Apparatus and method for protection of conditional access broadcasting and datacasting

The subject of the apparatus and method in this present patent is the conditional access module for conditional access digital broadcasting and data transmission and reception, which has an execution unit, with input and output, for encoding information and/or decoding received information, and an encoding and/or decoding key-automaton is connected to one of its further inputs. PRIOR ART

During conditional access digital broadcasting and datacasting, encoding and decoding, encrypting internet or network communication, are such applications, where safe broadcasting and datacasting are excessively threatened due to the high number of parties (in the case of digital television it may very well exceed a hundred million) interested in cr'a'ckiήg the ^' code. Furthermore, many hackers make the cracked code available on. the MMiet, rrorii 'where it spreads fast. This unfortunate fact causes a huge problem for brδ'adca ^' sting companies these days. Digital Video Broadcasting (DVB) standards are set by ITU-T Recommendation H.222.0 - Audiovisual and Multimedia Systems: Infrastructure of audiovisual services - Transmission multiplexing and synchronisation - Information technology (Generic coding of moving pictures and associated audio information systems, 2004). The mechanism is rather complicated (see e.g. Walter Fischer, Digital Television, Springer, 2004), and there is only a tiny section dedicated to the topic of controlling access to various kinds and huge amounts of data.

Authorization check, recovery of broadcast and data reception for authorized users is done though a Conditional Access Module (CAM). CAMs can generally be classified into two groups: for the so called embedded type the primary supplementary unit for conditional access applications is integrated into an integrated receiver and decoder or a set-top box or an access point. The so called attached type uses one of the above mentioned devices connected to a module through a standard port or a standard (normally PCMCIA) code card reading interface, that accepts an authorization code card, or a device (e.g. a computer) to which the authorization hardware key is attached through a standard (e.g. USB 2.2) port. The theoretical structure, purpose and functioning of all the above solutions are practically the same (see e.g. Tibor Wein, Fundamentals of conditional access DVB CATV broadcasting (in Hungarian), Kabelkon Hungary, 2004, www.kabelkon.hu): -; the transmitter's multiplexer produces the codeword and has it integrated into the authorization control message with the authorization control message generator;

- in this process the authorization control message generator prepares the content: this message contains the encoding words, access parameters (current date, time, etc.) as well as the provider identifications, program-call information and the connected authorization information, encoding variables, the digital signature to ensure that the authorization control message cannot be manipulated;

- next the transmitter forwards the authorization control message, embedded in the transmission to the recipient;

- using the code words the conditional access module restores the coded audio/video/data signal flow.

Wlien using a code card, the card is installed as follows. After retrieving certain data about the card (type of conditional access, serial number of the card, identifiers of the service providers included on the card, etc.) the conditional access module registers the card and uses the information to identify and separate the messages intended for the card from the signal flow. The code card will continuously restore the authorization control messages, then compare the current date and time, the provider identifier, as well as the program reference and authorization information with those stored in its memory. If, according to these data, the user is authorized to have access to the program, the code card provides the code word for the conditional access module to restore the incoming signal flow. In the case of an embedded mechanism, the above mentioned tasks are carried out by an appropriate microcontroller. The process is very similar when a hardware key is used.

Conditional Access (CA) is such a content protection, where certain requirements must be met before accessing the content. The concept is used in connection with digital television systems, especially with satellite televisions. A basic method of content protection is encryption. There are two methods most frequently used in encryption: sending the symmetric keys from the provider (i.e. from the provider's broadcasting or datacasting device) to the user (i.e. to the user's set-top-box or smart card) in a message, encrypted with a public key (asymmetric), while the service itself (i.e. the broadcast or the data transmitted) is encrypted and decrypted with a symmetric key. The most often used asymmetric key encryption system is RSA, while for symmetric key encryption, it is DES or triple DES, recently. Symmetric key encryption takes place in blocks, with code words (CW), which are frequently changed (can be 10-30 seconds) for increased security. Identifiers and code words are sent using multi-session key (MSK) public-key encryption. The validity of multi-session keys is relatively long, they are changed hourly, daily or even longer periods. (G.H. Pinder, M.S. Palgon; Encryption devices for use in a conditional access system, US P 6,424,717, 2002; EP 1-000-509-B1. 2002).

This rather complicated mechanism is necessary to prevent the possible sophisticated cracking attempts from unauthorized recipients. In this present patent we describe apparatuses based on a novel method, which makes frequent key changes unnecessary.

