The present invention relates to the cryptographic techniques used, in particular, for protecting the broadcasting of content.
It applies in particular to the case where an entity (provider) wishes to broadcast a content on a public channel that is unprotected so that only legitimate users are capable of accessing this content. The legitimate users are for example those who have paid for access rights. The provider wants the content to be kept confidential from illegitimate users, which requires the use of a particular encryption scheme accepting, for one and the same encryption key, a plurality of different but equivalent decryption keys. Each key is initially entered in the memory of a decryption device such as a decoder provided to each legitimate user.
In this context, it is desirable to prevent or discourage the manufacture of illegitimate (pirate) decoders, and the broadcasting of illegitimate keys, on the Internet network for example. When a user obtains such a key or such an illegitimate decoder, it is useful to have a means making it possible to determine the identity of at least one legitimate user (traitor) having contributed to producing it. This capability is called traceability.
Another useful operation in this context of application of cryptography is that consisting in revoking the decryption keys of certain users. It allows the provider to disable certain decryption keys of his choice. A disabled (or revoked) key cannot be used to correctly decrypt an encrypted content after revocation.
In a typical application, the provider or broadcaster encrypts the content with the aid of a symmetric session key K of relatively small size, then broadcasts this encrypted content accompanied by a cryptogram transporting an encrypted version of the session key K. Each user then uses his decryption key suitable for recovering the session key K, then uses this key K in order to decrypt the broadcast content. The session key K is renewed at regular time intervals, for example of the order of a few seconds, so that its publication in real time is too constricting for the pirates. All the technical difficulty therefore resides in the design of a safe method (encryption scheme) in order to encrypt the session key K, accepting multiple equivalent decryption keys.
The known methods for responding to this need have a certain limitations. In particular, the encryption procedure usually requires prior knowledge of the group of legitimate users, which greatly complicates the management thereof in the applications where the legitimate users may be extremely numerous.
A particularly marked disadvantage is that the size of the cryptogram transporting the session key grows with the number of legitimate users. If n is the number of legitimate users, most of the known solutions produce a cryptogram of a size proportional to n. Even the best known solution, according to the Cryptology ePrint article “Fully Collusion Resistant Traitor Tracing With Short Ciphertexts and Private Keys” by D. Boneh, A. Sahai and B. Waters, available on the Internet, imposes a cryptogram of a size proportional to √{square root over (n)}.
Certain encryption schemes are only partially traceable, in the sense that the analysis of a pirate decoder or an illegitimate key will not make it possible to determine one of the traitors at the origin of its design unless the number of traitors is less than a threshold number smaller than n. In this case, the higher the threshold k, the less effective (in terms of size of the cryptogram and/or size of the decryption keys) are these schemes.
Other schemes, as in the article “New Traitor Tracing Schemes Using Bilinear Map”, by To, Safavi-Naini and Zhang (DRM'03), are not resistant to certain attacks, which make them untraceable.
In certain encryption schemes, the size of the decryption keys is very large, which makes these solutions unusable in practice, particularly in embedded environments, such as for example mobile telephones, which have only small memory and/or computing capabilities.
Most of the existing schemes are not compatible with the “Black Box” model. In this model, the functionality of traceability operating on a pirate decoder does not require the logical or physical disassembly of the decoder, but can on the contrary identify a traitor from simple executions of the decoder. Therefore, this model is particularly relevant when the pirate decoder is a program that can be executed partially or totally obfuscated in order to hide the decryption key that it uses.
Certain encryption schemes do not allow the revocation of keys, which forces the broadcaster to renew all the decryption keys with the legitimate users at regular time intervals.
Other schemes (such as in “A public-key traitor tracing scheme with revocation using dynamic shares” by Wen-Guey Tzeng and Zhi-Jia Tzeng, PKC 2001) allow the revocation of keys, but provide for the broadcasting of the decryption keys to be revoked, which makes the revocation permanent. For applications such as the broadcasting of pay television channels, it may be necessary to revoke decryption keys only for the broadcasting of certain programs. It is therefore required that this revocation does not reveal the decryption keys to be revoked, so that they can be usable again for the broadcasting of other programs for example.
Certain schemes such as in “Revocation and Tracing Schemes for Stateless Receivers” by Naor et al (Crypto 2001) provide that the decryption keys are of inconstant size, depending on the total number of users, and having certain portions in common with one another. Therefore, the memory space necessary on the receiver side must be fairly large.
Relating to the broadcasting of content on mobile telephones (applications called mobile TV), the limitations in terms of memory space and computing time are such that there is currently no solution that can be traced, even partially, or that can be revoked. The current technique assigns the same decryption key to all the users, which is not protective for the providers since a traitor-user who manages to find out his key, and who for example broadcasts it on the Internet, cannot be identified.
There is therefore a need for an encryption/decryption method which provides both traceability and revocability, while minimizing the costs for the content broadcaster and the users.