On Nov 15, 2011 was unveiled STONE, the industry’s first efficient cryptographic solution that enables CAS vendors and content providers to identify and remotely disable compromised smart cards used by pirate emulators. A smart card implementation of STONE is to be demonstrated by the end of 2011, with commercial availability anticipated early 2012.
Secure Traceable ONe-to-many Encryption (STONE) is a new cryptography technology that solves a longstanding problem known as traitor tracing. In this scenario, a broadcaster delivers an encrypted content such as a movie to a number of subscribers in real time over a one-way channel. Each subscriber is provided beforehand a decryption utility such as a set-top box empowered by a smartcard. The card decrypts the stream of encrypted session keys (aka. ECMs) transmitted by the broadcaster and returns the session keys in clear to the set-top box for content access. In a typical Conditional Access System, a copy of the same decryption key is contained in all the cards, or cards belonging to the same group. When a card is reverse-engineered and its key material is revealed – the key is then referred to as a traitor key – pirates can clone the card at will or issue a decryption software. Even if the broadcaster later identifies which decryption key is used by the pirate software, a specific user cannot be incriminated since the traitor key is shared among several cards. STONE is a revolutionary encryption system that specifically solves this identification problem.
With the STONE encryption system, each subscriber is given an individual decryption key. Each decryption key is unique, even though functionally equivalent to all other keys. Generating a new key requires a master secret information which is kept securely by the broadcaster, so that decryption keys are similar to digital signatures; they cannot be generated without the master key, which plays the role of a signing key. “This is why compromised user keys are useless to a pirate who would try to construct a new decryption key”, states Dr. Thomas Baignères, cryptographer and security expert at CryptoExperts. “This would imply a form of forgery, and the cryptography involved just forbids it. Pirates are left with the only option of reusing existing keys which can be identified by the broadcaster.”
“The tracing capability of STONE assumes that a pirate decryption software is available.”, explains cryptography researcher Dr. Cécile Delerablée who co-invented the technology. “Using a new identification technique, the traitor key from which the pirate software originates is efficiently recovered from the code, regardless of the level of obfuscation possibly used to protect the key. This even works on combinations of traitor keys in case the pirate software uses many of them in some complex ways in an attempt to evade identification. It’s mathematical”, she says, “and there is nothing the pirate can do about it. Traitor keys and their original owners will be traced in any case, assuming the illegitimate software is functional in the first place.”
Once a compromised key is identified by the broadcaster, the stream of STONE-encrypted session keys can be adapted to disable the target key on a global scale in further transmissions. The encryption procedure of STONE is specifically modified to exclude the traitor key, which cannot be used to decrypt anymore. “Again, it’s mathematical”, says Dr. Delerablée. “Once identified and revoked, a traitor key becomes totally useless to pirates. STONE supports multiple key exclusions, so that newly identified traitor keys can be cumulatively disabled over time. Combining white-box traceability with revocation, the piracy business cannot be sustained anymore since pirates will have to keep breaking new cards indefinitely and at a fast pace.“
According to Dr. Pascal Paillier, CEO of CryptoExperts and co-inventor, STONE is the first encryption system that complies with the real-life functional requirements of current broadcasting channels. “All previous methods were purely theoretical”, he says, “with either critically large decryption keys or ciphertexts which made them irrelevant for current satellite or terrestrial bandwidths. As a comparison, a STONE ciphertext holds in a fraction of a single SMS, and a decryption key can be made smaller than an RSA modulus. Besides, our technology uses elliptic curves, for which APIs are already available on many devices. We have the first true solution for piracy-free conditional access systems even when cards get broken on the field”, he claims. “With that efficiency and the tracing capability, STONE can even be used to secure software-only content protection solutions with unprecedented security benefits.”
“Our R&D phase is almost over”, says Dr. Matthieu Rivain, cryptographer and elliptic curve specialist at CryptoExperts. “We are now working on reference implementations of STONE on several devices to demonstrate the technology. An engineering phase is still necessary to select the best suited elliptic curves and optimize the use of scalar multiplications and bilinear maps in the encryption and decryption procedures. Our first smart card implementation will be based on a crypto-enabled core designed by Invia. We need all the flexibility we can get from a cryptographic engine”, he adds, “and Invia’s MEXPA accelerator is particularly efficient for finite field arithmetic. We should be ready to demonstrate STONE on this platform by the end of this year.”