The suggested method is based on a Hungarian application for a patent (no. P0600208, 2006, Budapest, Hungary) 'Symmetric key cryptographic method and apparatus for encoding and decoding information, by Pal BeIa Dδmδsi'. Compared to the above mentioned application there are considerable novelties:

-in this description, the role of the microcontroller (unlike in the application) is taken over by a computer with a hardware key connected to it in a standard way (like a USB 2.2 port), or a microcontroller embedded in a broadcasting/datacasting device or a user device (set- top-box, access point) or a smart card in the subscriber's card reader; - some of the properties of the key automaton in the above application also differ from those of the key automaton described here;

- the method used for encryption and decryption makes it possible to start decoding at any time during service provision (i.e. not only at the beginning).

The patent has all the advantages of the known encryption systems, but without knowing the key automaton, it is impossible to crack the encrypted message. Besides, its simplicity makes encryption and decryption fast. Due to its simplicity, the present patent also lends itself to micro-sized realisations (microcontroller, smart card, etc.) for transmission and reception devices in conditional access digital broadcasting and datacasting systems.

SUMMARY OF THE INVENTION

The essence of the apparatus in the invention is that the key automaton used in the apparatus has the following properties:

- to each element of the character set of the plaintext there is one or more final states of the key automaton (7) assigned and each final state is assigned to one and only one element of the character set

- the initial state of the key automaton is distinct from any of its final states - one of the input signals is the synchronizing signal of the automaton

- for each state there is an input signal, so that the transition function assigns to this state and input signal a state, which is not a final state

- the transition function assigns to each state and the synchronizing signal the initial state

- for each state pair there are many input signal strings, not shorter than a given length and not longer than an other given length, for which the last element of the string of states assigned to the first element of the state pair and the given input signal string by the extended transition function coincides with the second element of the state pair and none of the other elements of the state string is a final state -for the security, the following are expedient : - there exists a permutation signal

- for each state pair there exists a non-empty input signal string that does not contain the synchronizing signal of the key automaton, so that the extended transition function assigns state strings to the first element of the pair and this input signal string as well as the second element of the pair and the input signal string such that the last elements of these state strings are the same

- each input sign takes the automaton into each final state from various states in the same multiplicity,

- none of the input signals takes the key-automaton from a final state into another final state.

The essence of the method in the invention is that

- in encryption mode the key automaton

- reads in the plaintext character by character, starting from the initial state

- generates a randomly chosen character string of length falling into a given, adjustable length interval for each character in the plaintext, taking the key automaton into a final state assigned to the readed character, without an intermediate final state

- where the current state is the initial state, first, and then the previously reached final state

- the cipher text is created by linking these character strings together

- the first character of the cipher text is the synchronizing signal of the automaton, and later the synchronizing signal occurs at a given frequency

- in decryption mode, the key automaton

- reads in the cipher text character by character starting from the initial state

- after reading in the first input signal that coincides with the synchronizing signal of the automaton, decryption is accomplished by linking together the input signals associated with the occurring final states, which provides the message in its original form.

DEFINITϊONS

An initial automaton with an initial state and final states and no output signal (which is also referred to as Rabin-Scott automaton in the literature for short) is an algebraic structure which consists of two non-empty sets and a function. One of the two non-empty sets is called the state set and the other is the input signal set. The function which maps the product of the state set and the input signal set into the state set is usually called transition function. The elements of the state set are the states and the elements of the input signal set are the input signals. A transition function can, thus, also be given as the function that associates a state with each pair whose first element is a state and its second element is an input signal. If the transition function assigns to a state a and an input signal x of the automaton the state b, then we say that the input signal x takes the automaton from state a into state b. We also say that the automaton is taken from state a into state b by the input signal x. The state set has a distinguished element, the initial state; and a distinguished subset, the set of final states. The elements of the set of final states are the final states. In the present description we assume that the initial state and the final states are all distinct. Furthermore, those elements of the state set that are not final states are sometimes called non-final states.

Initial automata with no output, and with an initial and final states are henceforth called automata.

A finite list of the elements of the state set is called a state string; a finite list of elements of the input signal set is called an input signal string. (Input signal strings and state strings of length one that is of one element are not excluded.) Strings of binary elements that is of 0 and 1 are also called bit strings. The commas between the elements either in state strings or in input signal strings will be omitted (as is customary). If a state string a _! a ₂ ...a _s has at least three elements, the states a ₂ , a ₃ , . . . , a _s-1 are also called intermediate states. A sequence of one or two elements has no intermediate states. State strings of one or two elements have no intermediate states.

