Author(s): Jean-Pierre Andreaux, Sylvain Chevreau, Eric Diehl (2001) Submitted by Thomas Genet (06/03/2003)
This view-only protocol is part of the SmartRight
system designed by Thomson for copy protection
for the Digital Video Broadcasting technology.
Its purpose is to ensure that the digital content
broadcasted can be view only once.
It uses symmetric key cryptography with nonces and xor.
The above presentation and these explanations
are extracted from [GTTT03]:
The protocol is deployed between two smartcards:
CC (Converter Card) and TC (Terminal Card),
respectively in an access device (i.e. a digital receiver)
receiving a scrambled digital content
and a presentation device (i.e. a television) which is
supposed to descramble the content before rendering it.
The keys used to scramble the content are called control wordsCW.
The cards CC and TC share a secret symmetric encryption
CC generates first the random values VoKey and VoR,
and sends them encrypted to TC (in message 1),
together with a CW which has been received
(by the access divice) with the scrambled content.
The operator + is xor.
TC then sends in return a random challenge VoRi (message 2).
The message 3 is the answer of CC to the challenge.
After receiving the message 3, TC checks if the answer
is correct, by comparing the hashed value h(VoRi)
with its own value, and if so, it extracts CW
and uses it to descramble the content.
Note on memory management:
After sending the message 3,
CC deletes VoR and VoKey from its memory.
After receiving and accepting the message 3,
TC deletes VoRi from its memory.
This is very important (with respect to the property below)
because of the control aspects given below.
Note on control:
The principal CC and TC switch to the next state
only once they have received the next message expected
(and not once they have send a message as usual).
After sending message 2, TC will continue
to accept a (new) message 1 and reply by a (new) VoRi
(message 2) until it receives the message 3 and
After sending message 2, TC will
process all the messages 3 it shall receive until
it receives a new message 1.
cited from [GTTT03]:
The control word CW may be extracted by TC only once
at the time where the protocol is played.
Thomas Genet, Yan-Mei Tang-Talpin, and Valérie Viet Triem Tong.
Verification of copy-protection cryptographic protocol using
approximations of term rewriting systems.
In Proc. of WITS'03, Workshop on Issues in the Theory of