PStoPDF trial version. http://www.adultpdf.

Broadcast Encryption £
Amos FiatÝ Moni NaorÞ

Abstract We introduce new theoretical measures for the qualitative and quantitative assessment of encryption schemes designed for broadcast transmissions. The goal is to allow a central broadcast site to broadcast secure transmissions to an arbitrary set of recipients while minimizing key management related transmissions. We present several schemes that allow a center to broadcast a secret to any subset of privileged users out of a universe of size Ò so that coalitions of users not in the privileged set cannot learn the secret. The most interesting scheme requires every user to store ¾ Ç ´ ÐÓ ÐÓ Òµ keys and the center to broadcast Ç ´ ¾ ÐÓ ÐÓ Òµ messages regardless of the size of the privileged set. This scheme is resilient to any coalition of users. We also present a scheme that is resilient with probability Ô against a random subset of users. This scheme requires every user to store Ç ´ÐÓ ÐÓ ´½ Ôµµ keys and the center to broadcast Ç ´ ÐÓ ¾ ÐÓ ´½ Ôµµ messages.

£ Preliminary version appeared in Advances in Cryptology - CRYPTO ’93 Proceedings, Lecture Notes in Computer
Science, Vol. 773, 1994, pp. 480–491. ÝDept. of Computer Science, School of Mathematics, Tel Aviv University, Tel Aviv, Israel, and Algorithmic Research Ltd. E-mail ÞIncumbent of the Morris and Rose Goldman Career Development Chair, Dept. of Applied Mathematics and Computer Science, Weizmann Institute of Science, Rehovot 76100, Israel. Research supported by an Alon Fellowship and a grant from the Israel Science Foundation administered by the Israeli Academy of Sciences. E-mail:

if decryption devices are captured from random users. In many applications. We also consider another scheme parameter. Naturally.e. We discuss a number of different scenarios with differing assumptions on the adversary strength. a key to decipher a video clip) to a dynamically changing privileged subset of the users in such a way that non-members of the privileged class cannot learn the message. This parameter represents the number of users that have to collude so as to break the scheme. the random-resiliency of a scheme which refers to the expected number of 1 Introduction We deal with broadcast encryption. We consider a scenario where there is a center and a set of users. A broadcast scheme is called resilient to a set Ë if for every subset Ì that does not intersect with Ë . (or were assigned at random to users). 1. This is the “information-theoretic” definition of security. To achieve our goal we add a new parameter to the problem. Knowledge here can have two different interpretations: ¯ The secret common to Ì has some a-priori distribution (usually the uniform distribution) and given the keys of Ë and the message transmitted by the center the conditional distribution of the secret is not changed. that have to collide so as to break the scheme. The obvious solution is: give every user its own key and transmit an individually encrypted message to every member of the privileged class. This requires a very long transmission (the number of members in the class times the length of the message). it suffices to consider only the (weaker) random-resiliency measure.e. Another simple solution is to provide every possible subset of users with a key. If cryptographic tools such as one-way functions exist then this problem can be translated into the problem of obtaining a common key. and may try to learn it. it is the random resiliency that determines how many devices need be captured so as to break the scheme. that has all secrets associated with members of Ë .adultpdf. The center provides the users with prearranged keys when they join the system. the center can broadcast messages to all users following which all members of Ì have a common key. For a given parameter . We also aim that the schemes should be computationally efficient. the non-members are curious about the contents of the message that is being broadcast. This requires every user to store a huge number of keys.g. For example. our schemes should be resilient to any subset of users that collude and any (disjoint) subset (of any size) of privileged users. At some point the center wishes to broadcast a message (e. no eavesdropper. The final goal of the broadcast encryption scheme is to securely transmit a message to all members of the privileged subset. can obtain “knowledge” of the secret common to Ì . http://www.PStoPDF trial version. We show that even powerful and adaptive adversaries are incapable of circumventing the protection afforded by our schemes. give every user the keys corresponding to the subsets it belongs to. transmission length and storage at the user’s end.1 Definitions A broadcast scheme allocates keys to users so that given a subset Ì of Í . chosen uniformly at random. The scheme is considered broken if a user that does not belong to the privileged class can read the transmission. i. 1 . The goal of this paper is to provide solutions which are efficient in both measures. Let the security parameter be defined to be the length of this key. i.