The transition function of the automaton can be extended in the customary way, so that the extended transition function assigns to each state and input signal string a state string in the following way:

Let a be a state and let X ₁ X ₂ -X _s an input signal string (where X ₁ , x ₂ ... x _s are input signals). Let ai denote the state the automaton is taken into from the state a by the input signal X ₁ , a ₂ be the state, the automaton is taken into from state &ι by the input signal X ₂ , a ₃ be the state the automaton is taken into, from state a ₂ by the input signal X ₃ , ..., and a _s be the state, the automaton is taken into from the state a^ by the input signal x _s , respectively. Then to the pair consisting of state a and the input signal string X ₁ X ₂ -X _s the extended transition function assigns by definition the state string a ₁ a ₂ ...a _s . Then we say that the input signal string xix ₂ ...x _s takes the automaton from state a through the state string aa^—a _s to state a _s .

Furthermore, we assume that the automaton has a given input signal, called synchronising signal, which takes the automaton to the initial state from any state. A permutation signal is an input signal, which takes the automaton from any two distinct states into two distinct states. A permutation signal cannot take the automaton into the same state from two distinct states.

Finally, if an automaton has the properties described above in the invention, then it is called a key automaton. When encrypting with a key automaton, to each character of the plaintext there is a character string generated with no initial- or end marker, which we call encrypted block, and the cipher text is obtained by linking these character strings together. We shall assume that there is a lower limit to the length of these random character strings, which is the minimal block length, and that it has an upper limit, which is called the maximal block length. It is also assumed that there is a lower bound and an upper bound to the number of encrypted blocks between two synchronising signals and after the last synchronising signal, which will be called the minimal number of blocks and the maximal number of blocks, respectively.

It is assumed here, that the state set and the input signal set (as well as the final state set) of the key automaton is finite. In the discussion, it is also assumed, that both the state set and the input signal set are ordered sets, and thus we shall refer to their zeroth, first, second, ..., last elements. (For technical reasons the numbering begins with zero and not one.) It is also assumed that the largest ordinal for the final states is less than the least ordinal for non- final states, that is the numbering of states begins with the final states. For finite state sets and input signal sets the transition function can also be represented as a matrix, which is called transition matrix. The number of the rows and columns of the transition matrix equals the number of the input signals and states of the automaton, respectively. The element k in the i ^th row (numbering beginning with zero) and j ^ώ column of the transition matrix is the ordinal of the state (numbering beginning with zero), which is assigned to the j ^th state and i ^th input signal by the transition function.

DETAILED DESCRIPTION OF THE INVENTION Since the present invention is concerned only with access control used in content provision, other aspects and mechanisms of access controlled digital broadcasting and datacasting are disregarded here.

The example of access control module illustrated in Figure 1 has two input/output units: 1 I/O-l gate , and 2 I/O-2 gate 2. Both are connected to 3 an I/O control . 4 The execution unit has a direct two-way connection, through 5 a data bus, to 3 the I/O control, 6 the program memory, 7 the key-automaton, 8 the data memory, 9 the validity and access range information storage unit, 10 the operational data storage unit and the random number source, preferably 11 a random number generator.

The access control module described in the invention is suitable for both safely controlling access to information transmitted by a content provider and for receiving valid broadcast and data within the access range of the receiver. When using the access control module in a content provision device, 1 I/O-l gate is for data traffic between the access control module and the other units of the content provision device, while 2 I/O-2 gate is for data traffic between the access control module and the receivers. When using the access control module in a receiver, 1 I/O-l gate is for data traffic between the access control module and the other unit of the receiver, while 2 I/O-2 gate is for data traffic between the access control module and the content provision device. 3 I/O control controls data traffic between 1 I/O-l gate, 2 I/O-2 gate and 5 data bus. 4 Execution unit makes the device work.

6 Program memory stores the program that controls the functioning of the device. 7 Key automaton provides the encryption and decryption key. Basic data needed for the functioning of the device is stored in 8 data memory. Data needed for reception authorization are in the unit storing the validity and access range information, and data directly needed during the functioning of the device are in the unit storing 10 operational data. 11 Random number generator provides random 8-bit random numbers for the device.

