1. Field of the Invention
The present invention relates to the encryption and decryption of digital data, and to the authentication of access rights to digital data or services that makes use of such encryption and decryption.
2. Discussion of the Related Art
When data is protected by encryption and decryption, two kinds of relationship can exist between the user of the encrypted data and the owner of the decryption key that is needed to decrypt it:
1) The user of the data and the owner of the decryption key are the same person.
2) The user of the data and the owner of the decryption key are different persons.
A typical example of 1) is personal confidential communication. The recipient keeps the decryption key for the data secret, and the sender encrypts the data with the encryption key corresponding to the recipient's decryption key. If the recipient leaked the decryption key to a third party, the recipient's own privacy would be compromised, which is a serious disadvantage to the recipient. Letting the recipient hold the decryption key therefore causes no problem: the recipient has every reason to keep it secret.
A typical example of 2) is the simultaneous multi-address transmission (broadcast) of digital data. Fee-based digital data broadcast to many recipients is transmitted in encrypted form and is unusable unless decrypted. In this case a third party learning the decryption key causes the recipient no disadvantage at all. Consequently, if the recipient is given the decryption key, the recipient may leak it to a third party in exchange for something of value; in other words, the user of the data has a positive incentive to leak the decryption key. It is therefore necessary to separate the user of the data from the owner of the decryption key.
Satellite broadcasting currently solves this problem by storing the decryption key in an area of hardware that is inaccessible from outside and delegating the decryption of the data to that hardware (referred to below as delegated decryption). Because the user of the digital data cannot obtain the decryption key, the key cannot be leaked by the user.
The same method is used not only in satellite broadcasting but wherever data transmitted simultaneously to many unspecified recipients must be decrypted, for example in simultaneous multi-address transmission over the World Wide Web (WWW) of the Internet, or in cable television (CATV) broadcasting. The delegate can take many forms, such as a decryption device built into a satellite broadcast tuner, an IC card with a decryption function, or a computer connected to a network; each of them performs delegated decryption.
If delegated decryption is performed in the naive manner, namely by sending the encrypted data directly to the decryption device and receiving the decryption result back from it, the following problems arise.
(1) The decryption device learns what is being decrypted and what the result of the decryption is.
The decryption device can be built so that it keeps a history of the delegated decryptions. If such a device has been built, the privacy of the recipient, that is, what kind of data he or she wants to decrypt, may be recorded by the decryption device and later misused. Such a device is also a disadvantage to the sender of the data, because the sender cannot delegate the decryption of data that the decryption device should not be allowed to see. In the satellite broadcast example, if a movie is encrypted and transmitted, the decryption device can store the decrypted plain data of the movie, and the movie may then be used illegitimately by the creator of the decryption device.
(2) An intruder intercepting the communication with the decryption device learns what is being decrypted and what the result of the decryption is.
The seriousness of this problem is clear when the delegate is a computer connected to a network. Without any countermeasure, a third party eavesdropping on the network can easily learn both what is being decrypted and the result of the delegated decryption.
Blind decryption is a delegated-decryption technique that resolves both of these problems. A blind decryption method based on RSA (Rivest-Shamir-Adleman) is disclosed in "Fair Public Key Cryptosystem", Proc. Crypto 92, pp. 113-138 (1993). Its outline is as follows.
Let the person delegating the decryption be "Alice" and the decryption device performing the delegated decryption be "Bob". Let the decryption key held by Bob be D, the RSA modulus be n and the encryption key be E. Since this is the RSA cryptosystem, the keys satisfy
$ED \equiv 1 \pmod{\phi(n)}$
where $\phi(n)$ is Euler's totient function of n.
The result of encrypting a plaintext M with n and E is written $C = M^E \bmod n$.
1) Alice generates a random number r (chosen coprime to n so that $r^{-1}$ exists), calculates $C' = r^E C \bmod n$, and transmits C' to Bob.
2) Bob calculates $R = C'^D \bmod n$ and transmits R to Alice.
3) Alice obtains $r^{-1}$ satisfying $r^{-1} r \equiv 1 \pmod n$ and calculates $M' = r^{-1} R \bmod n$.
That Alice obtains the correct decryption result by this procedure is confirmed by
$M' \equiv r^{-1} R \equiv r^{-1} C'^D \equiv r^{-1} (r^E C)^D \equiv r^{-1} (r^E M^E)^D \equiv r^{-1} r M \equiv M \pmod n$ (1)
In this method, Bob and any third party intercepting the communication between Alice and Bob learn only $C' = r^E C \bmod n$ and $R = C'^D \equiv rM \pmod n$. Because r is a random value known only to Alice, the product rM reveals nothing about M. Neither the ciphertext C that Alice wanted decrypted nor its decryption result M can be learned by Bob or by the eavesdropper. This method thus resolves both problems of delegated decryption noted above.
Japanese Patent Application Laid-Open No. 10-247905 proposes a device for controlling access to digital data that employs blind decryption.
The access control device disclosed in that application consists of a proving device, which proves ownership of the access right to the data, and a verification device, which verifies the proof given by the proving device. The verification device stores the encrypted digital data together with a second piece of data produced by encrypting the key for decrypting the digital data under an RSA public key (this second piece is referred to as the encrypted key). The proving device is an RSA decryption device. The verification device delegates the decryption of the encrypted key to the proving device using blind decryption and then decrypts the digital data with the result of the delegated decryption. If the digital data decrypts correctly, the proving device is considered to have proved ownership of the access right.
Owing to the use of blind decryption, neither the proving device nor an intruder intercepting the communication between the verification device and the proving device can learn the content of the delegated encrypted key or the decryption key of the digital data.
The technique of Japanese Patent Application Laid-Open No. 10-247905 is characterized in particular by the configuration of its proving device, which is of the RSA type. The application proposes embedding the RSA decryption key in changeable data called an access ticket, so that a single proving device can decrypt under multiple RSA public keys. To prevent the RSA decryption key from being extracted from the access ticket, the ticket is created by masking the decryption key, which makes it possible to distribute the access ticket openly. The proving device disclosed in the application contains tamper-resistant hardware such as an IC card, and the masking of the access ticket can be removed only inside that tamper-resistant hardware.
The access control disclosed in the above application is now described in detail.
The verification device holds the encrypted data and an encrypted key $K^*$ produced by encrypting the key K for decrypting that data under the RSA modulus n and encryption key E. The proving device has an IC card with functions for modular exponentiation and for computing a one-way hash function f(x, y). The IC card further stores secret data d. If the decryption key corresponding to the RSA modulus n and encryption key E is D, the access ticket is $t = D - f(d, n)$.
The proof and verification of ownership of the access rights are executed according to the following procedures.
1. The verification device generates a random number r (coprime to n).
2. The verification device calculates $C = r^E K^* \bmod n$, where $K^* = K^E \bmod n$, and transmits n and C to the proving device.
3. The proving device calculates $R_1 = C^{f(d, n)} \bmod n$ inside the IC card.
4. The proving device calculates $R_2 = C^t \bmod n$.
5. The proving device calculates $R = R_1 R_2 \bmod n$ and transmits the result to the verification device.
6. The verification device obtains $r^{-1}$ satisfying $r^{-1} r \equiv 1 \pmod n$ and calculates $K' = r^{-1} R \bmod n$.
If the above procedure is executed correctly, $K' \equiv K \pmod n$, so ownership of the access right is proved according to
$K' \equiv r^{-1} R \equiv r^{-1} R_1 R_2 \equiv r^{-1} C^{f(d,n)} C^t \equiv r^{-1} C^{f(d,n)+t} \equiv r^{-1} C^D \equiv r^{-1} (r^E K^*)^D \equiv r^{-1} (r^E K^E)^D \equiv r^{-1} r K \equiv K \pmod n$ (2)
using $f(d, n) + t = D$.
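The two procedures above, the plain blind decryption between Alice and Bob and the six-step access-ticket exchange between the verification device and the proving device, are simulated together in the following added example. It is not code from the patent or from the cited references; the RSA parameters (a toy 512-bit key generated inline), the use of SHAKE-256 as the one-way function f(d, n), and the reduction of the ticket modulo phi(n) are this example's own choices, which the page does not fix. It goes slightly beyond the text by also checking what Bob actually sees (rM rather than M) and by showing that an access ticket copied to an IC card with a different d fails to yield K.

```python
"""Added worked example (not code from the patent or the cited references):
RSA blind decryption (Alice/Bob) and the access-ticket protocol of
JP 10-247905 as outlined above.  Hypothetical choices not fixed by the page:
toy 512-bit RSA keys generated inline, SHAKE-256 as f(d, n), and the ticket
reduced modulo phi(n).  Variable names follow the page's symbols."""
import hashlib
import math
import secrets

def is_probable_prime(m, rounds=32):
    """Miller-Rabin with random bases; adequate for a toy key."""
    if m < 3 or m % 2 == 0:
        return m == 2
    s, u = 0, m - 1
    while u % 2 == 0:
        s, u = s + 1, u // 2
    for _ in range(rounds):
        x = pow(secrets.randbelow(m - 3) + 2, u, m)
        if x in (1, m - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, m)
            if x == m - 1:
                break
        else:
            return False
    return True

def random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # odd, full width
        if is_probable_prime(cand):
            return cand

def rsa_keygen(bits=512, E=65537):
    """Return (n, E, D, phi) with E*D == 1 mod phi(n), as on the page."""
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % E:          # E is prime, so this means gcd(E, phi) == 1
            return p * q, E, pow(E, -1, phi), phi

def blind(C, n, E):
    """Alice/verifier: pick r coprime to n (so r^-1 exists); C' = r^E C mod n."""
    while True:
        r = secrets.randbelow(n - 2) + 2
        if math.gcd(r, n) == 1:
            return r, pow(r, E, n) * C % n

def delegated_decrypt(C_blind, n, D):
    """Bob: R = C'^D mod n.  Bob sees only C' and R (= r*M mod n), never M."""
    return pow(C_blind, D, n)

def unblind(R, r, n):
    """Alice/verifier: M' = r^-1 R mod n."""
    return pow(r, -1, n) * R % n

def f(d, n):
    """One-way f(d, n) stretched to the modulus width.  Caveat: a hash much
    narrower than phi(n) would let t = D - f(d, n) expose D's high bits."""
    nbytes = (n.bit_length() + 7) // 8
    data = d.to_bytes(32, "big") + n.to_bytes(nbytes, "big")
    return int.from_bytes(hashlib.shake_256(data).digest(nbytes + 16), "big")

def issue_ticket(D, phi, d, n):
    """Ticket issuer (knows D): t = D - f(d, n), reduced mod phi(n) so that
    t >= 0; C^(f+t) == C^D still holds because C^phi == 1 mod n."""
    return (D - f(d, n)) % phi

class ICCard:
    """Tamper-resistant part of the prover: holds d, exposes only C^f(d,n)."""
    def __init__(self, d):
        self._d = d
    def unmask(self, C, n):
        return pow(C, f(self._d, n), n)              # step 3, inside the card

def prove(card, t, C, n):
    """Proving device, steps 3-5: R = R1 * R2 = C^f(d,n) * C^t mod n."""
    return card.unmask(C, n) * pow(C, t, n) % n      # step 4 needs only t

def verify_access(K_star, n, E, card, t):
    """Verification device, steps 1, 2 and 6; returns K' (equals K if OK)."""
    r, C = blind(K_star, n, E)
    return unblind(prove(card, t, C, n), r, n)

def demo():
    n, E, D, phi = rsa_keygen()
    M = secrets.randbelow(n - 1) + 1                 # Alice's plaintext
    r, C_blind = blind(pow(M, E, n), n, E)
    R = delegated_decrypt(C_blind, n, D)
    ok_blind = unblind(R, r, n) == M
    bob_sees_rM = R == r * M % n                     # Bob/eavesdropper view
    d = secrets.randbits(256)                        # this user's card secret
    t = issue_ticket(D, phi, d, n)
    K = secrets.randbelow(n - 1) + 1                 # content key
    K_star = pow(K, E, n)
    ok_ticket = verify_access(K_star, n, E, ICCard(d), t) == K
    # Another user's card (different d) with the same copied ticket:
    copy_fails = verify_access(K_star, n, E, ICCard(secrets.randbits(256)), t) != K
    return ok_blind, bob_sees_rM, ok_ticket, copy_fails

if __name__ == "__main__":
    print(demo())                                    # (True, True, True, True)
```

Running the script prints four True values: Alice recovers M, Bob's view equals rM, the legitimate card recovers K, and the copied ticket on a foreign card does not. Note that the ticket issuer needs D (and phi(n)) to compute t, and that the width of f matters: with a hash output much narrower than the modulus, t = D - f(d, n) would reveal the high-order bits of D to anyone holding the ticket.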
In this method, if each user possesses an IC card with a different d, the access ticket for decrypting the encrypted key of the digital data is also different for each user. Even if a user copies and uses another person's access ticket, he or she cannot prove ownership of the access right, because the copied ticket does not match the d in his or her own IC card. The access right of each user can therefore be controlled by limiting the issuance of access tickets to the intended users. Moreover, if the RSA modulus n and encryption key E are changed for each piece of digital data, an access ticket for one piece of data cannot be used for any other, so access can be controlled per piece of digital data.
The problem with blind decryption originates in its strong blindness. With blind decryption, when decryption is delegated, the decryption device learns only that it has been asked to decrypt some piece of data; no information about the data to be decrypted reaches the decryption device. However, in many settings a specific type of information about the data should accompany the delegation of decryption. Examples are as follows:
1) If a fee is charged for the delegated decryption service and the fee differs per piece of data, the decryption fee should be communicated to the decryption device together with the encrypted data.
2) If a term of use is fixed per piece of data, the term of use should be communicated to the decryption device together with the encrypted data and checked by the decryption device.
3) If the users of a piece of data are restricted, a list of the authorized users should be transmitted with the encrypted data, and the decryption device should check whether the person delegating the decryption is one of them.
4) If the delegated decryption concerns a confidential document, an identifier of the encrypted data should be transmitted to the decryption device with the encrypted data, and the decryption device must store it for later inspection.
Suppose, however, that these pieces of information are transmitted to the decryption device together with the encrypted data without any further measure. A malicious person delegating the decryption could then replace the information attached to the data with whatever suits him or her, because nothing binds the attached information to the encrypted data that the decryption device cannot see. Several kinds of illegitimate action become possible: for example, sending a decryption fee lower than the actual fee, sending a term of use longer than the actual term, or sending a list of authorized persons or an identifier that differs from the real one.
The same applies to the technique of Japanese Patent Application Laid-Open No. 10-247905, which controls access to digital data by applying conventional blind decryption. The invention disclosed in that application includes a tamper-resistant IC card; it is practically impossible to alter the processing executed in the IC card or to tamper with the information stored in it. Therefore, if the information is transmitted correctly to the IC card, its security inside the IC card can be guaranteed, and it would be desirable to record the fee for accessing the data, or to check the term of access to the data, within the IC card. However, Japanese Patent Application No. 9-418 provides no means of securely transmitting those pieces of information to the IC card, because it uses conventional blind decryption without modification.