System for efficient generation and distribution of challenge-response pairs

What is claimed is: 1. A method for generating and storing challenge-response pairs for the authentication of a consumer electronics (CE) device, the method comprising: sharing at least one challenge K CHALLENGE-i and a series of integers i with a service provider, wherein said CE device is configured to receive a service from said service provider; sharing at least one proxy response K IRD-i with said service provider, wherein each of said K IRD-i is associated with one of said at least one K CHALLENGE-i according to said series of integers i; for each said K CHALLENGE-i , generating an associated K RESPONSE-i by inputting said K CHALLENGE-i to a response generator associated with said CE device; producing one of said challenge-response pairs from each said K CHALLENGE-i and its said associated K RESPONSE-i , wherein at least one of a response function of said response generator and a parameter required for said response function is withheld from said service provider; for each of said K RESPONSE-i , deriving EK IRD-i , from both said K RESPONSE-i and said associated K IRD-i ; and storing each of said EK IRD-i on said CE device according to said series of integers i, wherein a given said K IRD-i is derivable from said K RESPONSE-i received from said response generator in response to said K CHALLENGE-i paired with said K IRD-i and said EK IRD-i associated with said paired K CHALLENGE-i . 2. The method according to claim 1 and also comprising: deriving said at least one said challenge K CHALLENGE-i from meta-key MK CHALLENGE and said series of integers i, wherein said MK CHALLENGE is shared with said service provider; and deriving said at least one said proxy response K IRD-i from meta-key MK IRD and said series of integers i, wherein said MK IRD is shared with said service provider. 3. The method according to claim 2 wherein at least one of said meta-key MK CHALLENGE or said meta-key MK IRD is common to more than one said CE device. 4. The method according to claim 2 wherein said meta-key MK CHALLENGE is equal to said MK IRD on said CE device, wherein said deriving said at least one challenge K CHALLENGE-i uses a different algorithm than said deriving said at least one said proxy response K IRD-i . 5. The method according to claim 1 wherein said at least one K CHALLENGE-i comprises at least two K CHALLENGE-i and said at least one K IRD-i comprises at least two K IRD-i . 6. The method according to claim 1 wherein said storing each of said at least one EK IRD-i comprises storing each of said at least one EK IRD-i in non-volatile memory. 7. The method according to claim 1 wherein said parameter required for said response function is withheld from the manufacturer of said CE device. 8. The method according to claim 1 wherein said response generator either: uses a key-based computation, wherein the key used in said key-based computation is withheld from said service provider; or the response generator uses a physically unclonable function (PUF) device. 9. The method according to claim 1 and also comprising: receiving RK CHALLENGE-i and Ri from said service provider, wherein said RK CHALLENGE-i is equal to one of said at least one K CHALLENGE-i and Ri is equal to one of said series of integers i associated with said one of at least one K CHALLENGE-i ; inputting RK CHALLENGE-i to an operation phase response generator; in response to said inputting, receiving RK RESPONSE-i from said operation phase response generator; deriving unencrypted UK IRD-i from said RK RESPONSE-i and said EK IRD-i , wherein said EK IRD-i is associated with said Ri; and returning said UK IRD-i to said service provider in response to said RK CHALLENGE-i , thereby authenticating said CE device. 10. A method for decrypting media on a consumer electronics (CE) device, the method comprising: sharing at least one challenge K CHALLENGE-i and a series of integers i with a media provider; sharing at least one proxy response K IRD-i with said media provider, and wherein each of said at least one K IRD-i is associated with one of said at least one K CHALLENGE-i ; according to said series of integers i; for each K CHALLENGE-i , generating an associated K RESPONSE-i by inputting said K CHALLENGE-i to an initialization phase response generator associated with said CE device, wherein at least one of a response function for said initialization phase response generator and a parameter required for said response function of said initialization phase response generator is withheld from said media provider; for each of said associated K RESPONSE-i , deriving EK IRD-i from both said associated K RESPONSE-i and said associated K IRD-i ; storing each of said EK IRD-i on said CE device according to said series of integers i; receiving encrypted media, received challenge RK CHALLENGE-i and Ri from said media provider, wherein said RK CHALLENGE-i is equal to one of said at least one K CHALLENGE-i derived from said meta-key MK CHALLENGE and Ri is equal to one of said series of integers i associated with said one of at least one K CHALLENGE-i ; generating RK RESPONSE-i by inputting said RK CHALLENGE-i to an operation phase response generator on said CE device, wherein said operation phase generator is configured with the same response function as said initialization phase response generator; deriving unencrypted UK IRD-i from said RK RESPONSE-i and said EK IRD-i , wherein said i associated with EK IRD-i equals Ri; and using UK IRD-i to decrypt said encrypted media. 11. The method according to claim 10 and also comprising: deriving said at least one challenge K CHALLENGE-i from meta-key MK CHALLENGE and said series of integers i, wherein said MK CHALLENGE is shared with said service provider; and deriving said at least one said proxy response K IRD-i from meta-key MK IRD and said series of integers i, wherein said MK IRD is shared with said service provider. 12. The method according to claim 11 wherein at least one of said meta-key MK CHALLENGE or meta-key MK IRD is common to more than one said CE device. 13. The method according to claim 11 wherein said meta-key MK CHALLENGE is equal to said MK IRD on said CE device, wherein said deriving said at least one challenge K CHALLENGE-i uses a different algorithm than said deriving said at least one said proxy response K IRD-i . 14. The method according to claim 11 wherein said at least one K CHALLENGE-i comprises at least two K CHALLENGE-i and said at least one K IRD-i comprises at least two K IRD-i . 15. The method according to 10 wherein said using comprises: either decrypting said encrypted media with UK IRD-i , wherein said encrypted media is encrypted with said K IRD-i associated with said K CHALLENGE-i ; or deriving a decryption key from UK IRD-i , wherein said K IRD-i associated with said K CHALLENGE-i was used to secure said encryption key, and decrypting said encrypted media with said encryption key, wherein said encrypted media is encrypted with said encryption key. 16. The method according to 10 wherein said storing each of said at least one EK IRD-i comprises storing each of said at least one EK IRD-i in non-volatile memory. 17. The method according to 10 wherein said parameter required for said response function is withheld from the manufacturer of said CE device. 18. The method according to 10 wherein said response function either: uses a key-based computation, wherein the key used in said key-based computation is withheld from said ser