As is generally known, a scrambled broadcast system must scramble and transmit, from the broadcast station to the receiver terminal of each subscriber, not only a television signal which contains a video signal or an audio signal but also control information for controlling the receiver terminal.
In the conventional scrambling, the message data to be transmitted is first subjected to redundancy adding processing and is then subjected to the encrypting processing, which is composed of a first and a second operation processing. For instance, if the message data is "83", the redundancy adding processing adds the fixed redundancy data "23" to the message data so as to generate the redundancy added data "8323".
Then, by adding 1 to each digit of the redundancy added data "8323" (8+1=9, 3+1=4, 2+1=3, 3+1=4), the first operation processing for generating data "9434" is executed.
From the data "9434" which is obtained by the first operation processing, the digits are converted into binary numbers, as shown in FIG. 1 as the bits "3" (MSB) through "0" (LSB) in the table. These are then converted into hexadecimal numbers by reading out the bits "3" (MSB) through "0" (LSB) laterally in the table and then reading out the hexadecimal numbers vertically in the table, starting from the bottom "A" to the top "8". Thus, the second operation processing for producing the encrypted data "A258" is executed. Therefore, the message data "83" is scrambled to be the data "A258".
Further, at the receiver terminal the same processing is executed on the received data in the reverse order, so as to discriminate whether tampering has occurred in the course of transmission by determining whether the added redundancy data "23" is reproduced or not.
However, in the conventional scrambled television broadcast system, the redundancy added data is fixed and the scrambling of the same message data always results in the same data. So, there are problems in that, when the message is transmitted over and over, the possibility of decrypting the message becomes high and tampering is easily executed.
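The conventional scrambling described above, written out as an added Python example (it is not part of the original document). The bit table follows the "83" to "A258" walk-through; keeping a digit 9 as the value 10 after the first operation is an assumption, since the text does not cover that case.

```python
REDUNDANCY = "23"  # fixed redundancy data from the text


def to_columns(rows):
    """Second operation: lay four values out as rows of a 4x4 bit table and
    read each bit column top to bottom as one value, bit 0 column first."""
    cols = []
    for bit in range(4):
        value = 0
        for row in rows:
            value = (value << 1) | ((row >> bit) & 1)
        cols.append(value)
    return cols


def to_rows(cols):
    """Inverse of to_columns: rebuild the four table rows from the columns."""
    rows = []
    for r in range(4):
        value = 0
        for bit in range(4):
            value |= ((cols[bit] >> (3 - r)) & 1) << bit
        rows.append(value)
    return rows


def scramble(message):
    """Scramble a two-digit decimal message as described in the text."""
    if len(message) != 2 or not message.isdigit():
        raise ValueError("message must be two decimal digits")
    added = message + REDUNDANCY           # redundancy adding: "83" -> "8323"
    first = [int(d) + 1 for d in added]    # first operation: 8,3,2,3 -> 9,4,3,4
    # Assumption: a digit 9 stays as the value 10 (it still fits in four bits).
    return "".join(format(v, "X") for v in to_columns(first))


def descramble(data):
    """Reverse both operations; return (message, redundancy_ok)."""
    if len(data) != 4:
        return None, False
    digits = [v - 1 for v in to_rows([int(ch, 16) for ch in data])]
    if any(not 0 <= d <= 9 for d in digits):
        return None, False                 # not a valid scrambled block
    text = "".join(str(d) for d in digits)
    return text[:2], text[2:] == REDUNDANCY


def distinct_outputs(message, transmissions):
    """Count distinct scrambled blocks seen when one message is resent."""
    return len({scramble(message) for _ in range(transmissions)})
```

Because the redundancy data is fixed and nothing else varies, `distinct_outputs` returns 1 however often the message is resent, which is the weakness the text identifies.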
As is generally known, it is necessary in subscriber television broadcast systems to transmit not only a television signal carrying a video signal and an audio signal but also control information for controlling a receiver terminal to the receiver terminal of each subscriber.
In the transmission systems for the control information, there are two kinds of control, i.e., an outband control and an inband control. The former is for independently transmitting the television signal and the control information through separate transmission channels, and the latter is for transmitting them using a common transmission channel by multiplexing the control information to the television signal.
The inband control is more useful than the outband control since it does not need separate transmission lines, and it can be put into practice in the future. However, in the inband control, the control information is not always transmitted by multiplexing it to the television signals in all channels. For instance, in some channels it is transmitted by multiplexing it to the television signals, and in some channels it is not multiplexed to the television signals at all. Furthermore, when it is transmitted by multiplexing it to the television signal in some channel, it may be transmitted at regular or irregular intervals.
Thus, in the conventional receiver terminal, the latest control information is obtained by controlling the receiver to automatically receive the channel containing the control information at all times except when a channel which does not contain the control information is selected by a user, especially when the power switch of the receiver terminal is turned OFF. However, since power is kept applied to most circuits of the receiver terminal while the channel containing the control information is received, there is an economical disadvantage which results from high power consumption, and some measures must be taken in response to the generated heat.
One example of the subscriber pay television broadcast system is presented in "Report to Technical Conditions on a Pay Television Broadcast System by Satellite Broadcast" (hereinafter referred to as Document 1) submitted in November 1988 in response to the inquiry from the Telecommunicating Technical Council.
FIG. 2 shows the arrangement of the pay broadcast system presented in Document 1 and a PN (pseudo random noise) signal adding system which is used as the scramble system.
In the pay broadcast system, a broadcast signal transmitted from a broadcast station 110 to a decryptor 210 contains scrambled video signals and sub-signals. The sub-signals contain scrambled digital audio signals, program information and peculiar information regarding the decryptor 210.
At the broadcast station 110, using the decryptor ID in the peculiar information regarding the decryptor 210 (which includes a work-key Kw, subscription conditions and the decryptor ID), a master-key Kmi is obtained from a master-key file 110g, and the peculiar information is encrypted in an encryptor 110f using the master-key Kmi. Further, using the work-key Kw, program information such as the scramble-key Ks, a broadcast station ID, service information, date information, etc. is encrypted in an encryptor 110e.
Although details of the scramble system will not be described here as it is not directly concerned with the present invention, video and audio signals are scrambled in a video scrambler 110a and an audio scrambler 110b using the PN signal. The PN signals for scrambling are random data which change successively, and the signals are fed from a PN signal generator 110c. The initial state of the PN signal generator 110c is set up by the scramble-key Ks.
The scrambled audio signals are multiplexed with timing information which initializes the PN generator 110c, encrypted program information and peculiar information in a multiplexer 110d and provides sub-signals as a result of such multiplexing. The sub-signals and the scrambled video signals are output from the broadcast station 110 as a broadcast signal (radio broadcast signal).
The privacy of the broadcast signal is enhanced by the triple encrypted structure using the work-key Kw, the master-key Kmi and the scramble-key Ks. Further, the peculiar information can be sent to the subscriber terminal decryptor 210 through a telephone line or an IC card.
In the decryptor 210, the audio signal, program information and peculiar information are extracted from the sub-signal of the broadcast signal in an extractor 120d. The extracted peculiar information is decrypted and restored at a decryptor 210f using the master-key which has been imparted beforehand to the decryptor. As the decrypting can be correctly executed only with the same master-key Kmi as was used for the encrypting in the encryptor 110f, only the decryptor imparted with the master-key Kmi is able to decode the peculiar information.
Program information is decrypted in a decryptor 210e using the work-key Kw from the encrypted peculiar information received in the receiver. In this case, unless the same work-key Kw as was used for the encrypting in the encryptor 110e is used, the program information cannot be correctly decrypted.
The program information and peculiar information thus obtained are collated in a subscription condition collator 210g. Here, when both subscription conditions agree with each other it is determined that the information can be descrambled, and a PN generator 210c is placed in the operating state by the determining signal.
The PN generator 210c generates the PN signal using the scramble-key Ks of the program information which is obtained in the decryptor 210e. In the video descrambler 210a and the audio descrambler 210b, the descrambling is executed through addition, etc. using the PN signal.
The scramble-key Ks is information essential to descrambling video and audio signals, and only when it is the same value as in the scrambling can the audio and video signals be descrambled and output. As the work-key Kw is needed to restore the scramble-key Ks, a decryptor that does not have the work-key Kw cannot obtain the proper scramble-key Ks.
Further, peculiar information containing the work-key Kw is transmitted from the broadcast station 110 so that the work-key Kw can be changed, and the peculiar information is supplied to the decryptor of a subscriber who desires to continue the subscription. To restore the peculiar information containing the work-key Kw, the master-key Kmi is needed, and only a decryptor that has the master-key Kmi can receive the peculiar information.
The master-key Kmi is set at a different value in every peculiar decryptor. The values are factory-preset before their delivery to subscribers.
In a decryptor used in the pay broadcast system as described above, such processing as encrypting/decrypting and collating of subscription conditions is generally executed using a data processing system which uses a microcomputer (hereinafter referred to as the microcomputer system). A circuit containing the microcomputer system is incorporated into an IC card so as to make it exchangeable. FIG. 3 shows an example of the structure of a decryptor which executes the encrypting/decrypting processing and the collation of subscription conditions using the IC card.
The decryptor, as shown in FIG. 3, has the same arrangement as the decryptor 210 shown in FIG. 2 and a microcomputer system for executing the processing is incorporated into an IC card 220. The IC card 220 and the main body of the decryptor can communicate signals through a connector.
The IC card 220 has non-volatile memories 210j and 210k (hereinafter referred to as the master-key housing memory and the ID housing memory) such as a ROM for storing the master-key Kmi, and an ID collator 210h is provided in the main body of the decryptor. The ID contained in the peculiar information extracted from the sub-signal of the broadcast signal is collated with the ID in the IC card 220 in the ID collator, and the peculiar information is fed to the IC card 220 when both IDs agree with each other.
When program information and peculiar information are decrypted (210e, 210f) to collate the subscription conditions and these conditions agree with each other, a switch 210i is turned ON and the scramble-key is fed to the PN generator 210c. Thus, the peculiar information is selected and subscribers are limited to those who subscribe to the peculiar information being fed to the IC card 220. Here, the ID collator 210h is a circuit required because the communication data rate with the IC card 220 is limited.
FIG. 4 shows the arrangement of the PN generator 210c shown in Document 1. The PN generator is comprised of linear feedback shift registers (LFSR) 211a, 211b and 211c and nonlinear function (NF) logic 212a, 212b and 212c.
The scramble-key Ks is taken into the LFSRs 211a through 211c for initializing the PN generator when there are load timing pulses obtained from the sub-signal of the broadcast signal. 13 bits of the scramble-key Ks are fed to registers of the LFSR 211a, 11 bits are fed to registers of the LFSR 211b, and 8 bits are fed to registers of the LFSR 211c.
A general arrangement of the LFSRs 211a through 211c, known for generating an M-series PN code, is shown in FIG. 5. The LFSRs are comprised of an n-stage shift register 2111 and an EX-OR 2112, wherein a k-th state (1 ≤ k ≤ n) of the shift register 2111 is sequentially subjected to the EX-OR operation and fed to the first stage of the shift register 2111 as an input. A shift clock is fed to the shift register 2111 so as to change the stages.
A shift clock which is synchronized with the audio signal and the video signal is fed to the LFSRs 211a through 211c, and outputs from six registers in the LFSRs 211a through 211c are fed to the NF logics 212a through 212c.
The NF logics 212a through 212c are constructed using a ROM and convert 6-bit outputs from the LFSRs 211a through 211c by a fixed nonlinear logic according to mask patterns to output them by 1-bit.
A selector switch 214 changes over the NF logics 212a and 212c according to the switching signal from the NF logic 212b and provides the outputs to an exclusive OR (EX-OR) circuit 213. The output from a register cell of the LFSR 211a has been fed to the EX-OR 213 and the output of the NF logic 212a or the NF logic 212c is applied to the video descrambler 210a and the audio descrambler 210b as the ON signal.
The states of the LFSRs 211a through 211c are shifted according to the shift clock from the initial state set when the scramble-key Ks was fed, and the outputs of the NF logics 212a through 212c also shift following the shift of the states. Thus, the descrambling is executed using the random PN signal obtained from the state which randomly varies.
Although the NF logics 212a through 212c are used in this example, there is also an arrangement where 1-bit register outputs of the LFSRs 211a through 211c are fed directly to the selector switch 214 or the EX-OR 213, or are used as the PN signal.
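The PN generator arrangement described above, as an added Python sketch (not taken from Document 1 or from the original text). It uses the variant in which 1-bit register outputs feed the selector switch and the EX-OR directly, because the NF ROM contents are not given; the tap positions, the register cells read out, and the order in which the bits of Ks are loaded are all assumptions.

```python
# Assumed maximal-length tap positions (stage 1 = first stage); Document 1's
# actual taps are not given in the text.
TAPS = {13: (13, 4, 3, 1), 11: (11, 9), 8: (8, 6, 5, 4)}


def lfsr_step(state, n):
    """Clock an n-stage LFSR once: EX-OR the tapped stages and feed the
    result to the first stage while every other stage shifts along."""
    feedback = 0
    for k in TAPS[n]:
        feedback ^= (state >> (k - 1)) & 1
    return ((state << 1) | feedback) & ((1 << n) - 1)


def period(n, seed=1):
    """Number of shift clocks before an n-stage LFSR returns to its seed."""
    state, clocks = lfsr_step(seed, n), 1
    while state != seed:
        state, clocks = lfsr_step(state, n), clocks + 1
    return clocks


def pn_bits(ks, count):
    """PN bits for a 32-bit scramble-key Ks, loaded as 13 + 11 + 8 bits."""
    # Assumption: low 13 bits go to 211a, the next 11 to 211b, the top 8 to 211c.
    a, b, c = ks & 0x1FFF, (ks >> 13) & 0x7FF, (ks >> 24) & 0xFF
    bits = []
    for _ in range(count):
        a, b, c = lfsr_step(a, 13), lfsr_step(b, 11), lfsr_step(c, 8)
        chosen = (c >> 7) if b & 1 else (a >> 12)   # selector switch 214
        bits.append((chosen ^ (a >> 5)) & 1)        # EX-OR 213 with a cell of 211a
    return bits


def pn_scramble(data, ks):
    """Add (XOR) the PN signal to the data; the same call descrambles."""
    bits = pn_bits(ks, 8 * len(data))
    out = bytearray()
    for i, byte in enumerate(data):
        pn = 0
        for bit in bits[8 * i:8 * i + 8]:
            pn = (pn << 1) | bit
        out.append(byte ^ pn)
    return bytes(out)
```

A key whose 13-, 11- or 8-bit part is all zeros leaves that register stuck at zero, so a real key schedule has to exclude such values.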
However, in the conventional decryptor, the system security may be reduced if the master-key Kmi, the decrypting algorithm and the mechanism of the PN generator are known to persons skilled in the art. Therefore, for example, in the example shown in FIG. 2 it is required to incorporate the video descrambler 210a, the audio descrambler 210b, the PN generator 210c and the personal computer system which are used in the decryptor 210 in a single IC chip.
Further, in case of a decryptor using the IC card 220 as shown in FIG. 3, there was a problem that the arrangement of the PN generator 210c becomes easily known to persons skilled in the art from the relation of the scramble-key Ks and the PN signal because the scramble-key Ks is fed to the PN generator 210c from the IC card 220.