1. Field of the Invention
The present invention relates generally to broadcast data encryption that uses encryption keys.
2. Description of the Related Art
U.S. Pat. No. 6,118,873, incorporated herein by reference, discloses a system for encrypting broadcast music, videos, and other content. As set forth therein, only authorized player-recorders can play and/or copy the content and only in accordance with rules established by the vendor of the content. In this way, pirated copies of content, which currently cost content providers billions of dollars each year, can be prevented.
In the encryption method disclosed in the above-referenced patent, authorized player-recorders are issued software-implemented device keys from a matrix of device keys. The keys can be issued simultaneously with each other or over time, but in any event, no player-recorder is supposed to have more than one device key per column of the matrix. Although two devices might share the same key from the same column, the chances that any two devices share exactly the same set keys from all the columns of the matrix are very small when keys are randomly assigned. The keys are used to decrypt content.
In the event that a device (and its keys) becomes compromised, deliberately or by mistake, it is necessary to revoke the keys of that device. Revoking a set of keys effectively renders the compromised device (and any clones thereof) inoperable to play content that is produced after the revocation. In the above-disclosed patent, for each revocation about 320 message bytes are required. The present invention understands that while this is effective, it is desirable to reduce the length of the revocation message even further, for efficiency.
While the system disclosed in the above-referenced patent is effective, the present invention recognizes that owing to size constraints of the header area of the message (referred to as “media key block” in the patent), only a relatively limited (10,000 for a 3M header such as DVD-Audio) number of revocations can be made during the life of the system. This number can be increased by increasing the header size, but the added revocations would be applicable only to newly made devices, and not to devices that were made before the header size increase. The present invention understands that it is desirable to be able to execute a large number of revocations of both “old” and “new” devices, i.e., to account for stateless receivers. Also, since more than one device can share any particular key with the compromised device in the above-referenced patented invention, revoking a set of device keys might result in revoking some keys held by innocent devices. As understood by the present invention it is desirable to further reduce the chances of accidentally revoking a “good” device, preferably to zero.
Moreover, the present invention is directed to the difficult scenario of “stateless” receivers, i.e., receivers that do not necessarily update their encryption state between broadcasts to accept countermeasures against compromised devices. For example, a television that subscribes to a pay channel might have its set-top box deenergized for a period of time during which updated encryption data might be broadcast over the system. Such a device would be rendered “stateless” if it happens to be unable to update itself after being reenergized, and would thus not possess updates that would be necessary for future content decryption.
In addition, there is a growing need for protecting the content of media, such as CDs and DVDs, that is sold to the public and for which it is desirable to prevent unauthorized copying. The recorders in such a system ordinarily do not interact with the players, and no player will get every possible piece of encryption data updates, since no player receives every vended disk. Consequently, as understood herein, content protection of vended media is an example of the problem of broadcast encryption to stateless receivers.
Moreover, the present invention recognizes that the presence of more than a few “evil” manufacturers (i.e., manufacturers who legally or illegally obtain keys but who in any case make many unauthorized devices having the keys) can be problematic. The present invention recognizes the desirability of accounting for potentially many “evil” manufacturers.
Other methods for broadcast encryption include those disclosed in Fiat et al., Broadcast Encryption, Crypto '93, LNCS vol. 839, pp. 257-270 (1994). This method envisions removing any number of receivers as long as at most “t” of them collude with each other. However, the Fiat et al., method requires relatively large message lengths, a relatively large number of keys be stored at the receiver, and each receiver must perform more than a single decryption operation. Furthermore, the Fiat et al. method does not envision the stateless receiver scenario. The present invention recognizes the need to avoid assuming a priori how many receivers might collude. Also, the present invention recognizes that the message size and number of stored keys be minimized, and that the number of decryption operations that must be performed by a receiver be minimized, to optimize performance.
Other encryption systems, like the Fiat et al. system, do not provide for the scenario of stateless receivers, and thus cannot effectively be applied as is to content protection of recorded media. Examples of such systems include the tree-based logical key hierarchy systems disclosed in Wallner et al., Key Management for Multicast: Issues and Architectures, IETF draft wallner-key, 1997; Wong et al., Secure Group Communication Using Key Graphs, SIGCOMM 1998; Canetti et al., Multicast Security: A Taxonomy and Some Efficient Constructions, Proc. of INFOCOM '99, vol. 2, pp. 708-716 (1999); Canetti et al., Efficient Communication-Storage Tradeoffs for Multicast Encryption, Eurocrypt 1999, pp. 459-474; and McGrew et al., Key Establishment in Large Dynamic Groups Using One-Way Function Trees, submitted to IEEE Transactions on Software Engineering (1998).
With more specificity regarding the methods of Wallner et al. and Wong et al., keys are assigned by assigning an independent label to each node in a binary tree. Unfortunately, in the referenced methods some of the labels change at every revocation. Clearly, as is, the method would be inappropriate for the stateless receiver scenario. Even were a batch of revocations to be associated with a single label change for every node, the referenced methods of Wallner et al. and Wong et al., as understood by the present invention, would require at least log N decryptions at the receiver and the transmission of r log N encryptions (wherein r is the number of devices to be revoked and N is the total number of receivers in the system), unfortunately a relatively high number. The present invention has made the critical observations noted above and has provided the below solutions to one or more of the observations.