Broadcast encryption

This article focuses only on one specialized aspect of the subject. Please help improve this article by adding general information and discuss at the talk page. (April 2012)

This article needs additional citations for verification. Please help improve this article by adding citations to reliable sources. Unsourced material may be challenged and removed. Find sources: "Broadcast encryption" – news · newspapers · books · scholar · JSTOR (February 2012) (Learn how and when to remove this message)

Broadcast encryption is the cryptographic problem of encrypting broadcast content (e.g. TV programs or data on DVDs) in such a way that only qualified users (e.g. subscribers who have paid their fees or DVD players conforming to a specification) can decrypt the content. The challenge arises from the requirement that the set of qualified users can change in each broadcast emission, and therefore revocation of individual users or user groups should be possible using unidirectional broadcast transmissions, only, and without affecting any remaining users.

Rather than directly encrypting the content, broadcast encryption schemes distribute keying information that allows qualified users to reconstruct the content encryption key whereas revoked users find insufficient information to recover the key. The problem of practical broadcast encryption has first been formally studied by Amos Fiat and Moni Naor in 1994. Since then, several solutions have been described offering various trade-offs between the increase in the size of the broadcast, the size of keys that each user needs to store, and the feasibility of an unqualified user or a collusion of unqualified users being able to decrypt the content. One particular solution is the "subset difference" scheme, which is derived from a general class of so-called subset cover schemes. The subset difference scheme is notably implemented in the AACS for HD DVD and Blu-ray Disc encryption. A rather simple broadcast encryption scheme is used for the CSS for DVD encryption.

The problem of rogue users sharing their decryption keys or the decrypted content with unqualified users is mathematically insoluble. Traitor tracing algorithms aim to minimize the damage by retroactively identifying the user or users who leaked their keys, so that punitive measures, legal or otherwise, may be undertaken. In practice, pay TV systems often employ set-top boxes with tamper-resistant smart cards that impose physical restraints on a user learning their own decryption keys. Some broadcast encryption schemes, such as AACS, also provide tracing capabilities.^[1]

• Multicast encryption
• Threshold cryptosystem
• Digital Rights Management

This cryptography-related article is a stub. You can help Wikipedia by expanding it.

• v
• t
• e