由於現代電腦網路科技及多媒體技術的蓬勃發展，近年來付費電視系統已成為最流行、熱門的應用之一。為了保護付費電視中的各頻道，限制存取系統(CAS)則是付費電視中最基本且必須的一項元件。透過限制存取系統的保護，只有被授權的訂閱者可以正確取得節目內容，同時，這些使用者需要根據訂閱的節目繳費。在本論文中，我們定義了一個名為彈性訂閱的付費電視模式讓使用者可以一次訂閱一群大量的頻道並且在付費期間中任意停止訂閱。為了達成此彈性訂閱機制的必要條件，我們提出了一個四層式金鑰管理架構的限制存取系統。本系統可以適用在大規模的付費電視環境中，允許大量使用者並容納大量的頻道。在本系統架構下使用者可以自由地選擇喜歡的頻道。除此之外，使用者亦可隨時任意的訂閱或取消某些頻道，並且，當發現非法使用者時，本系統亦可迅速撤銷其使用權限。

The pay-TV system becomes one of the popular applications in recent years because of the advancement in modern network technique. The Conditional Access System (CAS) is the essential function to provide the channel protection in pay-TV system. Only the authorized subscribers can precisely receive the TV program, and they were charged by the service provider according to their subscription. In this paper, we defined a new pay-TV model named Flexible-PPC (F-PPC) which allowed subscribers subscribe to a large number of channels and unsubscribed each of them anytime. In order to accomplish the requirements of F-PPC, we also proposed a CAS with a four-level hierarchical key management scheme. The proposed CAS can be applied on a large scale pay-TV system with lots of subscribers and channels. The subscribers can freely choose the channels. Besides, subscribers can subscribe and unsubscribe channels arbitrarily, and the proposed CAS can also revoke illegal subscribers rapidly.

Abstract I
摘 要 II
誌 謝 III
TABLE OF CONTENTS IV
List of Tables VI
List of Figures VII
Chapter 1 Introduction 1
1.1 Overview 1
1.2 Overview of the Thesis 2
Chapter 2 Related Work 3
2.1 Conditional Access System (CAS) Overview 3
2.1.1 Two Levels Hierarchy 4
2.1.2 Three Levels Hierarchy 4
2.1.3 Four Levels Hierarchy 5
2.1.4 The Environment of the Receiving End 7
2.2 Broadcast Encryption and User Revocation 8
Chapter 3 Key Management Scheme for User Revocation 10
3.1 System Overview and Notation 10
3.2 Group Key Update Phase 11
3.2.1 Single Revocation 11
3.2.2 Comparison to the LKH scheme 12
3.2.3 Group Revocation 13
3.2.4 Comparison to the SD scheme 13
3.3 Key Assignment 14
3.4 Capacity Extension 16
Chapter 4 Proposed Scheme 18
4.1 System Overview 18
4.2 Complete Scheme 20
4.2.1 Initial Phase 20
4.2.2 User Registration Phase 21
4.2.3 Subscribing Phase 21
4.2.4 RGK Updating Phase 22
4.2.5 AK Updating Phase 22
4.3 Further Discussion 23
4.4 Security Analysis 27
4.4.1 The Security of the RGK 27
4.4.2 The Security of the AK 27
4.4.3 The Security of the Modified Key Tree 28
Chapter 5 Performance Analysis and Comparison 30
5.1 Comparison for single channel 30
5.2 Extra storage of subscribers 32
5.3 Transmission load of server 34
5.4 The limit of the receiving groups 38
Chapter 6 Conclusion 39
6.1 Summary 39
6.2 Future works 39
BIBLIOGRAPHY 41

[1] F. K. Tu, C. S. Laih, and S. H. Toung, "On key distribution management for condition access system on Pay-TV system," in 1998 IEEE Int. Symp. Consumer Electronics (ISCE'98), vol. 45, pp. 151–159, 1998.

[2] Y. L. Huang, S. Shieh, F. S. Ho, and J. L. Wang, "Efficient Key Distribution Schemes for Secure Media Delivery in Pay-TV Systems," in IEEE Trans. Multimedia, vol. 6, no. 5, pp. 760–769, Oct. 2004.

[3] "Conditional-Access Broadcasting Systems," ITU Rec. 810, 1992.

[4] E. Cruselles, J. L. Melus, and M. Soriano, "An overview of security in Eurocrypt conditional access system," in IEEE Global Telecommunications Conf., vol. 1, pp. 188–193, 1993.

[5] B. M. Macq and J. J. Quisquater, “Cryptology for digital TV broadcasting,” in Proceedings of the IEEE, vol. 83, no. 6, pp. 944-957, June 1995.

[6] W. Lee, "Key Distribution and Management for Conditional Access System on DBS," in Proceedings of International Conf. Cryptology and Information Security, pp. 82–86, 1996.

[7] H. Sakakibara et al., “The ID-based noninteractive group communication key sharing scheme using smart cards,” in Proc. Int. Conf. Network Protocols, 1994, pp. 91-98.

[8] T. D. C. Little and D. Venkatesh, “Prospects for interactive video-on-demand,” IEEE Multimedia, pp. 14-23, Fall 1994.

