Cryptography Reference
Definition 2.2. We say an s-ary broadcast encryption BE is ε-insecure if for
any probabilistic polynomial-time adversary A, it holds that
$$\mathrm{Adv}^{\mathrm{re}}_{A}(1^n) = \left|\,\mathrm{Prob}[\mathrm{Exp}^{\mathrm{re}}_{A}(1^n) = 1] - \frac{1}{2}\,\right| \le \varepsilon$$
where the experiment is defined as in figure 2.1. It is also possible to extend
the definition to accept a vector of messages $M = \langle m_1, \ldots, m_s \rangle \in \mathbf{M}^s$ as an
input; it will be considered to be correct if Decrypt returns $m_i$ for some
$i \in [s]$.
We note that ε in general is not supposed to be a function of n, i.e., the
security property should hold for any A, i.e., independently of the number of
users n.
2.2 Broadcast Encryption Based on Exclusive-Set Systems
In this section we will focus on concrete combinatorial broadcast encryption
schemes. These are also the only such schemes that are currently widely
deployed in commercial products (a notable example of such deployment is the
AACS²). Recall that in combinatorial schemes there is a pool of cryptographic
keys for an underlying encryption scheme such as a block cipher. The message
m to be broadcast is encrypted with some of these keys. In order to receive
it, the user will need to either possess or be able to derive at least one of these
keys.
Given that the keys in the pool are shared by many users, we can obtain a
correspondence between such keys and subsets so that a key would correspond
to the set of users who possess that key. Hence, the set of keys corresponds
to a collection of subsets of users, which without loss of generality are subsets
of [n]. This collection defines a set system over the user population. The set
of keys that are used in a certain transmission of a plaintext is mapped to
a set of subsets from the collection that we call the “broadcast pattern” or
simply pattern of the transmission. Hence, encryption in this case involves the
problem of finding a set of subsets, i.e. a broadcast pattern, that covers the
enabled set of receivers.
The reader should observe that the choice of the set system that underlies
the assignment of cryptographic keys will play a crucial role in the effectiveness
of revocation. Clearly, not every set system would provide a feasible
way to revoke any subset of receivers. We will start the investigation of this
topic by formally defining exclusive set systems, which are instances of set
systems useful for broadcast encryption.
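
The correspondence between keys and subsets, and the search for a broadcast pattern covering the enabled set, sketched as an added Python example that is not part of the original text. The binary-tree set system, the greedy cover, the disjoint-pairs contrast and all function names are illustrative assumptions, not constructions given on this page.

```python
from typing import FrozenSet, Iterable, List, Optional

Subset = FrozenSet[int]  # one key of the pool <-> the set of users holding it

def complete_subtree(n: int) -> List[Subset]:
    """One subset per node of a binary tree over users 1..n (n a power of two).
    Illustrative set system chosen for this example."""
    if n < 1 or n & (n - 1):
        raise ValueError("n must be a power of two")
    system, width = [], n
    while width >= 1:
        system += [frozenset(range(a, a + width)) for a in range(1, n + 1, width)]
        width //= 2
    return system

def keys_of(system: List[Subset], user: int) -> List[Subset]:
    """Keys a user possesses: every subset of the system that contains the user."""
    return [s for s in system if user in s]

def broadcast_pattern(system: List[Subset], n: int,
                      revoked: Iterable[int]) -> Optional[List[Subset]]:
    """Greedy cover of the enabled set ([n] minus revoked) by subsets that contain
    no revoked user. Returns None when the set system cannot express this revocation."""
    revoked = set(revoked)
    enabled = set(range(1, n + 1)) - revoked
    usable = [s for s in system if s.isdisjoint(revoked)]
    if set().union(*usable) != enabled:
        return None  # some enabled user shares every key with a revoked user
    pattern, uncovered = [], set(enabled)
    while uncovered:
        best = max(usable, key=lambda s: len(s & uncovered))
        pattern.append(best)
        uncovered -= best
    return pattern

# Constructed contrast: keys shared only by fixed pairs of users.
PAIRS = [frozenset({1, 2}), frozenset({3, 4})]

if __name__ == "__main__":
    tree = complete_subtree(8)
    print("pattern revoking user 3:", [sorted(s) for s in broadcast_pattern(tree, 8, {3})])
    print("pairs system revoking user 1:", broadcast_pattern(PAIRS, 4, {1}))
```

In the pairs system user 2 holds only the key shared with user 1, so no pattern can revoke user 1 alone; the tree system always has a usable subset for every enabled user.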
² The Advanced Access Content System (AACS, see [1]) is a standard for content
distribution and digital rights management, intended to restrict access to and
copying of optical discs such as Blu-ray discs.
 
 