FR2885752A1 - Digital message e.g. paid audiovisual program, transmitting system for wireless broadcasting network, has decryption modules distributed in specific groups, and memories of each module of same group storing decryption key specific to group - Google Patents

Abstract

The system has electronic decryption modules (17) distributed in k+1 decryption module groups whose composition is secret, where k is collusion threshold. Each module has memories (21, 22) to store information. The memories of each module of a same group contain a decryption key specific to the group. The different decryption keys specific to the groups permit the decryption of a same encrypted message for the group and avoid the decryption of an encrypted message for another group. An electronic encryption module (10) encrypts a digital message for a particular decryption module group. An independent claim is also included for a method for transmitting a digital message.

Description

The invention relates to a secure transmission system and method

  a digital message, an encryption module and a key synthesis process for that system.

  There are secure transmission systems including.

  an electronic encryption module capable of encrypting a digital message by using an encryption key and a traceable Kiayas and Yung cryptographic algorithm making it possible to identify all the traitors of a collusion of k traitors, k being a Integer strictly greater than zero, at least 2 (k + 1) electronic decryption modules each capable of using the cryptographic algorithm of Kiayas and Yung and a decryption key for decrypting the messages encrypted by the encryption module, each decryption module being equipped with a means of information storage, For more information on tracing-tracing cryptographic algorithms, it is possible to consult: Tracing traitors Benny Chor, Fiat Amos, Moni Naor, Benny Pinkas, IEEE Transactions on Information Theray, Vol. 46, No. 3, 2000.

  For more information on the cryptographic algorithm of Kiayas and Yung, see the following article: Aggelos Kiayas, Moti Yung, DRM 2002, Breaking and repairing asymmetric public-key traitor tracing.

  The higher the collusion threshold k, the higher the security level of the transmission system. It is therefore desirable to choose a collusion threshold k as large as possible. k is an integer strictly greater than zero.

  However, the larger the collusion threshold k, the larger the length of the encryption and decryption keys, and the longer the encrypted messages are. Large encryption keys make the use of security processors such as smart cards difficult or impossible because the memory of these security processors is too small to contain the encryption or decryption key. Long, encrypted messages pose problems in terms of bandwidth.

  The invention aims to remedy these drawbacks by proposing a secure transmission system of a digital message in which, at equal level of security, the collusion threshold k is smaller.

  The subject of the invention is therefore a system for the secure transmission of a digital message in which: the decryption modules are divided into groups of at least k + 1 decryption modules each, the composition of each group being secret, the information storage means of each decryption module of the same group contains a decryption key specific to this group, the various decryption keys specific to this group all allowing the decryption of the same encrypted message for this group and not allowing the decryption of an encrypted message for another group, and - the encryption module is able to encrypt the digital message for a particular group of decryption modules.

  In the above system, k + l keys must be combined to make a new key that does not disclose the identity of any of the (treacherous) possessors of any of these k + l keys. In other words, the malicious individual (pirate) who wants to make a new key without revealing the identity of a traitor, must gather k + l keys of the same group. To do this, in the above system, since the decryption modules are divided into groups whose compositions are secret, the hacker must randomly extract a number of decryption keys in the decryption modules of the system which is significantly greater than k + l to have a reasonable chance that, among the set of keys extracted, k + 1 keys belong to the same group. For example, in the particular case where the number of groups is equal to 365 and the collusion threshold k is equal to 1, the hacker must randomly extract 23 decryption keys to have a chance on two of these 23 keys. there are two keys from the same group. It is thus understood that the fact of dividing the decryption modules into groups and of using decryption keys specific to each of the groups increases the difficulty for an attacker to gather the k + 1 keys necessary to fabricate a new non-traceable key, without as long as it is necessary to modify the value of collusion threshold k. Thus, for the same value of collusion threshold k, the above transmission system is safer.

  Embodiments of this transmission system may include one or more of the following features.

  - all the keys specific to a group i are different from each other and are built from the same polynomial Q, (x, y) or Q, (x) so that any encrypted message for this group is only decipherable using the specific key of any of the decryption modules of this group; the decryption module comprises a first and a second calculation unit each equipped with a connector to allow the coupling and the mechanical uncoupling of these two units, the two units being able to cooperate with one another to achieve decryption operations of the encrypted message when they are mechanically coupled to each other, and 5. a memory containing components of the decryption key.