More general schemes (Section 3) may require that the center transmit many messages. we distinguish between the set identification transmission and the broadcast encryption transmission. In fact.g. Thus. chosen at random from Í . Since the user may be weak. The computation effort involved in retrieving the common key by the members of the privileged class. [4] or [10]. If nothing is known about the privileged subset Ì . no computationally bounded (by probabilistic polynomial time) eavesdropper can distinguish between the secret and a truly random string. Zero-message schemes (Section 2) have the property that knowing the privileged subset Ì suffices for all users Ü ¾ Ì to compute a common key with the center without any transmission. Thus.2 Results As a function of the resiliency required. i. simply representing a subset Ì Í requires Í bits. There are distinct advantages that the identification numbers be assigned at random to new users. Using our schemes. Of course. any broadcast scheme requires that the transmission be sufficiently long to uniquely identify the privilege subset Ì .e. For more information on pseudorandomness. Otherwise. security is available for “free”. and thus the set representation can be a bit vector. even if the eavesdropper is provided with the keys of the coalition Ë the secret of Ì remains pseudorandom. Thus. a smart card. see [15]. Our goal is the study of broadcast encryption transmissions and their requirements.adultpdf. This is the computational definition of security. The relevant “resources” which we attempt to optimize are ¯ ¯ ¯ The number of transmissions used by the center to create the common secret. We distinguish between zero-message schemes and more general schemes. We also deal with random coalitions: a scheme is called ´ Ôµ-random-resilient if with probability at least ½   Ô the scheme is resilient to a set Ë of size . to actually use a zero-message scheme to transmit information implies using this key to encrypt the data transmitted. this should be minimized. Ì and Ì ¼ . Let Í Ò. E. there would be two non-identical sets.PStoPDF trial version. Ô transmitting an additional Ó´ Í µ bits guarantees security against all coalitions of size Ç ´ Í µ users and randomly chosen coalitions of Ç ´ Í µ users. 1. The number of keys associated with each user. the center will identify every user with a unique identification number. by a simple counting argument. A scheme is called -resilient if it is resilient to any set Ë Í of size .e. we use Ò and Í interchangeably hereinafter. http://www. All the schemes we describe require that the length of the center generated messages be equal in length to 2 . (this is “wasted” bandwidth).com ¯ The secret of Ì is pseudo-random. we discuss this hereinafter in the context of random resiliency. we provide a large set of schemes that offer a tradeoff between the two relevant resources: memory per user and transmission length. in some sense. The computational and memory requireÔ ments for these schemes are Ç´ Í µ. both of which somehow manage to obtain the same common key. if the set can somehow be computed from an old privileged set or the set representation can be compressed.. In general. in general. i. in many contexts the privileged set may be identified by sending a relatively short transmission.

which may be problematic). Other points along the tradeoff between memory and transmission length are given in Theorem 4. 3 . it suffices to store ÐÓ ÐÓ ´½ Ôµ keys per user. the levels refer to a sets of hash functions that partition and group users in a variety of ways. For low resiliency schemes. 1. and the keys must be updated after every use. [2. either the existence of a one way function or the more explicit assumption that RSA is secure. There is nothing to stop him or her from doing so (except for tamper-proof hardware. 6. However. all these schemes are “one-time”. Thus. receives a decryption box and then opens it and duplicates it. or a coalition of such users. Our general approach to constructing schemes is to use a two stage approach. These results are described in Theorems 1. 14]). 2 Zero Message Schemes In this section we present several schemes that do not require the center to broadcast any message in order for the member of the privileged class to generate a common key. The latter are not zero-message type schemes. 3.3 Related Work Several papers considered the problem of a center who wants to broadcast to a group (cf. when counting messages transmitted by the center. We then deal with the more general case. http://www.PStoPDF trial version. The main significance of the schemes presented in this section is their application as building blocks for the schemes presented in Section 3. Chor.adultpdf. For clarity of exposition. These can be repeated until the box is rendered useless. Our proofs are all based upon applications of the probabilistic method [1]. while the number of messages transmitted by the center is Ç ´ ÐÓ ÐÓ ´½ Ôµµ (Corollary 2). it suffices to store ÐÓ ÐÓ Ò keys per user. a traitor is traced and its name is removed the privileged list. with probability Ô. 2. To obtain a resiliency of . Fiat and Naor [7] have recently designed such traitor tracing schemes. To obtain a random resiliency of . Blundo and Cresti [3] have recently provided tight lower bound for the information-theoretic version of the broadcast encryption problem discussed in this paper. that are based upon no cryptographic assumption (the equivalent of a one-time pad). First. we describe assumption-free constructions. However. we describe more efficient schemes based upon a some cryptographic assumptions. while the number of messages transmitted by the center is Ç ´ ¾ ÐÓ ¾ ÐÓ Òµ (Theorem 5).com the security parameter. each messages is × bits in length. it is possible to trace at least one “traitor”. Then. and describe schemes of high resiliency (Section 3). Then such a tracing scheme would work very well in conjunction with broadcast encryption: given the illegal box. we describe our constructions in terms of the number of “levels” involved in the scheme construction. Informally. we construct low resiliency zero-message schemes and then use these to construct higher resiliency schemes. The complexity of their schemes (in terms of the length of broadcast and number of keys stored) is similar to the schemes of this paper. Suppose that a user subscribes to a Pay-TV service. suppose that given an illegal box manufactured by such a user.

