Cryptography Stack Exchange
Cryptography Stack Exchange

Questions tagged [broadcast-encryption]

Broadcast encryption is the cryptographic problem of delivering encrypted content (e.g. TV programs or data on DVDs) over a broadcast channel in such a way that only qualified users (e.g. subscribers who have paid their fees or DVD players conforming to a specification) can decrypt the content

The challenge arises from the requirement that the set of qualified users can change in each broadcast emission, and therefore revocation of individual users or user groups should be possible using broadcast transmissions, only, and without affecting any remaining users. As efficient revocation is the primary objective of broadcast encryption, solutions are also referred to as revocation schemes

The problem of practical broadcast encryption has first been formally studied by Amos Fiat and Moni Naor in 1994.

29 questions
10
votes
1 answer

Advanced Access Content System (AACS) and Subset Difference techniques for Broadcast Encryption

I'm trying to get a grasp on AACS and Subset Difference (archived version with images) for a project I'm working on and am having a hard time coming up with a technically valid layman explanation, let alone implementation. Is it fair to say that the…
makerofthings7
  • 2,631
  • 1
  • 22
  • 37
6
votes
1 answer

How to select corresponding ciphertext in anonymous Identity-based broadcast encryption?

In identity-based broadcast encryption, suppose the broadcast ciphertext $(r_1,r_2,\dots,r_i,U,W,V)$ is sent to the receiver. It does not describe which user corresponds to which ciphertext part. User $i$ should decrypt using the corresponding $r_i$…
myat
  • 353
  • 1
  • 9
4
votes
3 answers

Scheme that encrypt with $n$ pk that any sk of the pks can decrypt?

Suppose there are $n$ users each with public/private key pair $(pk_i,sk_i)$ $i=1,\cdots,n$. Is there any scheme that I can encrypt $m$ using the set of public keys $(pk_1,\cdots,pk_n)$, and can decrypt it using any $sk_i$? That is…
Felix LL
  • 321
  • 1
  • 7
4
votes
1 answer

A standard extension of ECIES for multiple recipients (broadcast / multiparty)?

I have one sender, and a small number (~5) of recipients. The sender knows each recipient's public EC key. I want the sender to broadcast a single message in such a way that any one of the recipients can decrypt it. For reasons that aren't…
RhinoGuy
  • 43
  • 3
3
votes
1 answer

efficient authentication with broadcast encryption?

(I am not a crypto expert, so I apologize if the terminology I use is incorrect.) Suppose I have the following simple broadcast encryption scheme for securely sending content to $n$ authorized recipients using only symmetric-key algorithms: each…
Richard Hansen
  • 133
  • 3
3
votes
1 answer

(Lightweight) Multicast one-way Authentication

Problem: I'm thinking about a lightweight solution to provide source authentication (only one source) to multiple receivers (multicast message). Context: Taking the problem to ground, we can think of use cases like firmware update (one to many), or…
renzoe
  • 31
  • 5
3
votes
1 answer

Multi-key decryption

Let's assume I want to send a secret message to $N$ recipients in an asymmetric way. My message could be encrypted with $N$ different public keys $p_i$ one after another and send to each user individually. In practice only a symmetric key $k$ is…
RomeoAndJuliet
  • 175
  • 1
  • 6
2
votes
1 answer

KP-ABE Key Generation

In Key Policy Attribute-based encryption if we need a targeted broadcast where the set of attributes are the same for a group of users. It means they all share the same secret key right? Or is it that every user needs to have at least 1 attribute…
Crypto_Research
  • 719
  • 3
  • 10
2
votes
1 answer

Is it possible to convert a selective secure broadcast encryption scheme to an adaptive secure broadcast encryption scheme?

I was reading the paper, entitled "Multiparty Key Exchange, Efficient Traitor Tracing, and More from Indistinguishability Obfuscation", by Boneh et al. On page 23, the authors have claimed the following. "Remark 6.2. We note that for private linear…
Mriganka Mandal
  • 23
  • 4
2
votes
1 answer

Compute euclidian distance on encrypted data

The scenario is described as following: Let $A$ an user that is transmitting an encrypted (with its own public key $PK_A$) data vector containing its position as $p = Enc(PK_A, [x,y])$ towards a group of users $U = [u_1, u_2, \dots, u_n]$. Is it…
CipherX
  • 381
  • 3
  • 12
2
votes
0 answers

Group receiver and sender, only parts of them can decrypt

suppose there is a group $\mathcal{N}$ of $n$ people with public/private key pairs $(pk_i,sk_i)$ $i=1,\cdots,n$. Is there any scheme that I can send message to a subset of users $i_1, \cdots, i_m$, only the users in $i_1, \cdots, i_m$ can decrypt…
Felix LL
  • 321
  • 1
  • 7
2
votes
3 answers

Broadcast encryption not using symmetric keys

Is there a common scheme for broadcast encryption that doesn't involve an exchange of a shared key? I'm aware that traditionally a common symmetrical key would be given to all parties and exchanged securely using the recipients' public keys. I'm…
Alex Godwin
  • 21
  • 1
2
votes
0 answers

Which Attribute Based Encryption method is better for broadcast encryption? (KP-ABE or CP-ABE)

I have a basic understanding of public-private and symmetric crypto, but I keep struggling with the concept of ABE. I know the difference between the two variants: Key-Policy: A key is linked to a specific access policy. A cipher text is linked to…
user1226868
  • 121
  • 3
2
votes
0 answers

How to use maps in the Boneh Gentry Waters encryption scheme?

I am reading the source of pbc_bce library which implements the Boneh Gentry Waters broadcast encryption scheme. In this paper the authors use for their construction a bilinear group $G$ and a bi-linear map $e$ but in the source of pbc_bce I find…
ab3l
  • 21
  • 1
2
votes
0 answers

on broadcast encryption

I've read the following paper and have one question on it. M. Luby and J. Staddon, "Combinatorial Bounds for Broadcast Encryption", EUROCRYPT'98. On page 523 (12th page of the paper) the authors say …there are at most $2^{tm}$ petals in…
tmac
  • 21
  • 2
1
2