Method and system for conditional access to a digital content, associated terminal and subscriber device

Abstract

A secure method for transmitting a control word between a server and a plurality of processing entities so as to respectively produce and utilize the control word. Preferably such a method is applied to the field of conditional access methods and systems for preventing the fraudulent use of compromised decryption keys resulting from a coalition of pirate hackers.

Claims

1. A method for conditional access to digital content comprising: encoding, by a broadcast server of protected digital content, a digital content M and generating, by the broadcast server, an encoded content C using an encoding function implemented by the broadcast server; generating, by said broadcast server of protected digital contents, an encrypted control word c whose plaintext k is intended for use by a plurality of subscriber processing entities for decoding said encoded content C; transmitting, by said broadcast server, said encoded content C and encrypted control word c for subscriber entities through a distribution network connected to said broadcast server; receiving, by each subscriber processing entity, said encoded content C and encrypted control word c; generating the plaintext k of the encrypted control word c, by each subscriber processing entity, from the encrypted control word c; decoding, by each subscriber processing entity, the encoded content C and generating a content M from a decoding function and k; retrieving said content M using an interface adapted to said content; wherein: the broadcast server generates the encrypted control word c from: i. a vector s of d.sub.s elements each belonging to a set custom character *.sub.p of random non-zero integers modulo p, p being a prime number, d.sub.s being an integer strictly greater than 1 and small compared to a number of subscriber processing entities; ii. a secret value γ known to the broadcaster server and belonging to the set * .sub.p of non-zero integers modulo p; iii. two generators belonging respectively to two cyclic groups custom character .sub.1 and .sub.2 of order p, parameters of a bilinear group β=(p,.sub.1,.sub.2,.sub.T,e(.,.)) of order p where e(.,.) is a coupling such that e:.sub.1×.sub.2.fwdarw..sub.T, .sub.T being a third cyclic group of order p; and each subscriber processing entity generates a control word k from: i. the encrypted control word c; ii. a decryption key DK.sub.i known to an i.sup.th entity and previously generated from: a) a vector x.sup.(i) of d.sub.x elements each belonging to the set custom character *.sub.p of random non-zero integers modulo p, d.sub.x being an integer strictly greater than 1 and small compared to the number of processing entities, the vector x.sup.(i) being dedicated to the i.sup.th entity; b) the secret value γ; c) a generator belonging to one of the cyclic groups of the bilinear group β.

2. The method according to claim 1, each processing entity comprising a terminal in association with a secure subscriber device implementing respectively the decoding of an encoded content and the generating of the plaintext of an encrypted control word, wherein: receiving an encoded content C and an encrypted control word c by a processing entity comprises: i. receiving the encoded content and encrypted control word by the terminal; ii. transmitting the encrypted control word c by the terminal to the secure subscriber device cooperating with said terminal; generating the plaintext of a control word k in a processing entity comprises generating the plaintext by the secure subscriber device which delivers it to the terminal; decoding an encoded content C comprises implementing by the terminal the decoding function for generating a content M from the encoded content C and from said control word k.

Description

(1) Other features and advantages will become more apparent upon reading the following description and examining the accompanying figures, among which:

(2) FIG. 1 shows a conditional access system according to the prior art;

(3) FIG. 2 describes a conditional access system according to the invention;

(4) FIG. 3 depicts an embodiment of a conditional access method according to the invention.

(5) FIG. 1 shows a conditional access system to digital content according to the prior art. It consists of a broadcast network 4 implemented by a protected content broadcast operator. Thus, control words c and contents C, respectively encrypted, and encoded, are issued jointly from a content server 3. For that purpose, server 3 encodes a content M using an encoding function enc and a control word k, the latter being generated by said server 3. The result is an encoded content C such that C=enc(k,M). An encrypted version c of control word k is also issued or “broadcast” together with the encoded content C. For that purpose, the server encrypts said control word k using an encryption function E to obtain c such that c=E(k).

(6) The encrypted control words c and encrypted, contents C are transmitted via the broadcast network 4 to terminals 2a to 2m. These are responsible respectively for decoding in real time the encoded, contents C issued by server 3. Thus a terminal—such as, for example, the decoder 2a—implements a decoding function dec and applies it to the encoded content C to obtain the content M. The latter can be viewed using a living room television 5 or any other interface suited, to retrieve the content. To apply the decoding function dec, a terminal must know the value of control word k that was used by server 3 to encode content M. According to the prior art, and as shown in FIG. 1, a terminal 2a to 2m receives an encrypted, control word c such that c=E(k) and sends it to a secure electronic device 1a to 1m, usually dedicated to a subscriber. Terminal 2a regularly receives, through network 4, couples (C,c) and transmits encrypted control words c to a device 1a. Device 1a can decrypt an encrypted control word c using a decryption function D to obtain the control word k used to encode content M. Thus k=D(c). The same applies to any other device, such as 2b to 2m, each respectively cooperating with a device 1b to 1m. According to a variant embodiment, server 3 can use a secret, for example in the form of a key Kc to encrypt a control word k. Thus c=E(Kc,k). In this case, a device, such as device 1a to 1m, implements a reciprocal decryption function D, such that k=D(Kd,c) where Kd is a decryption key known by the device. According to the encryption function E and decryption function D, keys Kc and Kd can be identical. This is the case for a symmetrical encrypt ion/decryption. Alternatively, according to a pattern called “broadcast encryption” Kc is a public or secret key dedicated to the operator and Kd is a secret key dedicated to the device (or, alternatively, to a group of devices) and known to the operator. According to this variant, there are therefore several individual decryption keys and each of the devices lawfully issued and delivered to the subscribers of said operator has such a personal decryption key.