È   ¡ 2. 4 .3 A 1-resilient scheme based on one-way functions Consider the 1-resilient version of the scheme described above. The result is a forest of ÐÓ Ò trees. ¼ . Given a label of a root of a subtree it is easy to compute the labels of the leaves of that subtree. Í   Ì. On the other hand. We therefore have Ò Theorem 1 There exists a -resilient scheme that requires each user to store keys and the ¼ center need not broadcast any message in order to generate a common key to the privileged class.2 1-Resilient Schemes using Cryptographic Assumptions We now see how to improve the memory requirements of the scheme described above using cryptographic assumptions such as “one-way functions exist” and that extracting prime roots modulo a composite is hard. Hence user Ü can compute the all leaf labels (except Ã Ü ) without additional help. [15])). then Ã Ü is indistinguishable from a random key (recall that Ã Ü was generated by an iterative application of a pseudo-random generator. Ã Ü is still pseudo-random for user Ü. as can be seen by a hybrid argument: if the labels provided to users Ü are (truly) random. We first explain how the key distribution is done. given this information. To meet this goal remove the path from the leaf associated with the user Ü to the root. this can be reduced to Ð Ð ÐÓ Ò keys per user if the keys are pseudorandomly generated from a common seed.  Ò¡ È The memory requirements for this scheme are that every user is assigned 2. Associate the Ò users with the leaves of a balanced binary tree on Ò nodes.PStoPDF trial version. With ¼ these requirements we need make no assumptions whatsoever. 12])). The idea is very simple. Assume that one-way functions exist and hence pseudo-random generators exist (see [13.adultpdf. However.1 The Basic Scheme The basic scheme we define allows users to determine a common key for every subset. This is similar to the construction of the tree in the generation of a pseudo-random function in [11].1. Consider the distributions ½ ÐÓ Ò such that is the distribution where the first labels are random and the rest are pseudo-random. The improvements are applicable to any . resilient to any set Ë of size . It requires every user to store Ò · ½ different keys. For every set The common key to the privileged set Ì is simply the exclusive or of all keys à . Clearly. define a key à and give à to every user Ü ¾ Í   . every coalition of Ë users will all be missing key ÃË and will therefore be unable to compute the common key for any privileged set Ì such that Ë Ì is empty. http://www. By the scheme of Section 2. every user Ü should get all the keys except the one associated with the singleton set Ü . Since by assumption ¼ and ÐÓ Ò are distinguishable. ¼ ½ ¼ ½ ¾ be a pseudo-random generator (the length of the output of is twice the Let length of the input). however they are the most dramatic ½. as we explain below. for 2. Í. which is in itself a pseudo-random generator (cf. Provide user Ü with the labels associated with the roots of these trees. The root is labeled with the common seed × ¾ ¼ ½ and other vertices are labeled recursively as follows: apply the pseudo-random generators to the root label and taking the left half (first bits) of ´×µ to be the label of the left subtree while the right half (last bits) of ´×µ to be the label of the right subtree.

