1. Field of the Invention
The invention pertains to a traceable method and system for encrypting and/or decrypting broadcast data, and to recording media for implementing the method.
More precisely, the invention concerns a traceable method in which:
- when encrypting broadcast data, the transmitter applies at least one first secret cryptographic function, and
- when decrypting said broadcast data, all the decoders apply at least one same second secret cryptographic function identical to said first function or its inverse, each decoder for this purpose using a mathematical description of said second function recorded in a memory.
Traceable encrypting methods are methods in which a method for tracing traitors may be implemented.
2. Description of Related Art
Traitor tracing methods are used to fight against the pirating of services which, on a broadcast channel, distribute encrypted multimedia contents such as video, television, images, music, texts, Web pages, electronic books, programmes, etc. The purpose of traitor tracing methods is to prevent one or more lawful users of said services from re-distributing data deduced from the secret keys and decryption algorithms implanted in their decrypting equipment so as to enable unlawful users (pirates) to have in-clear access to said content. These methods guarantee that if such a fraud should occur, the identity of at least one of the lawful users at the source of the fraud may be reconstituted by the service operator distributing the content, or more generally by an authority, on the basis of the data re-distributed to unlawful users. The lawful user at the source of the fraud is called a “traitor” in the remainder of the description.
The notion of tracing traitors was proposed for the first time by Benny Chor, Amos Fiat and Moni Naor in their 1994 article “Tracing Traitors”, Advances in Cryptology, CRYPTO '94, Lecture Notes in Computer Science, vol. 839, Springer-Verlag, 1994, pp. 257-270. In this article, the first tracing techniques in a cryptographic system are put forward. The cryptographic systems in which a traitor tracing method may be implemented are called “traceable”. Almost all these techniques are of a combinatorial nature. In other words, each lawful user of the cryptographic system is allotted a sub-set of keys of a set (generally a fairly large set) of basic keys. This sub-set of basic keys allotted to a user is unique for each user and forms the user's own personal key.
The data broadcast within this system comprises encrypted messages. Each encrypted message is formed of a content, encrypted by means of a content-encrypting key, and of headers each encrypted with a basic key. Each header contains a value representing part of the content-encrypting key.
When users receive one of these messages, they use their sub-set of basic keys to decrypt some values contained in the received headers. They then combine these decrypted values to reconstitute the content-encrypting key, and this reconstituted content-encrypting key is used to decrypt the content of the message.
If one of the lawful users of the system communicates his/her personal key to an unlawful user, then in this traceable cryptographic system it is possible to trace the identity of the traitor from the personal key used by the unlawful user.
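The combinatorial scheme described above (content key split into parts, each part carried in a header encrypted under a basic key, users combining the parts they can decrypt) and the tracing step from a recovered personal key, as an added toy illustration that is not the patent's own method. The row layout, user assignment and hash-based stand-in cipher are constructed for the example:

```python
"""Toy combinatorial traceable broadcast scheme (added illustration, not the
patent's method). Constructed layout: ROWS rows of basic keys; every lawful user
holds exactly one basic key per row, and that subset is the user's personal key."""
import hashlib
import os
from typing import Dict, List, Set, Tuple

ROWS = 3           # number of parts the content-encrypting key is split into
KEYS_PER_ROW = 2   # basic keys per row (constructed, small for readability)
KeyId = Tuple[int, int]
BASIC_KEYS: Dict[KeyId, bytes] = {
    (r, c): os.urandom(16) for r in range(ROWS) for c in range(KEYS_PER_ROW)}
# Personal keys: one basic key per row, unique per user (constructed assignment)
USERS: Dict[str, Set[KeyId]] = {
    "alice": {(0, 0), (1, 0), (2, 0)},
    "bob":   {(0, 0), (1, 1), (2, 1)},
    "carol": {(0, 1), (1, 0), (2, 1)},
}

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def toy_cipher(key: bytes, data: bytes, label: bytes) -> bytes:
    # Stand-in for a real cipher: XOR with a hash-derived pad; applying it twice decrypts.
    pad = b"".join(hashlib.sha256(key + label + bytes([i])).digest()
                   for i in range((len(data) + 31) // 32))
    return xor(data, pad[:len(data)])

def encrypt_broadcast(content: bytes) -> Tuple[Dict[KeyId, bytes], bytes]:
    content_key = os.urandom(16)
    parts: List[bytes] = [os.urandom(16) for _ in range(ROWS - 1)]
    last = content_key
    for p in parts:
        last = xor(last, p)
    parts.append(last)                      # XOR of all parts equals content_key
    # One header per basic key; the header in row r carries part r of the content key.
    headers = {kid: toy_cipher(k, parts[kid[0]], b"hdr") for kid, k in BASIC_KEYS.items()}
    return headers, toy_cipher(content_key, content, b"body")

def decrypt_broadcast(personal_key: Set[KeyId], headers: Dict[KeyId, bytes], body: bytes) -> bytes:
    # A decoder decrypts only the headers matching its basic keys and combines the parts.
    content_key = bytes(16)
    for kid in personal_key:
        content_key = xor(content_key, toy_cipher(BASIC_KEYS[kid], headers[kid], b"hdr"))
    return toy_cipher(content_key, body, b"body")

def trace(pirate_key: Set[KeyId]) -> str:
    # Simplest tracing rule: the lawful user whose personal key overlaps the pirate key most.
    return max(USERS, key=lambda u: len(USERS[u] & pirate_key))
```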
However, traitor tracing methods of a combinatorial nature have the disadvantage of requiring the broadcasting of a considerable volume of headers. In particular, the number of headers to be broadcast is proportional to the logarithm of the number of lawful users of the system, and to other parameters such as the maximum size k of the traitor coalitions against which protection is sought. By coalition here is meant a group of k traitors who group together to combine their personal keys in an attempt to create a new personal key which can be used to decrypt the encrypted content, without examination of this new personal key disclosing the identity of one of the traitors.
The invention sets out to remedy this drawback by proposing a new traitor tracing method which does not require the broadcasting of a large number of headers.