(7) To jeopardize such a conditional access system, hackers have developed their knowledge of cryptographic hardware, algorithms or secrets implemented in particular by the subscriber devices. Some know—or could—“break” the security of such subscriber electronic devices and be able to read the value of one or more decryption keys used to generate valid control words to ultimately decode encrypted messages. All it takes then, is to fraudulently put these keys—which we call “treacherous keys”—on a parallel market for unscrupulous users to integrate a treacherous key in a hacked terminal and thus benefit from unauthorized access to protected content. This type of criminal act can be greatly facilitated when a broadcast operator operates a conditional access system for which the content decoding function and decrypt ion function of encrypted control words are performed by a single and same processing entity made available to a subscriber. Thus, such an entity does not necessarily include security features to protect the means for storing the decryption keys and/or algorithms and methods used to generate the control words. Leaks resulting from, the insufficiently secure implementation of such algorithms allow revealing the decryption key manipulated, etc.

(8) A hacker can thus provide certain “reproductions” of decryption keys to unscrupulous customers without necessarily operating a pirate network to distribute the control words or contents.

(9) To try to counter such activities, it is useful to be able to trace or detect the “treacherous” or compromised decryption key which is the source of the reproduction. Such a key must therefore be traceable, that is to say, have a marker or a component that is dedicated to a subscriber. Thus, when in possession of a hacked terminal or the software implemented by the hacker, it is possible for a tracer to use certain methods of analysis to detect the secret data that was manipulated. The tracer's task becomes complicated when several treacherous keys are combined by a hacker or by a coalition of hackers.

(10) The invention makes it possible to defeat these different hacking scenarios.

(11) FIG. 2 helps to illustrate a conditional access system as an example of preferred embodiment of the invention. As with a known system, the invention provides a broadcast network 4 implemented by a protected content broadcast operator—or, more generally, any means—to transmit, from a content server 3, encoded contents C destined for a plurality of subscriber processing entities such as Ea, Eb, . . . Em entities. The invention further provides that the encoded contents C are emitted in conjunction with encrypted control words c whose plaintexts allow decoding said encoded contents by each subscriber entity. To do this, server 3 encodes a content M using an encoding function enc. The result is an encoded content C such that C=enc(M).

(12) The security of such a system essentially lies in the fact that the control words can be generated, exchanged, and used securely by the server and the plurality of subscriber processing entities. Such control words could just as well be used in a different application context of a conditional access system to protected digital content.

(13) The invention is based on the mathematical concept of coupling in first-order groups, a concept exploited in many publications including documents US2008/0075287A1 or WO2007/138204 mentioned above. Such coupling is a bilinear application typically used in cryptography, particularly in the field of elliptic curves.

(14) Let β be a bilinear group β=(p, custom character .sub.1,.sub.2,.sub.T,e(.,.)) of first order p such that |p|=λ, λ defining the size of elements as a security parameter. .sub.1, .sub.2 and .sub.T are three cyclic groups of order p and e:.sub.1×.sub.2.fwdarw..sub.T is a coupling. A cyclic group is an algebraic set such that g.sup.p+1 is equal to g, p defining the order of the cyclic group and g being an element of the group that is called “generator”. Within the meaning of the invention, a special relationship between groups custom character .sub.1 and .sub.2 is not required. The two groups may be the same or, more generally, an isomorphism Ψ between .sub.1 and .sub.2 can be defined. The invention provides that any possible, effectively computable, isomorphism and coupling be preferred.

(15) According to a preferred embodiment, a processing entity Ei consists of a terminal 2i coupled to a secure device 1i, e.g. a smart, card, to respectively perform the decoding of an encoded content and the generating of control words required for said decoding. FIG. 2 shows the entities Ea, Eb and Em as resulting respectively from terminal 2a, 2b, 2m coupled to a secure subscriber device 1a, 1b, 1m.

(16) Within the meaning of the invention, such an entity could be one and the same device that would encompass the two main functions previously described.

(17) A secret and dedicated decryption key is known to each subscriber device (or subscriber entity). Thus, according to FIG. 2, device 1a of entity Ea associated with subscriber a, knows the decryption key DK.sub.a. This key is distinct from key DK.sub.b, itself distinct from key DK.sub.m. These keys are only known respectively to entities Eb and Em (or, more precisely, to respective secure subscriber devices 1b and 1m). Although dedicated, and distinct, the decryption keys according to the invention are traceable (that is to say, identifiable in an action of discrimination or tracing, as discussed below). They are all generated from a master secret key MK known to server 3, said key being possibly associated with public parameters P—including bilinear group β—parameters known to said server, but also to the different processing entities, specifically, according to the preferred example described in connection with FIG. 2, known to devices 1a to 1m.

(18) Decryption keys allow processing entities Ea to Em to generate a control word k which allows decoding the encoded contents. This control word k is generated from an encrypted control word c issued jointly with the encoded content C by server 3. According to the preferred example described in connection with FIG. 2, the secure devices 1a to 1m are responsible for generating the control word k within each processing entity Ea to Em. For this purpose, terminals 2a to 2m are able to receive the encrypted control words c and are also able to transmit said encrypted words c to the respective secure device. The control words generated by devices 1a to Am are transmitted, back to the respective terminals so that they can decode the encoded contents C and thereby in turn produce a content M returned by a man-machine interface adapted 5 to a subscriber.

(19) FIG. 3 is used to describe an example of application of the invention in the form of a conditional access method to protected content implemented by a system such as that described in connection with FIG. 2. By way of simplification, the plurality of processing entities is represented by entity Ei as terminal 2i associated with a secure subscriber device 1i. Encoded contents C are transmitted from, server 3 to entity Ei via a network 4. Any other broadcasting means could, be used for this purpose. The encoded contents are associated with encrypted control words c whose plaintexts allow decoding the encoded contents. Terminal 2i is able to receive the encoded contents and the encrypted control words. The latter are transmitted by the terminal to the subscriber device which, using the secret decryption key DK.sub.i and the public parameters PP, generates the control words and transmits them back to the terminal 2i. This terminal can decode the encoded contents C using the control word k and deliver the contents M to the interface 5. In order to achieve this, a conditional access method according to the invention consists of the main steps 310, 110 and 210, corresponding respectively to: 310: producing and issuing encoded content C associated with encrypted control words c to processing entities; 110: producing control words k from the encrypted control words c and the decryption key DK.sub.i; 210: decoding the encoded contents from the control words k.

