5B shows the construction of a corresponding decrypting circuit 85. In the OFB mode, the decrypting circuit 85 has substantially the same construction as that of the encrypting circuit 80. That is, the encryption sentence Ci of j bits is inputted to an EXOR circuit 86. On the other hand, an output of an encryptor 88 itself is inputted to the encryptor 88 through a DR circuit 87 having a shift register and encrypted by using the key (K). The data Yi outputted from the encryptor 88 is a pseudo random number train. Only j bits in the data Yi are supplied to the EXOR circuit 86 and by calculating the exclusive OR of the data Yi and the inputted encryption sentence Ci, the encryption sentence Ci is decrypted to the plain text Mi.
According to the OFB mode, since the feedback is completed in the encrypting circuit 80 and the decrypting circuit 85, there is such an advantage that the data is not influenced by the transmitting system error or the like.
FIGS. 6A and 6B show a construction in which an output of a counter is sequentially counted up and given to an input of the encryptor and this construction is called a counter mode. That is, in the counter mode the output of the counter is encrypted and used. In an encrypting circuit 90 shown in FIG. 6A, a count value Xi which has sequentially been counted up by a counter 92 of a 128-bit output is inputted to an encryptor 93 and encrypted by using the key (K). The data Yi outputted from the encryptor 93 is a pseudo random number train. Only j bits in the data Yi are supplied to an EXOR circuit 91 and by calculating the exclusive OR of the data Yi and the plain text Mi inputted as j-bit data, the encryption sentence Ci is formed.
FIG. 6B shows a construction of a corresponding decrypting circuit 95. In the counter mode, the decrypting circuit 95 has substantially the same construction as that of the encrypting circuit 90. That is, the count value Xi which has sequentially been counted up by a counter 97 is inputted to an encryptor 98 and encrypted by using the key (K). The data Yi outputted from the encryptor 98 is a pseudo random number train. Only j bits in the data Yi are supplied to an EXOR circuit 96 and by calculating the exclusive OR of the data Yi and the encryption sentence Ci inputted as j-bit data, the encryption sentence Ci is decrypted to the plain text Mi.
As mentioned above, in the CFB mode, OFB mode, and counter mode, the encryption sentence Ci is decrypted by calculating the exclusive OR of the same pseudo random numbers as those used for the encryption and the encryption sentence Ci. The various encrypting systems as mentioned above have been disclosed in Document “Foundation of Encryption Theory” (author: Douglas R. Stinson, translated by Koichi Sakurai, published by Kyoritsu Shuppan Co., Ltd., issued in 1996).
In recent years, for example, a digital cinema system in which video data accumulated in a video server is reproduced and projected onto a screen to thereby play a movie in a movie theater or the like has been proposed. According to such a system, for example, video data distributed through a network or video data recorded in a recording medium such as an optical disk or the like of a large capacity is supplied to the video server. The video data is transmitted from the video server to a projector through, for example, a coaxial cable, and a video image based on the video data is projected onto the screen by the projector.
The video data is transmitted as serial digital data from the video server to the projector by a transmitting format according to, for example, an HD-SDI (High Definition-Serial Data Interface). This video data is transmitted as video data of a base band and its transmission rate is set to, for example, about 1.5 Gbps (Giga bits per second).
At this time, to prevent the exploitation of the video data, the video data which is outputted from the video server is encrypted and the encrypted video data is outputted to, for example, the coaxial cable and transmitted to the projector. In this instance, if there is no restriction in codes which are transmitted in the format of the HD-SDI, an encrypting/decrypting system of the HD-SDI can be realized by using each of the foregoing encrypting systems. That is, an encrypting circuit is provided for the video server side and the video data which is outputted is encrypted. A decrypting circuit corresponding to the encrypting circuit of the video server is provided for the projector side. The video data encrypted by the video server is transmitted to the projector in the format of the HD-SDI through the coaxial cable, the encryption is decrypted by the decrypting circuit of the projector, and the decrypted data is returned to the video data of the base band.
However, actually, inhibition codes for word synchronization have been defined in the foregoing HD-SDI. Therefore, a system for making the encryption without generating any inhibition code has already been filed by the applicant of the present invention as Japanese Patent Application No. 2002-135039. As related applications of such an application, Japanese Patent Application Nos. 2002-135079, 2002-135092, 2002-173523, and 2002-349373 have already been filed.
