There are currently many message encryption methods, these methods each having specific characteristics with regards to their application or their security level.
In most cases, the content is first encrypted by means of a plurality of keys which can each have a relatively short life, these keys being called “control words”. The content encrypted in this way, is transmitted to multimedia units which are subscribed to the supplier. The control-words are themselves encrypted by means of a transmission key and sent in the form of control messages (Entitlement control message ECM).
The extraction and the decryption of the control words is carried out in a security module which can have notably the form of a smart card. When the control-words have been decrypted, they can be used to decrypt the content. As this method is well known to those skilled in the art, it is not described in more detail here.
There are also methods in which the use of a security module is not necessary or desired. An example of such a method uses a specific encryption type, such as notably proposed by Blaze & Strauss (Matt BLAZE, Martin STRAUSS. Atomic Proxy Cryptography, Technical report, AT&T Research, (http://www.research.att.com/resources/trs/TRs/98/98.5/98.5.1.body.ps).
This document describes an encryption method in which a message is encrypted by means of a key bound to the emitter and sent in a conversion module, which transforms the message received into another message that can be decrypted by means of a key bound to the receiver. This conversion module does neither deliver the message in plaintext, nor the key bound to the emitter, nor the one bound to the receiver. This module also contains a particular function, called thereafter conversion function, which allows the modification of the message according to the constraints defined above.
The conversion module according to Blaze & Strauss operates in the following way:
From the encryption side, that is to say the emitter side, one has a secret key “a” and a random number generator, which generates a value “k”. This value belongs to the set 9*2q that is to say the set of integers between 0 and 2q−1 which are prime numbers with 2q. For example, if q=5, the set 9*10={;1;2;3;5;7;9}. Two values “p” and “q” are also determined such that “p” and “q” are large prime numbers and such that p=2q+1. The idea of a large number is not defined by a precise numerical value. The larger the used numbers are, the more difficult it is for a third party to find these values by successive attempts. The security level is therefore connected to the size of the used numbers.
The emitter also has a value “g” belonging to the set 9*p.
From the encryption side, these messages are also generatedC1=(mgk)mod p andC2=[(ga)k]mod p 
The value (ga)mod p is the public key of the emitter.
The couple <C1;C2> forms the message which is generated by the emitter and which is transmitted to the conversion module.
The conversion module assigns a conversion key and a conversion function.
The key is equal to:
      π          a      →      b        =            (              b        *                  1          a                    )              mod      ⁢                          ⁢      2      ⁢      q      
The conversion function associated to this key is:C2′=[(C2)(πa→b)]mod p 
When the couple <C1;C2> is introduced into the conversion module, the value of C1 is not modified. C2 instead changes to C2′ according to the above conversion function.
The couple <C1;C2> entering into the conversion module is transformed into an output couple <C1;C2′>. The latter is transmitted to the receiver and more precisely to the secured part of the receiver which contains the secret key b1 specific to this receiver. In principle, each receiver is provided with his own key “b”.
From the received values, the receiver can deduce the message by applying the following formula:
  m  =            (              C        ⁢                                  ⁢        1        *                  1                                    (                              C                ⁢                                                                  ⁢                                  2                  ′                                            )                                                      (                                  1                  /                  b                                )                            ⁢              mod              ⁢                                                          ⁢              2              ⁢              q                                          )              mod      ⁢                          ⁢      p      
Although perfectly functional, this method suffers a major disadvantage when it is put into practice, in particular in an environment in which an emitter supplies a great number of receivers. In fact, by knowing the key b1 of a specific receiver and the conversion function πa→b, it is relatively simple to calculate the key “a” of the emitter such that
      π          a      →              b        ⁢                                  ⁢        1              =                    (                              b            1                    *                      1            a                          )                    mod        ⁢                                  ⁢        2        ⁢        q              .  
From that point, it is possible for a person with bad intentions to make the key “a” of the emitter available to third parties. This then allows to calculate the keys bi of all the receivers supplied by this emitter and using the same conversion function. This means that a user who has subscribed to at least one channel managed by the data supplier can freely have access to all the other channels of this supplier.
The following description explains in more detail, the aforementioned problem.
Imagine a user having a multimedia unit STB2 with the secret key b2. This user is a subscriber of channels 1, 2 and 3 having respectively the keys a1, a2 and a3. Suppose that this user knows his secret key b2. Since he is subscriber, he receives the conversion keys
      π                  a        ⁢                                  ⁢        1            →              b        ⁢                                  ⁢        2              ,                    π                              a            ⁢                                                  ⁢            2                    →                      b            ⁢                                                  ⁢            2                              ⁢                          ⁢      and      ⁢                          ⁢              π                                            a              ⁢                                                          ⁢              3                        →                          b              ⁢                                                          ⁢              2                                ,                    ⁢                          ⁢      where      ⁢                          ⁢              π                  ai          →                      b            ⁢                                                  ⁢            2                                =                            (                                    b              2                        *                          1              ai                                )                          mod          ⁢                                          ⁢          2          ⁢          q                    .      
From these elements, it is relatively simple to calculate a1, a2 and a3. The user with bad intentions can therefore make these keys a1, a2 and a3 available, for example, by a network such as Internet.
Imagine another user having a multimedia unit STB1 with the secret key b1. This user is subscriber of channel 1 using the key a1. This channel, for example, can be a part of a cheap basic offer. The subscriber therefore receives the conversion key
      π                  a        ⁢                                  ⁢        1            →              b        ⁢                                  ⁢        1              =                    (                              b            1                    *                      1                          a              ⁢                                                          ⁢              1                                      )                    mod        ⁢                                  ⁢        2        ⁢        q              .  From this point, he can easily determine b1, that is to say the secret key of his own multimedia unit. He can also receive a2 and a3 from the user having the previously mentioned multimedia unit STB2. With these elements, he can create the conversion key for channels 2 and 3 using
            (                        b          1                *                  1                      a            ⁢                                                  ⁢            2                              )              mod      ⁢                          ⁢      2      ⁢      q        =                    π                              a            ⁢                                                  ⁢            2                    →                      b            ⁢                                                  ⁢            1                              ⁢                          ⁢      and      ⁢                          ⁢                        (                                    b              1                        *                          1                              a                ⁢                                                                  ⁢                3                                              )                          mod          ⁢                                          ⁢          2          ⁢          q                      ⁢                  =                  π                              a            ⁢                                                  ⁢            3                    →                      b            ⁢                                                  ⁢            1                              .      In this way, he will have access to channels 2 and 3 without having acquired the corresponding subscription rights. The same is true for a person having cancelled his subscription and who has calculated the specific key b1 of his receiver before the cancellation.
In this way, if the security of one of the receivers is compromised, the security of all of the other receivers is also compromised.
Another disadvantage of the method described above is the fact that the construction of the conversion key requires the knowledge of the secret key “a” of the emitter and that of the encryption stage b, which is not optimal from a security point of view.