[9] K. C. Almeroth and M. H. Ammar, “The use of multicast delivery to provide a scalable and interactive video-on-demand service,” IEEE J. Selected areas Commun., vol. 14, Aug. 1996.

[10] S. Viswanathan and T. Imielinski, “Metropolitan area video-on-demand service using pyramid broadcasting,” Multimedia Syst., vol. 4, no. 4, pp. 197-208, 1994.

[11] L. S. Juhn and L. M. Tseng, “Staircase data broadcasting and receiving scheme for hot video service,” IEEE Trans. Consumer Electron., vol. 43, no. 4, pp. 1110-1117, Nov. 1997.

[12] D. Wallner, E. Harder, and R. Agee, “Key Management for Multicast: Issues and Architectures,” RFC 2627, 1999.

[13] S. G. Akl and P. D. Taylor, "Cryptographic Solution to a Problem of Access Control in a Hierarchy," in ACM Trans. Computer Systems, vol. 1, no. 3, pp. 239–248, 1982.

[14] R. L. Rivest, A. Shamir, and L. Adleman, “A Method for Obtaining Digital Signatures and Public-Key Cryptosystems,” Comm. ACM, vol. 21, no. 2, pp. 120-126, Feb. 1978.

[15] S. J. Mackinnon, P. D. Taylor, H. Meijer, and S. G. AKl, "An Optimal Algorithm for Assigning Cryptographic Keys to Control Access in a Hierarchy," in IEEE Trans. Computers, vol. 34, no. 9, pp. 797–802, Sept. 1985.

[16] B. Liu, W. Zhang, and T. Jiang "A Scalable Key Distribution Scheme for Conditional Access System in Digital Pay-TV System," in IEEE Trans. Consumer Electronics, vol. 50, no. 2, pp. 632–637, May 2004.

[17] W. G. Tzeng, "A Time-Bouned Cryptographic Key Assignment Scheme for Access Control in a Hierarchy," in IEEE Trans. Knowledge and Data Eng., vol. 14, no. 1, pp. 182–188, Jan./Feb. 2002.

[18] X. Yi and Y. Ye, “Security Analysis of Tzeng’s Time-Bound Key Assignment Scheme for Access Control in a Hierarchy,” IEEE Trans. Knowledge and Data Eng., vol. 15, no. 4, pp. 1054-1055, July/Aug. 2003.

[19] H. Y. Chien, “Efficient Time-Bound Hierarchical Key Assignment Scheme,” IEEE Trans. Knowledge and Data Eng., vol. 16, no. 10, pp. 1301-1304, Oct. 2004.

[20] S. Y. Wang, C. S. Laih, "Merging: An Efficient Solution for a Time-Bound Hierarchical Key Assignment Scheme," in IEEE Trans. Dependable and Secure Computing, vol. 3, no. 1, pp. 91–100, Jan.-Mar. 2006.

[21] A. Fiat and M. Naor, "Broadcast Encryption," Advances in Cryptology - CRYPTO '93, Lecture Notes in Computer Science 733, Springer, pp. 480–491, 1994.

[22] D. Naor, M. Naor, J. Lotspiech, "Revocation and Tracing Schemes for Stateless Receivers," in Proc. Crypto 2001, Lecture Notes in Computer Science, pp. 41–62, Aug. 2001.

[23] D. Halevi and A. Shamir, “The LSD Broadcast Encryption Scheme,” in M. Yung (Ed): Proceedings of Crypto 2002, vol. 2442 of LNCS, pp. 47-60, Aug. 2002.

[24] Y. Dodis and N. Fazio. “Public Key Broadcast Encryption for Stateless Receivers,” in Proceedings of the Digital Rights Management Workshop 2002, vol. 2696 of LNCS, pp. 61-80, 2002.

[25] C. K. Wong, M. Gouda and S. Lam, "Secure Group Communications Using Key Graphics," SIGCOMM, 1998.

[26] B. Chor, A. Fiat, M. Naor and B. Pinkas, “Tracing traitors,” in IEEE Transactions on Information Theory, vol. 46, No. 3, pp. 893-910, May 2000.

[27] S. Mitsunari, R. Sakai and M. Kasahara, "A New Traitor Tracing," in IEICE Trans. Fundamentals of Electronics, vol. E85-A, No. 2, pp. 481–484, Feb. 2002.

[28] V. D. To, R. Safavi-Naini, F. Zhang, "New Traitor Tracing Schemes Using Bilinear Map," in ACM Workshop on DRM'03, Washington, DC, USA, pp. 67–76, Oct. 27, 2003.

[29] M. Naor, B. Pinkas, “Efficient Trace and Revoke Schemes,” in Proceedings of the 4-th international Conference on Financial Cryptography, vol. 1962 of LNCS, pp. 1-20, 2000.

[30] NITS. “Secure hash standard,” Tech. Rep. FIPS 180-1, NITS, US Department Commerce, April 1995.

[31] R. Rivest, “The MD5 message digest algorithm,” Tech. Rep. RFC 1321, April 1992.