Further, in recent years, the standardization regarding the encryption/decryption of the video data in the HD-SDI has been progressed. It has been proposed that the counter mode described with reference to FIGS. 6A and 6B is used as an encrypting system. According to such a proposition, the data of 128 bits as an encryption unit is divided and used and the following three kinds of counters are applied to the divided bits, respectively.                (1) Clock counter which is counted up every clock of the encryptor        (2) Line counter which is counted up every line of the video data        (3) Frame counter which is counted up every frame of the video data        
Among those three kinds of counters, the clock counter of (1) is reset each time the line is updated. The line counter of (2) is reset each time the frame is updated. The frame counter of (3) is reset only once when one program according to the video data is started. By combining and using a plurality of counters whose counting periods are different and whose reset timing are different as mentioned above, even if pull-out, data dropout, or the like occurs in the transmitting system of the data, for example, an amount of data which is lost, that is, the data which cannot be decrypted can be set to the data of one line at most.
Even if the resetting by the clock counter of (1) or the line counter of (2) is executed, since the value of the frame counter of (3) is sequentially updated, there is also such an advantage that the same pseudo random number train is not repeated.
An exploiting method of the video data in the above digital cinema system will now be considered. FIG. 7 schematically shows a system of an example for realizing the exploitation of the video data. The video data is reproduced and encrypted by a video server 250 and sent as encryption data to a coaxial cable 251. As an encrypting system, in consideration of reconstructing performance for the error of the transmitting system, the method of resetting the counters every line of the video data, every frame, and at the head of the program is used in the foregoing counter mode. On a projector 254 side, inherently, the data which is sent through the coaxial cable 251 connected to the projector 254 is received, the encryption is decrypted to thereby form the video data of the base band, and this video data is displayed on a screen 255.
The exploiter of the video data prepares a data exploitation recording/exchanging apparatus 252, a video camera 256, and a video data recording apparatus 257. The data exploitation recording/exchanging apparatus 252 is inserted between the video server 250 and the projector 254. For example, as shown in FIG. 7, the coaxial cable 251 to connect the video server 250 and the projector 254 is connected to the data exploitation recording/exchanging apparatus 252 and an output of the data exploitation recording/exchanging apparatus 252 is sent to the projector 254 by a coaxial cable 253. The video camera 256 is arranged so that it can photograph a video image projected onto the screen 255. The video image photographed by the video camera 256 is supplied to the video data recording apparatus 257 and recorded onto a recording medium such as optical disk, magnetic tape, or the like.
In such a construction, the exploiter records the encryption data which is outputted from the video server 250 and in which the video data has been encrypted and meta data accompanied to the video data by the data exploitation recording/exchanging apparatus 252. In place of the encryption data supplied from the video server 250, the data exploitation recording/exchanging apparatus 252 outputs predetermined data which has been prepared together with the meta data which has been accompanied to the encryption data and supplied from the video server 250. At this time, the meta data is not modified. The predetermined data which has been prepared by the data exploitation recording/exchanging apparatus 252 is a fixed value to display, for example, a full black display image. That is, the video data outputted from the video server 250 is altered to the predetermined data by the data exploitation recording/exchanging apparatus 252 and outputted.
The predetermined data and the meta data outputted from the data exploitation recording/exchanging apparatus 252 are supplied to the projector 254. The supplied predetermined data is decrypted in the projector 254. That is, if the predetermined data is fixed data to display the full black image, the exclusive OR of the predetermined data and the pseudo random numbers in the decrypting circuit is calculated. The video data obtained by calculating the exclusive OR of the predetermined data and the pseudo random numbers is projected onto the screen 255.
As mentioned above, since the video image which is projected onto the screen 255 is based on, for example, the data in which the pseudo random numbers by the encrypting circuit are made to act on the predetermined data as a fixed value, an obtained picture quite differs from the original video data outputted from the video server 250 and becomes a video image which is merely seen as noises. The exploiter photographs the video image according to the foregoing predetermined data projected onto the screen 255 by the video camera 256 and records it by the video data recording apparatus 257. The original video data of the encryption data can be reconstructed on the basis of the encryption data recorded by the data exploitation recording/exchanging apparatus 252 and the video data recorded by the video data recording apparatus 257.
That is, there is such a problem that if projecting performance of the projector 254 and photographing performance of the video camera 256 are ideal, by calculating the exclusive OR of the encryption data and the video data, the original video data of the encryption data can be reconstructed.
Actually, since the projector 254 and the video camera 256 having the ideal performance do not exist, the original video data cannot be accurately reconstructed even by the above method. However, even if imperfect data is used, by executing the above calculation, the original video data can be reconstructed at a high probability.
For example, as a nature of the video data, it has been known that there is a high correlation between a certain pixel and a pixel adjacent thereto. In the situation as mentioned above, a value of the pixel which could not be accurately reconstructed can be obtained by using the correlation of the adjacent image. Thus, the pseudo random numbers at the time when the pixel (video data) is encrypted can be narrowed down. There is, consequently, such a problem that a large clue to decode the key (K) upon encryption of the video data is got by the exploiter.
By using the data which has been altered to the predetermined data by the exploiter in place of the video data which is outputted from the video server 250 as mentioned above, the encryption of the video data encrypted by the video server 250 can be easily decoded.