Towards Making Broadcast Encryption Practical
The problem we address is how to communicate securely with a set of users (the target set) over an insecure broadcast channel. In order to solve this problem, several broadcast encryption schemes have been proposed. In these systems, the parameters of major concern are the length of transmission and number of keys held by each user’s set top terminal (STT). Due to the need to withstand hardware tampering, the amount of secure memory available in the STTs is quite small, severely limiting the number of keys each user holds. In such cases, known theoretical bounds seem to indicate that non-trivial broadcast encryption schemes are only feasible when the number of users is small.
In order to break away from these theoretical bounds, our approach is to allow a controlled number of users outside the target set to occasionally receive the multicast. This relaxation is appropriate for low-cost transmissions such as multicasting electronic coupons. For this purpose, we introduce ƒ-redundant establishment key allocations, which guarantee that the total number of recipients is no more than ƒ times the number of intended recipients. We measure the performance of such schemes by the number of transmissions they require, by their redundancy, and by their opportunity, which is the probability of a user outside the target set to be part of the multicast. We first prove a new lower bound and discuss the basic trade-offs associated with this new setting. Then we present several new ƒ-redundant establishment key allocations. We evaluate the schemes’ performance under all the relevant measures by extensive simulation. Our results indicate that, unlike previous solutions, it seems possible to design practical schemes in this new setting.
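The trade-off between transmissions, redundancy and opportunity can be made concrete with a small added example, which is not one of the paper's schemes. It assumes a full binary tree of keys over 16 users, a simple top-down selection rule, and opportunity computed as the fraction of non-target users who receive the multicast; the names `tree_cover` and `measure` are hypothetical.

```python
from fractions import Fraction

def tree_cover(n_users, target, f):
    """Pick subtree keys, top-down, so each chosen subtree is f-redundant.

    Assumed layout: users are leaves 0..n_users-1 of a full binary tree
    (n_users a power of two); every node has one key, held by the leaves
    below it. Returns chosen subtrees as (lo, hi) leaf ranges, hi exclusive.
    """
    target = set(target)
    cover = []

    def visit(lo, hi):
        hits = sum(1 for u in target if lo <= u < hi)
        if hits == 0:
            return                      # no intended recipient: send nothing
        if hi - lo <= f * hits:
            cover.append((lo, hi))      # subtree size within f x its targets
            return
        mid = (lo + hi) // 2            # too wasteful: try both children
        visit(lo, mid)
        visit(mid, hi)

    visit(0, n_users)
    return cover

def measure(n_users, target, cover):
    """Transmissions, actual redundancy and opportunity of a cover."""
    k = len(set(target))
    recipients = sum(hi - lo for lo, hi in cover)   # subtrees are disjoint
    return {
        "transmissions": len(cover),
        "redundancy": Fraction(recipients, k),
        "opportunity": Fraction(recipients - k, n_users - k),
    }

TARGET = [0, 1, 2, 5, 12]               # constructed target set, 16 users

if __name__ == "__main__":
    for f in (1, 2):
        c = tree_cover(16, TARGET, f)
        print(f"f={f}: cover={c} {measure(16, TARGET, c)}")
```

Because the chosen subtrees are disjoint and each holds at most f times its own targets, the total number of recipients is at most f times the target set size.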
Keywords: Free Rider; Broadcast Encryption; Redundancy Factor; Full Binary Tree; Actual Redundancy