In the key automaton stored in the access control module in the present invention, to each element in the character set of the plaintext there is one or more final states of 7 the key automaton assigned, and each final state is assigned to one and only one element of the character set. The input data set has a fixed synchronising signal, which takes the 7 key automaton from each of its states to its initial state. Furthermore, at least one of the input signals is a permutation signal, and for each state pair there is an input signal distinct from the synchronising signal, that takes the key automaton from each of the two states to one and the same state. For each state pair there exist a given number of input signal strings, not shorter than a given length and not longer than an other given length, which takes 7 the key-automaton from the first state in the pair into the second state of the pair that no final states are reached as intermediate states. One of the possible realisations of the communication between the content provider and the receivers is as customary: For the application of the invention both the content provider and the receivers need to have an access control module described in this invention, which have the same 7 key-automaton. The receiver's device, when turned on, encrypts the validity and access range data and forwards it to the content provider. The content provider's device decrypts this message, and when it is valid data from within the access range, then sends an encrypted message to the receiver, which contains the received data that is considered valid and within the access range, and authorizes reception. If the received data is not valid or not in the appropriate access range, then the encrypted message sent by the content provider does not allow reception. The device in the receiver decrypts this message, and if reception is not authorized, then it signals this to the receiver. If reception is authorized, then it checks, whether the received validity and access range data are the same as its own validity and access range data, and if not, it also signals this, else it turns into reception mode, and henceforth the messages sent by the content provider, the encoded parts decoded, of course are forwarded to the appropriate units of the receiver.

Another possible realisation of communication between the content provider and the receivers is the following: The invention is used so that the content provider is equipped with an access control module in encrypting mode and the receiver has one decrypting mode, both of which use the same 7 key automaton. After each synchronising signal sent by the access control module of the content provider, there comes an encrypted message, which contains data regarding validity and access range. When turned on, the access control unit in the receiver waits for the first incoming synchronising signal, and after receiving it, it uses its 7 key automaton to decrypt the validity and access range data, and then compares them to those of its own. If it finds its own data invalid, then it gives a signal, or else, the messages sent by the content provider, the encoded parts decoded, of course are forwarded to the appropriate units of the receiver. One possible realisation is when this comparison is done by the access control module after each synchronising signal, or the other possibility is that after the first authentication, there is no further checking during decryption.

The various blocks of the cryptographic device shown in the example are realised using the following products: 1 I/O-l gate and 2 1/0-2 gate as well as 3 the I/O controller are built into the microcontroller's I/O unit. 4 Execution device is a RISC SC200, 32-bit central unit with ARM architecture together with Jazelle architecture extension and a memory support. 5 The data bus providing for communication between the units is an AMBA Bus (Advanced Microprocessor Bus Architecture Bus) with ARM specifications. The program controlling the functioning of the device is burnt into the program memory 6, which is 70 kilobytes out of the 256 kilobytes of ROM memory, while 7 the key automaton is burnt into the 128 kilobytes portion of the same ROM memory. The rest of the ROM memory is made up of 8 data memory, which contains the necessary parameters for the functioning of the device. The 128-kilobyte EEPROM stores the validity and access range data, and the operational data 10 is stored in the 8-kilobyte static part of the 10-kilobyte RAM memory. 11 The random number generator of the device is a unit for generating 16 and 32 bit random numbers, where only the lower 8 bits are used by the device.

The access control module in the invention performs encryption and decryption as follows:

When used as an encryption device, the plain text message arrives in the form of a character flow at 4 the execution unit 1 from I/O-l gate through 3 FO controller and 5 data bus. The encrypted message is transferred to 3 I/O controller from 4 execution unit through 5 data bus, and is displayed on 2 1/0-2 gate. Encryption takes place as follows:

1. Storage space is allocated in 8 data memory for the current number of blocks, the current block length, the initial state, the current state, the goal state, work arrays and the pointer, the starting state will be given the value of initial state of 7 key automaton. (The value of the initial state is then distinct from any of the final states.)

2. The number of blocks is determined by 11 the random number generator , which is between the minimal and maximal number of blocks possible between to synchronising signals and after the last synchronising signal.

3. 4 Execution unit sends a synchronising signal in the form of output data to 3 I/O controller through 5 data bus, which is displayed on 2 1/0-2 gate and the blocks counter takes the value zero.

4. The next character in the character string providing validity and access range data is read in (first read in first) from the storage space for 9 validity and access range data and it jumps to step 6.

