CN102394744B - Systems and methods for content distribution using broadcast encryption - Google Patents

Info

Publication number: CN102394744B
Application number: CN201110355327.7A
Authority: CN (China)
Legal status: Active
Prior art keywords: content, subscriber, cluster, content receiving client, encrypted
Other languages: Chinese (zh)
Other versions: CN102394744A
Inventors: 梁永斌, 熊小康, 屈耀荣, 雷志斌
Current assignee: Hong Kong Applied Science and Technology Research Institute ASTRI
Original assignee: Hong Kong Applied Science and Technology Research Institute ASTRI

Events
  • 2011-11-10: application CN201110355327.7A filed by Hong Kong Applied Science and Technology Research Institute ASTRI (priority date and filing date)
  • 2012-03-28: publication of CN102394744A
  • 2014-04-16: application granted, publication of CN102394744B
  • Current legal status: Active

Landscapes

  • Storage Device Security (AREA)

Abstract

A system and method for content distribution using broadcast encryption. A server hosting a content distributor initially performs a setup process that generates a public key and one or more private keys, then performs an encryption process and distributes the private keys, the initial or updated ciphertext (the cipher header) and the encrypted content to one or more content receiving clients in a distribution network. The subscriber set is a subset of all content receiving clients in the network, and only clients in the subscriber set can decrypt the encrypted content back to the original content. The subscriber set changes when one or more new subscribers join it or one or more existing subscribers are removed from it; a differential ciphertext generation method then computes the new ciphertext by reusing the stored results of the original ciphertext computation, and a wide-window point addition method reuses precomputed partial products of the public parameters when a client reconstructs the encryption secret.

Description

Systems and methods for content distribution using broadcast encryption

Technical field

The invention claimed herein relates generally to networks, in particular to computer networks or broadcast networks such as television. Specifically, it relates to encryption mechanisms for protecting licensed content distributed over such a network.

Background

In a broadcast encryption scheme, a content distributor encrypts its licensed content for the users or clients listening on a broadcast channel or distribution network. Any user or client can apply its private key to the received encrypted content, but only a selected subset of users or clients can decrypt it back to the original content. The content distributor controls and selects that subset. Broadcast encryption has several applications, including access control in encrypted file systems, television subscription services and media content protection.

Conventional broadcast encryption schemes, such as those built on a public key infrastructure (PKI) or on bilinear pairings, create a cipher header that depends in part on the subscriber set, i.e. the subset of content receiving clients that can decrypt the encrypted content and thus view the original content. One such scheme is the Boneh-Gentry-Waters (BGW) scheme, described in Dan Boneh, Craig Gentry and Brent Waters, "Collusion Resistant Broadcast Encryption with Short Ciphertexts and Private Keys", CRYPTO 2005, the entire disclosure of which is incorporated herein by reference. In that scheme a new cipher header is created and distributed whenever the subscriber set changes because new subscribers join or expired subscribers are removed. The new cipher header is computed without reusing any earlier result, and decryption of the encrypted content likewise reuses nothing from earlier computations. Header generation and decryption on each subscriber-set update are therefore computationally heavy and slow, and degrade the overall performance of content distribution. An existing broadcast encryption scheme is disclosed in US Patent Application No. 12/397635, filed March 4, 2009, the entire contents of which are incorporated herein by reference.

Another drawback of conventional broadcast encryption schemes is that the total number of content receiving clients in the distribution network must be fixed when the system is first set up and cannot be increased afterwards.

There is therefore a need for a new broadcast encryption scheme that makes better use of earlier computation results in cipher header generation and content decryption when the subscriber set changes, and that is robust enough to handle an unbounded total number of content receiving clients.

Summary of the invention

It is an object of the invention claimed herein to provide a method and system for content distribution using a broadcast encryption scheme with optimized cipher header generation and decryption.

Another object is to achieve this optimization by reusing earlier computation results in header generation and decryption when the subscriber set changes. A differential ciphertext generation method, which starts from the previous ciphertext value, reduces the computation needed to generate a new cipher header. For decryption, a wide-window point addition method precomputes and stores partial products used to reconstruct the encryption secret, so that subsequent reconstructions of the secret can draw on the precomputed results and finish faster.

A further object is to provide a clustering scheme for content distribution that lets the broadcast encryption scheme scale as desired and accommodate an unbounded number of content receiving clients.

Brief description of the drawings

Embodiments of the invention are described in more detail below with reference to the accompanying drawings, in which:

Figure 1 is a block diagram schematically illustrating an example content distribution system using broadcast encryption.

Detailed description

In the following, a system and method for optimizing broadcast encryption by reusing earlier cipher header generation and decryption results, and for scaling it by clustering, is described as a preferred example. It will be apparent to those skilled in the art that changes, including additions and/or substitutions, can be made without departing from the spirit and scope of the invention. Certain details may be omitted so as not to obscure the invention; the disclosure is nevertheless written to enable one skilled in the art to practice the teachings herein without undue experimentation.

A content distribution network comprises at least a content distributor and one or more users or clients that receive the content. Broadcast encryption is essentially an ordered combination of several processes: setup, encryption and decryption.

In several conventional broadcast encryption schemes, including BGW, the main outputs of the setup process are a public key and the private keys. Setup first selects a random generator $g \in G$ of a bilinear group $G$ of prime order $p$ and a random $\alpha \in \mathbb{Z}_p$. It computes the public parameters $g_i = g^{\alpha^i} \in G$ for $i = 1, 2, \dots, n, n+2, \dots, 2n$, where $n$ is the total number of content receiving clients in the network; note that $g_{n+1}$ is deliberately omitted. It then selects a random $\gamma \in \mathbb{Z}_p$ and sets $v = g^{\gamma} \in G$. The public key is

$PK = (g, g_1, \dots, g_n, g_{n+2}, \dots, g_{2n}, v) \in G^{2n+1}$

and the private key of client $i$ is

$d_i = g_i^{\gamma} \in G, \quad i \in \{1, \dots, n\},$

where $i$ identifies a content receiving client in the network. The private keys $d_1, \dots, d_n$ are distributed to the content receiving clients; each client receives and stores the one private key it will use in the subsequent decryption process.

The encryption process takes the public key $PK$ and the subscriber set $S$ and produces an encryption secret, used to encrypt the original content, and a ciphertext that forms part of the cipher header distributed together with the encrypted content to the content receiving clients. Encryption first selects a random $t \in \mathbb{Z}_p$. The encryption secret is

$K = e(g_{n+1}, g)^t$

(computable from the public key as $e(g_n, g_1)^t$, since $g_{n+1}$ itself is not published), and the ciphertext is

$Hdr = (g^t, (v \prod_{j \in S} g_{n+1-j})^t) = (C_0, C_1) \in G^2.$

The decryption process is run by each content receiving client in the distribution network; in a television broadcast network the client is typically a receiver set-top box. When client $i$ receives the cipher header (which carries the ciphertext) and the encrypted content, it uses the private key $d_i$ it received and stored earlier together with the ciphertext $Hdr$ to reconstruct the encryption secret $K$:

$K = e(g_i, C_1) \,/\, e\big(d_i \prod_{j \in S,\, j \ne i} g_{n+1-j+i},\, C_0\big)$

The encrypted content is then decrypted with the reconstructed $K$, yielding the original content. Because the encryption process folds the subscriber set $S$ into the header, only valid subscribers in $S$ can successfully decrypt the encrypted content.

Figure 1 is a block diagram schematically illustrating an example content distribution system using broadcast encryption. In Figure 1 the content receiving client 120 holds the global public values and operates as follows.

Step 1: the content receiving client 120 (the set-top box in the figure) sends an authentication request to the authentication server.

Step 2: the authentication server sends an authorization confirmation request to the cluster management server, which looks up the corresponding authorization server instance and returns the resulting authorization confirmation to the authentication server.

Step 3: the authentication server requests the content-specific private key from the cluster management server, which, following the cluster scheme 130, looks it up at the corresponding key server instance and returns the content-specific private key to the authentication server.

Step 4: the authentication server forwards the content-specific private key to the content receiving client 120.

Step 5: the content receiving client 120 is placed in the content-specific distribution network, where the encryption server 110 encrypts the clear content into encrypted content under the content-specific public values and sends the encrypted content together with the current subscriber set to the distribution network, from which the content receiving client 120 receives them.

Step 6: the content receiving client 120 decrypts the encrypted content with the content-specific private key and the global public values, recovering the clear content.

Referring to Figure 1, in various embodiments of the claimed invention the encryption process is performed by an encryption server 110 residing at the content distributor; the encryption server 110 may be implemented on one or more computer servers. When the subscriber set changes, the ciphertext $Hdr$ must be recomputed. In an embodiment, the new ciphertext $Hdr'$ is derived from the previous one by the following differential ciphertext generation method:

1. When the ciphertext $Hdr$ is first generated, retain the variant $pHdr$, where

$pHdr = (g, H) = (g,\, v \prod_{j \in S} g_{n+1-j})$

2. When the subscriber set $S$ changes, compute the new variant $pHdr' = (g, H')$ from $pHdr$:

a. if a set $S^{+}$ of new content receiving clients joins $S$, then $H' = H \prod_{j \in S^{+}} g_{n+1-j}$;

b. if a set $S^{-}$ of existing content receiving clients is removed from $S$, then $H' = H \,/\, \prod_{j \in S^{-}} g_{n+1-j}$.

3. Compute $Hdr'$ from $pHdr'$:

a. generate a new random $t' \in \mathbb{Z}_p$;

b. compute $Hdr' = (g^{t'}, (H')^{t'})$.

The cost of an update is thus proportional to $|S^{+}| + |S^{-}|$ rather than to $|S|$. The fresh exponent $t'$ in step 3a is essential: the encryption secret $K = e(g_{n+1}, g)^{t}$ depends only on $t$, so the re-randomized header yields a new secret $K' = e(g_{n+1}, g)^{t'}$ that a client removed in $S^{-}$ cannot recover from its stored $d_i$, whereas reusing $t$ would leave the secret unchanged.

Still referring to Figure 1, in various embodiments the decryption process is performed by each content receiving client 120 in the distribution network; in a television broadcast network the client 120 is typically a receiver set-top box with electronic circuitry and a processor for the decryption. Decryption first reconstructs the encryption secret $K$ used to decrypt the received content:

$K = e(g_i, C_1) \,/\, e\big(d_i \prod_{j \in S,\, j \ne i} g_{n+1-j+i},\, C_0\big)$

This computation involves two bilinear pairings, one division and $m+1$ point additions, where $m$ is the number of subscribers in $S$. (The patent writes the group operation in $G$ additively, as point addition on an elliptic curve; the $\prod$ above is the same operation in multiplicative notation.) In an embodiment the decryption is accelerated by a wide-window point addition method, which precomputes and stores a number of partial products of the public parameters $\{g, g_1, \dots, g_n, g_{n+2}, \dots, g_{2n}\}$ so as to speed up the computation of $\prod_{j \in S,\, j \ne i} g_{n+1-j+i}$. The method comprises the following steps:

1. Choose the window width $k$.

2. Rename the public parameter set $\{g, g_1, \dots, g_n, g_{n+2}, \dots, g_{2n}\}$ as $\{r_1, \dots, r_n, r_{n+2}, \dots, r_{2n}\}$.

3. Partition $\{r_1, \dots, r_n, r_{n+2}, \dots, r_{2n}\}$ into $\lceil 2n/k \rceil$ subgroups of $k$ consecutive elements:

$R_1 = \{r_1, \dots, r_k\}$

$R_2 = \{r_{k+1}, \dots, r_{2k}\}$

...

$R_{\lceil 2n/k \rceil} = \{r_{(\lceil 2n/k \rceil - 1)k+1}, \dots, r_{2n}\}$

4. Compute and store $\{P_1, P_2, \dots, P_{\lceil 2n/k \rceil}\}$, where $P_l$ contains the product of every non-empty subset of $R_l$ ($2^k - 1$ values per subgroup), as illustrated below.

An illustration of the wide-window point addition method with window width $k = 2$ (group operation written additively, as in the patent):

$R_1 = \{r_1, r_2\} \;\to\; P_1 = \{r_1,\ r_2,\ r_1 + r_2\}$

Another illustration, with window width $k = 4$:

$R_1 = \{r_1, r_2, r_3, r_4\} \;\to\; P_1 = \{r_1,\ r_2,\ r_3,\ r_4,\ r_1 + r_2,\ r_1 + r_3,\ r_1 + r_4,\ r_2 + r_3,\ r_2 + r_4,\ r_3 + r_4,\ r_1 + r_2 + r_3,\ r_1 + r_2 + r_4,\ r_1 + r_3 + r_4,\ r_2 + r_3 + r_4,\ r_1 + r_2 + r_3 + r_4\}$

To compute $\prod_{j \in S,\, j \ne i} g_{n+1-j+i}$ for reconstructing the encryption secret $K$, first let $S' = \{g_{n+1-j+i} \mid j \in S,\, j \ne i\}$ and determine, for every subgroup, $U_l = R_l \cap S'$. For every non-empty $U_l$ the product of all elements of $U_l$ is one of the stored values in $P_l$ and is simply looked up. Finally

$\prod_{j \in S,\, j \ne i} g_{n+1-j+i} = \prod_{l=1}^{\lceil 2n/k \rceil} u_l, \qquad u_l = \prod_{r \in U_l} r \in P_l,$

with $u_l$ omitted for every empty $U_l$. Because the $P_l$ can be precomputed and stored, the time to reconstruct $K$ on subsequent decryptions is reduced and decryption performance improves. The price is $(2^k - 1)\lceil 2n/k \rceil$ stored group elements, so the window width $k$ trades memory on the set-top box against multiplications at decryption time.

Still referring to Figure 1, besides generating the public key $PK$ and the private keys $d_1, \dots, d_n$, the setup process normally also authenticates and authorizes the content receiving clients and determines their entitlement or subscription to particular content, which fixes the subscriber set $S$. Because the number of private keys generated during the initial setup is fixed by the total number $n$ of content receiving clients, that total cannot be increased afterwards.

In various embodiments of the claimed invention this limitation is removed by a cluster scheme 130 in which the content receiving clients are partitioned into clusters, for example by geographic location. The cluster scheme 130 comprises multiple instances of a key server, which generates public and private keys, an authorization server, which stores and serves the authorization information of the content receiving clients, and a cluster management server. The cluster management server records, for each content receiving client, which key server instance and which authorization server instance it belongs to. With multiple key server instances the content distribution system holds multiple sets of public and private keys, and each content receiving client receives its private key from its own key server instance.

Under the cluster scheme, public parameters and a subscriber set are generated separately for each instance. The encryption process is modified to generate one set of encrypted content and cipher header per instance, distributed to the content receiving clients according to the instance they belong to.

New key server and authorization server instances can later be added to the content distribution system, thereby expanding its capacity. In an embodiment the cluster management server provides a user management interface for configuring the mapping between content receiving clients and the key server and authorization server instances.

The embodiments disclosed herein may be implemented using general-purpose or special-purpose computing devices, computer processors or electronic circuits including, but not limited to, digital signal processors (DSP), application specific integrated circuits (ASIC), field programmable gate arrays (FPGA) and other programmable logic devices configured or programmed according to the teachings of the invention. Computer instructions or software code running on such devices can readily be prepared by practitioners skilled in the software or electronic arts from these teachings.

In some embodiments the invention includes a computer storage medium storing computer instructions or software code that can be used to program a computer or microprocessor to perform any of the processes of the invention. The storage medium may include, but is not limited to, floppy disks, optical discs, Blu-ray discs, DVDs, CD-ROMs and magneto-optical discs, ROM, RAM, flash memory, or any other type of medium or device suitable for storing instructions, code and/or data.

The foregoing description of the invention has been presented for purposes of illustration and description. It is not intended to be exhaustive or to limit the invention to the precise forms disclosed. Many modifications and variations will be apparent to those skilled in the art.

The embodiments were chosen and described in order to best explain the principles of the invention and its practical application, so as to enable those skilled in the art to understand the invention in its various embodiments and with the various modifications suited to the particular use contemplated. The scope of the invention is defined by the appended claims and their equivalents.

Claims (7)

1. a content distribution method that uses broadcast enciphering, comprising:
By the server of supervisor's content distributor, initially carry out one-shot and process, described startup is processed and is produced public-key cryptography and one or more private cipher key;
Server by supervisor's content distributor performs encryption processing, and described encryption comprises:
Use public-key cryptography and subscriber's collection initially to calculate initial password text one time;
When subscriber collects change, calculate new cryptogram, the calculating of described new cryptogram is based on difference cryptogram generation method;
Generate encrypted confidential;
Use encrypted confidential that original contents is encrypted to the content after encryption;
Contents distribution by one or more private cipher keys, initial password text or new cryptogram and after encrypting is to the one or more content reception clients in distributing network;
Each content reception client in distributing network is carried out decryption processing to the content after encrypting, and described decryption processing is based on wide window point adding method;
Wherein subscriber's collection is the subset that in distributing network, all the elements receive client, and only the concentrated content reception client of subscriber can be original contents by the contents decryption after encrypting;
Wherein when one or more new subscribers add subscriber to collect or subscriber collection in one or more existing subscriber while removing from subscriber's collection, subscriber collects change;
Wherein difference cryptogram generation method is calculated new cryptogram by reusing the result of calculation of the preservation of original cryptogram calculating; And
Wherein wide window point adding method is reused the result of calculation in advance of the preservation that the grouping point of open parameter adds in the reconstruction of encrypted confidential.
2. method according to claim 1, also comprises:
By content reception client logic be divided into a plurality of trooping;
The authorization message of each content reception client is provided from the Multi-instance of authorization server, and the example of authorization server is corresponding to trooping;
From the Multi-instance of key server, provide a plurality of public-key cryptography and a plurality of private cipher key, the example of key server is corresponding to trooping;
From with content reception client under the example of the corresponding key server of trooping private cipher key is distributed to content reception client;
Calculate a plurality of set of initial password text and new cryptogram, each troop a public-key cryptography of gathering and trooping based on this and subscriber's collection;
Generate a plurality of encrypted confidentials, each encrypted confidential of trooping, and the corresponding cryptogram that uses this to troop;
Original contents is encrypted to the content after a plurality of encryptions, each content after an encryption of trooping, and the corresponding encrypted confidential that uses this to troop; And
According to the contents distribution of trooping by initial password text or new cryptogram and after encrypting under content reception client to described content reception client.
3. method according to claim 2, wherein by content reception client logic to be divided into a plurality of trooping be the geographical position of content-based reception client.
4. a content distribution method that uses broadcast enciphering, comprising:
By the server of supervisor's content distributor, initially carry out one-shot and process, described startup is processed and is produced public-key cryptography and one or more private cipher key;
Server by supervisor's content distributor performs encryption processing, and described encryption comprises:
Use public-key cryptography and subscriber's collection initially to calculate initial password text one time;
When collecting change, subscriber calculates new cryptogram;
Generate encrypted confidential;
Use encrypted confidential that original contents is encrypted to the content after encryption;
Distributing the encrypted content, together with one or more private keys and the initial ciphertext or new ciphertext, to the content receiving clients in the distribution network;
Performing, at each content receiving client in the distribution network, decryption processing on the encrypted content, the decryption processing being based on a wide-window point addition method;
Wherein the subscriber set is a subset of all content receiving clients in the distribution network, and only the content receiving clients in the subscriber set can decrypt the encrypted content into the original content;
Wherein the subscriber set changes when one or more new subscribers join the subscriber set or one or more existing subscribers are removed from the subscriber set; and
Wherein the wide-window point addition method reuses stored precomputed results of the grouped point addition of the public parameters when reconstructing the encryption secret.
5. The method according to claim 4, wherein the wide-window point addition method further provides a configurable window width for controlling the group size of the grouped point addition of the public parameters.
6. The method according to claim 4, further comprising:
Logically dividing the content receiving clients into a plurality of clusters;
Providing the authorization information for each content receiving client from multiple instances of an authorization server, each instance of the authorization server corresponding to a cluster;
Providing a plurality of public keys and a plurality of private keys from multiple instances of a key server, each instance of the key server corresponding to a cluster;
Distributing the private key to a content receiving client from the instance of the key server corresponding to the cluster to which that content receiving client belongs;
Computing a plurality of sets of initial ciphertexts and new ciphertexts, one set per cluster, based on the public key of that cluster and the subscriber set;
Generating a plurality of encryption secrets, one per cluster, using the corresponding ciphertext of that cluster;
Encrypting the original content into a plurality of encrypted contents, one per cluster, using the corresponding encryption secret of that cluster; and
Distributing, to each content receiving client, the initial ciphertext or new ciphertext and the encrypted content according to the cluster to which that content receiving client belongs.
7. The method according to claim 6, wherein logically dividing the content receiving clients into a plurality of clusters is based on the geographical locations of the content receiving clients.
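The wide-window point addition of claims 4 and 5 in miniature, as an added example that is not code from the patent: the public parameters are grouped into windows of a configurable width, the sum of every subset inside each window is precomputed once, and the subset sum needed after the subscriber set changes is rebuilt with one table lookup per window instead of one point addition per subscriber. The toy curve, its points and the public parameters are constructed for illustration and are assumptions, not the patent's own values.

```python
# Constructed toy curve y^2 = x^3 + 7 over GF(17); not the patent's parameters.
P_MOD, A = 17, 0

def ec_add(P, Q):
    """Affine point addition; None denotes the point at infinity."""
    if P is None or Q is None:
        return P or Q
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None                                    # Q == -P
    if P == Q:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P_MOD) % P_MOD
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD) % P_MOD
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

# Public parameters P_0..P_11: constructed points on the toy curve.
PUBLIC_PARAMS = [(15, 13), (2, 10), (8, 3), (12, 1), (6, 6), (5, 8),
                 (10, 15), (1, 12), (15, 4), (2, 7), (8, 14), (12, 16)]

def precompute_window_tables(params, width):
    """Split params into windows of `width` points; for each window store the
    sum of every subset, indexed by member bitmask.  The tables depend only on
    the public parameters, so they are reused whenever the subscriber set changes."""
    tables = []
    for start in range(0, len(params), width):
        group = params[start:start + width]
        table = [None] * (1 << len(group))             # table[0] = identity
        for mask in range(1, 1 << len(group)):
            low = mask & -mask                         # lowest set bit of mask
            table[mask] = ec_add(table[mask ^ low], group[low.bit_length() - 1])
        tables.append(table)
    return tables

def subset_sum_windowed(tables, width, subscribers):
    """Sum of the subscribers' points: one lookup and addition per window."""
    acc = None
    for g, table in enumerate(tables):
        mask = sum(1 << (j - g * width) for j in set(subscribers)
                   if g * width <= j < (g + 1) * width)
        acc = ec_add(acc, table[mask])
    return acc

def subset_sum_naive(params, subscribers):
    """Reference: add the selected points one at a time (len - 1 additions)."""
    acc = None
    for j in set(subscribers):
        acc = ec_add(acc, params[j])
    return acc
```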
CN201110355327.7A 2011-11-10 2011-11-10 Systems and methods for content distribution using broadcast encryption Active CN102394744B (en)

Publications (2)

Publication Number Publication Date
CN102394744A CN102394744A (en) 2012-03-28
CN102394744B true CN102394744B (en) 2014-04-16



Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant