With the deployment of communications networks and audiovisual services, the distribution of digital content is becoming problematic from the standpoint of intellectual property rights, because copying digital data in very large quantities, and redistributing them on a large scale, has become both easy and inexpensive for individuals. Industries whose profits rely on the provision of digital data (music, video, electronic books, games software, and so on) therefore wish to protect these data against use outside the framework defined by a commercial contract between the content provider and the consumer; this is the object of Digital Rights Management (DRM). The article by P. C. van Oorschot entitled “Revisiting Software Protection” (Proceedings of the 6th “Information Security” International Conference, pages 1 to 13, Springer-Verlag, 2003) may be consulted for a general presentation of the problems related to software protection.
So-called “traitor tracing” methods are implemented to combat the fraudulent redistribution, by one or more legitimate consumers of content, of the secret identifiers contained in their decoding equipment (“decoder”, or “set-top box”), or of the decoding software itself, a redistribution which allows illicit consumers (called “pirates”) to access the plaintext content. The concept, and certain techniques, of traitor tracing were proposed by B. Chor, A. Fiat and M. Naor in their article entitled “Tracing Traitors” (Advances in Cryptology—Crypto'94, Lecture Notes in Computer Science, vol. 839, pages 257 to 270, Springer-Verlag, 1994).
Methods for tracing traitors guarantee that, if such a fraud occurs, the identity of at least one of the legitimate consumers who are the instigators of the fraud (termed “traitors”) may be reconstructed by the contents provider (or by a control authority) on the basis of the data redistributed to the illicit consumers. Encryption/decryption systems in which a method for tracing traitors may be implemented are termed “traceable”.
These techniques are customarily of a combinatorial nature, that is to say each legitimate content consumer is allotted a personal secret identifier forming part of a (generally fairly large) set of secret identifiers. The data broadcast in such a system comprise encrypted messages, each of which comprises:
- a cryptogram Cr(M) formed on the basis of a content M encrypted with the aid of a content encryption key that depends on a parameter r, the value of which is varied periodically so as to vary said encryption key, and
- one or more headers containing certain information encrypted as a function of said identifiers.
The data broadcast also comprise, as plaintext, the current value of said parameter r.
When a content consumer receives one of these messages, he decrypts said encrypted information with the aid of his personal identifier and of the parameter r. He then combines the information thus decrypted to obtain the key Kr for decrypting the content, and uses Kr to decrypt the cryptogram Cr(M). The content decryption key Kr is customarily called a “control word” in systems for pay-per-use consumption of broadcast audiovisual content.
In a “traceable” encryption/decryption system, if one of the legitimate consumers of content communicates his personal identifier to an illicit consumer, it is possible to retrieve the identity of the traitor on the basis of the personal identifier implemented by the illicit consumer.
However, methods for tracing traitors of a combinatorial nature exhibit the drawback that it is necessary to broadcast a considerable volume of headers.
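As an added illustration of the message layout and decoding steps just described (this is not the scheme of Chor, Fiat and Naor, nor any cited system), the following Python sketch assumes a key pool of L rows of two keys each; a subscriber's personal identifier is one key per row, chosen by the bits of its subscriber number. The control word Kr is split into L XOR shares, and the header carries each share encrypted under both keys of its row, so that a decoder holding one key per row recombines the shares into Kr. HMAC-SHA256 serves as a PRF and an XOR keystream stands in for a real cipher; the names Provider, broadcast, decode and trace, and the sample content, are the example's own.

```python
"""Toy traceable broadcast scheme with the message layout of the text above.

Added illustration only: L rows x 2 keys in a pool, subscriber uid holds
pool[j][bit j of uid]; Kr is split into L XOR shares, each share is sent
encrypted under both keys of its row.  HMAC-SHA256 is the PRF; the XOR
keystream is a stand-in for a real cipher.
"""
import hashlib
import hmac
import secrets

L = 8            # rows in the key pool: 2 ** L subscriber numbers
KEY_LEN = 16
SAMPLE = b"constructed sample content for the toy broadcast"   # constructed


def prf(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()


def keystream(key: bytes, label: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += prf(key, label + ctr.to_bytes(4, "big"))
        ctr += 1
    return out[:n]


def xor_crypt(key: bytes, label: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (same operation); the label keeps keystreams fresh."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, label, len(data))))


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Provider:
    def __init__(self) -> None:
        self.master = secrets.token_bytes(KEY_LEN)
        self.pool = [[secrets.token_bytes(KEY_LEN) for _ in range(2)]
                     for _ in range(L)]

    def identifier(self, uid: int) -> list:
        """Personal secret identifier of subscriber uid: one key per row."""
        return [self.pool[j][(uid >> j) & 1] for j in range(L)]

    def control_word(self, r: int) -> bytes:
        """Kr depends on the public parameter r, which changes periodically."""
        return prf(self.master, b"cw" + r.to_bytes(4, "big"))[:KEY_LEN]

    def broadcast(self, r: int, content: bytes) -> dict:
        kr = self.control_word(r)
        shares = [secrets.token_bytes(KEY_LEN) for _ in range(L - 1)]
        last = kr
        for s in shares:
            last = xor_bytes(last, s)
        shares.append(last)                 # XOR of all L shares == Kr
        rb = r.to_bytes(4, "big")
        headers = [[xor_crypt(self.pool[j][b], b"hdr" + bytes([j, b]) + rb,
                              shares[j]) for b in range(2)]
                   for j in range(L)]       # 2*L headers, whatever the audience
        return {"r": r, "headers": headers,
                "cr": xor_crypt(kr, b"content", content)}

    def trace(self, pirate_keys: list) -> int:
        """Rebuild the subscriber number from the keys found in a pirate decoder."""
        uid = 0
        for j, k in enumerate(pirate_keys):
            uid |= self.pool[j].index(k) << j   # ValueError if not a pool key
        return uid


def decode(uid: int, identifier: list, message: dict) -> bytes:
    """Legitimate decoder: open one share per row, combine into Kr, decrypt."""
    rb = message["r"].to_bytes(4, "big")
    kr = bytes(KEY_LEN)
    for j, k in enumerate(identifier):
        b = (uid >> j) & 1
        share = xor_crypt(k, b"hdr" + bytes([j, b]) + rb, message["headers"][j][b])
        kr = xor_bytes(kr, share)
    return xor_crypt(kr, b"content", message["cr"])


def demo() -> tuple:
    p = Provider()
    traitor = 0b10110101
    msg = p.broadcast(r=7, content=SAMPLE)
    plain = decode(traitor, p.identifier(traitor), msg)
    # A pirate decoder built from the leaked identifier decodes just as well,
    # but the keys it embeds give the traitor's subscriber number back.
    return plain, p.trace(p.identifier(traitor)), 2 * L, 2 ** L


if __name__ == "__main__":
    print(demo())
```

The header has 2L entries regardless of the number of subscribers, which is the combinatorial trade-off: the naive alternative of encrypting Kr once per subscriber needs one header per subscriber. The tracing step reads the subscriber number off the keys embedded in a pirate decoder, which is the situation of the next paragraph. The toy is not collusion-resistant, however: two traitors can pool their keys to build a decoder whose key set matches a third, innocent, subscriber number, and resisting such coalitions is what the codes of the traitor tracing literature are designed for.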
European patent application No. 1 634 405 discloses a method for encrypting/decrypting broadcast digital data that does not require the broadcasting of a significant number of headers. According to this method:
- during the encryption of the content to be broadcast, the sender implements at least one first secret cryptographic function, and
- during the decryption of the content, all the decoders implement at least one same second secret cryptographic function, inverse to said first function, each decoder employing for this purpose a mathematical description of said second function recorded in a memory.
During the implementation of the second function, the mathematical description of this second function employed by each decoder is different from one decoder to another, in such a way that the mathematical description employed identifies in a unique manner each particular decoder from among all of the decoders.
In the method hereinabove, it is possible to retrieve a traitor who might have communicated the mathematical description of his second secret function to an illicit consumer, on the basis of the analysis of the mathematical description of this second function implemented by the illicit consumer to decrypt the transmitted data. This is because, by construction of each mathematical description of the system, said description is representative of the identity of the traitor.
Moreover, in the method hereinabove, by virtue of the fact that the identification of a traitor no longer relies on the implementation of personal identifiers, but on the implementation of different descriptions of one and the same cryptographic function, the number of headers necessary to broadcast an encrypted message is less than the number of headers necessary to broadcast the same message encrypted with the aid of a conventional combinatorial method.
However, the method succinctly described hereinabove presents the drawback that it offers only weak protection against so-called “white-box” attacks.
Indeed, for an unscrupulous user of decoding software, another way of behaving as a “traitor” than by redistributing his software consists in analyzing the main steps implemented in this software, so as then to be able to build forged software which is:
- essentially equivalent to the copied software as regards its decryption capabilities, but
- sufficiently different from the copied software for the forgery to be difficult to detect by the contents provider (or a control authority).
Furthermore, the forged software will be easier for the traitor to distribute than the copied software if it is smaller than the copied software.
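To make concrete both the “one secret function, many descriptions” idea of the method above and the white-box forgery that weakens it, here is an added Python illustration that is not the construction of EP 1 634 405: the shared secret function is a random 8-bit permutation F, and decoder d's description is a pair of tables (A_d, B_d) with B_d[A_d[x]] == F[x], where A_d is a random bijection that identifies the decoder. The names Provider, issue, decode and forge are the example's own.

```python
"""Added illustration: one secret function, one description per decoder.

Not the construction of EP 1 634 405.  F is a random 8-bit permutation
(the 'second secret function'); decoder d receives tables (A_d, B_d) with
B_d[A_d[x]] == F[x], so every decoder computes F but no two descriptions
are alike, and the provider keeps A_d to recognise a leaked description.
"""
import random


def random_perm(rng: random.Random, n: int = 256) -> list:
    p = list(range(n))
    rng.shuffle(p)
    return p


def inverse(p: list) -> list:
    inv = [0] * len(p)
    for i, v in enumerate(p):
        inv[v] = i
    return inv


class Provider:
    def __init__(self, seed: int = 1) -> None:
        self.rng = random.Random(seed)
        self.F = random_perm(self.rng)      # the same secret function for all
        self.registry = {}                  # decoder id -> its A table

    def issue(self, decoder_id: str) -> tuple:
        """Description handed to one decoder: (A, B) with B[A[x]] == F[x]."""
        A = random_perm(self.rng)
        B = [self.F[x] for x in inverse(A)]     # B[a] = F[A^-1[a]]
        self.registry[decoder_id] = A
        return (A, B)

    def trace(self, tables) -> str:
        """Identify the decoder whose A table appears among the given tables."""
        for t in tables:
            for decoder_id, reg_a in self.registry.items():
                if t == reg_a:
                    return decoder_id
        return None


def decode(description: tuple, x: int) -> int:
    A, B = description
    return B[A[x]]


def forge(description: tuple) -> list:
    """White-box attacker: watch both lookups, compose them into bare F.
    The result is one 256-entry table, half the size of the description,
    and identical whichever decoder it came from."""
    A, B = description
    return [B[A[x]] for x in range(256)]


if __name__ == "__main__":
    p = Provider(seed=7)
    d1, d2 = p.issue("decoder-1"), p.issue("decoder-2")
    print(all(decode(d1, x) == decode(d2, x) for x in range(256)))  # same function
    print(p.trace(d1), p.trace([forge(d1)]))                        # decoder-1 None
```

Every description computes the same function, so all decoders decrypt identically, and the provider traces a leaked description by matching its A table against the registry. A white-box attacker who can observe both table lookups simply composes them: forge() yields a single table equal to F, smaller than the issued description and the same for every decoder, so nothing in it identifies the traitor. This is the forged software of the preceding paragraph.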
This context of piracy is called the “white-box attack context” in the article by S. Chow, P. Eisen, H. Johnson and P. C. van Oorschot entitled “White-Box Cryptography and an AES Implementation” (Proceedings of the “International Workshop on Selected Areas in Cryptography”, Springer, pages 250 to 270, 2003), and in the article by the same authors entitled “A White-Box DES Implementation for DRM Applications” (Proceedings of the “Second ACM Workshop on Digital Rights Management”, Springer, pages 1 to 15, 2003). This name highlights the difference between this context and the well known “black-box” context, in which a pirate seeking to analyze a piece of software can only observe pairs (input data)/(output data) associated with this software, without having access to the intermediate processing steps implemented by the software; in the white-box attack context, conversely, the pirate can observe the dynamic execution of a piece of software step by step, and even modify instructions of this software so as to study the consequences of these modifications on the processing performed by the software.
In particular, a white-box attacker can seek to retrieve the values of secret keys recorded in a piece of software, so as to use these secret keys in an equivalent piece of software available to the attacker (indeed, the algorithm implemented by the software is often known in its main steps), or on another computerized platform. The protection of these secret keys is therefore essential, but rendered all the more difficult as the cryptographic keys generally obey a very particular format which distinguishes them from the other recorded data, thus allowing a pirate to spot them fairly easily.
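The remark that keys stand out by their format can be demonstrated with the classic entropy-scan heuristic (Shamir and van Someren, “Playing hide and seek with stored keys”, 1999). The Python below is an added example written for this page, not code from the cited papers or from any real decoder; the memory image it scans is constructed inline, with low-entropy instruction-like filler and ASCII strings around a random 32-byte key.

```python
"""Added illustration: spotting a stored key by sliding-window entropy.

The image is constructed here (not a real decoder): 8-symbol filler that
mimics machine code, a repeated ASCII string with 13 distinct characters,
a random 32-byte key, more filler.  Random bytes score close to 5 bits per
byte in a 32-byte window; the filler cannot exceed log2(8) = 3 and the
strings cannot exceed log2(13) = 3.7, so a 4.5 threshold isolates the key.
"""
import math
import random

WINDOW = 32          # an AES-256 key; use 16 for AES-128


def shannon_entropy(window: bytes) -> float:
    """Bits per byte of the window's empirical distribution (0.0 .. 8.0)."""
    n = len(window)
    counts = [0] * 256
    for b in window:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def key_candidates(image: bytes, window: int = WINDOW,
                   threshold: float = 4.5) -> list:
    """(offset, entropy) of every window at or above threshold, highest first."""
    hits = []
    for off in range(len(image) - window + 1):
        h = shannon_entropy(image[off:off + window])
        if h >= threshold:
            hits.append((off, h))
    return sorted(hits, key=lambda t: t[1], reverse=True)


def build_image(seed: int = 2024) -> tuple:
    """Constructed memory image.  Returns (image, key, key_offset)."""
    rng = random.Random(seed)
    opcodes = b"\x48\x89\xe5\x00\x8b\x45\xc3\x90"          # 8 distinct values
    filler = bytes(rng.choice(opcodes) for _ in range(600))
    strings = b"License: demo\r\n" * 20                      # 13 distinct chars
    key = bytes(rng.randrange(256) for _ in range(WINDOW))   # the target
    key_off = len(filler) + len(strings)
    return filler + strings + key + filler[:300], key, key_off


def overlaps(off: int, key_off: int, n: int = WINDOW) -> bool:
    """True if the window at off shares at least one byte with the key."""
    return off < key_off + n and key_off < off + n


if __name__ == "__main__":
    image, key, key_off = build_image()
    for off, h in key_candidates(image)[:5]:
        tag = "KEY" if overlaps(off, key_off) else ""
        print(f"offset {off:5d}  entropy {h:.2f}  {tag}")
```

Windows that straddle the key and its neighbours also clear the threshold, which is why the result is a cluster of offsets around the key rather than a single hit. On real binaries the same scan also flags compressed or encrypted data and other high-entropy blobs, so it is a candidate filter, not an identifier. Implementations that never hold the key as a contiguous value in memory, which is the goal of the white-box constructions cited above, are precisely what makes this scan fail.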