(20) Optionally, these steps may be preceded by steps 300 and 100 which consist in generating public parameters PP and saving them in the processing entities Ei, specifically the secure devices. FIG. 3 also describes the preliminary steps 301 and 101 of generating the decryption keys DK.sub.i and storing them in processing entities Ei, specifically in devices 1i.

(21) Beyond the preferred example applied to the conditional access method, and system, the invention relates primarily to a secure method for transmitting a control word between a server and a plurality of processing entities to respectively produce and exploit said control word.

(22) Let us examine through two embodiments how to implement such a method—applied to the application example described in connection with FIG. 3.

(23) Let β be a bilinear group β=(p, custom character .sub.1,.sub.2,.sub.T,e(.,.)) of first order p such that |p|=λ, λ defining the size of elements as a security parameter. .sub.1, .sub.2 and .sub.T are three cyclic groups of order p and e:.sub.1×.sub.2.fwdarw..sub.T is a coupling.

(24) A method according to the invention comprises: a step 310 for generating by a server an encrypted control word c whose plaintext k is intended to be used 210 by the processing entity; a step for transmitting the encrypted control word c generated to the processing entities; a step for receiving the encrypted control word c by said entities; a step for generating 110 a control word k by each processing entity from the encrypted control word c received.

(25) To maintain the traceability of the decryption keys DK.sub.i while allowing high efficiency (in terms of bandwidth and processing power), step 310 for generating the encrypted version of a control word is performed by server 3 from: a vector s of d.sub.s elements each belonging to the set custom character .sub.p* of non-zero integers modulo p, p being a prime number, d.sub.s being an integer strictly greater than 1 and small in terms of the number of processing entities; a secret value γ known to server 3 and belonging to the set .sub.p* of non-zero integers modulo p; two generators belonging respectively to cyclic groups custom character .sub.1 and .sub.2, parameters of bilinear group β=(p,.sub.1,.sub.2,.sub.T,e(.,.)).

(26) Each processing entity Ei generates 110 a control word k from: the encrypted control word c; a decryption key DK.sub.i known to the entity Ei and previously generated from: a vector x.sup.(i) of d.sub.x elements each belonging to the set custom character .sub.p* of non-zero integers modulo p, d.sub.x being an integer strictly greater than 1 and small in terms of the number of processing entities, the vector x.sup.(i) being dedicated to the concerned entity; the secret value γ; a generator belonging to one of the cyclic groups of the bilinear group β.

(27) The invention provides that the integer values of d.sub.x and of d.sub.s be small in terms of a number of entities and therefore ultimately in terms of the number of subscribers or hackers.

(28) These two integers are security parameters used to determine and adjust the compromise “efficiency vs. resistance” depending on the dishonest collusions. The parameter d.sub.x is used to scale the size of a decryption key according to the invention. The parameter d.sub.s is used directly to scale the size of encrypted control words.

(29) Therefore, d.sub.s has a direct impact on the bandwidth of the broadcast network of encrypted control words. d.sub.x (just as d.sub.s) has itself a direct impact on the processing capabilities of the entity (or the secure device) that must store and handle the decryption keys to produce the plaintexts of the control words from their ciphertexts.

(30) Unlike known solutions for which the sizes of keys and encrypted versions grow linearly with the size of the collusions or with the square root of the number of subscribers or groups of subscribers, the invention allows maintaining particularly advantageous sizes and without comparison with known solutions. So, if we consider that there is a risk t of coalitions, then a process according to the invention will help define d.sub.x and d.sub.s such that

(31) $t = C_{d_{x} + d_{s} - 1}^{d_{x}} = \frac{(d_{x} + d_{s} - 1)!}{d_{x}! (d_{s} - 1)!} .$
By way of examples, the invention allows obtaining (depending on the embodiment) the following compromises: for t=120: d.sub.x=3 et d.sub.s=7; for t=126: d.sub.x=4 et d.sub.s=5; for t=105: d.sub.x=2 et d.sub.s=13.

(32) These results allow emphasizing the particularly significant contribution of the invention compared to of the prior art.

(33) As shown in FIG. 3, a method, for securely transmitting a control word between a server and a plurality of processing entities, according to the invention, may comprise a step 300 to develop and store a master secret key MK comprising the secret component γ associated with public parameters, such as the bilinear group β. It may also include a step 100 to store said public parameters within each processing entity—more specifically and preferably—within, the secure subscriber device of said entity. Upon purchasing a subscription, for example, in order to be able to deliver material to a subscriber knowing the secret and dedicated decryption key DK.sub.i, such a method may also include a step to produce 301, transmit and record 101 the decryption key DK.sub.i within the processing entity—more specifically and preferably—within the subscriber secure device of said entity.

(34) We will successively describe two embodiments of such a method. These two embodiments have particularly in common that the decryption key DK.sub.i generated has a component of the form

(35) $z^{\frac{1}{P (γ)}},$
z being a generator belonging to one of the cyclic groups and the bilinear group β and P being a polynomial in γ.

(36) According to a first embodiment, for a bilinear group β=(p, custom character .sub.1,.sub.2,.sub.T,e(.,.)) and the security parameters d.sub.x and d.sub.s selected, the master secret key MK consists of γ and g, such that MK=(γ,g). γ is a secret value belonging to the set .sub.p* of non-zero integers first modulo p. g is a generator of the group .sub.1. The value of g can advantageously be randomly selected. Similarly, a generator h of the group custom character .sub.2 is possibly randomly selected. Advantageously, v=e(g,h) can be calculated and value v can be associated with the components γ and g of key MK.

(37) To constitute the public parameters, g.sup.γ, g.sup.γ.sup.2, . . . ,

(38) $g^{γ^{d_{s} - 1}},$
h.sup.γ, . . . ,

(39) $h^{γ^{d_{x} - 1}}$
are calculated. In addition to β and h, all these values represent the public parameters.

(40) Ail these calculations or random selections can be performed by the server 3 or be performed and obtained from a separate and dedicated server for this purpose.

