Cryptanalysis of BGW Broadcast Encryption Schemes for DVD Content Protection
Security systems should not only be correctly devised but also be correctly used. In Crypto 2005, Boneh, Gentry and Waters (BGW) proposed two efficient broadcast encryption schemes that are proven secure under their security definition. They also suggested a number of applications of their schemes, including satellite TV subscription services and DVD content protection. In contrast to this suggestion, we show that any legitimate decoder(s) can collude with the revoked decoders to produce exponentially many equivalent decryption keys, and moreover, that this activity cannot be traced by the dealer. Our results serve as a reminder against such misuse: their schemes are not suitable for satellite TV subscription services or DVD content protection applications, although they may be applicable in trusted environments such as conference key distribution.
Keywords: Broadcast Encryption, Decryption Oracle, Bilinear Group, Pirate Attack, Pirate Behavior
- 1. Anderson, R. (ed.): Security Engineering: A Guide to Building Dependable Distributed Systems. John Wiley and Sons, New York (2001)
- 2. Touretzky, D.S.: Gallery of CSS descramblers. Webpage, Computer Science Department of Carnegie Mellon University (November 17, 2005), http://www.cs.cmu.edu/~DeCSS/gallery
- 4. Boneh, D., Gentry, C., Waters, B.: Collusion Resistant Broadcast Encryption with Short Ciphertexts and Private Keys. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 258–275. Springer, Heidelberg (2005)
- 5. Dodis, Y., Fazio, N.: Public Key Broadcast Encryption for Stateless Receivers. In: Feigenbaum, J. (ed.) DRM 2002. LNCS, vol. 2696, pp. 61–80. Springer, Heidelberg (2003)
- 6. Fiat, A., Naor, M.: Broadcast Encryption. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 480–491. Springer, Heidelberg (1994)
- 7. Goodrich, M.-T., Sun, J.Z., Tamassia, R.: Efficient Tree-based Revocation in Groups of Low-state Devices. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 511–527. Springer, Heidelberg (2004)
- 9. Joux, A., Nguyen, K.: Separating Decision Diffie-Hellman from Diffie-Hellman in Cryptographic Groups. Cryptology ePrint Archive, Report 2001/003, 2001 (Ocotomber 5, 2006), http://eprint.iacr.org/