  In the latter case, the specific decryption key is divided into several components, the memory of the first calculation unit contains only a part of the components of the specific key while the memory of the second calculation unit contains the other part of the components of the specific key to create a functional pairing between these two units.

  These embodiments of the transmission system 15 furthermore have the following advantages: the use of the same polynomial Qi (x, y) or Qi (x) specific to a group i makes it possible to create decryption keys specific to this group; the distribution of the components of the specific decryption key between a first and a second calculation unit makes it possible to match these two calculation units.

  The invention also relates to a decryption module adapted for use in the above system.

  The subject of the invention is also a process for the synthesis of specific decryption keys for the above transmission system. This synthesis process comprises: a construction step, for each decryption module j of each group i, of a decryption key of the form Kpriv-i, = <); ai, J% 2k,> a i, i 2k; Ni, J 2885752 where. E Qi (x, y) = Qi, i (x) + bi. y, where Ql, i (x) is a polynomial with coefficients in Zq, the set Zq being the set of integers between 0 and q-1, where q is a prime prime number, and where bi is a random number taken in Zq.

  ai, j and (3i, j are two values specific to the decryption module j, a systematic verification operation that the specific key constructed for a decryption module of a group differs from all the specific keys constructed for all the groups.

  The subject of the invention is also another synthesis process identical to the preceding one, except that the decryption key is of the following form: Kpriv-i, j- <Qi (a i, j); a i, j; a i, j '; ...; The invention also relates to a method of secure transmission of a digital message in which: an electronic encryption module encrypts the digital message for a group of decryption modules using an encryption key and an algorithm Kiayas and Yung's cryptographic tracing system for tracing collectors with at most k traitors, where k is an integer strictly greater than zero, - each decryption module decrypts the encrypted message for its group using Kiayas and Yung algorithm with a decryption key specific to its group, the different group-specific decryption keys all allowing the decryption of the same encrypted message for this group and not allowing the decryption of an encrypted message for another group.

  Embodiments of this transmission method may include the following feature: - the specific decryption key is divided into several components, and the first computational unit executes only computation instructions involving a part of the components of the specific key contained in its memory while the second computing unit executes the rest of the calculation instructions to decrypt the message, the number of instructions executed by the first unit being strictly less than the number of instructions executed by the second unit.

  The above embodiment further has the advantage of making it possible to accelerate the execution of the transmission method by affecting the execution of the largest number of instructions to the fastest computing unit.

  The invention will be better understood on reading the description which will follow, given solely by way of example and with reference to the drawings, in which: FIG. 1 is a schematic illustration of the architecture of a control system. secure transmission of a digital message; FIG. 2 is a flowchart of a secure transmission method implemented in the system of FIG. 1.

  In the rest of this description, all the multiplication, exponentiation or division operations are operations with modular reduction of argument q (denoted modulo q or mod q) unless otherwise indicated. The symbol (mod q) is therefore omitted to simplify the following relations when in these relations the operations are modulo q.

  FIG. 1 represents a system 2 for secure transmission of a digital message. For example, system 2 is a system for transmitting paid multimedia programs such as pay audio programs. In this context, the encrypted digital message is, for example, one or more control words used to confuse the pay multimedia programs. These encrypted control words are inserted in an ECM message (Entitlement Control Message). It is this application of the method of encryption of the control words in the ECM which serves as a support for the description which follows. In another possible application of the method, the digital message may also be a decryption key transmitted in encrypted form within an Entitlement Management Message (EMM).

  In this system 2, the digital messages are encrypted by a transmitter 4, and then distributed via an information transmission network 6 to a multitude of reception terminals.

  The number of receiving terminals is preferably greater than 730.

  To simplify FIG. 1, only four receiving terminals 7, 8, 9 and 11 are shown. These terminals are, for example, structurally identical and only the structure of the terminal 8 will be described here in detail.

  The transmitter 4 comprises an electronic encryption module 10 capable of executing an encryption process of the digital messages.

  The module 10 is connected to a prerecorded memory 12 containing public encryption keys Kpub_I, the index i being the number of a group of terminals.

  The module 10 is, for example, made using a programmable conventional electronic processor capable of executing instructions recorded on an information recording medium 14. For this purpose, the support 14 comprises instructions for the execution of the method of Figure 2, when these instructions are executed by the electronic processor.

  The module 10 can also be integrated in an integrated security circuit. In this case, typically, the memory 12 is also integrated in this integrated security circuit and corresponds to a secure memory in which the data can be recorded only before the commissioning of the module 10. The recording medium 14 can also be integrated in this integrated security circuit.