18]. this sequence is derived from applying the Euclidean GCD algorithm on the modular ÐÓ of Ü and Ý ). it follows that Ì can be computed by user in this manner. Ü 2. then there exists a ½-resilient (under the relaxed definition) scheme that requires each user to store one key (of length proportional to the composite) and the center need not broadcast any message in order to generate a common key to the privileged class. This scheme is not 2-resilient since any two user can collude and compute . Therefore if this is assumed to be hard. since any two users have (together) all the keys à . Note however that this is not strong enough for our definition of security 9even the computational one). However. A common É ÔÌ key for a privileged subset of users Ì is taken as the value Ì ÑÓ Æ where ÔÌ ¾Ì Ô . the user could compute the Ô ’th root of Ô while knowing only the composite Æ . since the key for Ì is pseudo-random. (All users know what user index refers to what Ô ). then we have: Theorem 3 If extracting root modulo composites is hard. Every user ¾ Ì can compute Ì by evaluating É ¾Ì   Ô ÑÓ Æ Suppose that for some Ì Í and some ¾ Ì user could compute the common key for . ¾ Ì 5 .4 A 1-resilient scheme based on Computational Number Theoretic Assumptions A specific number theoretic scheme. È ¡ É where È and É are primes. We claim that it implies that the user could also compute : given Ü ÑÓ Æ and Ý ÑÓ Æ ´Ü Ý µ and Ü and Ý one can compute ÑÓ Æ by performing a sequence of modular exponentiÜ Ý ations/divisions on and (see [18]. If we relax this requirement to one that says that it is computationally hard to construct the common key. and ܼ such that Ü is associated with a leaf in the left subtree of the root and ܼ is associated with a leaf in the right subtree of the root have the labels of both subtrees. For instance. As the GCD of Ô and Ô is 1. then the user cannot get the key common to Ì . http://www. this is impossible since it would imply a distinguisher for .adultpdf. This scheme is cryptographically equivalent to the RSA scheme [17] and motivated by the DiffieHellman key exchange mechanism. User is assigned key . This scheme is not 2-resilient. The center chooses a random hard to factor composite Æ Ô It also chooses a secret value of high index. where Ô Ô are relatively prime for all ¾ Í . and the original Shamir cryptographically secure pseudo-random sequence. [8. cryptographically equivalent to the problem of root extraction modulo a composite. Therefore we have: Theorem 2 If one-way functions exist.PStoPDF trial version. can further reduce the memory requirements for ½   Ö × Ð ÒØ schemes. then there exists a ½-resilient scheme that requires each user to store ÐÓ Ò keys and the center need not broadcast any message in order to generate a common key to the privileged there must be an such that and ·½ are distinguishable. Thus.

Å to a subset Ì Í the center generates random strings Å Å such that ½Å The center broadcasts for all ½ and ½ Ñ the message Å to the privileged subset Ü ¾ Ì ´Üµ using scheme Ê´ µ. with the following property: Ð. This can be seen via a probabilistic construction. Given the transmissions of Ê´ µ only. or any of the cryptographic assumption variants. equal to the security parameter. In order to send a secret message ÄÐ ½ Å. then by assumption. even if Å is known to ÄÐ the eavesdropper for all ¼ . Throughout this section we assume the existence of a 1-resilient scheme for any number of users. The number of keys each user must store is Ñ times the number needed in the 1-resilient scheme. 3.PStoPDF trial version. Claim 1 The scheme described above is a -resilient scheme Proof. Fix Ë Í of size . The length of the transmission is ¡ Ñ times the length of the transmission for a zero message 1resilient scheme. Every user Ü ¾ Í receives the keys associated with schemes Ê´ ´Üµµ for all ½ . given the combined information of the schemes Ê´ µ. Our schemes are based on a method of converting 1-resilient schemes into -resilient schemes. Furthermore. (See [16] or [9] for more information on perfect hash functions. exponential in . For any coalition Ë of size at most there is an ½ such that is 1-1 on Ë . ½ Ñ the coalition Ë has at most the keys of a single user (which is not part of Ì ). Ë gets no information about Å (in the information theoretic definition of security) or Å is pseudo-random (in the computational definition of security).adultpdf. no knowledge is gained about Å ¾ ½Å . The latter can be seen by hybrid argument. Å is still random (in the information theoretic case) and remains pseudo-random in the ¼ computational case. Therefore. I. Û ÐÓ Ò if we assume that one-way functions exists and Û ½ if we assume that it is hard to extract roots modulo a composite. Every user Ü ¾ Ì can obtain all the messages Å ½ Å and by Xoring them get Å .e Û Ò · ½ if no cryptographic assumptions are made. The probability that a random is 1-1 on Ë is at least ½   ¾ ¡ ½ Ñ ½   ´ ¾   ½µ ¾ ¿ 6 . It turns out that setting Ñ ¾ ¾ and ÐÓ Ò is sufficient. Let Û denote the number of keys that a user is required to store in the 1-resilient 3 Low Memory -Resilient Schemes The zero message -resilient schemes described in the proceeding section require for ½ a great deal of memory.1 One Level Schemes Consider a family of functions ½ Í ½ Ñ . The efficiency of our schemes will be measured by how many Û’s they require. In this section we provide several efficient constructions of resilient schemes for ½. For every ½ Ð and ½ Ñ use an independent 1-resilient scheme Ê´ µ. We now see what values can Ñ and take.) Such a family can be used to obtain a -resilient scheme from a 1-resilient scheme. This can be taken as the no-assumption scheme. In the schemes Ê´ µ. there exists some ½ Ð such that for all Ü Ý ¾ Ë : ´Üµ ´Ý µ. For every subset Ë Í of size . This is equivalent to the statement that the family of functions contains a perfect hash function for all size subsets of Í when mapped to the range ½ Ñ . http://www.

