Pay-TV & Content Protection logo

STONE is the industry’s first efficient cryptographic solution that enables CAS vendors and content providers to identify and remotely disable compromised smart cards used by pirate emulators. A smart card implementation of STONE is in preparation.

Who can I contact?

Dr. Pascal Paillier

Pascal Paillier, PhD

CEO, Senior Security Expert


Dr. Cécile Delerablée

Cécile Delerablée, PhD

Senior Security Expert


Related service

Cryptographic Protocols

Security by design is not an abstract concept.

Beware of alleged "military grade secure" products. It is one thing to use AES-256 or RSA-4096, using it correctly is a different kettle of fish.
We can help you build innovative products that require any standard or advanced cryptographic tools, such as elliptic curves, identity-based encryption, anonymous signatures, e-cash, DRM, Pay-TV and many others.


Related research project


Innovative and cost-effective broadcast encryption for pay TV and Galileo geo-positionning.

Innovative techniques to securely broadcast content to large groups of users over an insecure channel with applications to pay TV, wireless networks, military radio communications and Galileo.


Secure Traceable ONe-to-many Encryption (STONE) is a new cryptography technology that solves a longstanding problem known as traitor tracing. In this scenario, a broadcaster delivers an encrypted content such as a movie to a number of subscribers in real time over a one-way channel. Each subscriber is provided beforehand a decryption utility such as a set-top box empowered by a smartcard. The card decrypts the stream of encrypted session keys (aka. ECMs) transmitted by the broadcaster and returns the session keys in clear to the set-top box for content access. In a typical Conditional Access System, a copy of the same decryption key is contained in all the cards, or cards belonging to the same group. When a card is reverse-engineered and its key material is revealed – the key is then referred to as a traitor key – pirates can clone the card at will or issue a decryption software. Even if the broadcaster later identifies which decryption key is used by the pirate software, a specific user cannot be incriminated since the traitor key is shared among several cards. STONE is a revolutionary encryption system that specifically solves this identification problem.


With the STONE encryption system, each subscriber is given an individual decryption key. Each decryption key is unique, even though functionally equivalent to all other keys. Generating a new key requires a master secret information which is kept securely by the broadcaster, so that decryption keys are similar to digital signatures; they cannot be generated without the master key, which plays the role of a signing key. This is why compromised user keys are useless to a pirate who would try to construct a new decryption key. This would imply a form of forgery, and the cryptography involved just forbids it. Pirates are left with the only option of reusing existing keys which can be identified by the broadcaster.

The tracing capability of STONE assumes that a pirate decryption software is available. Using a new identification technique, the traitor key from which the pirate software originates is efficiently recovered from the code, regardless of the level of obfuscation possibly used to protect the key. This even works on combinations of traitor keys in case the pirate software uses many of them in some complex ways in an attempt to evade identification. It’s mathematical, and there is nothing the pirate can do about it. Traitor keys and their original owners will be traced in any case, assuming the illegitimate software is functional in the first place.


Once a compromised key is identified by the broadcaster, the stream of STONE-encrypted session keys can be adapted to disable the target key on a global scale in further transmissions. The encryption procedure of STONE is specifically modified to exclude the traitor key, which cannot be used to decrypt anymore. Once identified and revoked, a traitor key becomes totally useless to pirates. STONE supports multiple key exclusions, so that newly identified traitor keys can be cumulatively disabled over time. Combining white-box traceability with revocation, the piracy business cannot be sustained anymore since pirates will have to keep breaking new cards indefinitely and at a fast pace.


STONE is the first encryption system that complies with the real-life functional requirements of current broadcasting channels. All previous methods were purely theoretical, with either critically large decryption keys or ciphertexts which made them irrelevant for current satellite or terrestrial bandwidths. As a comparison, a STONE ciphertext holds in a fraction of a single SMS, and a decryption key can be made smaller than an RSA modulus. Besides, our technology uses elliptic curves, for which APIs are already available on many devices. We have the first true solution for piracy-free conditional access systems even when cards get broken on the field. With that efficiency and the tracing capability, STONE can even be used to secure software-only content protection solutions with unprecedented security benefits.

Our R&D phase is almost over and we are now working on reference implementations of STONE on several devices to demonstrate the technology. An engineering phase is still necessary to select the best suited elliptic curves and optimize the use of scalar multiplications and bilinear maps in the encryption and decryption procedures. Our first smart card implementation will be based on a crypto-enabled core designed by Invia. We need all the flexibility we can get from a cryptographic engine, and Invia’s MEXPA accelerator is particularly efficient for finite field arithmetic. We should be ready to demonstrate STONE on this platform soon.

Related publications

  • Identity-Based Broadcast Encryption with Constant Size Ciphertexts and Private Keys.
    portrait ofCécile Delerablée.
    In ASIACRYPT 2007, pp. 200-215, 2007.
  • Dynamic Threshold Public-Key Encryption.
    portrait ofCécile Delerablée, David Pointcheval.
    In CRYPTO 2008, pp. 317-334, 2008.
  • Fully Collusion Secure Dynamic Broadcast Encryption with Constant-Size Ciphertexts or Decryption Keys.
    portrait ofCécile Delerablée, portrait ofPascal Paillier, David Pointcheval.
    In Pairing 2007, pp. 39-59, 2007.
  • White-Box Security Notions for Symmetric Encryption Schemes.
    portrait ofCécile Delerablée, Tancrède Lepoint, portrait ofPascal Paillier, portrait ofMatthieu Rivain.
    In Selected Areas in Cryptography 2013, pp. 247-264, 2013.