Conditional access systems are well known and widely used in conjunction with currently available pay television systems. At present, such systems are based on the transmission of services encrypted with control words (also referred to as service encryption keys) that are received by subscribers having a set-top box and a smartcard for each subscription package. Typically these services are transmitted by a head-end system in a broadcast stream. Implementations are known wherein set-top box functionality is integrated into a device like a television, a personal video recorder, a mobile phone, a smart phone or a computer appliance. Smartcard implementations are known wherein the smartcard is a separate card that is manually inserted into the set-top box before operation or a surface mounted device integrated into the set-top box. Software implemented smartcards are known that run as a software module in the set-top box. The smartcard for a subscription package from a particular service provider allows the encrypted services within the package to be decrypted and viewed. The broadcast stream further contains entitlement management messages (EMMs), also referred to as key management messages (KMMs), and entitlement control messages (ECMs), which are necessary for the smartcard to decrypt the service. The control word is the primary security mechanism for protecting the service data and changes relatively frequently. ECMs are used to carry the control word in encrypted form, and are therefore sent relatively frequently. EMMs are used to convey the secret keys used to decrypt the ECMs to extract the control word, to decrypt other data related to the addition or removal of viewing/usage rights, and/or to decrypt other user-specific data. As such there are different kinds of EMMs, which are sent with varying degrees of frequency, but invariably somewhat slower or much slower than the frequency at which ECMs are sent.
Elliptic curve cryptography is a known technique for encrypting and digitally signing messages such as EMMs and ECMs. An elliptic curve cryptosystem implementing an elliptic curve cryptographic technique performs arithmetic operations on an elliptic curve over a finite field determined by predefined elliptic curve domain parameters. The elliptic curve domain parameters are stored in the head-end system for encryption and signing purposes and stored on the smartcard for decryption and signature verification purposes.
Elliptic curve cryptography typically uses one of the following two sets of elliptic curve domain parameters: elliptic curve domain parameters over the prime finite field F_p, and elliptic curve domain parameters over the binary finite field F_2^m.
The elliptic curve domain parameters over F_p are p, a, b, G, n and h. Parameter p is a prime specifying the finite field F_p. Parameters a ∈ F_p and b ∈ F_p specify the elliptic curve E(F_p) defined by the equation y^2 = x^3 + a·x + b. Parameter G is a base point (G_x, G_y) of a cyclic subgroup of points on the elliptic curve. Parameter n is the order of G, i.e. the smallest positive integer n such that n·G = O (O being the point at infinity), which is a prime number. Parameter h is the cofactor |E(F_p)|/n.
The elliptic curve domain parameters over F_2^m are m, f(x), a, b, G, n and h. Parameter m is an integer specifying the finite field F_2^m. Parameter f(x) is an irreducible binary polynomial of degree m specifying the representation of F_2^m. Parameters a ∈ F_2^m and b ∈ F_2^m specify the elliptic curve E(F_2^m) defined by the equation y^2 + x·y = x^3 + a·x^2 + b in F_2^m. Parameter G is a base point (G_x, G_y) of a cyclic subgroup of points on the elliptic curve. Parameter n is the order of G, i.e. the smallest positive integer n such that n·G = O (O being the point at infinity), which is a prime number. Parameter h is the cofactor |E(F_2^m)|/n.
Encryption is the process of transforming information (also known as plaintext) using an algorithm (also known as a cipher) to make it unreadable to anyone except those possessing a decryption key. A known public-key encryption scheme based on elliptic curve cryptography is the Elliptic Curve Integrated Encryption Scheme (ECIES). ECIES is described in e.g. M. Abdalla, M. Bellare, P. Rogaway, "DHAES: An encryption scheme based on the Diffie-Hellman problem", http://www-cse.ucsd.edu/users/mihir/papers/dhies.html, 18 Sep. 2001, and is standardized in e.g. ANSI X9.63 and IEEE P1363A, which are incorporated by reference in their entirety in the present application. ECIES uses the receiver's private key (denoted as parameter d_receiver) and public key (denoted as parameter Q_receiver) in the encryption/decryption process. Herein, parameter d_receiver is typically a randomly selected integer in the interval [1, n−1]. Parameter Q_receiver typically equals d_receiver·G.
To encrypt a plaintext message using ECIES, the head-end system performs the following. Firstly, a random number r is generated and a random point R = r·G is calculated, resulting in R = (R_x, R_y). Secondly, a shared secret S = P_x is derived, where P = (P_x, P_y) = r·Q_receiver (and P is not the point at infinity). Thirdly, a key derivation function (KDF), such as KDF1 or KDF2 as defined in ISO/IEC 18033-2, is used to derive a symmetric encryption key by calculating k_E = KDF(S). Fourthly, the message is encrypted using the encryption key k_E by calculating E(k_E; message). Fifthly, the result of the encryption is output as R ∥ encrypted_message, i.e. the random point R concatenated with the encrypted message.
To decrypt the message using ECIES, the smartcard performs the following. Firstly, the shared secret S = P_x is derived, where P = (P_x, P_y) = d_receiver·R. Secondly, the KDF is used to derive the symmetric encryption key by calculating k_E = KDF(S). Thirdly, the message is decrypted using the encryption key k_E by calculating E^-1(k_E; encrypted_message).
A digital signature is a type of asymmetric cryptography used to simulate the security properties of a handwritten signature on paper. A digital signature provides authentication of a message. A known public-key signature algorithm based on elliptic curve cryptography is the Elliptic Curve Digital Signature Algorithm (ECDSA). ECDSA is standardized in e.g. ANSI X9.62, FIPS 186-2, IEEE P1363 and ISO 15946-2, which are incorporated by reference in their entirety in the present application. ECDSA uses the sender's private key (denoted as parameter d_sender) and public key (denoted as parameter Q_sender) in the signing/verification process. Herein, parameter d_sender is typically a randomly selected integer in the interval [1, n−1]. Parameter Q_sender typically equals d_sender·G.
To digitally sign a message using ECDSA, the head-end system performs the following. Firstly, a hash e of the message is calculated as e = H(message), where H is a cryptographic hash function such as SHA-1 as defined in FIPS PUB 180-1. Secondly, a random integer k is selected from [1, n−1]. Thirdly, signature component r_signature = x_1 (mod n) is calculated, where (x_1, y_1) = k·G. If r_signature equals 0, the second operation is repeated. Fourthly, signature component s_signature = k^-1·(e + r_signature·d_sender) (mod n) is calculated. If s_signature equals 0, the second operation is repeated. Fifthly, the resulting signature is output as r_signature ∥ s_signature, i.e. signature component r_signature concatenated with signature component s_signature.
To verify the digital signature of the message using ECDSA, the smartcard performs the following. Firstly, it is verified that signature component r_signature and signature component s_signature are integers in [1, n−1]. If not, the signature is invalid. Secondly, the hash e of the message is calculated as e = H(message), where H is the same function used in the signature generation. Thirdly, w = s_signature^-1 (mod n) is calculated. Fourthly, u_1 = e·w (mod n) and u_2 = r_signature·w (mod n) are calculated. Fifthly, (x_1, y_1) = u_1·G + u_2·Q_sender is calculated. Sixthly, it is concluded that the signature is valid if x_1 ≡ r_signature (mod n) and invalid otherwise.
The process of both encrypting and digitally signing data is also known as signcryption.
In FIG. 1A a prior art example of an EMM or ECM before and after applying ECIES encryption is shown. The unencrypted ECM/EMM 10 in this example has a 6-byte header 11 and a 50-byte payload 12. The payload 12 is encrypted using ECIES and a 192-byte public key. This is also known as encrypting using ECC-192. The resulting encrypted EMM/ECM 20 contains the header 11, a 48-byte random point R = (R_x, R_y) 21 and a 50-byte encrypted payload 22. Thus, the encrypted EMM/ECM packet 20 in this example is 48 bytes longer after encryption, due to the 48-byte overhead of random point R 21. It is possible to use a public key of a different size, resulting in a random point R = (R_x, R_y) of a different size.
In FIG. 1B a prior art example of an encrypted EMM or ECM before and after applying ECDSA digital signing is shown. The encrypted EMM/ECM 20 in this example has a 6-byte header 11, a 48-byte random point R = (R_x, R_y) 21 and a 50-byte encrypted payload 22. The encrypted EMM/ECM is digitally signed using ECDSA and a 192-byte public key. This is also known as digitally signing using ECC-192. The resulting signed and encrypted EMM/ECM 30 contains the encrypted ECM 20, a 24-byte signature component r_signature 31 and a 24-byte signature component s_signature 32. Thus, the digitally signed and encrypted ECM packet 30 in this example is 48 bytes longer after digital signing, due to the 24-byte overhead of signature component r_signature 31 and the 24-byte overhead of signature component s_signature 32. It is possible to use a public key of a different size, resulting in signature components of a different size.
ECIES and ECDSA increase the size of messages. In the example of ECC-192 a total of 96 bytes are added to the message after applying ECIES and ECDSA. For EMMs and ECMs with a typical data packet size of 184 bytes, this overhead is significant.
In EP0874307A1 a method is disclosed for multiplying a point P on an elliptic curve E by a value k in order to derive the point kP. The method is disclosed for elliptic curves over a binary field F_2^m only. The method comprises representing the number k as a vector of binary digits stored in a register and forming a sequence of point pairs (P1, P2), wherein the points of a pair differ at most by P, and wherein successive point pairs are selected either by computing (2mP, (2m+1)P) from (mP, (m+1)P) or by computing ((2m+1)P, (2m+2)P) from (mP, (m+1)P). The computations may be performed without using the y-coordinate of the points during the computation, while allowing the y-coordinate to be recovered at the end of the computation, thus avoiding inversion operations during the computation and therefore speeding up the cryptographic processor functions. EP0874307A1 also discloses a method for accelerating signature verification between two parties. In EP0874307A1, signcrypted messages disadvantageously have an increased size due to the overhead added to the messages by encrypting and digitally signing them.
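The ECIES encryption/decryption and ECDSA signing/verification procedures described above, the 48-byte overheads of FIG. 1A and FIG. 1B, and the (mP, (m+1)P) point-pair ladder of EP0874307A1 are brought together in the following Python example. It is added here for illustration and is not code from this application, from EP0874307A1 or from any of the cited standards. It assumes the NIST P-192 (secp192r1) domain parameters from FIPS 186 / SEC 2, so that one coordinate is 24 bytes and ECC-192 sizes come out as in the figures; the KDF is a KDF2-style counter hash over SHA-256 and E(k_E; message) is a keystream XOR, both constructed stand-ins rather than a conformant ECIES profile, and the hash for ECDSA is SHA-256 truncated to the bit length of n rather than the SHA-1 of the text. The scalar multiplication is written as a Montgomery ladder so that the (2mP, (2m+1)P) / ((2m+1)P, (2m+2)P) pair sequence of EP0874307A1 is visible, but in affine coordinates over F_p with inversions, not that patent's x-only binary-field form. Before the receiver's private key is used, the point R taken from the message is checked to lie on the curve, which a smartcard must do to avoid working with an off-curve point.

```python
import hashlib
import secrets

# NIST P-192 (secp192r1) domain parameters p, a, b, G, n (h = 1) from FIPS 186 / SEC 2;
# 192-bit coordinates give the 24-byte field sizes of FIG. 1A/1B.
P = 0xfffffffffffffffffffffffffffffffeffffffffffffffff
A = P - 3
B = 0x64210519e59c80e70fa7e9ab72243049feb8deecc146b9b1
G = (0x188da80eb03090f67cbf20eb43a18800f4ff0afd82ff1012,
     0x07192b95ffc8da78631011ed6b24cdd573f977a11e794811)
N = 0xffffffffffffffffffffffff99def836146bc9b1b4d22831
CB = 24      # bytes per 192-bit coordinate: R = (Rx, Ry) and r || s each take 48 bytes
O = None     # the point at infinity

def is_on_curve(pt):
    return pt is O or (pt[1] ** 2 - (pt[0] ** 3 + A * pt[0] + B)) % P == 0

def point_add(p1, p2):
    if p1 is O or p2 is O:                          # O is the neutral element
        return p2 if p1 is O else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:             # P + (-P) = O
        return O
    if p1 == p2:                                    # tangent slope for doubling
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:                                           # chord slope for addition
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def scalar_mult(k, pt):
    """k*pt by a Montgomery ladder: (r0, r1) = (m*pt, (m+1)*pt) becomes (2m, 2m+1) on a 0 bit
    and (2m+1, 2m+2) on a 1 bit, the pair sequence of EP0874307A1 (affine over F_p here)."""
    r0, r1 = O, pt
    for bit in bin(k)[2:]:
        if bit == "0":
            r0, r1 = point_add(r0, r0), point_add(r0, r1)
        else:
            r0, r1 = point_add(r0, r1), point_add(r1, r1)
    return r0

def keygen():
    d = secrets.randbelow(N - 1) + 1                # private key d in [1, n-1]
    return d, scalar_mult(d, G)                     # public key Q = d*G

def kdf(shared_x, length):
    """KDF2-style counter hash, Hash(S || ctr) for ctr = 1, 2, ... (a constructed stand-in)."""
    s, out, ctr = shared_x.to_bytes(CB, "big"), b"", 1
    while len(out) < length:
        out += hashlib.sha256(s + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:length]

def ecies_encrypt(q_receiver, message):
    r = secrets.randbelow(N - 1) + 1
    big_r = scalar_mult(r, G)                       # random point R = r*G
    p_x, _ = scalar_mult(r, q_receiver)             # P = r*Q_receiver, shared secret S = P_x
    k_e = kdf(p_x, len(message))                    # k_E = KDF(S)
    enc = bytes(m ^ k for m, k in zip(message, k_e))   # E(k_E; message) as a keystream XOR
    return big_r[0].to_bytes(CB, "big") + big_r[1].to_bytes(CB, "big") + enc   # R || ciphertext

def ecies_decrypt(d_receiver, blob):
    big_r = (int.from_bytes(blob[:CB], "big"), int.from_bytes(blob[CB:2 * CB], "big"))
    if not is_on_curve(big_r):                      # never feed an off-curve point to the private key
        raise ValueError("R is not on the curve")
    p_x, _ = scalar_mult(d_receiver, big_r)         # P = d_receiver*R yields the same S
    enc = blob[2 * CB:]
    return bytes(c ^ k for c, k in zip(enc, kdf(p_x, len(enc))))

def hash_to_int(message):                           # e = H(message), truncated to bitlen(n)
    return int.from_bytes(hashlib.sha256(message).digest(), "big") >> (256 - N.bit_length())

def ecdsa_sign(d_sender, message):
    e = hash_to_int(message)
    while True:                                     # back to step two while r or s is 0
        k = secrets.randbelow(N - 1) + 1
        r = scalar_mult(k, G)[0] % N
        s = pow(k, -1, N) * (e + r * d_sender) % N if r else 0
        if r and s:
            return r.to_bytes(CB, "big") + s.to_bytes(CB, "big")   # r_signature || s_signature

def ecdsa_verify(q_sender, message, sig):
    r, s = int.from_bytes(sig[:CB], "big"), int.from_bytes(sig[CB:], "big")
    if not (1 <= r < N and 1 <= s < N):             # step one: range check
        return False
    w = pow(s, -1, N)
    pt = point_add(scalar_mult(hash_to_int(message) * w % N, G), scalar_mult(r * w % N, q_sender))
    return pt is not O and pt[0] % N == r

def demo(payload=bytes(range(50))):                 # constructed 50-byte payload as in FIG. 1A/1B
    d_recv, q_recv = keygen()
    d_send, q_send = keygen()
    encrypted = ecies_encrypt(q_recv, payload)
    signature = ecdsa_sign(d_send, encrypted)
    tampered = encrypted[:-1] + bytes([encrypted[-1] ^ 1])   # flip one ciphertext bit
    return {"decrypted_ok": ecies_decrypt(d_recv, encrypted) == payload,
            "signature_ok": ecdsa_verify(q_send, encrypted, signature),
            "tampered_rejected": not ecdsa_verify(q_send, tampered, signature),
            "ecies_overhead": len(encrypted) - len(payload), "ecdsa_overhead": len(signature)}
```

Calling `demo()` signcrypts a 50-byte payload and reports the two overheads, which on this curve are 48 bytes for R and 48 bytes for r_signature ∥ s_signature, i.e. the 96 bytes the text attributes to ECC-192. Note that the ECIES profiles in ANSI X9.63 also carry a MAC tag that the description above omits, and that in a real receiver the off-curve check on R is the minimum validation before the private key is used.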