  The network 6 comprises, for example, a radio broadcast network.

  The terminal 8 is typically formed of: - a decoder 16 used to receive the audiovisual programs and decode them, - an electronic descrambling module 19 able to descramble a multimedia program scrambled by the transmitter, - a module Decryption electronics 17 for decrypting a digital message encrypted by the transmitter 4.

  The module 17 is here formed of two calculation units, that is to say more precisely a decryption complement unit 18 and a security processor 20.

  The descrambling unit 19 is able to descramble, with the control words decrypted by the module 17, the audiovisual programs scrambled with the aid of the control words.

  The unit 18 is able to cooperate with the processor 20 to decrypt the encrypted messages by the transmitter 4 by implementing the method of FIG. 2. For this purpose, the unit 18 is equipped with a memory 21 in which the following components of a private decryption key Kpriv_i, j where the index i is the terminal group number and the index j is the serial number of this terminal in the group i: 2 3 2k ( <ai, 7, a1, 7, ai, J ai, J, Ni, J where - aj and / is a pair of values each chosen from a set Zq, this pair of values being unique for each decryption module j d the same group i, and - k is the threshold of collusion and its value is an integer strictly greater than 0.

  The set Zq is the set of integers between 0 and q-1, q being a prime number.

  The processor 20 is able to cooperate with the unit 18 to decrypt the message encrypted by the transmitter 4. For this purpose, the processor 20 is equipped with a memory 22 comprising another component Qi (ao, / 3 i) of the Kpriv-i key, necessary to decrypt an encrypted message.

  The processor 20 is typically a smart card and the memory 22 a prerecorded secure memory.

  The unit 18 and the processor 20 are each equipped with a connector 23, 24 for coupling and mechanical disconnection of these two calculation units. The cooperation between the unit 18 and the processor 20 is only possible when they are mechanically coupled to each other.

  The association of the memories 21 and 22 forms a means of storage of all the components of the key Kpriv-i, i Each private key Kpriv_i, j, whatever the group i and the rank j in a group, recorded in the memories 21 and 22 of the terminals 7, 9 and 11 are unique in the system 2 and differ from the key Kpriv-i recorded in the terminal 8.

  The terminal 8 is connected to a television set 26, which is capable of displaying the scrambled multimedia programs.

  The operation of the system 2 will now be described with reference to the method of FIG.

  The method of transmitting digital messages between the module 10 and the module 17 uses the Kiayas and Yung algorithm. The algorithm of Kiayas and Yung being known, only the details of this algorithm necessary for understanding the invention are presented.

  Initially, during a phase 30, the public and private keys used in the system 2 are defined.

  This phase 30 begins with a step 31, during which all the terminals of the system 2 are distributed in at least two, and preferably at least ten distinct groups. For example, all the terminals of the system 2 are distributed in 365 groups and the collusion threshold k is chosen equal to 1. The index i therefore varies from 1 to 365. Here, by way of example, it is assumed that terminals 7 and 8 belong to the same group and terminals 10 and 9 belong to another group.

  Then, in a step 32, a different public key Kpub_1 is defined for each of the groups i. In a first operation 34: a large prime number p is chosen, then a prime number q is also chosen in the prime number decomposition of p-1, and a generator g of a subgroup of order q of group of invertible elements of Zp is chosen. Zp is the set of integers between 0 and p-1.

  During an operation 36, a polynomial Q1, 1 (x) with coefficients in the set Zq is chosen. Zq is the set of integers between 0 and q-1.

  The polynomial Q1,1 (x) has the following form: Q1, i (x) = a0 + al.x + a2. x2k + ... + a2k.x2k (1) where. a0, a1, a2, ... a2k are the coefficients of the polynomial Q1,1 (x); - x is the variable; 5 - k is the threshold of collusion and its value is an integer strictly greater than 0; the symbol + designates the addition operation defined on Zq; and - the symbol. denotes the multiplication operation defined on Zq.

  Then, during an operation 38, an integer bi is randomly selected from the set Zq.

  Finally, during an operation 40, the public key Kpub-i of the Kiayas and Yung algorithm is constructed using the following relation: Kpub i Cga0r g, g-a1r g-a2r ..., g where y, ho, h1, h2r ..., h2kr h 'denote Operations 34 to 40 are repeated as many times as there are groups. At each iteration, the polynomial Ql, i (x) and the value bi are chosen such that the polynomial Qi (x, y) = Ql, i (x) + bi.y is unique and corresponds to a single group i of the system 2.

