Cryptanalysis of BGW Broadcast Encryption Schemes for DVD Content Protection

  • Qianhong Wu
  • Willy Susilo
  • Yi Mu
  • Bo Qin
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4610)


Security systems should not only be correctly devised but also be correctly used. In Crypto 2005, Boneh, Gentry and Waters (BGW) proposed two efficient broadcast encryption schemes proven secure in their security definition. They also suggested for a number of applications of their schemes including satellite TV subscription services and DVD content protections. In contrast to this suggestion, we show that any legitimate decoder(s) can collude with the revoked decoders to produce exponentially many equivalent decryption keys, and moreover, this activity cannot be traced by the dealer. Our results remind of abuse that their schemes are not suitable for the satellite TV subscription services or DVD content protection applications, although their schemes may be applicable in trusted environments such as conference key distribution.


Broadcast Encryption Decryption Oracle Bilinear Group Pirate Attack Pirate Behavior 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Anderson, R. (ed.): Security Engineering: A Guide to Building Dependable Distributed Systems. John Wiley and Sons, New York (2001)Google Scholar
  2. 2.
    Touretzky, D.S.: Gallery of CSS descramblers. Webpage, Computer Science Department of Carnegie Mellon University (November 17, 2005),
  3. 3.
    Boneh, D., Franklin, M.: Identity-based Encryption from the Weil Pairing. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 213–229. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  4. 4.
    Boneh, D., Gentry, C., Waters, B.: Collusion Resistant Broadcast Encryption with Short Ciphertexts and Private Keys. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 258–275. Springer, Heidelberg (2005)Google Scholar
  5. 5.
    Dodis, Y., Fazio, N.: Public Key Broadcast Encryption for Stateless Receivers. In: Feigenbaum, J. (ed.) DRM 2002. LNCS, vol. 2696, pp. 61–80. Springer, Heidelberg (2003)Google Scholar
  6. 6.
    Fiat, A., Naor, M.: Broadcast Encryption. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 480–491. Springer, Heidelberg (1994)Google Scholar
  7. 7.
    Goodrich, M.-T., Sun, J.Z., Tamassia, R.: Efficient Tree-based Revocation in Groups of Low-state Devices. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 511–527. Springer, Heidelberg (2004)Google Scholar
  8. 8.
    Halevy, D., Shamir, A.: The lsd Broadcast Encryption Scheme. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 47–60. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  9. 9.
    Joux, A., Nguyen, K.: Separating Decision Diffie-Hellman from Diffie-Hellman in Cryptographic Groups. Cryptology ePrint Archive, Report 2001/003, 2001 (Ocotomber 5, 2006),
  10. 10.
    Joux, A.: A One Round Protocol for Tripartite Diffie-Hellman. In: Bosma, W. (ed.) Algorithmic Number Theory. LNCS, vol. 1838, pp. 385–394. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  11. 11.
    Naor, D., Naor, M., Lotspiech, J.: Revocation and Tracing Schemes for Stateless Receivers. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 41–62. Springer, Heidelberg (2001)CrossRefGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2007

Authors and Affiliations

  • Qianhong Wu
    • 1
  • Willy Susilo
    • 1
  • Yi Mu
    • 1
  • Bo Qin
    • 2
    • 3
  1. 1.Centre for Computer and Information Security Research, University of Wollongong, Wollongong NSW 2522Australia
  2. 2.National Key Laboratory of Integrated Service Networks, Xidian University, Xi’anChina
  3. 3.Department of Mathematics, School of Science, Xi’an University of Technology, Xi’anChina

Personalised recommendations