The remarks of this section are applicable to both single and multi level schemes.e that storing the resulting structure may be prohibitively expensive.2 Remarks After having seen the single-level schemes above. However. The center could in fact generate all required functions from a pseudo-random function and a single seed. Simply choose Ñ effectively. the scheme can be constructed effectively with arbitrarily high probability by increasing the scheme parameters appropriately. since we can take to be ÐÓ ´½ Ôµ: Corollary 1 For any ½ that requires each user to store messages. In some applications using probabilistic constructions is problematic because of representation problem. our schemes do not absolutely require that the functions be computable. they seem to be at least a factor of more expensive. The results regarding the probabilistic construction of this section require only pairwise independence (we need to worry about collisions). such as random polynomials of degree (see [1] for information on limited independence functions).com Therefore the probability that for no we have that is 1-1 on Ë is at most ½   ¡ ½ Ò¾ . we wish to clarify certain points that can be discussed only after seeing an example of the types of schemes we deal with. The advantage is that there is a succinct representation for the functions now.adultpdf. We continue with more efficient multi-level schemes in the next section. The proof implies that against a randomly chosen subset efficient scheme. Alternatively.2. instead of using completely random functions one can use function with limited independence. Hence ½ the probability that for all subsets Ë Í of size there is a 1-1 is at least ½   Ò ¡ Ò½ ½  . 7 .PStoPDF trial version. This could be chosen at random. 3. One possibility of construction is via error-correcting-codes of large relative distance (say ½   ½ ¾ ) over an alphabet of size Ç ´ ¾ µ. Storing such function representations in the user decryption devices is not much more expensive than storing the keys required in the above schemes. the scheme can be constructed As for explicit constructions for the family ½ . and those of the next section require ÐÓ -wise independence. ¾ Ò We therefore conclude Theorem 4 There exists a -resilient scheme that requires each user to store Ç ´ ÐÓ Ò ¡ Ûµ keys and the center to broadcast Ç ´ ¿ ÐÓ Òµ messages. as described above.1 Representing the Functions. Ò Ë Í of size we can have a more and ¾ ¼ Ôµ Ç ´ÐÓ ´½ ¡ Ô Ûµ and ½ there exists a ´ Ôµ-random-resilient scheme keys and the center to broadcast Ç ´ ¾ ÐÓ ´½ Ôµµ ÐÓ Ô. http://www. i. Moreover. Ò ÐÓ ÐÓ Òµ and 3. the user could simply be assigned ´Üµ. Consider the family Ô ´Üµ Ü ÑÓ Ô Ô ¾ ÐÓ Ò and is a prime satisfies the above requirement. For a simple construction. The number of keys stored per user in this explicit construction is Ç ´ ¾ ÐÓ the number of messages that the center broadcasts is Ç ´ ÐÓ ¾ Ò ÐÓ ÐÓ Òµ. Moreover.