(41) According to this first embodiment, the step to generate a decryption key consists in generating said key as a result of two components, such as DK.sub.i=(x.sup.(i),A.sub.i) where

(42) $A_{i} = g^{\frac{1}{P (γ)}}$
with P(γ)=(γ+x.sub.1.sup.(i)).Math.(γ+x.sub.2.sup.(i)) . . . (γ+x.sub.d.sub.x.sup.(i)). Thus, upon the subscription of a new user or subscriber i, the unique and dedicated key DK.sub.i is generated then transmitted and recorded—preferably securely—in the processing entity Ei which will exploit said key to generate the control words. More specifically, such a key is stored in a secure device 1i component of the entity Ei.

(43) To produce an encrypted control word, the server 3 generates said word as the result of two components such as

(44) $c = (s, h^{\frac{1}{Q (γ)}})$
with Q(γ)=(γ+s.sub.1).Math.(γ+s.sub.2) . . . (γ+s.sub.d.sub.s), s being a vector of the elements d.sub.s of custom character .sub.p*. Vector s can be written as s=(s.sub.1, s.sub.2, . . . , s.sub.d.sub.s).

(45) Upon receiving an encrypted control word c, a processing entity Ei implements a step to produce the plaintext of the control word. This step aims to retrieve a control word k whose value should be

(46) $k = {e (g, h)}^{\frac{1}{γ + s}} .$

(47) This step consists in generating k such that

(48) $k = e (g^{α}, h^{\frac{1}{Q (γ)}}) .Math. e (A_{i}, h^{ξ}) .Math. {e (A_{i}, h^{\frac{1}{Q (γ)}})}^{θ} .$

(49) The computing elements α, ξ and θ are such that:

(50) 0 $α = 1 - θ (\frac{1}{P} [Q] (γ)), ξ = - θ (\frac{1}{Q} [P] (γ)) and$ $θ = \frac{1}{{.Math. \frac{1}{P} [Q] .Math.}^{0}}, \frac{1}{P} [Q]$
being the notation to designate the opposite of the polynomial P modulo, the polynomial Q and

(51) ${.Math. \frac{1}{P} [Q] .Math.}^{0}$
designating the term of 0 degree of the polynomial

(52) $\frac{1}{P} [Q] .$

(53) We can see that θ is a constant computable from the coefficients of P and Q, and that the values ξ and α (which are polynomials in γ) are not required in the calculation to produce the plaintext of the control word. Indeed, combinations of successive powers of g.sup.γ and h.sup.γ contained in the public parameters) are used to reconstruct the desired polynomials in exponents of g and h and thereby to obtain g.sup.α and h.sup.ξ which allows generating the plaintext of the control word.

(54) The elements α, ξ and θ can also be described as follows:

(55) $α = 1 - \frac{{.Math.}_{l = 1}^{d_{s}} \frac{Q_{l} (γ)}{R_{l} (- s_{l})}}{{.Math.}_{l = 1}^{d_{s}} \frac{{.Math.}_{j \neq l}^{d_{s}} s_{j}}{R_{l} (- s_{l})}}, ξ = - \frac{{.Math.}_{l = 1}^{d_{x}} \frac{P_{l} (γ)}{R_{l + ds} (- s_{l})}}{{.Math.}_{l = 1}^{d_{s}} \frac{{.Math.}_{j \neq l}^{d_{s}} s_{j}}{R_{l} (- s_{l})}} and$ $θ = \frac{1}{{.Math.}_{l = 1}^{d_{s}} \frac{{.Math.}_{j \neq l}^{d_{s}} s_{j}}{R_{l} (- s_{l})}}$
with:

(56) $Q_{l} (γ) = {.Math.}_{\underset{j \neq l}{j = 1}}^{d_{s}} (s_{j} + γ), P_{l} (γ) = {.Math.}_{\underset{q \neq l}{q = 1}}^{d_{x}} (x_{q}^{(i)} + γ), R_{l} (γ) = {.Math.}_{\underset{j \neq l}{j = 1}}^{d_{s} + d_{x}} (s_{j} + γ)$ $and s_{d_{s} + m} = x_{m}^{(i)}$
for m=1, . . . , d.sub.x.

(57) In this first, embodiment, the size of the decryption key DK.sub.i is linear in d.sub.x. As for the size of the ciphertext, it is linear in d.sub.s.

(58) In a variant of this first embodiment, it is possible to reduce the size of the ciphertexts c and the secret decryption keys DK.sub.i. Indeed, first of all, the vector x.sup.(i)=(x.sub.1.sup.(i), . . . , x.sub.d.sub.x.sup.(i)) may be generated during the production of a key DK.sub.i by server 3 from a seed μ.sub.i. This seed is then a component of the secret key such that DK.sub.i=(μ.sub.i,A.sub.i). Reciprocally, the vector x.sup.(i) can be recovered by the processing entity using said seed during decryption of the control word. Furthermore, the vector s=(s.sub.1, . . . , s.sub.d.sub.s) may be generated during the production of a ciphertext c by server 3, from a seed η. This seed is then a component of the ciphertext such that

(59) $c = (η, h^{\frac{1}{Q (γ)}}) .$
Reciprocally, the vector s can be recovered by the processing entity using said seed η during the decryption of the control word.

(60) In this variant, the sizes of the decryption key DK.sub.i and of the ciphertext become constant.

(61) In a second embodiment, for a bilinear group β=(p, custom character .sub.1,.sub.2,.sub.T,e(.,.)) and the security parameters d.sub.x and d.sub.s selected, the master secret key MK consists of γ and g, such that MK=(γ,g). γ is a secret value belonging to the set .sub.p* of non-zero integers first modulo p. g is a generator of the group .sub.1. The value of g can advantageously be randomly selected. Similarly, we choose, possibly randomly, a generator h of the group custom character .sub.2. Advantageously, we can calculate v=e(g,h) and associate value v with components γ and g of key MK.

(62) Public parameters are β.

