Cryptography Reference
In-Depth Information
proach is also possible, where some degree of statefulness is required and the
system introduces phases or periods over which the receiver has to maintain a
state, cf. [
7
,
37
,
45
,
74
,
82
,
90
]. The notion of long-lived broadcast encryption
introduced by Garay et al. [
47
] where the revoked or compromised keys of the
receivers are discarded. A long-lived scheme will minimize the cost of rekeying
as well as maintaining the security for enabled users even as the compromised
keys are discarded.
A natural extension to the broadcast encryption setting is to allow mul-
tiple content providers to broadcast to the same receiver population. An in-
centive for such an extension is that it accommodates dynamically changing
content providers. As a result of using the same broadcast channel for all
different providers, the underlying broadcasting infrastructure will be unified
and simplified, with decreased storage and equipment costs for the receiver
side. However, a shared broadcast channel raises the problem of handling the
private information shared between the content providers and the broadcast
center as it might be the case that the broadcast channel is entirely separated
from the subscription service where the receivers acquire their secret keys.
A trivial solution to that problem is to distribute the same broadcasting
key to all content providers. This risks a violation of the content protection
if any of the providers is corrupted. On the other hand, distributing different
broadcasting keys and their corresponding user keys will isolate providers but
not scale properly as the number of content providers grows. This discussion
recalls the similar deficiencies of encryption in the symmetric key setting, and
leads to investigating broadcast encryption in the public key setting where the
content providers all share a publicly known encryption key while the receivers
are given the secret decryption keys uniquely assigned to them subject to their
subscription levels. A number of early works in designing broadcast encryption
schemes in the public key setting include [
35
,
36
,
37
,
90
].
While these works have transmission overhead dependent on the size of
the revocation list, this barrier was overcome by Boneh and et al. in [
18
]. They
presented a construction that achieves constant size transmission overhead.
As the public key size is linear in number of receivers, this scheme is not
particularly practical. A number of constructions (cf. [
19
,
33
,
34
,
103
]) gave
trade-offs between the e
ciency parameters indicated above. We would like
to note that all these constructions are based on pairings over elliptic curves,
a technique which has received a lot interest in the design of cryptographic
schemes. See [
46
] for an overview of pairing-based cryptography. The latter
constructions also support identity-based encryption (see [
106
,
17
]) which sug-
gests the fact that the public key associated to the scrambling of a transmission
can be any string.