Given a ´Î ½ ¾µ randomized resilient scheme. -wise independent functions as described above). 8 .2. it may be possible to learn the user identification by monitoring transmissions and user behavior. the expected number of devices that the adversary must capture to break the scheme is at least Î ¾. However. If we assume that the functions can be computed by anyone (e.PStoPDF trial version. by guessing the short secret keys)... this means that irrespective of how the adversary goes about choosing the coalition. Every Ê´ µ scheme above deals with a subset of the users. If we assume that the functions are kept secret then the results we can get for ´ Ôµ-immune schemes are very similar to the results for ´ Ôµ-random-resilient schemes. We now describe yet another tradeoff that may reduce storage requirements.adultpdf. if user indices are assigned at random any set of devices captured will be a random set irrespective of the adversary strategy used. The adversary may capture devices at random. no coalition of size smaller than will be of any use to the adversary. We can get a certain tradeoff: instead of hashing to a range of size ¾ ¾ we hash to range of size Ñ ¡ ¾. in this case the random resiliency measure is directly applicable. The definition of ´ Ôµ random resiliency is somewhat problematic for two reasons: 1.g. A possibly legitimate assumption is that a user of the decryption device does not even know his unique index amongst all users. such a smartcard is probably vulnerable. The probability Ô is an absolute probability. This is true since the random constructions for both single level schemes and multi level schemes (described in the next section). Suppose that we are interested in limiting the number of keys that a user must store (at the the expense of the number of keys that the center must broadcast). But. this leads to a saving in the memory requirements described in the scheme. To avoid both these problems we define a new notion of resiliency and say that a scheme is ´ Ôµimmune if for any adversary choosing adaptively a subset Ë of at most users and a disjoint subset Ì we have: the probability that the adversary (knowing all the secrets associated with Ë ) guesses the value the center broadcasts to Ì is larger by at most (additive) Ô than the probability the adversary would have guessed it without knowing the secrets of Ë . However. the user index and all user secrets could be stored on a (relatively) secure smartcard. we do not know whether this holds in general for all random-resilient schemes.g. For 3. 3. A -resilient scheme is resilient to any coalition of size . this does not make sense if the underlying one resilient schemes we are using can be themselves broken with relatively high probability (e. but not to a casual user. http://www. This is true for both -resilient schemes and for ´ Ôµ-random-resilient schemes. the scheme is resilient to many sets of size much larger than . The assignment of users ids (index numbers) to users is assumed to be random and secret. depending on the underlying 1-resilient scheme.3 Adversary Limitations and Resiliency. Thus. then the Ê´ µ 1-resilient schemes can be devised so as to deal with the true number of users associated with the scheme. The results that we get in this case are that the memory requirements are smaller by a ÐÓ factor and the broadcast requirements are larger by a factor of .2.2 Reducing Storage. at the expense of some additional computation. 2.

Proof. i. ´ µ ÅÛ ½ µ Å . it would be very useful for the adversary to capture pairs of devices that belong to the same 1-resilient Ê´ µ scheme described above. The adversary may attempt to actively subvert the system by publishing a solicitation for dishonest users that meet certain criteria. and Ñ random strings ½ ÅØ ´ Ž ´ µ . Every user Ü ¾ Ì can obtain for ´ ´Üµµ all ½ and ½ Ö Û messages ÅÖ .PStoPDF trial version. by assumption. tion of sets of schemes. an ½ and Ö½ ½ Û such that the schemes Ê´ Ö µ are resilient to Ë .3 Multi-Level Schemes We now describe a general multi-level scheme that converts a scheme with small resiliency to one Í ½ Ñ and a collecwith large resiliency. Claim 2 The scheme described above is a -resilient scheme. a true -resilient scheme is the only prevention. the center generates: ¯ ¯ Strings Å ½ For every ÄÛ Ø Å Ð such that Ð ÄÐ ½ ½Å Å and Å ½ Å Ð  ½ are chosen at random.e. A user Ü ¾ Í receives for every ½ Ð and every ½ Ö Û the keys associated with Ü in scheme Ê´ ´Üµ Ö µ. Therefore. Specifically. for all ½ ÄÛ ´ µ ´ of ÅÖ is random or pseudo-random for Ë and hence the value of Å ÅØ Ø ½ or pseudo-random for Ë which implies that no knowledge is gained about Å .. Since the adversary does not know the values of the hash functions ( for single level schemes) when adding a user to Ë . such that ´ µ . For any coalition Ë of size at most there is.adultpdf. These functions and schemes obey the following condition: For every subset Ë Í of size . ¾ 9 Ö¾ Ñ ÖÑ ¾ µ the value is random . To reconstruct the message Å . In this case. resilient to the set Ü ¾ Ë ´Üµ We claim that such a structure can be used to obtain a -resilient scheme: Generate independently chosen keys for all schemes Ê´ Ö µ. If is sufficiently large and the number of traitors does not exceed then the scheme is secure. The center broadcasts for all ½ and ½ Ñ and ½ Ö Û the message ÅÖ to the privileged subset Ü ¾ Ì ´Üµ using scheme Ê´ Ö µ. in all schemes Ê´ Ö µ such that ´Üµ . The length of a broadcast is equal to the number of messages transmitted in an Ê´ Ö µ scheme times Ð ¢ Ñ ¢ Û . although it may be rather difficult in practice. Ê´ µ½ Ð ½ Ñ where each Ê´ µ consists of Û schemes labeled Ê´ ½µ Ê´ Û µ. Given a subset Ì Í and a secret message Å . we note that yet another attack is theoretically possible. the user Ü ¾ Ì takes the bitwise exclusive or of all messages transmitted to the user in all schemes to which the user belongs. For completeness. any choice of Ë has the same probability of being bad. http://www. if he captures pairs ´ µ such that ´ µ ´ µ then he has corrupted our scheme the analysis fixes the subset Ë and evaluates the probability that it is good for a random construction. Consider a family of functions ½ Ð. there exists some ½ Ð such that for all ½ Ñ there exists some ½ Ö Û such that the scheme Ê´ Ö µ is . The number of keys associated with user Ü is therefore the number of keys associated with a scheme Ê´ Ö µ times Ð ¢ Û . 3.