5. The next character of the plain text is read in (first read in first) from 1 I/O-

1 gate through 3 I/O controller.

6. The goal state in 10 the operative data memory takes the same numeric value as that of the incoming character.

7. 11 The random number generator gives a (random) block length between the minimal and maximal encrypted block length.

8. The value of the current sate is now the starting state.

9. The value of the pointer in the operative data memory is set to zero.

10. The following iterative steps are repeated until as the values of the current state and the goal state are equal.

- If the value of the pointer is less than the length of the (random) block length minus one, and each input signal takes

the key automaton from the current state into a final state, then leave the cycle and go to step 8.

- If the value of the pointer is less than the length of the (random) block length minus one, 11 the random number generator generates a random input signal, which takes the automaton from the current state into a non-final state, and this input signal will be the element (numbering beginning with zero) of the work array, where the pointer points.

- If the value of the pointer is equal to the length of the (random) block length minus one, and there is no input signal, that would take the current state into the goal state, the cycle is left and step 8 follows.

- If the value of the pointer is equal to the length of the (random) block length minus one, and there is an input signal, that takes the current into the goal state, then this input signal will be the element (numbering beginning with zero) of the work array, where the pointer points.

- The value of the pointer is increased by one.

- The new current state will be that element of the key automaton's transition matrix, whose row number (beginning with zero) is the numeric value of the last input signal in the work array, its column number (beginning with zero) will be the numeric value of the current state. 11. The starting state will be the current state. 12. The content of the work array is sent to 3 I/O controller in a length determined by the value of the pointer by 4 execution unit through 5 data bus, and the character flow received will be displayed as output data in 2 I/O-2 gate.

13. The value of the block counter is increased by one. 14. If the value of the block counter is greater than the value of the block number and length of the character string representing validity and access range data summed, go to step 2. 15. If the character string representing validity and access range data has not been read in completely, go to step 4. 16. If the plain text has not been finished yet, go to step 5.

17. 11 The random number generator generates a (random) value between the minimal and maximal block length, and this value is multiplied by the difference of the block number and the clock counter.

18. An input signal string is generated, and is transferred to 2 the I/O-2 gate by 4 execution unit through 5 data bus and then through 3 I/O controller, whose length is equal to the value calculated in the previous step and none of its non-empty initial segment takes the current state into a final state. 19. Encryption is finished.

When used as a decryption device, the encrypted message is transferred in the form of a character flow from 2 I/O-2 gate through 3 I/O controller and 5 data bus to 4 execution unit The (decrypted) plain text message thus achieved is transferred in the form of a character flow from 4 execution unit through 5 data bus to 3 I/O controller, which in turn displays it on IfO-I gate 1. Decryption takes place as follows:

I . Space allocation in data memory 8 for the work array, the pointer and the current state, which takes the value of the initial state of 7 key automaton as- its initial value. 2. The next character is read in ^' (first one first).

3. If the character read in is a synchronising signal, then the value of the pointer in the operative data memory is zero, and step 5 follows.

4. If there is a further input/incoming character, then step 2 follows. If there are no more input/incoming characters, decryption is finished. 5. The following iterative steps are repeated as long as the validity and access range data of content provision are generated (until the pointer takes a certain given value).

- The next character is read in.

- The next current state in 10 the operative data memory, is the element in 11 the transition matrix of 7 key automaton, whose row number (starting with zero) is given by the numeric value of the character read in, the column number (beginning with zero) is the numeric value of the current state. - If the numeric value of the current state is equal to the numeric value of some character, then numeric value of the current state is stored in that element of the work array, whose ordinal (beginning from zero) is given by the pointer, and then the value of the pointer is increased by one.

6. The validity and access range data of content provision (generated in the work array) is compared to the data validity and access range data stored in the receiver's access control module.

7. If the receiver's validity and access range data are found invalid in step 6, the error is reported, otherwise, access is authorised (which leaves the value of the current state of 7 key automaton unchanged).

8. The next character is read in.

9. If the character read in is a synchronising signal, the pointer takes the value zero, the current state will take as its initial value the value of the initial state of key automaton 7, and step 5 follows.

10. The next current state in 10 the operative data memory, is the element in the transition matrix of 7 key automaton, whose row number (starting with zero) is given by the numeric value of the character read in step 8, the column number (beginning with zero) is the numeric value of the current state.

I 1. If the numeric value of the current state equals the numeric value of some character, this character is transferred through 4 data bus to 3 I/O controller, and is displayed on 1 1/O-l gate.