(63) All these calculations or random selections can be performed by server 3, or be performed and obtained from a separate server dedicated to this purpose.

(64) According to this second embodiment, the step for generating a decryption key consists in generating said key as a result of two components such that DK.sub.i=(A.sub.i,B.sup.(i)) where

(65) $A_{i} = g^{{.Math.}_{j = 1}^{d_{x}} \frac{x_{j}^{(i)}}{γ + x_{j}^{(i)}}}$
and vector B.sup.(i) of elements d.sub.x such that:

(66) $B^{(i)} = (B_{1}^{(i)}, x_{1}^{(i)}), (B_{2}^{(i)}, x_{2}^{(i)}), .Math., (B_{d_{x}}^{(i)}, x_{d_{x}}^{(i)}) = (h^{\frac{1}{γ + x_{1}^{(i)}}}, x_{1}^{(i)}), (h^{\frac{1}{γ + x_{2}^{(i)}}}, x_{2}^{(i)}), .Math., (h^{\frac{1}{γ + x_{d_{x}}^{(i)}}}, x_{d_{x}}^{(i)})$

(67) Thus, upon the subscription of a new user or subscriber i, the unique and dedicated key DK.sub.i is generated then transmitted and stored—preferably securely—in the processing entity Ei which will use said key to generate the control words. More specifically, such a key is stored in a secure device 1i component of the entity Ei.

(68) To generate an encrypted, control word, server 3 generates the encrypted control word as the result of four components such as c=(W.sub.1,W.sub.2,s,U) with U=(U.sub.1, . . . , U.sub.d.sub.s) vector of d.sub.s values. The vector U is such that

(69) $U_{1} = h^{\frac{1}{γ + s_{1}}}, U_{2} = h^{\frac{1}{(γ + s_{1}) .Math. (γ + s_{2})}}, .Math., U_{d_{s}} = h^{\frac{1}{(γ + s_{1}) .Math. (γ + s_{d_{s}})}} .$
Components W.sub.1=(g.sup.γ).sup.m,

(70) $W_{2} = h^{\frac{m}{(γ + s_{1}) .Math. (γ + s_{d_{s}})}} = U_{d_{s}}^{m}$
being an integer.

(71) Upon, receiving an encrypted control word, c, a processing entity Ei implements a step to generate the plaintext of said control word. The purpose of this step is to retrieve a control word k whose value should be

(72) 0 $k = {e (g, h)}^{\frac{m .Math. d_{x}}{{.Math.}_{j = 1}^{d x} (γ + s_{j})}},$
m being the integer previously selected.
This step consists in calculating k such that

(73) $k = e (g^{γ}, {.Math.}_{j = 1}^{d_{x}} {(B_{j}^{(1)})}^{\frac{1}{{.Math.}_{l = 1}^{d_{s}} (γ + s_{l})}}) .Math. e (A_{i}, W_{2}) where {.Math.}_{j = 1}^{d_{x}} {(B_{j}^{(i)})}^{\frac{1}{{.Math.}_{l = 1}^{d_{s}} (γ + s_{l})}} = {.Math.}_{j = 1}^{d_{x}} {(B_{j}^{(i)} .Math. {.Math.}_{y = 1}^{d_{s}} U_{y}^{{(- 1)}^{i + d_{s}} .Math. {.Math.}_{n = 1}^{y - 1} (x_{j}^{(i)} - s_{n})})}^{\frac{1}{{.Math.}_{l = 1}^{d_{s}} (x_{j}^{(i)} - s_{l})}}$

(74) According to this second embodiment, the size of the decryption key DK.sub.i is linear in d.sub.x. The size of the ciphertext is itself linear in d.sub.s.

(75) A particularly advantageous choice may be to determine d.sub.s and d.sub.x such that the number of collusions t is exponential in (d.sub.x+d.sub.s).

(76) Whether in the first or second embodiment, it is particularly advantageous that the component A.sub.i of key DK.sub.i be stored by means of secure storage in each processing unit. This is particularly relevant when a processing unit comprises a secure device. It suffices, in this case—to ensure the robustness of the system—that said, component A.sub.i be at least stored in it or, alternatively, the entire key DK.sub.i. Storing only the component A.sub.i can reduce the safe storage capacity necessary for the robustness of the system.

(77) As an example, and to illustrate the ability of a tracer to detect a decryption key, we are now presenting a method, for tracing. To describe this method, we will use a notation such as custom character U,V to describe such a coupling (or pairing) equivalent to the notation e(U,V) previously used. Let us consider that the tracer was able to recover a pirate decoder. The analysis of the latter allows him to get the pirate software and to implement a white-box type tracing method.

(78) In a first step, the pirate decoder is interpreted as a sequence of formal instructions. Each instruction consists of a reference operation, one or more input variables and one output variable. Conventionally, the operations known as reference operations are listed in a dictionary (the instruction set) and can be of various kinds: arithmetic or logic operations, conditional jumps or not, subprogram calls, etc.

(79) In this phase of classical abstract interpretation, the decoder is therefore rewritten in the form of a sequence of instructions among which will stand out the operations associated with the bilinear system (p, custom character .sub.1,.sub.2,.sub.T) implemented by the encryption method according to the invention: operations of multiplication T=U.Math.U′ in .sub.1, operations of multiplication S=V.Math.V′ in .sub.2, operations of exponentiation U=T.sup.a in .sub.1, operations of exponentiation V=S.sup.b in custom character .sub.2, operations of bilinear coupling α=U,V (called pairing) of .sub.1×.sub.2.fwdarw..sub.T, operations of multiplication γ=α.Math.β in .sub.T, operations of exponentiation β=α.sup.c in .sub.T.

(80) These operations are called algebraic while all others will be classified as related operations. In this same phase of interpretation, the input and output variables of each, instruction are written in a way know as SSA (Static Single Assignment) so that the computation graph of any variable manipulated, by him during his formal execution can easily be deducted from this representation of the pirate decoder. The input variables of the instructions can only be of the following four types:

(81) 1. a. constant variable belonging to the starting program,

(82) 2. an intermediate variable,

(83) 3. an input variable of the program representing a portion of the ciphertext, or

(84) 4. a random variable resulting from a call, to a random source external to the decoder program.

(85) The output variable or the program, represents the data, k and comes from a computation graph of output value in custom character .sub.T.

(86) In a second step known as specialization, the rewritten program is modified to make it suitable for the subsequent identification of traitors. By rewriting the program, all instructions that do not participate in the computation graph of the output variable k (instructions not related to the graph) can be removed from it. It is then necessary to try to set all the input variables of the program (those of types 3 and 4) at constant values that the program is able to decrypt correctly.

(87) This search for constant values may be conducted randomly and exhaustively and, if the decoder originally given is functional enough (that is to say decrypts in a significant fraction of cases on average), this search step will quickly be completed after a few tries.

(88) When the values are suitable, they are substituted for the corresponding variables in the program, so that said program will always run the same way. Thus, an example of successful implementation is instantiated by the new program composed only of instructions performed on constants.

(89) The tracing process now includes a step to simplify the program by obtaining a single sequence of instructions without jump: a propagation of constants is performed to remove all secondary instructions whose input variables are all constants; this transformation excludes therefore the algebraic operations. instructions whose execution is tautological are eliminated: conditional jumps are either eliminated or replaced by unconditional jumps; function calls are replaced by a copy of the body of the called function; unnecessary instructions or dead codes are eliminated.

(90) At the end of this step, unconditional jumps are deleted by juxtaposing sequences of linear instructions end to end in chronological order of execution. The program then becomes a series of sequential algebraic instructions without control flow.

(91) At this point, several transformations are applied in an inductive and concurrent manner to the program obtained. To this end, the following is introduced: a formal instruction expo.sub.i(u,a) that represents the calculation of u.sup.a in custom character .sub.i with i∈{1,2,T}; a formal instruction of extended “pairing” U,V; a which represents the calculation of U,V.sup.a.

(92) The following algebraic simplifications are then executed, in an inductive and concurrent manner, until the program is stabilized: each exponentiation instruction u.sup.a is replaced by expo.sub.i(u,a) for the appropriate i∈{1,2,T}; each variable u is replaced by expo.sub.i(u,1) for the appropriate i∈{1,2,T}; each combination of instructions of the type expo.sub.i(u.Math.v,a) is replaced by expo.sub.i(u,a).Math.expo.sub.i(v,a); each combination of instructions of the type expo.sub.i(u,a).Math.expo.sub.i(u,b) is replaced by expo.sub.i(u,a+b mod p); each combination of instructions of the type expo.sub.i(expo.sub.i(u,a),b) is replaced by expo.sub.i(u,ab mod p); each “pairing” instruction custom character U,V is replaced by U,V;1; each combination of instructions of the type U.Math.U′,V;a is replaced by U,V;a.Math.U′,V;a; each combination of instructions of type U,V.Math.V′;a is replaced by U,V;a.Math.U,V′;a; each combination of instructions of type expo.sub.1(U,a),V;b is replaced by custom character U,V;ab mod p; each combination of instructions of type U,expo.sub.2(V,a);b is replaced by U,V;ab mod p; each combination of instructions of type U,V;a.Math.U,V;b is replaced by U,V;a+b mod p; each combination of instructions of type expo.sub.T(U,V;a,b) is replaced by U,V;ab mod p; expo.sub.i(u,0) is replaced by 1, custom character U,V;0 by 1 and 1.Math.u by u.

(93) At the end of this simplification step, the calculation of k∈ custom character .sub.T can therefore be represented as the result of a product k=k.sub.1.Math.k.sub.2 where: k.sub.1 is a product of n extended “pairings” whose inputs (U.sub.i,V.sub.i,a.sub.i) for i=1, . . . , n consist of two points U.sub.i and V.sub.i and an integer a.sub.i modulo p such as (U.sub.i,V.sub.i)≠(U.sub.j,V.sub.j) for i≠j. The variables U.sub.i, V.sub.i and a.sub.i are constant values due to the specialization step. Each variable U.sub.i, V.sub.i is necessarily either a constant stored in the program, or an input variable which is part of the ciphertext given at the beginning; k.sub.2 is a product of m elements of custom character .sub.T i.e. k.sub.2=expo.sub.T(α.sub.1,b.sub.1) . . . expo.sub.T(α.sub.m,b.sub.m) where α.sub.i≠α.sub.j for 1≦i≠j≦m. Each variable α.sub.i is necessarily either a constant stored in the program, or a portion of the ciphertext.

(94) In a third step, the coefficient corresponding to each algebraic element of ciphertext c given at the beginning is identified.

(95) More specifically, if the ciphertext given at the beginning contains u.sub.1, . . . , u.sub.r.sub.1∈ custom character .sub.1, v.sub.1, . . . , v.sub.r.sub.2∈.sub.2 and w.sub.1, . . . , w.sub.r.sub.T∈.sub.T, for any v.sub.i,j∈[1,r.sub.2], all the values a.sub.i such as v.sub.j=V.sub.i are collected and U.sub.i.Math.{u.sub.1, . . . , u.sub.r.sub.1} is not an element of the ciphertext; a vector

(96) $coef (v_{j}) = (a_{i_{1}}, .Math., a_{i_{d_{j}}})$
is thereby formed; for any v.sub.i,j∈[1,r.sub.2], the values a.sub.i, such as v.sub.j=V.sub.i are collected and U.sub.i.Math.{u.sub.1, . . . , u.sub.r.sub.1} is not an element of the ciphertext; a vector

(97) $coef (v_{j}) = (a_{i_{1}}, .Math., a_{i_{d_{j}}})$
is thereby formed; for any w.sub.i,j∈[1,r.sub.T], coef(w.sub.j)=b.sub.i such as w.sub.j=α.sub.i is collected;

(98) For each pair (u.sub.l,v.sub.l), (l,j)∈[1,r.sub.1]×[1,r.sub.1], coef(u.sub.l,v.sub.j)=a.sub.i where (u.sub.l,v.sub.l)=(U.sub.i,V.sub.i) is collected.