  Then for each group, in a step 46, the key Kpriv-i, j of each decryption module 17 is defined.

  So that each module 17 has a key Kpriv-i,] which is unique among the set of private keys of the decryption modules of the same group i, is chosen during an operation 48, for each decryption module 17 of the group i, two values garl and each taken in the set Zq, such that these two values form a single pair in the group i of decryption modules.

  Then, during an operation 50, the private key Kpriv i, j of the Kiayas and Yung algorithm is constructed using the following relation: 2 3 2k Kp> (3) riv-i, j = < Qi (aj Ni, J); a, J; have ; a,>; ; garlic; where. - Qi (x, y) is the polynomial defined on the set Zq by the following relation Qi (x, y) = Ql, i (x) + bi. y, Qi, i (x) and bi being the polynomial and the value selected respectively during operations 36 and 38 to construct the key Kpub_i associated with this group; and - at and / 3 are the values chosen during the operation 48.

  Then, during an operation 52, it is systematically verified that the new key Kpriv-i, j constructed differs from all the keys Kpriv_i, j already built so far for all the decryption modules of the system 2 and this whatever group the key already built belongs to.

  In the case where the new key Kpriv-i, j is unique in the system 2, the operations 48 to 52 are repeated to build another key Kpriv_i, j + i to be used by another encryption module of the same group.

  In the opposite case, that is to say if the key Kpriv-i, j is identical to a key whatever j ', constructed for a decryption module j' belonging to another group i ', for example, then the operations 48 to 52 are reiterated to construct another key Kpriv_i, j for this decryption module: by redefining the pair of values a R 1, i at step 48, and / or by redefining the polynomial Qi of group i during operations 34 and 36, which requires to recalculate all Kpriv-i keys, j already calculated for this group.

  The operation 52 makes it possible to avoid that the components Q i (au, / 3) of two keys Kpriv-i, j and Kpriv_i ,, i, for decryption modules belonging to different groups i and i 'are identical. Indeed, the choice of two polynomials Qi (x, y) and (x, y) different to construct each of these keys Kpriv_i, i and Kpriv_i ,, i, is not enough on its own to guarantee the uniqueness of component 41 (a;, 1,) - Once the initialization phase of the keys is complete, encrypted messages are transmitted from the module 10 to the module 17, during a phase 60.

  During phase 60, when the module 10 wishes to send an encrypted message to a particular group, then, during an operation 62, the module 10 encrypts a message M using the public key Kp b_i associated with this group. The cryptogram C (M, Kpub_i) corresponding to the message M encrypted is obtained using the following relation: C (M, Kpub_i) = <M.yr (mod p); h'o (mod p); h; (mod p); h2 (mod p); .E; h2k (mod p); h'r (mod p)> = <C; Co; C1; C2; ...; C2k; C '> (4) where. - r is a random value drawn at each encryption operation; the symbol (mod p) is the modular reduction of argument 25 p; and p is a prime prime number.

  The cryptogram C (M, Kpub_1) is then transmitted, during an operation 64, to the module 17 via the network 6.

  The module 17 receives, during an operation 66, the cryptogram C (M, Kpub_1) and decrypts it, during an operation 68.

  More precisely, during the operation 68, the unit 18 transmits, during a sub-operation 70, the component Co of the cryptogram received to the processor 20. The processor 20 then calculates, during a sub-operation 72, the term R according to the component Qi (au, flu) recorded in its memory 22: R = Co (a; ,, e,;) (modp) (5) Then, during a sub-operation 74, the term R calculated by the processor 20 is sent to the unit 18.

  The unit 18, during a sub-operation 76, decrypts the cryptogram using the following relation: M = C / (RC, a '..C2kC'fl') (mod p) (6) where . - R is the term calculated by the processor during the sub-operation 72, 2 2k - a; j, a;; j, ... a; , and f3; are the components of the key Kpriv_i, j stored in memory 21, - the symbol / denotes the division operation, and - (mod p) is the modular reduction of argument p (modulo 20 p).

