
Broadcast Encryption

Joseph Tsun Kiet Man (3407294)

Introduction
In recent years, digital television has been replacing analog television as the preferred
transmission medium, as it offers more services (e.g. interactive television, electronic program
guides), more programs, and higher video and audio quality. This transition has allowed cable
operators to increase their revenues by increasing the number of paid services and programs.
But this would be meaningless if non-subscribers could easily view the paid services and
programs from their cables. This is the main reason why cable companies use scrambling
techniques to prevent non-subscribers from viewing the content.
In the past, simple methods were used to prevent non-subscribers from viewing paid
channels. One of these methods was adding or removing filters according to the
subscription. As the number of channels grew, this method became increasingly impractical.
An alternative was adding interference signals to the original signal; however, this could be
easily bypassed using filters. As technology progressed, dedicated hardware, set-top boxes
(STB), came to be used to descramble signals. This enables the combination of scrambling and
encryption methods. The main difference between scrambling and encryption methods is that
scrambling methods change the values of some bits in a data block or stream with the purpose
of spreading the signal across the spectrum to decrease electromagnetic interference or to
introduce security, whereas encryption methods process the information (plaintext) through
an algorithm (cipher) to make it unreadable for others who do not possess certain knowledge
about the key. In this article no distinction will be made between scrambling and encryption
methods, as it is not relevant to the article's purpose.
The purpose of this article is to provide an introduction to how digital television
signals are encrypted and decrypted using the Digital Video Broadcasting (DVB) Common
Scrambling Algorithm (CSA), and to some of the cryptanalysis that has been done on it. This paper
also briefly addresses the problem of subscribed users sharing their keys, as this would
give non-subscribers access to paid programs. The article has been divided into four sections:
the second section gives a brief overview of the path from transmission to
receiver. The second section explains the common scrambling algorithm, including a
discussion of its weaknesses. The last section briefly summarizes this article.

Overview
Before explaining how DVB CSA works, knowledge of the data that it encrypts is needed.
The broadcaster provides a set of programs, each of which is composed of different elements,
namely audio, video and text. These elements are then converted using the MPEG2 codec and
each program is broken up into packages. The total of these packages for each program is
called the program elementary stream (PES) (Haskell, Puri, & Netravali, 1996). The PES of
each program is then multiplexed together with those of other programs and divided into
188-byte packages for transmission. This stream of data is called the Digital Video Broadcasting
(DVB) MPEG2 transport stream (TS). DVB CSA can be implemented either at the PES level
or at the TS level. This is unspecified in the guidelines for television broadcasting. At the
receiver's side the STB is used together with a conditional access module (CAM). The CAM
holds a smartcard that can derive short-term control words (see Section 3). If the security
is breached, the smartcard can then be easily replaced.

DVB Common Scrambling Algorithm


The DVB common scrambling algorithm is an ETSI (European Telecommunications
Standards Institute) specified algorithm for securing MPEG2 transport streams [1]. This is one
element of the set of internationally accepted open standards for digital television, which is
called Digital Video Broadcasting (DVB). Until 2002, this algorithm was not publicly
available, as licensees had to sign a Non-Disclosure Agreement with the ETSI custodian.
However, after the software implementation of the algorithm in a program called FreeDec, the
CSA was reverse engineered and its details became publicly known. The in-depth explanation
given below is largely based on the work by Ralf-Philipp Weinmann and Kai Wirt
(Weinmann & Wirt, 2005; Wirt, 2005).

[1] Note this can also be applied to PES. It is actually unspecified for usages other than digital
terrestrial television.

General Overview
The DVB Common Scrambling Algorithm can be seen as a combination of a block and a
stream cipher. It can be thought of as cascading the block and stream cipher. Both ciphers use a
64-bit key, which is called a common key, to encrypt the data. This key is renewed every 10 to
120 seconds. For encrypting a payload of m bytes, the payload is first divided into blocks of 8
bytes ( ). If the payload is not divisible by 8 bytes, then a residue will remain ( ) and the
residue will not be processed by the block cipher. MPEG2 states that the payload can be
different from a multiple of 8 due to the use of an adaptation field, which contains ancillary data
(i.e. non-video information, e.g. audio). The blocks are then processed by the block
cipher using cipher block chaining in reversed order (see Figure 3.1). Cipher block chaining is
a mode invented by IBM in 1976 (Ehrsam, Meyer, & Smith, 1976), which takes the ciphertext
of the previous block and XORs it with the plaintext before encryption. The block cipher used
will be explained more in depth in later sections. The block cipher encryption results in
intermediate blocks, which will then be encrypted using the stream cipher.

, the last

block of the sequence will be used as nonce (i.e. an arbitrary number used only once in
cryptographic communication) to set up the initial state and is left unprocessed by the stream
cipher. The first

8 bytes generated by the key stream (

XORed with the block cipher encrypted intermediate blocks

, ,
with

) are then
1 followed by the

residue. The decryption diagram can be seen in Figure 3.2, which uses the same principle as
encryption.

Figure 3.1: An image describing how Cipher Block Chaining works during encryption of three different blocks of
plaintext (Source: Wikipedia).

Figure 3.2: An image showing how to decrypt the common scrambling algorithm. The variables are defined in the
text section General Overview (Wirt, 2005).
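
The cascade described in this section, as an added example that is not part of the original article: the payload is split into 8-byte blocks plus a residue, the blocks are chained in reverse order through a block cipher, and everything after the nonce block is XORed with a keystream. `toy_block_encrypt`, `toy_block_decrypt` and `toy_keystream` are hypothetical SHA-256-based stand-ins, not the CSA ciphers; taking the block produced last by the reversed chaining (the first in transmission order) as the nonce is an assumption about the layout.

```python
import hashlib
BLOCK = 8  # block size in bytes

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, half, rnd):
    # Stand-in Feistel round function (assumption): NOT the CSA block cipher.
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]

def toy_block_encrypt(key, blk):
    l, r = blk[:4], blk[4:]
    for rnd in range(4):
        l, r = r, xor(l, _f(key, r, rnd))
    return l + r

def toy_block_decrypt(key, blk):
    l, r = blk[:4], blk[4:]
    for rnd in reversed(range(4)):
        l, r = xor(r, _f(key, l, rnd)), l
    return l + r

def toy_keystream(key, nonce, n):
    # Stand-in keystream (assumption), seeded by the common key and the nonce block.
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def scramble(key, payload):
    n = len(payload) // BLOCK
    if n == 0:
        raise ValueError("payloads shorter than one block are not handled here")
    blocks = [payload[i * BLOCK:(i + 1) * BLOCK] for i in range(n)]
    residue = payload[n * BLOCK:]        # never enters the block cipher
    ib, prev = [b""] * n, bytes(BLOCK)
    for i in reversed(range(n)):         # chaining runs from the last block to the first
        ib[i] = prev = toy_block_encrypt(key, xor(blocks[i], prev))
    rest = b"".join(ib[1:]) + residue    # the nonce block ib[0] skips the stream cipher
    return ib[0] + xor(rest, toy_keystream(key, ib[0], len(rest)))

def descramble(key, data):
    n = len(data) // BLOCK
    rest = xor(data[BLOCK:], toy_keystream(key, data[:BLOCK], len(data) - BLOCK))
    ib = [data[:BLOCK]] + [rest[i * BLOCK:(i + 1) * BLOCK] for i in range(n - 1)]
    ib.append(bytes(BLOCK))              # zero block closes the chain
    plain = [xor(toy_block_decrypt(key, ib[i]), ib[i + 1]) for i in range(n)]
    return b"".join(plain) + rest[(n - 1) * BLOCK:]

SAMPLE_KEY = bytes(range(8))             # constructed 64-bit common key
SAMPLE = bytes(range(21))                # constructed payload: 2 blocks + 5-byte residue
```

Because the residue only passes through the keystream XOR, changing it leaves the scrambled blocks before it untouched, while changing a later block changes every block before it.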

The Stream Cipher


The stream cipher uses two feedback shift registers, each of them consisting of 10 4-bit wide
( , ). Furthermore it uses three bit registers ( , , ) and 5 four bit registers ( , , , , ).
It also uses another feedback register D (8 bit wide) for calculating the initial states of A and
B. The stream cipher consists of two phases: the initialization phase, in which the starting
state of the cipher is set up, and the generating phase, in which the cipher produces two
pseudo-random bits per clock cycle. A schematic overview can be seen in Figure 4.1.

Figure 4.1: A schematic overview of the stream cipher used by the common scrambling algorithm (Weinmann &
Wirt, 2005).

In the initialization phase, all registers are first set to 0, then the common key ,
consisting of ,, are loaded into the shift registers and . The shift registers
can be represented by matrices as follows (see Equation (1.1)).

$$
A = \begin{pmatrix} a_{0,0} & \cdots & a_{0,3} \\ \vdots & & \vdots \\ a_{9,0} & \cdots & a_{9,3} \end{pmatrix},
\quad
B = \begin{pmatrix} b_{0,0} & \cdots & b_{0,3} \\ \vdots & & \vdots \\ b_{9,0} & \cdots & b_{9,3} \end{pmatrix}
\tag{1.1}
$$

A different notation that will be used in the document is the following equation
(see Equation (1.2)), where $a_i = (a_{i,0}, \dots, a_{i,3})$ and $b_i = (b_{i,0}, \dots, b_{i,3})$ [2].

$$
A = (a_0, \dots, a_9)^T, \quad B = (b_0, \dots, b_9)^T
\tag{1.2}
$$

[2] Notice that these are vector representations of the matrices.

Each key element is loaded into the corresponding register and location determined
by the following rules (see Equation (1.3)).

$$
a_{i,j} = \begin{cases} k_{4i+j} & i \le 7 \\ 0 & \text{else} \end{cases}
\qquad
b_{i,j} = \begin{cases} k_{32+4i+j} & i \le 7 \\ 0 & \text{else} \end{cases}
\tag{1.3}
$$

After the key is loaded, $IB_0$ is used together with feedback register D to calculate the
input for A and B, which are called $I_A$ and $I_B$, using 32 clock cycles. These are determined
by Equation 1.3. Thus in every odd cycle the input $I_A$ contains the high nibble (i.e. the four
highest order bits [3]) of $IB_0$ and $I_B$ contains the lower nibble of $IB_0$. In an even cycle this is
reversed.

$$
(I_A, I_B) := \begin{cases}
(IB_0 \operatorname{div} 2^4,\; IB_0 \bmod 2^4) & t_i,\ i \in \{1, 3, 5, \dots, 31\} \\
(IB_0 \bmod 2^4,\; IB_0 \operatorname{div} 2^4) & \text{else}
\end{cases}
\tag{1.4}
$$

[3] Notice that one of these represents a hexadecimal value.

The feedback $a_0'$ of shift register A is given by the following equation (see Equation
(1.5)). This results in the new register $A' := (a_0', a_0, \dots, a_8)^T$. The register X will be
calculated by $X := (S_{4,0}, S_{3,0}, S_{2,1}, S_{1,1})$, where the input comes from the bits in register
A shown in Table 4.1 with the corresponding S-formulas (the algebraic notation
of the S-formulas used can be found in equation (1.13) [4]). The letters a to e refer to
the highest order bit to the lowest order bit. The D register will be defined later.

$$
a_0' := \begin{cases}
a_9 \oplus X \oplus D \oplus I_A & \text{init phase} \\
a_9 \oplus X & \text{else}
\end{cases}
\tag{1.5}
$$

[4] Due to the size of equation 1.8 it has been moved to Appendix A.

The feedback $b_0'$ of shift register B is given by the following equation (see Equation
(1.6)). This results in register $B'$, which is given by the next equation (see Equation (1.7)). The
register Y will be calculated by $Y := (S_{6,0}, S_{5,0}, S_{4,1}, S_{3,1})$ and $p := S_{7,1}$.

$$
b_0' := \begin{cases}
b_6 \oplus b_9 \oplus Y \oplus I_B & \text{init phase} \\
b_6 \oplus b_9 \oplus Y & \text{else}
\end{cases}
\tag{1.6}
$$

$$
B' := \begin{cases}
(b_0', b_0, \dots, b_8) & p = 0 \\
(b_0' \lll 1, b_0, \dots, b_8) & \text{else}
\end{cases}
\tag{1.7}
$$

S1    a3,0   a0,2   a5,1   a6,3   a8,0
S2    a1,1   a2,2   a5,3   a6,0   a8,1
S3    a0,3   a1,0   a4,1   a4,3   a5,2
S4    a2,3   a0,1   a1,3   a3,2   a7,0
S5    a4,2   a3,2   a5,0   a7,1   a8,2
S6    a2,1   a3,1   a4,0   a6,2   a8,3
S7    a1,2   a2,0   a6,1   a7,2   a7,3

Table 3.1: The input values from the register that is used for calculating the S-box formulas (Weinmann & Wirt,
2005).

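The stream cipher then uses a combiner to calculate two bits of output per clock. It
uses the register and and to calculate these outputs. The states of E and F are
determined using the following equation (see Equation (1.8)). The register Z is calculated by
$Z = (S_{2,0}, S_{1,0}, S_{6,1}, S_{5,1})$ and register $q = S_{7,0}$. The register c is determined by the
equation (1.9).

$$
(E, F) := \begin{cases}
(F, E) & q = 0 \\
(F,\; E + Z + c \bmod 2^4) & \text{else}
\end{cases}
\tag{1.8}
$$

$$
c := \begin{cases}
c & q = 0 \\
1 & E + Z + c \ge 2^4 \\
0 & \text{else}
\end{cases}
\tag{1.9}
$$

The output of the generator can then be calculated by concatenating $D_2 \oplus D_3$ and
$D_0 \oplus D_1$, where $D_v := E \oplus Z \oplus B_v$ and $B_v$ is shown in equation (1.10).

$$
\begin{aligned}
B_0 &:= b_{8,2} \oplus b_{5,2} \oplus b_{2,1} \oplus b_{7,0} \\
B_1 &:= b_{4,3} \oplus b_{7,2} \oplus b_{3,0} \oplus b_{4,1} \\
B_2 &:= b_{5,0} \oplus b_{7,1} \oplus b_{2,3} \oplus b_{3,2} \\
B_3 &:= b_{2,0} \oplus b_{5,1} \oplus b_{6,2} \oplus b_{8,3}
\end{aligned}
\tag{1.10}
$$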
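
The key loading of equation (1.3), the nibble inputs of equation (1.4) and one combiner step from equations (1.8) to (1.10), as an added example that is not code from the original article or from any CSA implementation. Assumptions: the key is passed as a list of its 64 bits in index order, IB0 is treated as an 8-bit value, bit v of a 4-bit register means `(x >> v) & 1`, the output is formed before E, F and c are updated, and the S-box outputs Z and q are supplied by the caller.

```python
# Tap positions (i, j) into register B for B_0..B_3, copied from equation (1.10).
TAPS = [
    [(8, 2), (5, 2), (2, 1), (7, 0)],
    [(4, 3), (7, 2), (3, 0), (4, 1)],
    [(5, 0), (7, 1), (2, 3), (3, 2)],
    [(2, 0), (5, 1), (6, 2), (8, 3)],
]

def load_key(k):
    """Equation (1.3): place key bits k_0..k_63 into A and B; rows 8 and 9 stay 0."""
    if len(k) != 64:
        raise ValueError("the common key has 64 bits")
    A = [[k[4 * i + j] if i <= 7 else 0 for j in range(4)] for i in range(10)]
    B = [[k[32 + 4 * i + j] if i <= 7 else 0 for j in range(4)] for i in range(10)]
    return A, B

def init_inputs(ib0, cycle):
    """Equation (1.4): odd cycles give A the high nibble of IB0, even cycles swap."""
    hi, lo = ib0 >> 4, ib0 & 0xF
    return (hi, lo) if cycle % 2 == 1 else (lo, hi)

def b_out(B):
    """Equation (1.10): each B_v is the XOR of four tapped bits of register B."""
    out = []
    for taps in TAPS:
        bit = 0
        for i, j in taps:
            bit ^= B[i][j]
        out.append(bit)
    return out

def combiner(E, F, Z, c, q, B):
    """One generating-phase step: returns the new (E, F, c) and the two output bits."""
    bv = sum(bit << v for v, bit in enumerate(b_out(B)))  # assumption: B_v is bit v
    D = E ^ Z ^ bv
    out = (((D >> 2) & 1) ^ ((D >> 3) & 1), (D & 1) ^ ((D >> 1) & 1))
    if q:                       # equations (1.8)/(1.9): add with carry, then swap
        total = E + Z + c
        E, F, c = F, total % 16, total // 16
    else:                       # q = 0: plain swap, carry unchanged
        E, F = F, E
    return E, F, c, out

SAMPLE_KEY = [1 if n % 3 == 0 else 0 for n in range(64)]  # constructed key bits
```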

The Block Cipher


The common scrambling algorithm uses an iterated block cipher that uses the 64-bit
block of data and the 64-bit common key . The 64-bit common key is first expanded using
the following function (1.11). This results in $K^E = (k^E_0, \dots, k^E_{447})$, which consists of a total of
448 bits. The function (...) that is used can be found in Table 3.2.
E
K 0,...63
k0 ,...k63
E
E
K 64i ,...,64i 63 (k64(
i 1),...,64 i 1 ) 0 0i 0i 0i 0i 0i 0i 0i 0i

(1.11)

1 i 6

       10 11 12 13 14 15
(i)    17 35 41 48 28 20 27 53 61 49 18 32 58 63

       16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31
(i)    23 19 36 38 52 26 33 12 13 56 39 25 40

       32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47
(i)    50 34 51 11 21 47 29 57 44 30 24 22 46 60 16

       48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63
(i)    59 55 42 10 43 31 62 45 14 37 15 54

Table 3.2: The bit permutation function , it maps bit i to (i) .

The round function is then applied 56 times to the internal state $S = (s_0, \dots, s_7)^T$,
which can be represented as a vector of bytes. The round function is defined in equation
(1.12).

( s0 ,..., s7 , k ) ( s1 , s2 s0 , s3 s0 , s4 s0 ,

(1.12)

s5 , s6 f (k s7 ), s7 , s0 f (k s7 ))

The function f can be found in Appendix B and the function f is defined as


f f , where is a bit permutation described in Table 3.4.

(i )

Table 3.4: The bit permutation function

Cryptanalysis
Two attacks have been proposed to retrieve the common key. The first attack is a fault
attack, which targets the block cipher by injecting random errors into the decryption process.
This could be used to determine the round keys used in the block cipher. The attacker can
then use Equation (1.11) to reconstruct the common key. It should be noted that this attack
works even though the stream cipher is completely ignored. For a more detailed explanation I
refer to "Fault attack on the DVB Common Scrambling Algorithm".
The second attack targets the stream cipher by solving a
large number of systems of equations. Ralf-Philipp Weinmann and Kai Wirt have shown
that the stream cipher is weak and can be cracked efficiently.

Summary
The common scrambling algorithm has been made public and the process is completely understood,
including the substitutions and permutations used. The common scrambling algorithm
consists of cascading the block cipher and the stream cipher to encrypt broadcast messages.
However, even though two ciphers are used, only one key is used for encryption in both
phases. This design has allowed attacks to be focused on a single cipher rather than on the complete
algorithm. Two attacks have been proposed; however, no real implementations of them have yet
been found outside universities.

Appendix A
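$$
\begin{aligned}
S_{1,0} &= abce \oplus abc \oplus abd \oplus bde \oplus ab \oplus ae \oplus be \oplus ce \oplus b \oplus d \\
S_{1,1} &= abcd \oplus abde \oplus abc \oplus abd \oplus acd \oplus ade \oplus bcd \oplus bce \\
        &\quad \oplus ab \oplus ae \oplus be \oplus bd \oplus be \oplus cd \oplus ce \oplus de \oplus a \oplus d \oplus e \oplus 1 \\
S_{2,0} &= abce \oplus abde \oplus ade \oplus bce \oplus bde \oplus ab \oplus ac \oplus ce \oplus c \oplus d \oplus e \oplus 1 \\
S_{2,1} &= abde \oplus abc \oplus abd \oplus abe \oplus acd \oplus cde \oplus cd \oplus ce \oplus b \oplus d \oplus e \oplus 1 \\
S_{3,0} &= ce \oplus de \oplus a \oplus b \oplus d \\
S_{3,1} &= abcd \oplus acde \oplus abe \oplus ac \oplus abc \oplus acd \oplus ace \oplus ade \oplus bcd \\
        &\quad \oplus bde \oplus cde \oplus ad \oplus bc \oplus bd \oplus be \oplus cd \oplus ce \oplus a \oplus b \oplus d \oplus e \oplus 1 \\
S_{4,0} &= abcd \oplus abde \oplus acde \oplus abc \oplus abe \oplus bde \oplus ab \oplus ad \oplus ae \oplus bc \\
        &\quad \oplus be \oplus de \oplus c \oplus d \oplus 1 \\
S_{4,1} &= abcd \oplus abde \oplus acde \oplus abc \oplus abe \oplus bcd \oplus cde \oplus ad \oplus ab \\
        &\quad \oplus ae \oplus de \oplus a \oplus b \oplus c \oplus e \oplus 1 \\
S_{5,0} &= abde \oplus acde \oplus acd \oplus abe \oplus abd \oplus ace \oplus bce \oplus cde \oplus ab \\
        &\quad \oplus ac \oplus ae \oplus bd \oplus be \oplus ce \oplus de \oplus c \\
S_{5,1} &= abcd \oplus abce \oplus acde \oplus abd \oplus abe \oplus acd \oplus bcd \oplus bce \oplus bde \\
        &\quad \oplus cde \oplus ac \oplus ad \oplus ae \oplus be \oplus cd \oplus ce \oplus de \oplus b \oplus d \oplus e \oplus 1 \\
S_{6,0} &= abcd \oplus abde \oplus acde \oplus acd \oplus ade \oplus bcd \oplus cde \oplus bc \oplus bd \\
        &\quad \oplus cd \oplus c \oplus e \\
S_{6,1} &= abe \oplus ade \oplus bce \oplus bde \oplus bc \oplus ce \oplus a \oplus d \\
S_{7,0} &= abde \oplus abd \oplus cde \oplus bc \oplus cd \oplus de \oplus a \oplus b \oplus c \oplus e \\
S_{7,1} &= abcd \oplus abbcde \oplus acde \oplus acd \oplus ade \oplus bde \oplus ac \oplus ae \oplus de \oplus b \\
        &\quad \oplus cd \oplus e
\end{aligned}
\tag{1.13}
$$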


Appendix B

Figure B: The function permutation, where the lower nibble is located column wise and the higher nibble located
row wise (Weinmann & Wirt, 2005).

References
Ehrsam, W. F., Meyer, C. H. W., & Smith, J. L. (1976). In International Business Machines
Corporation (Ed.), Message verification and transmission error detection by block
chaining. United States:

Haskell, B. G., Puri, A., & Netravali, A. N. (1996). Digital video: An introduction to MPEG-2
(1st ed.) Springer.

Weinmann, R., & Wirt, K. (2005). In Chadwick D., Preneel B.(Eds.), Analysis of the DVB
common scrambling algorithm Springer Boston. doi:10.1007/0-387-24486-7_15

Wirt, K. (2005). In Gervasi O., . . . Tan C.(Eds.), Fault attack on the DVB common
scrambling algorithm Springer Berlin / Heidelberg. doi:10.1007/11424826_61
