Broadcast encryption


Broadcast encryption is the cryptographic problem of delivering encrypted content (e.g. TV programs or data on DVDs) over a broadcast channel in such a way that only qualified users (e.g. subscribers who have paid their fees or DVD players conforming to a specification) can decrypt the content. [1] [2] [3] The challenge arises from the requirement that the set of qualified users can change with each broadcast emission; revocation of individual users or user groups must therefore be possible using broadcast transmissions only, without affecting the remaining users. As efficient revocation is the primary objective of broadcast encryption, solutions are also referred to as revocation schemes. [4] [5] [6]

Rather than directly encrypting the content for qualified users, broadcast encryption schemes distribute keying information that allows qualified users to reconstruct the content encryption key, whereas revoked users are left with insufficient information to recover the key. [1] The typical setting considered is that of a unidirectional broadcaster and stateless users (i.e., users do not keep any record of previous messages from the broadcaster), which is especially challenging. [4] In contrast, the scenario where users have a bidirectional communication link with the broadcaster and thus can more easily maintain their state, and where users are not only dynamically revoked but also added (joined), is often referred to as multicast encryption. [7]

The problem of practical broadcast encryption was first formally studied by Amos Fiat and Moni Naor in 1994. [1] Since then, several solutions have been described in the literature, including combinatorial constructions, one-time revocation schemes based on secret sharing techniques, and tree-based constructions. [2] In general, they offer various trade-offs between the increase in the size of the broadcast, the number of keys that each user needs to store, and the feasibility of an unqualified user or a collusion of unqualified users being able to decrypt the content. Luby and Staddon have used a combinatorial approach to study the trade-offs for some general classes of broadcast encryption algorithms. [3] A particularly efficient tree-based construction is the "subset difference" scheme, which is derived from a class of so-called subset cover schemes. [4] The subset difference scheme is notably implemented in the AACS for HD DVD and Blu-ray Disc encryption. A rather simple broadcast encryption scheme is used for the CSS for DVD encryption.
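To make the subset cover idea concrete, the following is an added example (not code from the article or from any cited paper) of the simplest subset cover scheme, the complete-subtree method of Naor, Naor and Lotspiech [4]: users are leaves of a full binary tree, each user stores the keys on its leaf-to-root path, and a broadcast wraps the content key under the keys of the subtrees that cover exactly the non-revoked leaves. The heap-style node numbering and the HMAC-based toy key wrap are assumptions made for the example; a real deployment such as AACS uses AES-based wrapping and the more compact subset difference cover.

```python
import os, hmac, hashlib

def make_tree_keys(depth):
    """Assign a random 128-bit key to every node of a full binary tree.
    Heap indexing (assumption): root = 1, children of i are 2i and 2i+1,
    the n = 2**depth leaves are nodes n .. 2n-1 and leaf n+u belongs to user u."""
    n = 1 << depth
    return {i: os.urandom(16) for i in range(1, 2 * n)}

def user_keys(keys, depth, user):
    """Keys a single stateless receiver stores: its leaf-to-root path (depth+1 keys)."""
    node, path = (1 << depth) + user, {}
    while node >= 1:
        path[node] = keys[node]
        node //= 2
    return path

def cover(depth, revoked):
    """Complete-subtree cover of every non-revoked leaf: the children that hang
    off the Steiner tree spanned by the revoked leaves but are not on it."""
    n = 1 << depth
    steiner = set()
    for u in revoked:
        node = n + u
        while node >= 1:
            steiner.add(node)
            node //= 2
    if not steiner:
        return [1]                     # nobody revoked: the root key covers all
    return [c for i in sorted(steiner) for c in (2 * i, 2 * i + 1)
            if c < 2 * n and c not in steiner]   # empty if everyone is revoked

def wrap(key, content_key):
    """Toy symmetric key wrap (assumption): XOR with an HMAC-derived pad."""
    pad = hmac.new(key, b"wrap", hashlib.sha256).digest()[:16]
    return bytes(a ^ b for a, b in zip(pad, content_key))

def broadcast(keys, depth, revoked, content_key):
    """Header: one (node id, wrapped content key) pair per cover subtree."""
    return [(i, wrap(keys[i], content_key)) for i in cover(depth, revoked)]

def decrypt(my_keys, header):
    """A receiver unwraps with the first cover subtree that contains its leaf."""
    for node, blob in header:
        if node in my_keys:
            return wrap(my_keys[node], blob)
    return None   # revoked: no cover subtree contains this leaf

def simulate(depth, revoked):
    """Map each user to whether it recovers the content key after revocation."""
    keys, content_key = make_tree_keys(depth), os.urandom(16)
    header = broadcast(keys, depth, revoked, content_key)
    return {u: decrypt(user_keys(keys, depth, u), header) == content_key
            for u in range(1 << depth)}
```

With 8 users and users 2 and 5 revoked, the cover is four subtrees (nodes 4, 7, 11 and 12), so the header carries four wrapped keys while each user still stores only four keys.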

The problem of rogue users sharing their decryption keys or the decrypted content with unqualified users is mathematically insoluble. Traitor tracing algorithms aim to minimize the damage by retroactively identifying the user or users who leaked their keys, so that punitive measures, legal or otherwise, may be undertaken. [8] [4] In practice, pay TV systems often employ set-top boxes with tamper-resistant smart cards that physically hinder a user from learning their own decryption keys. Some broadcast encryption schemes, such as AACS, also provide tracing capabilities. [9]


References

  1. Amos Fiat; Moni Naor (1994). "Broadcast Encryption". Advances in Cryptology — CRYPTO '93. pp. 480–491. doi:10.1007/3-540-48329-2_40. ISBN 978-3-540-57766-9.
  2. Noam Kogan; Yuval Shavitt; Avishai Wool (May 2003). "A Practical Revocation Scheme for Broadcast Encryption Using Smart Cards". 24th IEEE Symposium on Security & Privacy (extended abstract).
  3. Michael Luby; Jessica Staddon (1998). "Combinatorial bounds for broadcast encryption". Advances in Cryptology — EUROCRYPT '98. pp. 512–526. doi:10.1007/BFb0054150. ISBN 978-3-540-64518-4.
  4. Dalit Naor; Moni Naor; Jeff Lotspiech (2001). "Revocation and Tracing Schemes for Stateless Receivers". Advances in Cryptology — CRYPTO '01. Lecture Notes in Computer Science. Vol. 2139. pp. 41–62. doi:10.1007/3-540-44647-8_3. ISBN 3-540-42456-3.
  5. Scott C.-H. Huang; Ding-Zhu Du (March 2005). "New constructions on broadcast encryption and key pre-distribution schemes". Proceedings IEEE 24th Annual Joint Conference of the IEEE Computer and Communications Societies (INFOCOM 2005). pp. 515–523. CiteSeerX 10.1.1.401.9780. doi:10.1109/INFCOM.2005.1497919. ISBN 978-0-7803-8968-7. S2CID 17709190.
  6. Noam Kogan; Tamir Tassa (2006). "Improved Efficiency for Revocation Schemes via Newton Interpolation" (PDF). ACM Transactions on Information and System Security. Vol. 9. pp. 461–486.
  7. Ran Canetti; Tal Malkin; Kobbi Nissim (1999). "Efficient communication-storage tradeoffs for multicast encryption". Advances in Cryptology — EUROCRYPT '99. Lecture Notes in Computer Science. Vol. 1592. pp. 459–474. ISBN 3-540-65889-0.
  8. Benny Chor; Amos Fiat; Moni Naor (1994). "Tracing traitors". pp. 257–270. ISBN 978-3-540-58333-2.
  9. "AACS Specifications: Introduction and Common Cryptographic Elements Book" (PDF). Archived from the original (PDF) on 2010-08-27. Retrieved 2010-10-14.