  If a message is encrypted with the key Kpub_i associated with the group i containing the terminals 7 and 8, only the terminals of this group, including the terminals 7 and 8, are able to decrypt this message. Indeed, only the terminals j, j ', of this group i are respectively equipped with a key Kpriv_i, j built from the same polynomial QI (x, y) as that used to build the key Kpub_i. On the other hand, terminals 9 and 11 which belong to another group i 'can not decipher this message because their respective keys Kpriv-i', 9 and Kpriv_ ii do not allow it, being different from i.

  The fact that each component of the key Kpriv-i, j is registered, either in the memory 21 or in the memory 22, makes it possible to create a pairing between the unit 18 and the processor 20. Thus, for example, the processor 20 can not be used in another terminal of system 2 to decrypt a cryptogram.

  The processor 20 is slower to execute calculation instructions than the descrambling unit. This difference in the computing power is here exploited by assigning to the processor 20 the operations requiring the least instructions, that is to say here the calculation of the term R, while the other operations are assigned to unit 18. This distribution of operations makes it possible to speed up the decryption of the cryptogram.

  Testing the uniqueness, during the operation 52 of the component Qi (a], Pu) contained in the processor 20 ensures that this processor 20 can be paired only to a single decryption complement unit in the system 2.

  Many other embodiments of this method are possible.

  For example, the two values a and f3i, j chosen during the operation 48 are dedicated to a decryption module. In one embodiment these two values may be chosen by the authority responsible for the overall security of the system which also defines the other parameters, generators and polynomials p, q, g, Q1,1 (x), b1. In another embodiment, the value is chosen by this authority and the value (3i, j is chosen by the user of the decryption module .The choice of this value by the user makes that the private key Kpriv- which in result thus has the characteristic of non-repudiation.

  The components h 'and f3 respectively of the keys Kpub-i and Kpriv-i, and the component C' of the cryptogram C (M, Kpub_i) provide the non-repudiation property of the Kiayas and Yung algorithm. In a system such as a pay multimedia broadcast system, where only unidirectional communication from the module 10 to the module 17 is used, these components can be removed. This accelerates the execution of the process of FIG. 2. The key Kpriv i, j is then written.

  K <(a) ai, j r c) (1,] 2, ÉÉr IXi, j2k> and step 38 of choice of the parameter bi during constitution of the public key Kpub-i can be deleted.

  Alternatively, the decryption process performed by the security processor 20 may also be performed by a programmable conventional electronic processor capable of executing instructions recorded on an information recording medium. For this purpose, this information recording medium comprises instructions for executing the method of FIG. 2.

  The role of the processor 20 and the unit 18 described here can be reversed. For example, the components are stored in the memory 22, while only the component Qi (a; i, / 3j) is stored in the memory 21.

  To match the unit 18 and the processor 20, other distributions of the components of the key Kpriv-i between these two calculation units are possible. For example, as a variant, the component / 3; j of the key Kpriv i, j is only stored in the memory 22 and the processor 20 is adapted to be the only one capable of calculating the term C 'fl "to be returned to the memory. unit 18 so that it can completely decipher the received cryptogram.

  In an alternative embodiment, the units 18 and 19 are merged. Thus, it is no longer necessary to provide means for mechanical coupling / uncoupling of these two units.

  In one variant, the prime numbers p and q and the generator g chosen during the operation 34 may be common to all the groups i. Thus operation 34 is executed once and only operations 36 to 40 are repeated as many times as there are groups.

Claims (1)