(99) In each of these identification steps, the coefficient is set to 0 by default when a corresponding index i cannot be found.

(100) We now focus on the values of {coef (u.sub.i),coef (v.sub.j),coef(w.sub.ε),coef (u.sub.i,v.sub.j)}. The mathematical properties of the invention ensure that these values are functions known in advance involving elements x.sub.1, . . . , x.sub.ε∈ custom character .sub.p composing the compromised keys and fixed parameters s.sub.1, . . . , s.sub.l∈.sub.p composing the ciphertext c given at the beginning.

(101) This forms a system of multivariate equations:

(102) $coef (u_{1}) = f_{1} (x_{1}, .Math., x_{.Math.}, s_{1}, .Math., s_{l})$ $coef (u_{2}) = f_{2} (x_{1}, .Math., x_{.Math.}, s_{1}, .Math., s_{l})$ $.Math.$ $coef (u_{r_{1}}) = f_{r_{1}} (x_{1}, .Math., x_{.Math.}, s_{1}, .Math., s_{l})$ $coef (v_{1}) = g_{1} (x_{1}, .Math., x_{.Math.}, s_{1}, .Math., s_{l})$ $coef (v_{2}) = g_{2} (x_{1}, .Math., x_{.Math.}, s_{1}, .Math., s_{l})$ $.Math.$ $coef (v_{r_{2}}) = g_{r_{2}} (x_{1}, .Math., x_{.Math.}, s_{1}, .Math., s_{l})$ $coef (w_{1}) = h_{1} (x_{1}, .Math., x_{.Math.}, s_{1}, .Math., s_{l})$ $coef (w_{2}) = h_{2} (x_{1}, .Math., x_{.Math.}, s_{1}, .Math., s_{l})$ $.Math.$ $coef (w_{r_{T}}) = h_{r_{T}} (x_{1}, .Math., x_{.Math.}, s_{1}, .Math., s_{l})$ $coef (u_{1}, v_{1}) = q_{1, 1} (x_{1}, .Math., x_{.Math.}, s_{1}, .Math., s_{l})$ $.Math.$ $coef (u_{r_{1}}, v_{r_{2}}) = q_{r_{1}, r_{2}} (x_{1}, .Math., x_{.Math.}, s_{1}, .Math., s_{l})$

(103) Knowing the numerical values of these coefficients, the fixed parameters s.sub.j and functions ƒ.sub.i, g.sub.j, h.sub.ε, q.sub.a,b′ the system can be reversed to retrieve at least one of the elements x.sub.1, . . . , x.sub.ε composing one of the compromised keys and thus fully identify this key. This step may require having ε≦B(r.sub.1,r.sub.2,r.sub.T) where B(r.sub.1,r.sub.2,r.sub.T) is a terminal which depends on the embodiment of the invention. Functions ƒ.sub.i, g.sub.j, h.sub.k, q.sub.a,b also depend on the embodiment of the invention.

(104) As an example, if we are operating in the context of the second embodiment described above, any decryption program shows the vector x.sup.(i) of one (or more) user(s) i in a masked or unmasked form. The tracer has therefore access to x.sup.(i) which were distributed to one or more users, who are therefore identified as traitors.

(105) The invention also provides that a processing entity can be revoked if, for example, it has been, identified as a traitor or for any other reason, and thus prevent said entity from generating a valid control word to allow, for example, the decoding of an encoded content.

(106) The invention provides that two types of revocations can be implemented: a temporary or a permanent revocation.

(107) A temporary revocation results in one or more treacherous entities being temporarily unable to generate more valid control words. A permanent revocation inhibits such generating.

(108) To illustrate this variant, and as an example, we are going to describe the adaptations made to a secure method consistent with the invention and based, on the second embodiment.

(109) Similar adaptations could be made as well to other methods consistent with the invention.

(110) To implement a permanent revocation, the invention provides two additional steps to the methods described above. The first step is to generate revocation data D custom character that are transmitted to all of the processing entities. These data are used to define the exclusion of a set of one or more treacherous entities. The second additional step is to update the decryption key DK.sub.i of the entities which do not belong to so they can continue to generate valid control words.

(111) Let us consider that the treacherous entities are entities E1 to Er (or secure subscriber devices 1.sub.1 to 1.sub.r). Let us number such entities from 1 to r. The first step to define the revocation data D custom character consists in calculating, according to this example, D=(R.sub.1, . . . , R.sub.r) with

(112) $R_{1} = h^{\frac{1}{γ + x_{j}^{(i)}}}, R_{2} = h^{\frac{1}{(γ + x_{j}^{(1)}) .Math. (γ + x_{j}^{(2)})}}, .Math., R_{r} = h^{\frac{1}{(γ + x_{j}^{(1)}) .Math. (γ + x_{j}^{(r)})}},$
for a value of j∈[1,d.sub.x], for example, j=1. The value of the generator h is then modified to take the value of

(113) $R_{r} : h \leftarrow R_{r} = h^{\frac{1}{(γ + x_{j}^{(1)}) .Math. (γ + x_{j}^{(r)})}} .$
Revocation data D custom character =(R.sub.1, . . . , R.sub.r) are then distributed to all entities.

(114) The second, additional step consists now in changing the decryption keys DK.sub.i of the entities which do not belong to custom character so that they can continue to generate valid control words. The key DK.sub.i,, corresponding to the i.sup.th user or subscriber, that was generated from D, is such that DK.sub.i,=(A.sub.i,B.sup.(i,.sup.)). The vector B.sup.(i,.sup.)=(B.sub.1.sup.(i,.sup.),x.sub.1.sup.(i)), (B.sub.2.sup.(i, custom character .sup.),x.sub.2.sup.(i)), . . . , (B.sub.d.sub.x.sup.(i,.sup.),x.sub.d.sub.x.sup.(i)) of the d.sub.x elects is such that

(115) $B_{j}^{(i, .Math.)} = {(B_{j}^{(i)})}^{\frac{1}{{.Math.}_{j = 1}^{r} (γ + x_{w}^{(l)})}} = {(B_{j}^{(i)} .Math. {.Math.}_{m = 1}^{r} R_{m}^{{(- 1)}^{i + r} .Math. {.Math.}_{n = 1}^{m - 1} (x_{j}^{(i)} - x_{w}^{(n)})})}^{\frac{1}{{.Math.}_{j = 1}^{r} (γ - x_{w}^{(l)})}}$
for a value of w∈[1,d.sub.x], for example, w=1.