12. If there are further incoming characters, then step 8 follows. If there are no more incoming characters, decryption is finished.

In the process of encryption, the device described in this patent first generates a synchronising signal, then to each character, one by one, in the character string representing the validity and access range data, there is a character string of a random length from a given length interval is generated. This procedure is repeated after the device

described in the patent reads in a segment of the plain text that has a length from a given length interval. After each of these procedures, the device described in the patent reads in, character by character, a segment of the plain text, which has a length from a given length interval, and to each character read in, a character string is generated, of a changeable, random length from a given length interval, and by linking these character string with those generated after a synchronising signal we get the encrypted message. These randomly chosen character strings take the key automaton from the current state into the final state assigned to the character read in so that none of the intermediate states is a final state. The current state of the key automaton in the device is the initial state at first, and before reading in any further character (in the validity or access range character string, or the current segment of the plain text) it is the final state associated with the character read in last. If the procedure reaches the end of the plain text in encryption, and the number of encrypted blocks after the last synchronising signal is less than the minimal block length, there are random input signal strings added to the encrypted message, which has no non- empty initial segments that takes the key automaton from the current state into a final state.

During decryption, the segment after the first synchronising signal, is read in character by character, and the input signals assigned to the final states thus reached are linked together, and the message in its original form is retained. If the validity and access range data of the receiver, contained in the message are found to be valid by the device, then reception is authorised, and decryption continues, otherwise and error message is sent.

A possible realisation of the patent :

A drawback of the described encryption procedure is that theoretically, while generating an encrypted block, in steps 8-10 there can occur any number of aborted attempts. (P. Erdδs - A. Renyi: On the law of large numbers, J. Analyse Math. 23, 103-111.) More precisely, in theory it can happen infinitely many times, that while generating an encrypted block, the cycle in step 10 results in stepping back to step 8. This problem can easily be solved, if there is at least one input signal that takes the key automaton from any non-final state to all the final states. This condition is easy to meet, if the number of input signals is the same as the number of states, and the number of non-final states is big enough (it is greater than or equal to the number of final states). Another possible solution is to use a key automaton with a special transition matrix, and adjust the steps 7 and 10 of the encryption procedure.

For example, assume that the key automaton can be taken from each non-final state to each final state by an input string having at most length two. So, if the maximal block length is at least three, then adjusting steps 7 and 10 in the encryption procedure in the following way, will have the result that the cycle in step 10 need not be left, and encryption will take place faster, and the drawback mentioned above is also overcome.

7. Generation of a random number with 11 random number generator , whose value is greater than the minimal encrypted block length and and not greater than the maximal encrypted block length.

10. The following iterative steps are repeated until the current state and the goal state in the data memory are the same.

- If the pointer value is less than the number generated in step 7 minus one, then 11 the random number generator generates a random input signal, which

takes the automaton from the current state into a non- final state, and this random input signal will be the element (numbering beginning with zero) of the work array, where the pointer points. - If the pointer value is equal to the number generated in step 7 minus one and there are no input signals that takes the current state into the goal state, then - just like in the previous paragraph - 11 the random number generator generates a random input signal, which takes the automaton from the current state into a non-final state from which the goal state can be reached by at least one input signal, and this random input signal will be the element (numbering beginning with zero) of the work array, where the pointer points.

- If the pointer value is equal to the number generated in step 7 minus one and there is an input signal that takes the current state into the goal state, then this input signal will be the element (numbering beginning with zero) of the work array, where the pointer points.

- the pointer value is equal to the number generated in step 7, then the input signal that takes the current state into the goal state will be the element (numbering beginning with zero) of the work array, where the pointer points.

- The pointer value is increased by one.

- The new current state will be the element of the transition matrix of 7 key automaton, whose row number (beginning with zero) is the numeric value of the last input signal put into the work array, and whose column number is the numeric value of the current state. Other possible realisations of the patent

The realisation described is when to each character of the encrypted text the device assigns that state of 7 key automaton as final state, whose numeric value is equal to the character's numeric value. Apart from these realisations — in order to increase security — there are other realisations possible, where there can be more than one final states assigned to each character. In these realisations, the ROM memory has to store, besides 7 key automaton, what states are assigned as final states to each character (e.g. in a linked list). The only adjustment necessary to make in the realisation described, is that in step 6 uses either the 11 random number generator or another random number generator to determine, which of the final states assigned to the given character should be the current goal state. Decryption needs to be modified in step 7 only, so that in each case, when the current state is a final state, the character, which has the current state as final state assigned to it is to be displayed on 1 I/O-l gate.

