1. Field of the Invention
The present invention relates to an electronic watermarking method, an electronic information distribution system, an image filing apparatus, and a storage medium on which the steps for performing the electronic watermarking method are stored so that they can be read by a computer. In particular, the present invention pertains to an electronic watermarking method for protecting copyrights for digital information, such as moving image data, static image data, audio data, computer data and computer programs, an electronic information distribution system, such as a multimedia network system, for distributing digital information by using the electronic watermarking method, an image filing apparatus that employs the electronic watermarking method, and a storage medium on which steps for performing the electronic watermarking method are stored so that they can be read by a computer.
2. Related Background Art
As a consequence of recent developments concerning computer networks and the availability of inexpensive high-performance computers, electronic transactions for trading in products across a network have become popular. Products for such transactions can be digital data, to include pictures, for example.
However, since a large number of complete copies of digital data can easily be prepared, a user who purchases digital data would be able to illegally prepare copies having the same quality as the original, and could then distribute the copied data. As a result, a warrantable price would not be paid to the owner of the copyright for the digital data or to a person (hereinafter referred to as a “seller”) by whom sale of the digital data is authorized by the copyright owner, and an infringement of the copyright would occur.
Once a copyright holder or a seller (hereinafter a person who legally distributes digital data is generally called a “server”) has transmitted digital data to a user, full protection against the illegal copying of the data is not possible.
Therefore, an electronic watermark technique has been proposed for use instead of a method for the direct prevention of illegal copying. According to the electronic watermark technique, a specific process is performed for the original digital data and copyright information concerning the digital data, or user information, is embedded in the digital data. Thus, when an illegal copy of the digital data is discovered, the person who distributed the copied data can be identified.
In a conventional electronic watermark system, a server is assumed to be fully trustworthy. Therefore, if a server in a conventional system is not trustworthy and should engage in some sort of illegal distribution activity, a user who has committed no crime could be falsely accused of illegally copying data.
This occurs because in a conventional electronic watermark system, as is shown in FIG. 1, when a server embeds user information d1 for identifying a user in digital data g (in the following explanation image data are employed as the digital data), which is distributed to the user, and thereafter, without the permission of the user, makes a further distribution of the data containing the user's identification data, there is no way the user can refute an accusation by the server, even though in this instance it is the server that performed an illegal act.
As a countermeasure, a system (FIG. 2) using a public key encryption method has been proposed.
According to the public key encryption method, an encryption key and a decryption key differ, with the encryption key being used as a public key while the decryption key is used as a secret key. RSA encryption and ElGamal encryption are typical, well-known public key encryption system examples.
An explanation will be given for (a) features of a public key encryption system and (b) protocols for secret communications and authenticated communications.
(a) Features of Public Key Encryption
(1) Since an encryption key and a decryption key differ, and since the encryption key can be published, a secret delivery process is not required for the encryption key and its distribution is easy.
(2) Since the encryption keys of users are published, users need only provide for the secret storage of their decryption keys.
(3) An authentication function can be provided with which a recipient can verify that the sender of a message is not perpetrating a fraud and that the received message has not been altered.
(b) Protocols for Public Key Encryption
For example, when E (kp, M) denotes an encryption operation for a message M that uses a public encryption key kp, and D (ks, M) denotes a decryption operation for a message M that uses a secret decryption key ks, the public key encryption algorithm satisfies the following two conditions.
(1) The calculations for the encryption E (kp, M) can be performed easily using the encryption key kp that is provided, and the calculations for the decryption D (ks, M) can also be performed easily using the decryption key ks that is provided.
(2) So long as a user does not know the decryption key ks, even if the user knows the encryption key kp and the calculation procedures for the encryption of E (kp, M), and that the encrypted message C=E (kp, M), the user can not ascertain what is contained in the message M because a large number of calculations are required.
When, in addition to the conditions (1) and (2), the following condition (3) is established, the secret communication function can be implemented.
(3) The encryption E (kp, M) can be defined for all the messages (plain text) M, and
D(ks, E(kp, M))=M
is established. That is, anyone can perform the calculations for the encryption E (kp, M) using the public encryption key kp, but only a user who has the secret decryption key ks can perform the calculations for the decryption process D (ks, E (kp, M)) to obtain the contents of message M.
When, in addition to the above conditions (1) and (2), the following condition (4) is established the authenticated communication function can be implemented.
(4) The decryption process D (ks, M) can be defined for all the (plain text) messages M, and
E(kp, D(ks, M))=M
is established. That is, only a user who has the secret decryption key ks can perform the calculations for the decryption process D (ks, M). Even if another user attempts to calculate D (ks′, M) using a bogus secret decryption key ks′, and performs the calculations as would a user who has the secret decryption key ks, the result obtained is
E(kp, D(ks′, M))≠M,
and a recipient would understand that the received information was illegally prepared.
When the value D (ks, M) is altered, the result obtained is
E(kp, D(ks, M)′)≠M,
and a recipient would understand that the received information was illegally prepared.
In the above described encryption method, operation E ( ), for which the public encryption key (hereinafter also referred to as a public key) kp is used, is called “encryption,” and operation D ( ), for which the secret decryption key (hereinafter also referred to as a secret key) ks is used, is called “decryption.”
Therefore, for a secret communication a sender performs the encryption and a recipient performs the decryption, while for an authenticated communication, a sender performs the decryption and a recipient performs the encryption.
The protocols shown below are for a secret communication, an authenticated communication, and a secret communication for a recipient B bearing a signature affixed by a sender A using the public key encryption system.
The secret key of the sender A is ksA and the public key is kpA, and the secret key of the recipient B is ksB and the public key is kpB.
[Secret Communication]
The following procedures are performed for the secret transmission of a (plain text) message M by the sender A to the recipient B.
Step 1: The sender A transmits to the recipient B a message C that is obtained by employing the public key kpB of the recipient B to encrypt the message M as follows:
C=E(kpB, M).
Step 2: To obtain the original plain text message M, the recipient employs his or her secret key ksB to decrypt the received message C as follows:
M=D(ksB, C).
Since the public key kpB of the recipient B is openly available to many, unspecified people, users other than the sender A can also transmit secret communications to the recipient B.
[Authenticated Communication]
For the authenticated transmission of a (plain text) message M by the sender A to the recipient B, the following procedures are performed.
Step 1: The sender A transmits to the recipient B a message S that he or she created by employing his or her secret key as follows:
S=D(ksA, M).
This message S is called a signed message, and the operation employed to prepare the signed message S is called “signing.”
Step 2: To obtain the original plain text message M, the recipient B employs the public key kpA of the sender A to convert the signed message S as follows:
M=E(kpA, S).
If the recipient B ascertains that the message M makes sense, he or she verifies that the message M was transmitted by the sender A. And since the public key kpA of the sender A is available to many, unspecified persons, users other than the recipient B can also authenticate the signed message S transmitted by the sender A. This authentication is called “digital signing.”
[Secret Communication with Signature]
The following procedures are performed for the secret transmission to the recipient B by the sender A of a (plain text) message M for which a signature has been provided.
Step 1: The sender A prepares a signed message S by employing his or her secret key ksA to sign the message M as follows:
S=D(ksA, M).
Thereafter, to prepare an encrypted message C that is subsequently transmitted to the recipient B, the sender A employs the public key kpB of the recipient B to encrypt the signed message S as follows:
C=E(kpB, S).
Step 2: To obtain the signed message S the recipient B employs his or her secret key ksB to decrypt the encrypted message C as follows:
S=D(ksB, C).
And then, to obtain the original plain text message M, the recipient B employs the public key kpA of the sender A to convert the signed message S as follows:
M=E(kpA, S).
When the recipient has ascertained that the message M makes sense, he or she verifies that the message M was transmitted by the sender A.
For a secret communication for which a signature has been provided, the order in which the calculating functions are performed at the individual steps may be inverted. In other words, in the above procedures,
Step 1: C=E (kpB, D (ksA, M))
Step 2: M=E (kpA, D (ksB, C))
are performed in this order. However, for such a secret communication, the following order may be employed:
Step 1: C=D (ksA, E (kpB, M))
Step 2: M=D (ksB, E (kpA, C)).
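The three protocols above, worked through with textbook RSA as an added example that is not part of the original text; it goes one step beyond the text by showing that each order of operations only works when the inner result fits the modulus of the key applied next. The primes, the helper names other than E and D, and the values 1234 and 5000 are constructed assumptions, and the keys are far too small for real use.

```python
# Added illustration (not from the patent): textbook RSA in the roles of
# E(kp, M) and D(ks, M). Tiny constructed primes, no padding, no hashing;
# this follows the algebra only. Requires Python 3.8+ for pow(e, -1, phi).
from math import gcd

def make_keypair(p, q, e=17):
    """Return (kp, ks) = ((e, n), (d, n)) for two primes p and q."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be invertible modulo phi(n)")
    return (e, n), (pow(e, -1, phi), n)

def _apply(key, m):
    exponent, n = key
    if not 0 <= m < n:
        # Without this check pow() would silently reduce m modulo n and the
        # round trip would return a different value.
        raise ValueError("operand does not fit this key's modulus")
    return pow(m, exponent, n)

def E(kp, m):
    return _apply(kp, m)

def D(ks, m):
    return _apply(ks, m)

kpA, ksA = make_keypair(61, 53)   # sender A,    n = 3233
kpB, ksB = make_keypair(89, 97)   # recipient B, n = 8633

def secret_communication(m):
    c = E(kpB, m)                 # Step 1: C = E(kpB, M)
    return D(ksB, c)              # Step 2: M = D(ksB, C)

def authenticated_communication(m):
    s = D(ksA, m)                 # Step 1: S = D(ksA, M)
    return s, E(kpA, s)           # Step 2: M = E(kpA, S)

def forged_with_bogus_key(m):
    ks_bogus = (ksA[0] + 1, ksA[1])        # ks': a wrong guess at A's exponent
    return E(kpA, D(ks_bogus, m))          # E(kp, D(ks', M)) != M

def altered_signature(m):
    s = D(ksA, m)
    return E(kpA, (s + 1) % kpA[1])        # E(kp, D(ks, M)') != M

def sign_then_encrypt(m, kp_s, ks_s, kp_r, ks_r):
    c = E(kp_r, D(ks_s, m))       # Step 1: C = E(kpB, D(ksA, M))
    return E(kp_s, D(ks_r, c))    # Step 2: M = E(kpA, D(ksB, C))

def encrypt_then_sign(m, kp_s, ks_s, kp_r, ks_r):
    c = D(ks_s, E(kp_r, m))       # Step 1: C = D(ksA, E(kpB, M))
    return D(ks_r, E(kp_s, c))    # Step 2: M = D(ksB, E(kpA, C))

def inverted_order_overflow():
    """A -> B in the inverted order: E(kpB, M) can exceed A's smaller modulus."""
    m = D(ksB, 5000)              # constructed so that E(kpB, m) == 5000 > 3233
    try:
        encrypt_then_sign(m, kpA, ksA, kpB, ksB)
    except ValueError:
        return True               # D(ksA, 5000) is rejected
    return False

if __name__ == "__main__":
    M = 1234
    print("secret:", secret_communication(M))
    print("authenticated:", authenticated_communication(M))
    print("bogus key gives:", forged_with_bogus_key(M))
    print("altered S gives:", altered_signature(M))
    print("A->B sign then encrypt:", sign_then_encrypt(M, kpA, ksA, kpB, ksB))
    print("B->A encrypt then sign:", encrypt_then_sign(M, kpB, ksB, kpA, ksA))
    print("A->B encrypt then sign overflows:", inverted_order_overflow())
```

Because textbook RSA maps every value to some value, the recipient's check that M "makes sense" is the only thing separating a valid signed message from a forged one here.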
An explanation will now be given for the operating procedures for a conventional electronic watermark system employing the above described public key encryption method.
1) First, a contract d2 concerning the exchange of image data g is prepared by a server and a user.
2) Next, the user generates a random number ID to identify himself or herself, and employs this ID to generate a unidirectional function f.
The unidirectional function is one that when used for a function y=f(x), calculating y from x is easy, but calculating x from y is difficult. For example, a unique factorization or a discrete logarithm for an integer having a number of digits is frequently employed as a unidirectional function.
3) Then, the user prepares signature information d3 using his or her secret key ksU, and transmits it with the contract d2 and the unidirectional function f to the server.
4) Following this, the server verifies the signature information d3 and the contract d2 using the public key kpU of the user.
5) After the verification has been completed, the server embeds in the image data g a current data distribution record d4 and the random number ID prepared by the user, and generates image data which includes an electronic watermark (g+d4+ID).
6) Finally, the server transmits to the user the image data that includes the electronic watermark (g+d4+ID).
When an illegal copy of data is found, embedded information is extracted from the illegal image data, and a specific user is identified using the ID included therein. At this time, a claim by the server that it did not distribute the illegal copy without permission is based on the following grounds.
Since the ID used to specify a user is generated by the user, and since by using that ID the signature of the user is provided for the unidirectional function f, the server can not generate such an ID for an arbitrary user.
However, since a user who has officially concluded a contract with the server must transmit his or her ID to the server, only users who have not made contracts with the server can not be accused of committing a crime, whereas a user who has officially concluded a contract can be so accused.
Therefore, a system (FIG. 3) has been proposed for neutralizing an accusation that a crime has been committed by a user who has officially concluded a contract.
This system is implemented by dividing the server into an original image server and an embedding server. According to this system, the embedded electronic watermark is not destroyed during encryption and decryption.
The operating procedures for the system in FIG. 3 will now be described.
1) First, to obtain desired image data a user issues a request bearing his or her signature d5 to an original image server.
2) The original image server employs the user's signature d5 to verify the contents of the request, and subsequently encrypts the requested image data g and transmits the encrypted data to an embedding server.
At this time, the original image server transmits to the embedding server the image data g accompanied by a signature for a user name u and for consignment contents d6. The original image server also transmits to the user a decryption function f′ that is related to the encryption.
3) The embedding server verifies the received encrypted image data g′ and the signature (u+d6), employs the user name u and the consignment contents d6 to prepare and embed user information d7 for specifically identifying a user, and thereby creates encrypted data (g′+d7) having an electronic watermark. Then, the embedding server transmits to the user the encrypted image data (g′+d7) that includes the electronic watermark.
4) The user employs the decryption function f′, which was received from the original image server, to decrypt the encrypted image data that includes an electronic watermark, (g′+d7), and to obtain the image data provided with the electronic watermark, (g+d7).
When an illegal copy is found later, the original image server encrypts the illegal image data and extracts the embedded information, and transmits it to the embedding server. The embedding server specifically identifies a user from the embedded information.
In this system, since an original image server does not embed in the image data g the user information d7 specifically identifying a user, and since the embedding server does not know the decryption function f (and can not retrieve the original image), the individual server can not illegally distribute to officially contracted servers image data in which is embedded the user information d7.
However, neither the collusion of the original image server and the embedding server, nor the collusion of the embedding server and a user is taken into account in the system in FIG. 3. Since the embedding server holds the encrypted image data g′ for the image data g, which are the original image data, and the user holds the decryption function f′, when the original image server is in collusion with the embedding server, the servers, as in the system in FIG. 2, can perform an illegal act. And when the embedding server is in collusion with the user, the original image (image data g) can be illegally obtained.
The original image server transmits the decryption function f′ to the user; however, if the user does not provide adequate management control for the decryption function f′, the carelessness of the user will result in the embedding server obtaining knowledge of the decryption function f′, even though the embedding server is not in collusion with the user.
Furthermore, in the system in FIG. 3 the original image server does not include embedding means, nor can it correctly perform embedding. However, since the embedded information is extracted by the original image server, the original image server could correctly perform the embedding by analyzing the embedded information.
For this reason, since the embedding server does not embed its own signature, the correspondence between the embedded information and the user information constitutes the only embedding server secret. However, the correspondence between the embedded information and the user information is not a random correspondence involving the use of a database. If the embedded information is prepared from the user information according to specific rules, there is a good probability that analysis of the embedded information will be possible.
In this case, as in the system in FIG. 2, the performance of an illegal act is possible.
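The FIG. 3 flow and the weaknesses just described, as an added example that is not part of the original text: it shows the watermark surviving decryption, the embedding server and user jointly recovering g, and the original image server reproducing a user's marked copy from the information it extracts. The per-pixel additive mask standing in for the unspecified encryption, the hash rule that derives d7, and all names, keys and pixel values are constructed assumptions.

```python
# Added illustration (not from the patent): the FIG. 3 flow with a per-pixel
# additive mask (mod 256) standing in for the unspecified encryption.
# Every name, key and pixel value below is constructed for the example.
import hashlib
import random

N = 64                                       # pixels in the toy image
G = [(7 * i + 3) % 256 for i in range(N)]    # constructed original image data g
KEY = "original-image-server-secret"         # constructed encryption key
CONTRACTS = [("alice", "order-001"), ("bob", "order-002")]   # (u, d6) pairs

def _mask(key):
    rng = random.Random(key)                 # deterministic mask for a given key
    return [rng.randrange(256) for _ in range(N)]

def encrypt(data, key):                      # g -> g'
    return [(p + k) % 256 for p, k in zip(data, _mask(key))]

def decrypt(data, key):                      # the decryption function f'
    return [(p - k) % 256 for p, k in zip(data, _mask(key))]

def user_info(u, d6):
    """d7: derived from user name u and consignment contents d6 by a fixed rule."""
    digest = hashlib.sha256(f"{u}|{d6}".encode()).digest()
    bits = [(digest[i // 8] >> (i % 8)) & 1 for i in range(N)]
    return [1 if b else 255 for b in bits]   # +1 or -1 (mod 256) per pixel

def embed(data, d7):
    return [(p + w) % 256 for p, w in zip(data, d7)]

def extract(suspect, key):
    # As in the text: the original image server encrypts the suspect data and
    # compares it with g' to obtain the embedded information.
    g_enc = encrypt(G, key)
    return [(s - p) % 256 for s, p in zip(encrypt(suspect, key), g_enc)]

def identify(embedded, contracts):
    # Embedding server: map embedded information back to a user.
    for u, d6 in contracts:
        if user_info(u, d6) == embedded:
            return u
    return None

def normal_flow(u, d6):
    g_enc = encrypt(G, KEY)                       # original image server: g'
    g_enc_wm = embed(g_enc, user_info(u, d6))     # embedding server: g' + d7
    return decrypt(g_enc_wm, KEY)                 # user applies f': g + d7

def collusion_embedding_server_and_user():
    g_enc = encrypt(G, KEY)      # held by the embedding server
    return decrypt(g_enc, KEY)   # user's f' applied to g' yields unmarked g

def original_server_reembeds(leaked_copy):
    # The original image server sees d7 when it extracts it, so it can embed
    # the same information in g without the embedding server.
    d7 = extract(leaked_copy, KEY)
    return embed(G, d7)

if __name__ == "__main__":
    copy = normal_flow("alice", "order-001")
    print("identified:", identify(extract(copy, KEY), CONTRACTS))
    print("collusion yields g:", collusion_embedding_server_and_user() == G)
    print("server can reproduce copy:", original_server_reembeds(copy) == copy)
```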
Furthermore, as is described above, while a system comprising a user and a server has been proposed, though still incomplete, the security available with a system wherein servers are provided hierarchically is not guaranteed.
The reason is as follows. For example, for a system (hierarchical network 1) shown in FIG. 4 wherein a plurality of sales agencies 1 to m are located under a server, and users 11 to 1n and users m1 to mn are located under the individual sales agencies, or for a system (hierarchical network 2) shown in FIG. 5 wherein one of a plurality of authors 1 to m requests that a sales agency that represents him or her sell his or her image data and the sales agency sells image data authored by the pertinent author to many users 1 to n, the participating constituents associated with the trade in data increase from a server and a user, to a server (or an author), an agency and a user, so that the collusion that may occur in the system wherein there are three participating constituents is more complex than is that in the system wherein there are two participating constituents.
The system shown in FIG. 3 could be regarded as a system comprising a server, an agency and a user. However, the conventional system is not based on a hierarchical system, and servers are provided separately in order to prevent an illegal act that may be performed by a single server. As is described above, that collusion may occur is not taken into account.
In order to resolve the above shortcomings, it is one objective of the present invention to provide an electronic watermarking method that accurately prevents the illegal distribution of data, even if components that perform the trading of data are arranged hierarchically, an electronic information distribution system, an image filing apparatus, and a storage medium.
To achieve the above objective, according to one aspect of the present invention, an electronic watermarking method comprises:
a first step at which a first entity performs a first encryption process for the original data;
a second step at which a second entity, at the least, either manages or distributes the data that are provided by the first encryption and embeds an electronic watermark in the data; and
a third step at which a third entity performs a second encryption process for the data in which the electronic watermark has been embedded.
According to one more aspect of the present invention, an electronic information distribution system that exchanges data across a network at the least comprises:
a first entity, including first encryption means, for performing a first encryption process for the original data;
a second entity, including management distribution means for, at the least, either managing or distributing the data that are provided by the first encryption process, and including electronic watermark embedding means for embedding an electronic watermark in the data; and
a third entity, including second encryption means for performing a second encryption of the data in which an electronic watermark is embedded.
According to another aspect of the present invention, an electronic watermarking method comprises the steps of:
employing a plurality of means or entities to perform distributed processing for the encryption and for the embedding of an electronic watermark; and
employing additional means or entities to examine the legality of, at the least, either the encryption processing or the processing for embedding an electronic watermark that is performed by the plurality of means or entities.
These means or entities may, at the least, consist of three types of means or of entities.
According to an additional aspect of the present invention, an electronic information distribution system, which exchanges digital data across a network system constituted by a plurality of entities, comprises:
a first entity, including first data encryption means;
a second entity, including electronic watermark embedding means, for managing and distributing data received from the first entity;
a third entity, including second encryption means, for employing data in which an electronic watermark has been embedded; and
a fourth entity for examining the legality of, at the least, either the encryption processing or the electronic watermark embedding process performed by the first to the third entities.
According to a further aspect of the present invention, an electronic information distribution system, which exchanges digital data across a network system constituted by a plurality of entities, comprises:
a first entity, including first data encryption means;
a second entity, including electronic watermark embedding means, for managing and distributing data received from the first entity;
a third entity, including electronic watermark embedding means and second encryption means, for employing data in which an electronic watermark has been embedded; and
a fourth entity for examining the legality of, at the least, either the encryption processing or the electronic watermark embedding process performed by the first to the third entities.
According to one further aspect of the present invention, an electronic information distribution system, which exchanges digital data across a network system constituted by a plurality of entities, comprises:
a first entity, including electronic watermark embedding means and first data encryption means;
a second entity, including electronic watermark embedding means, for managing and distributing data received from the first entity;
a third entity, including second encryption means, for employing data in which an electronic watermark has been embedded; and
a fourth entity for examining the legality of, at the least, either the encryption processing or the electronic watermark embedding process performed by the first to the third entities.
According to yet one more aspect of the present invention, an electronic information distribution system, which exchanges digital data across a network system constituted by a plurality of entities, comprises:
a first entity, including electronic watermark embedding means and first data encryption means;
a second entity, including, at the least, one of electronic watermark embedding means, a first encryption means and a second encryption means, for managing and distributing data received from the first entity;
a third entity, including electronic watermark embedding means and second encryption means, for employing data in which an electronic watermark has been embedded; and
a fourth entity for examining the legality of, at the least, either the encryption processing or the electronic watermark embedding process performed by the first to the third entities.
According to yet another aspect of the present invention, an electronic watermark superimposition method comprises the steps of:
encrypting electronic information and exchanging the resultant electronic information;
embedding electronic watermark information in the electronic watermark during the encryption process; and
repeating a plurality of times the processing for transmitting the electronic information accompanying an electronic watermark,
whereby the electronic information on which the electronic watermark information is superimposed is transmitted by a first entity and delivered via a second entity to a third entity.
According to yet an additional aspect of the present invention, an electronic information distribution system comprises:
a first entity in which original electronic information is held, including encryption means for encrypting the original electronic information and embedding means for embedding an electronic watermark in the electronic information provided by the encryption process;
a second entity, including encryption means for managing and distributing electronic information received from the first entity and for encrypting the electronic information, and including embedding means for embedding electronic watermark information in the electronic information; and
a third entity, including encryption means for encrypting electronic information received from the second entity, for employing the resultant electronic information.
According to yet a further aspect of the present invention, provided is an electronic watermark superimposition method, whereby, for the transmission of electronic information to a reception entity by a transmission entity, the transmission entity repeats the electronic watermark processing performed for electronic information that has been encrypted by the reception entity, so that electronic information on which an electronic watermark has been superimposed is, at the least, transmitted by a first entity via a second entity to a third entity.
According to yet one further aspect of the present invention, an electronic watermark superimposition method comprises the steps of:
a transmission entity performing a first encryption process for electronic information;
a reception entity performing for the resultant electronic information a second encryption process that differs from the first encryption process, and returning the obtained electronic information to the transmission entity; and
the transmission entity decrypting the electronic information for which the first encryption process has been performed, and embedding electronic watermark information in the electronic information that is decrypted,
whereby by repeating the steps, the electronic information on which the electronic watermark information has been superimposed is, at the least, transmitted by a first entity via a second entity to a third entity.
According to still one more aspect of the present invention, an electronic information distribution system comprises:
a first entity, whereat original electronic information is held;
a second entity, for managing and distributing electronic information received from the first entity; and
a third entity, for employing the electronic information received from the second entity,
wherein for transmission of electronic information by a transmission entity to a reception entity, the transmission entity repeats the processing for embedding an electronic watermark in electronic information, so that electronic information in which electronic watermark information is embedded is, at the least, transmitted by the first entity via the second entity to the third entity.
According to still another aspect of the present invention, an electronic information distribution system comprises:
a first entity, whereat original electronic information is held;
a second entity, for managing and distributing electronic information received from the first entity; and
a third entity, for employing the electronic information received from the second entity,
wherein a reception entity performs a second encryption process for electronic information for which a transmission entity has performed a first encryption process that differs from the second encryption process, and returns the resultant electronic information to the transmission entity,
wherein the transmission entity decrypts electronic information for which the first encryption process has been performed, and embeds the electronic watermark information in the resultant electronic information, and
wherein by repeating the processing, electronic information on which electronic watermark information is superimposed is, at the least, transmitted by the first entity via the second entity to the third entity.