Cryptography Reference
2 Broadcast Encryption
A broadcast channel enables a sender to reach many receivers in a very
effective way. Broadcasting, due to its very nature, leaves little room for
controlling the list of recipients N — once a message is put on the channel,
any listening party can obtain it. This may very well be against the objectives
of the sender. In such a case, encryption comes to mind as a potential way to
solve the problem: it can be employed to deny eavesdroppers free access to the
content that is broadcast. Nevertheless, the use of encryption raises the issue
of how to do key management. Enabled receivers should be capable of
descrambling the message while eavesdroppers should just perceive it as noise.
It follows that receivers that are enabled for reception should have access to
the decryption key, while any other party should not. The major problem that
springs up in this scenario is that receivers might get corrupted and thus
become cooperative with the adversary. As a result, one cannot hope that a
party that owns a key will not use it to the fullest extent possible, i.e., for
as long as such a key allows descrambling, which can be up to the moment that a
global rekey operation takes place. Moreover, such a key can even be shared
with more than a single listening party and thus enable the reception of the
transmission for a multitude of rogue receivers. If a traditional encryption
scheme is used, then a single corrupted receiver is enough to bring forth such
undesired effects. The subject of this chapter, broadcast encryption, deals
with solving the above problem in an effective way.
Based on the above, a path to effective broadcast encryption that avoids
rekeying is to give all recipients different but related keys. Taking
advantage of the structure of the key space, the sender should be capable
of choosing on the fly any set R of revoked receivers to be excluded from
a transmission and, given such an R, preparing an encryption that can only be
decrypted by the set of receivers N\R.
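
The following added example (not from the book) illustrates the idea of different but related keys and on-the-fly revocation with the complete subtree method, a well-known combinatorial scheme that this page does not name. The function names, the tree height, the derivation of node keys from a master secret, and the HMAC-based pad that stands in for a real authenticated cipher are all assumptions made for the illustration.

```python
import hashlib
import hmac
import os

H = 3                # tree height (assumed for the example)
N = 2 ** H           # number of receivers, one per leaf

def node_key(master, node):
    """Key of a tree node (heap numbering, root = 1), known to the sender."""
    return hmac.new(master, b"node:%d" % node, hashlib.sha256).digest()

def path(user):
    """Nodes from the leaf of `user` up to the root."""
    node, out = N + user, []
    while node >= 1:
        out.append(node)
        node //= 2
    return out

def user_keys(master, user):
    """Key subset handed to one receiver: one key per node on its path."""
    return {v: node_key(master, v) for v in path(user)}

def cover(revoked):
    """Subtree roots whose leaves are exactly the non-revoked receivers."""
    if not revoked:
        return [1]
    steiner = {v for u in revoked for v in path(u)}
    return sorted(c for v in steiner if v < N
                  for c in (2 * v, 2 * v + 1) if c not in steiner)

def wrap(key, nonce, session_key):
    """XOR with an HMAC-derived pad; stand-in for a real AEAD key wrap."""
    pad = hmac.new(key, nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(session_key, pad))

def broadcast_header(master, revoked, session_key):
    """Wrap the 32-byte session key once per cover node."""
    nonce = os.urandom(16)
    return nonce, {v: wrap(node_key(master, v), nonce, session_key)
                   for v in cover(revoked)}

def receive(keys, header):
    """Recover the session key, or None if every held key is excluded."""
    nonce, wrapped = header
    for v, k in keys.items():
        if v in wrapped:
            return wrap(k, nonce, wrapped[v])   # XOR is its own inverse
    return None
```

Each receiver holds H + 1 keys, and because the cover avoids every node on a revoked receiver's path, revoked receivers gain nothing by pooling their keys.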
We can classify broadcast encryption schemes into two major categories.
The first, which can be called combinatorial, is characterized as follows:
the key-space contains cryptographic keys suitable for a standard encryption
scheme. Each user receives a subset of those keys according to some assign-