18 Claims   A system for securely transmitting a digital message, the system comprising: an electronic encryption module (10) capable of encrypting the digital message by using an encryption key and a traceable Kiayas and Yung cryptographic algorithm, to identify the set of traitors of a collusion of k traitors, k being an integer strictly greater than zero, - at least 2 (k + 1) electronic decryption modules (17) each able to use the cryptographic algorithm of Kiayas and Yung and a decryption key for decrypting the encrypted messages by the encryption module, each decryption module being equipped with information storage means (21, 22), characterized in that.   the decryption modules are divided into groups of at least k + 1 decryption modules each, the composition of each group being secret, - the information storage means of each decryption module of the same group contains a key of decryption specific to this group, the different decryption keys specific to this group all allowing the decryption of the same encrypted message for this group and not allowing the decryption of an encrypted message for another group, and - the module of Encryption is capable of encrypting the digital message for a particular group of decryption modules.   2. System according to claim 1, wherein the decryption keys comprise components defined by the following relation: 3, 2 2 p 41 41 41 41 41 41 41 41 41 41 41 2 2 2 2 2 2; al, a i, J, ...; where. Q1 (x) is a polynomial with coefficients in Zq, the set Zq being the set of integers between 0 and q-1, q being a large prime number, - a; j is a value specific to a decryption module characterized in that all group-specific keys are different from each other and are constructed from the same Q1 (x) polynomial of that group so that any encrypted message for that group is uniquely decipherable to the group. using the specific key of any of the decryption modules of this group.   3. The system of claim 1, wherein the decryption keys comprise components defined by the following relation: Kpriv = <Q (ai, J, R 1,); a i, J i, J 2 'to 1, J 3; . . . ; a i, J 2 k 'p i, J where. - Q (x, y) = Q1 (x) + by, where Q1 (x) is a coefficient polynomial in Zq ,, the set Zq being the set of integers between 0 and q-1, q being a big prime number, and where b is a random number taken from Zq; a.and R are two values specific to a decryption module, characterized in that all the keys specific to a group are different from each other and are constructed from the same polynomial Q (x, y) specific to this group of so that any encrypted message for this group is only decrypted using the specific key of any of the decryption modules of this group.   4. System according to any one of the preceding claims, characterized in that the decryption module comprises a first and a second calculation unit (18, 20) each equipped with: connector (23, 24) to enable coupling and the mechanical uncoupling of these two units, the two units being able to cooperate with each other to perform decryption operations of the encrypted message when they are mechanically coupled to each other, and - a memory (21, 22), characterized in that the specific decryption key being divided into several components, the memory of the first calculation unit contains only a part of the components the second functional components of the unit of the specific key while the Calculation memory contains the other part of the specific key to create a matching between these two units.   5. decryption module (17) adapted to be implemented in a system according to any one of the preceding claims, said decryption module being able to use the cryptographic algorithm of Kiayas and Yung and a decryption key to decrypt the message encrypted by the encryption module, the decryption module being equipped with the information storage means, characterized in that the information storage means contains the group-specific decryption key for decrypting any encrypted message for this group and not allowing to decrypt an encrypted message for another group.   6. Process for synthesizing specific decryption keys for a system according to any one of claims 1, 2 and 4, this process comprising: a construction step (46) for each decryption module of each group of a decryption key of the form 2, Kpriv = <Q (ai, ai, ai,> 2k> where: - Q (x) is a polynomial defined on Zq, the set Zq being the set of integers between 0 and q-1, q being a large prime number, ai, j is a value specific to the decryption module, characterized in that the method comprises a systematic verification operation (52) that the specific key constructed for a module of decryption of a group differs from all the specific keys built for all groups.   7. Process for synthesizing specific decryption keys for a system according to any one of claims 1, 3 and 4, this process comprising: - a step (46) of construction for each decryption module of each group of a key of decryption of the form K riv = <Q (a) 2 É 2k É f where: - Q (x, y) = Q1 (x) + b. y, where Q1 (x) is a polynomial with coefficients in Zq, the set Zq being the set of integers between 0 and q-1, where q is a large prime number, ai, 3 and /.i; two values specific to the decryption module, characterized in that the method comprises a systematic verification operation (52) that the specific key constructed for a decryption module of a group differs from all the specific keys constructed for all the groups.   8. A method of secure transmission of a digital message, wherein decryption modules are divided into groups of at least k + 1 decryption modules each, the composition of each group being secret; characterized in that.   an encryption electronic module encrypts (in 62) the digital message for a group of decryption modules using an encryption key and a cryptographic algorithm of Kiayas and Yung with tracing of traitors making it possible to identify the traitors of a collusion of at most k tracers, k being an integer strictly greater than zero, each decryption module decrypts (in 68) the encrypted message for its group by using the Kiayas and Yung algorithm with a decryption key specific to its group, different decryption keys specific to a group all allowing the decryption of the same encrypted message for this group and not allowing the decryption of an encrypted message for another group.   9. A method according to claim 8, for a decryption module comprising a first and a second computing unit each equipped with: a connector to enable the coupling and the mechanical uncoupling of these two units, the units being able to cooperating with one another to perform decryption operations when they are mechanically coupled to each other, and - a memory, characterized in that the specific decryption key is divided into several components, and in that the first calculation unit executes (in 72) only computation instructions involving a part of the components of the specific key contained in its memory while the second calculation unit executes (in 74) the remainder of the calculation instructions to decipher the message, the number of instructions executed by the first unit being strictly less than the number of instructions executed by the second unit you.