If the key automaton had certain special features, then the system could be attacked by automatic learning algorithms. (D. Angluin: Inference or reversible languages. In: J. Assoc. Comput. Mach., 29 (1982), 741-765. This is avoidable (P. Dδmδsi : A practical stream cipher based on finite Automata without Outputs, kezirat) if the following hold: - there exists a permutation signal

- for each state pair there exists a non-empty input signal string that does not contain the synchronizing signal of the key automaton, so that the extended transition function assigns state strings to the first element of the pair and this input signal string as well as the second element of the pair and the input signal string such that the last elements of these state strings are the same

Nevertheless, the following properties are expedient avoiding the simple statistical attacks:

- each input sign takes the automaton into each final state from various states in the same multiplicity, - none of the input signals takes the key-automaton from a final state into another final state.

A brief discussion of the figure

Figure 1. The block diagram of the invention: it shows how the two-functional device in the invention (encryption and decryption) is built up and how the structural elements are connected. The number of key automata

We confine ourselves to key automata, which utilize the 128 kilobyte segment of the ROM memory in the mentioned S3CJ9QD microcontroller most economically. In this realisation it is reasonable to use a key automaton with 256 input signals and 256 states, where there pennutation signal in 128 ways. For the simplicity, we assume that every column of the transition matrix is a permutation of the state set and let be fixed the ordinal of the synhronised signal. Then, to the contrary of our restrictions, there are ((255) !) ²⁵⁶ -2.74 x IQ ¹²⁹¹⁵⁸ possibilities to choose the key automaton. Advantages of the invention

1) Resistance to code breaking and tampering. Resistance to code breaking and tampering when using the invention for encryption is also due to the difficulty of finding the encryption key from an encrypted message or a message and its encryption. The key- automaton is randomly chosen out of a set with a huge number of elements. Breaking such an encryption system using brute force is obviously impossible. It is also evident that the more security we want the longer the minimal (and maximal) block length should be, that is the higher the security the less economical the service becomes. Finding the right balance needs further research. If, for example, the minimal block length is 16, each character in the plain text is randomly chosen out of a set with 2 elements. In this case, not only brute force, but the adaptive method of given plain text - given encrypted message is hopeless. Furthermore, attacks with the methods of encrypted message only, known plain text, given plain text, given encrypted message or their adaptive versions are also useless (P. Dδmδsi: A practical stream cipher based on finite Automata without Outputs, manuscript). Since encryption is not based on that the plaintext and the generated

character string is merged with the operation ,,exclusive or", attacks with the recycled key or substitution have no effect either. 2) The length of the decrypted message depends on the length of the plain text (in statistical sense). However, with a longer minimal and maximal block length for a shorter and a shorter minimal and maximal block length for a longer plaintext, unauthorised parties cannot, even if they have the encrypted message estimate even the length of the plain text, while no dummy characters are used.

3) Fast operations. The simplicity of the key-automaton allows for the fast performance of the operations. A software simulation of the present invention for testing was implemented by a computer program written in the programming language C++. The implementation was tested on a conventional, 1.1 GHz PC (IBM X40). Test results show for a big key- automaton (256 input signals and 256 states) and a long (16 byte minimal and 18 byte maximal) block lengths, an encryption speed of 142 kilobyte/second and a decryption speed of 328 kilobyte/second. In physical implementation with suitable hardware appliances (microcontrollers, smart cards, etc.) these encryption and decryption speeds can be considerably increased.

4) Applicability of the invention for conditional access broadcasting and datacasting. As test results have shown, the invention seems to be efficient even with conditional access broadcasting and datacasting, when the encryption module in the program and data providing device is relatively fast (at least twice as fast) compared to the decryption module(s) in the receiving device(s). Furthermore due to the special properties of the broadcast- and data providing and receiving devices, decryption of the encrypted message can start right after the first received synchronising signal, even if reception of the content provision does not start with the beginning of the program and data transmission, but later.

List of Items 1. I/O-l gate

2. I/O-2 gate

3. I/O controller

4. Execution unit

5. Data bus 6. Program memory

7. Key automaton

8. Data memory

9. Validity and access range information storage unit 10. Operational data storage unit 11. Random number generator