Set ¾ ÐÓ Ò. The first level consists of a family of functions ´ µ Í ½ Ñ . 10 . ¾ for all ½ .PStoPDF trial version. For a set Ë Í of size we say that is good if: for all ½ Ñ 1. ´ We prove that randomly chosen and Ö probability. then the scheme is constitute a good scheme with reasonably high . Ü ¾ Ë ´Üµ Ö Û Ø . the scheme can be constructed effectively with high probability. The probability that Condition 1 above is not ½ ¾ ´ µ ¾ ½ ¾ Ñ Ø ¡´½ µ Ñ Ø ´ ¾ ÐÓ µ ¾ ÐÓ ¡ ´ ÐÓ µ ¾ ÐÓ ÐÓ Suppose that condition 1 is satisfied.½ Ñ and ½ Ö Û . As in Theorem 4. http://www. Ñ ÐÓ . Every such ´ Ö µ and ½ ¾Ø defines a 1-resilient scheme Ê´ Ö µ as in the scheme of Section 3. Moreover. The probability that no is good for Ë is at most ½ ¾ ½ Ò¾ We now describe a concrete two level scheme using this method.1. then for any ½ Ö Û the probability that Ö is 1-1 on ½ ½ Ü ¾ Ë ´Üµ is at least ½   Ø ¾Ø . Hence the probability that all subsets Ë Í of size have a good is at least ½ ´ µ   Ò ¡ ½ ¾ Ò ½   ½ Ò We therefore conclude: Theorem 5 There exists a -resilient scheme that requires each user to store Ç ´ ÐÓ ÐÓ Ò ¡ Ûµ keys and the center to broadcast Ç ´ ¾ ÐÓ ¾ ÐÓ Òµ messages. there exists ½ such that µ is 1-1 on Ü ¾ Ë ´Üµ . Hence the probability that condition 2 is not satisfied ¾ is at most ½ ¾Û ½ ¾ and therefore the probability that Conditions 1 and 2 are both satisfied for every ½ Ñ is at least ½ ¾. The second level consists of functions Ö Í ½ ¾Ø¾ ½ Ð. ´ Ö 2. Moreover. the scheme can be constructed effectively with high probability. Every user Ü receives the keys of ´ ´Üµµ schemes Ê´ ´Üµ Ö Ö ´Üµµ for all ½ and ½ Ö Û. Fix a subset Ë Í of size and ¾ ½ satisfied is at most ¾ µ Í of size there is a good . Ø ¾ ÐÓ and Û ÐÓ · ½. By Claim 2 we know that if for every set Ë -resilient. the proof implies that against a randomly chosen subset Ë can have a more efficient scheme: Í of size we Ò and ¼ Ô ½ there exists a ´ Ôµ-random-resilient scheme Corollary 2 For any ½ with the property that the number of keys each user should store is Ç ´ÐÓ ÐÓ ´½ Ôµ ¡ Ûµ and the center should broadcast Ç ´ ÐÓ ¾ ÐÓ ´½ Ôµµ messages.

