One service that is required in a communication network is audio teleconferencing. This service allows a number of callers to talk together from a number of separated telephone instruments. In a secure conference call, two additional features are provided. The speech passed between the parties is encrypted, using keys known only to the sender and the receiver, so that the speech is not understandable by any eavesdropper who intercepts the call. In addition, the parties in communication are authenticated so that each is assured of the identity and clearance level of the others.
To provide the conference feature, a bridge circuit is often employed. This circuit combines the signals from all parties and distributes the results to each listener. Unfortunately, when the speech is encrypted, the bridge circuit can no longer sum the signals, as the encryption is typically a non-linear process.
In past implementations of secure conference circuits, the bridge would first decrypt the incoming signals, then sum the resulting clear speech, then encrypt the result and distribute it to all parties in the conference. This method requires the bridge circuit to know the encryption keys for all parties, and clear speech signals are contained within the unit. This means that the conference bridge itself must be considered a part of the security system. This introduces another point of weakness in the system, and some users may not wish to trust the security of a bridge operating outside their direct control. It is thus desirable to make a conference unit that can operate without requiring recourse to clear speech.
Another approach to this problem has been described in a paper by Brickell et al. in the CRYPTO '87 Proceedings, entitled "Secure Audio Teleconference". In this method, an encryption process with certain linear properties is used, which allows the bridge circuit to sum the signals in a normal manner for distribution. Unfortunately, this limits the number of applicable encryption techniques, and not all users would be willing to trust these schemes. This method also restricts the speech coding techniques allowed, produces some bandwidth expansion, and requires some synchronization (in time) of the signals from all of the conferees.
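The following added example (not taken from this document or from the Brickell et al. paper) illustrates the two points above: a keyless bridge cannot usefully sum streams encrypted with a non-linear cipher, while a cipher that is linear with respect to addition survives summation only if all streams stay sample-aligned. The additive mask modulo 2^16, the SHAKE-256 pad generator, and all function names and sample values are assumptions chosen for illustration.

```python
import hashlib

MOD = 1 << 16  # toy model: 16-bit samples, mixing wraps modulo 2**16

def keystream(key, n):
    """n 16-bit pad words from key (SHAKE-256 used as a stand-in generator)."""
    raw = hashlib.shake_256(key).digest(2 * n)
    return [int.from_bytes(raw[i:i + 2], "big") for i in range(0, 2 * n, 2)]

def xor_encrypt(samples, key):
    """XOR stream cipher: not linear with respect to addition."""
    return [s ^ k for s, k in zip(samples, keystream(key, len(samples)))]

def add_encrypt(samples, key):
    """Additive mask mod 2**16: linear with respect to addition."""
    return [(s + k) % MOD for s, k in zip(samples, keystream(key, len(samples)))]

def bridge_sum(streams):
    """Keyless bridge: sample-wise sum of whatever arrives."""
    return [sum(col) % MOD for col in zip(*streams)]

def remove_additive(mixed, keys):
    """Listener subtracts the sum of every talker's pad."""
    pads = bridge_sum([keystream(k, len(mixed)) for k in keys])
    return [(m - p) % MOD for m, p in zip(mixed, pads)]

def remove_xor(mixed, keys):
    """Listener XORs out every talker's pad (fails: XOR does not undo a sum)."""
    for k in keys:
        mixed = [m ^ p for m, p in zip(mixed, keystream(k, len(mixed)))]
    return mixed

def demo():
    # Constructed sample data: three talkers, four samples each.
    talk = {b"key-A": [100, 200, 300, 400], b"key-B": [7, 8, 9, 10],
            b"key-C": [1000, 0, 65000, 5]}
    keys, clear_mix = list(talk), bridge_sum(talk.values())
    add_ok = remove_additive(
        bridge_sum([add_encrypt(s, k) for k, s in talk.items()]), keys) == clear_mix
    xor_ok = remove_xor(
        bridge_sum([xor_encrypt(s, k) for k, s in talk.items()]), keys) == clear_mix
    # Talker B arrives one sample late: its pad no longer lines up.
    late = {k: ([0] + s[:-1] if k == b"key-B" else s) for k, s in talk.items()}
    enc = [add_encrypt(s, k) for k, s in talk.items()]
    enc[1] = [0] + enc[1][:-1]
    late_ok = remove_additive(bridge_sum(enc), keys) == bridge_sum(late.values())
    return add_ok, xor_ok, late_ok

if __name__ == "__main__":
    print(demo())
```

In this toy model the listener must hold every talker's pad, and real speech mixing would saturate rather than wrap modulo 2^16; both simplifications are part of the illustration, not properties claimed for any published scheme.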
It is thus desirable to design a method and apparatus that can function independently of the encryption process being used and that does not suffer from the above-mentioned limitations.