Broadcast Encryption

Our system consists of a center and a set, U of n users. The center provides keys to the users when they join the system. Later on, the center wants to broadcast an encrypted message (such as the password to view “Matrix”) which can be deciphered only by a dynamically changing privileged subset of users, T , i.e., the non-privileged users should not be able to learn the message. To achieve this, the members of T should be able to agree on a common secret key, based only on the keys present with each member and the broadcasts of the center. One approach is for the center to give every user a key and broadcast an individually encrypted message |T | times corresponding to each privileged user. Another approach is to provide every possible subset of users with a key (give each user the keys corresponding to the subsets it belongs to). The former requires a very long transmission whereas the latter requires each user to store exponentially many keys. Fiat and Naor [1] describe schemes that are efficient in both these measures and are also computationally efficient. A broadcast scheme is resilient to a set of users S if for every subset T that is disjoint from S, no eavesdropper that has all the secrets of S, can obtain “knowledge” about the secret common to T . We could either consider the information-theoretic or the computational definition of security. The scheme is k − resilient if it is resilient to any set S ⊂ U of size k.