It is only users that belong to the same underlying 1-resilient schemes that he belongs to that matter. and if we have captured one of the adversary eavesdropping devices. and 100 keys transmission per broadcast encryption scheme.Eurocryp’91. How to Broadccast a Secret.PStoPDF trial version. It is still a relatively simple matter to disable all adversary devices by disabling one group of 1000 users. and the resiliency gets too small. (Vs. 1991. Say we’ve got a user group of one billion subscribers. The Probabilistic Method. the subscriber is apathic to the presence or absence of most of the users. assume that our goal is that to discourage any possible pirate box manufacturer. Say we split the billion users above into randomly assigned broadcast encryption groups of 1000 users. Another advantage of the scheme presented in this section is that if the adversary is in fact successful. after collecting 100. 1992. We use a non-random -resilient broadcast encryption scheme which requires about 10 keys stored per user. It seems that all subscribers will have to listen to one billion bits of set identification transmission without making a single error. Basing our 1-resilient scheme on the number theoretic scheme. By appropriately resynchronizing and labeling schemes. (We say such a scheme is broken if any of it’s component broadcast encryption schemes is broken). (The adversary must randomly select devices until he has 5 different devices from the same broadcast encryption scheme). Spencer. Transmissions are 50 times longer than before. and if one seeks a solution to a concrete example then other considerations creep in. there are advantages to splitting up users into independent broadcast encryption schemes. all is not lost. Lecture Notes in Computer Science 547. then the (multiple) birthday paradox enters into consideration. Advances in Cryptology . but still significantly shorter than individual transmissions. References [1] N. [2] S. Wiley. 11 .adultpdf. and thus the expectation should be that he is required to capture ½¼¼ ¼¼¼ devices before seeing any return on his or her investment. the adversary effort has been in vain. and the length of a broadcast enabling transmission is on the order of two million keys. This is a practical scheme since there is no longer any serious error control problem. there is a major problem. if random resiliency suffices. 4 An Example and Implementation Considerations The schemes described in this paper are valid for all possible values of the parameters. http://www. Springer. In fact.. There is a tradeoff between error control issues and security. However.000 decryption devices. the decryption device will only have to deal with the set identification transmission dealing with one (smaller) scheme. Thus. Also. Berkovits. the number of keys stored in every subscriber decryption device is less than 20. for a total of ½¼ key transmissions. with the set identification transmission. However. and using our randomized ´½¼¼¼¼¼ ½ ¾µ-resilient scheme. If the number of broadcast encryption schemes gets too large. Alon and J. splitting these users amongst other groups. The total random resiliency is approximately ½ ¼¼¼ ¼¼¼ ½¼¼ ¼¼¼. determining what user gets assigned to what scheme at random. one billion keys transmitted for standard schemes). 536–541.

12 . A. Rivest. Goldreich. Berlin Heidelberg. [6] G. Advances in Cryptology . Springer-Verlag. Information Processing Letters.Eurocryp’94. Diffie and M. A. 38–44. L. pp. Lecture Notes in Computer Science 950 Springer. pp. Goldwasser and S. pp. Pseudo-randomenss and [3] C. [9] M. Carter and M. S. N.. on Software Engineering. Shamir. J. Storing a Sparse Table with o e Access Time.adultpdf. [16] K. Princeton Universtity Press. Chor. To appear. pp. 257–270. On the Generation of Cryptographically Strong Pseudo-Random Number Sequences. 21 (1978). New Directions in Cryptography . Luby. available in “http://www. of ACM. 1989. 1989.html”. Foundations of Cryptography (Fragments of a Book). Hellman.PStoPDF trial version. New Hash Functions and Their Use in Authentication and Set Equality. [11] O. 265-279 (1981). of the 20th ACM Symp. Carter. 1 (1983). [19] M. 929–934. 1989. vol 15. Hastad. Vol 31. pp. H. Advances in Computing Research. http://www. ACM Trans. 287–298. Ç ´½µ Worst Case [10] O. pp. Proc. pp.eccc. A Method for Obtaining Digital Signature and Public Key Cryptosystems. [17] R. Hirshfeld Pseudorandom generators and complexity classes. [5] J. Comput. [8] W. 143–154. IT-22. Pseudo-Random Generators under Uniform Assumptions. Journal of the ACM.L. 1986. How to Construct Random Functions Journal of the ACM 33. L. Tracing traitors. Comm. Cresti. Goldreich. Data Structures and Algorithms: Sorting and Searching. J. pp. A New Threshold Scheme and its Application is Desiging the conference Key Distribution Cryptosystem. Impagliazzo. 839. Naor. [18] A. [7] B. Journal of Computer and System Sciences 18 (1979). 792–807. Chen. [12] J. Harn. IEEE Trans. Boppana and R. 1990. Lee and L. Space Requirements for Braodcast Encryption. 1994. Fredman. Lecture Notes in Computer Science No. 6 (1976). Pseudo-random Generation given from a One-way Function. Blundo and A. Shamir and L. Sys. 538–544. [4] R.Crypto’94. IEEE Trans. Secure Broadcasting using the Secure Lock. 1995. [15] M. Micali. Journal of Computer and System Sciences 22. Levin and M. [14] C. Luby.uni-trier. L. N. Laih. Proc. Chiou and W. 1984. 120–126. Fiat and M. Szemer´ di. Wegman. on Information Theory. [13] R. Wegman and J. 19th Symposium on Theory of Computing. 1984. pp. Adleman. Universal Classes of Hash Functions. on Theory of Computing. 95–99. Volume 5 on Randomness and Computation. Springer Verlag. 644–654. Advances in Cryptology . Koml´ s and E. vol 32. T. pp. vol.