(116) The calculation of the new value DK.sub.i, custom character be implemented by each processing entity in accordance with the invention. This calculation can alternatively be carried out by a third entity. Any other procedure to update said key can also be used.

(117) The invention provides as an alternative that revocation data can be transmitted, to processing entities in conjunction with encrypted control words. Thus, it is not necessary to transmit said data in a dedicated mode. These can, for example, be an integral part of the ciphertext such that c=(W.sub.1,W.sub.2,s,U,D custom character ) according to the second embodiment of a method provided by the invention for transmitting a control word.

(118) In addition, it may be provided that the modification of the decryption key DK.sub.i←DK.sub.i, custom character be performed by the processing entity just before the step to generate a control word.

(119) We can see that to implement a permanent revocation, the step performed by the server to generate the key DK.sub.i, as well as the one performed by the entities to generate the plaintext of the control word k, are unchanged. The generator h, in turn, is no longer fixed to generate the ciphertext. Indeed, h depends on all the entities revoked. The decryption key is also no longer fixed when generating the plaintext k.

(120) The invention further provides to adapt a method consistent with the invention, to implement a temporary revocation. As before, let us use the example of the second embodiment of a method according to the invention to illustrate this feature. Similarly, let us consider that the treacherous entities are entities E1 to Er (or the secure subscriber devices 1.sub.1 à 1.sub.r) numbered from 1 to r.

(121) A first additional step consists—just as for the permanent revocation—in calculating revocation data D custom character such that D=(R.sub.1, . . . , R.sub.r) with

(122) $R_{1} = h^{\frac{1}{γ + x_{j}^{(i)}}}, R_{2} = h^{\frac{1}{(γ + x_{j}^{(1)}) .Math. (γ + x_{j}^{(2)})}}, .Math., R_{r} = h^{\frac{1}{(γ + x_{j}^{(1)}) .Math. (γ + x_{j}^{(r)})}}$
for a value of j∈[1,d.sub.x], for example, j=1. The value of the generator h is then modified to take the value of

(123) $R_{r} : h \leftarrow R_{r} = h^{\frac{1}{(γ + x_{j}^{(1)}) .Math. (γ + x_{j}^{(r)})}} .$

(124) The server produces the encrypted control word as a result of components such that c=(W.sub.1,W.sub.2,s,U,D custom character ,x.sub.j.sup.(1), . . . , x.sub.j.sup.(r)). The first four components W.sub.1, W.sub.2, s and U are typically generated (with the difference that h is modified in advance) such that h←R.sub.r). U=(U.sub.1, . . . , U.sub.d.sub.s) is a vector of the d.sub.s values such that

(125) 0 $U_{1} = h^{\frac{1}{γ + s_{1}}}, U_{2} = h^{\frac{1}{(γ + s_{1}) .Math. (γ + s_{2})}}, .Math., U_{d_{s}} = h^{\frac{1}{(γ + s_{1}) .Math. (γ + s_{d_{s}})}}, W_{1} = {(g^{γ})}^{m}, W_{2} = h^{\frac{m}{(γ + s_{1}) .Math. (γ + s_{d_{s}})}} = U_{d_{s}}^{m},$
m being an integer. The ciphertext also includes D custom character and x.sub.j.sup.(1), . . . , x.sub.j.sup.(r) for the chosen value of j.

(126) Upon receiving an encrypted control word c, a processing entity Ei implements a step to generate the plaintext of said control word.

(127) This step is adapted to calculate k such that

(128) $k = e (g^{γ}, {.Math.}_{j = 1}^{d_{x}} {(B_{j}^{(i, ℛ)})}^{\frac{1}{{.Math.}_{l = 1}^{d_{s}} (γ + s_{l})}}), .Math. e (A_{i}, W_{2})$ $where {.Math.}_{j = 1}^{d_{x}} {(B_{j}^{(i, .Math.)})}^{\frac{1}{{.Math.}_{l = 1}^{d_{s}} (γ + s_{l})}} = {.Math.}_{j = 1}^{d_{x}} {(B_{j}^{(i)} .Math. {.Math.}_{y = 1}^{r} U_{y}^{{(- 1)}^{i + r} .Math. {.Math.}_{n = 1}^{y - 1} (x_{j}^{(i)} - s_{n})})}^{\frac{1}{{.Math.}_{l = 1}^{r} (x_{j}^{(i)} - s_{l})}} .$

(129) We can see that to implement a temporary revocation, the step to generate key DK.sub.i remains unchanged. The generator h is no longer fixed because it depends on all the revoked entities. The step to generate a ciphertext is simply preceeded by the assignment of said generator before generating a ciphertext. The production of the plaintext of the control word k is adapted to implement the temporary revocation.

(130) The invention has been described in connection with the field of conditional access to protected content as an example of preferred application. The invention could be applied to other fields where it is necessary to transmit to a plurality of processing entities a ciphertext whose plaintext is used, by such entities.

Method and system for conditional access to a digital content, associated terminal and subscriber device

Assignee

Inventors

Cpc classification

Classification Explorer

H04L9/083

ELECTRICITY

Classification Explorer

H04L9/0816

ELECTRICITY

Classification Explorer

H04L2209/60

ELECTRICITY

Classification Explorer

H04L9/3073

ELECTRICITY

International classification

Classification Explorer

H04L9/00

ELECTRICITY

Classification Explorer

H04L9/08

ELECTRICITY

Classification Explorer

H04L9/30

ELECTRICITY

Abstract

Claims

Description