1. Technical Field
The present application relates generally to broadcast encryption and, more particularly, to a long-lived broadcast encryption scheme that adapts to the presence of pirate decoders and maintains the security of broadcast to authorized users as encryption keys are compromised over time.
2. Description of Related Art
In general, broadcast encryption (BE) techniques are employed to encrypt digital content to ensure that only privileged users are able to recover the content from an encrypted broadcast. Keys are allocated in such a way that users may be prevented on a short-term basis from recovering the message from the encrypted content. This short-term exclusion of users occurs, for example, when a proper subset of users request to view a movie. The long-term exclusion (or, revocation) of a user is necessary when a user leaves the system entirely.
In practice, broadcast encryption schemes are typically smartcard-based, wherein key material is held in a “tamper-resistant”, replaceable smartcard. These smartcards, however, may be used to construct pirate smartcards (or pirate decoders) that allow nonpaying customers to recover content. For instance, a coalition of unscrupulous users may conspire to attack a BE system by breaking open their smartcards to extract the keys and build pirate decoders using the extracted decryption keys, allowing non-authorized, nonpaying users to utilize the pirate decoders to recover the content of encrypted broadcasts.
There are various conventional methods that have been employed to guard against the use of such pirate decoders. For instance, a broadcast encryption scheme may be coupled with a traceability (or traitor tracing) scheme to offer some protection against piracy. The traceability scheme is employed to render the practice of building pirate smartcards risky. This is accomplished by allocating keys to users in such a way that, once such a pirate smartcard is confiscated, at least one of the cards that was used to construct it can be identified.
There are disadvantages associated with such conventional schemes. For instance, traitor tracing schemes are typically designed having x-traceability, wherein it is possible to identify at least one of the smartcards used to construct a given pirate card only if x smartcards, at most, are used to construct the pirate card. Therefore, the security achieved in traceability schemes is limited by the necessity to have a bound on the number of users in a coalition. Another disadvantage associated with traceability schemes, as well as other conventional broadcast encryption schemes, is that they do not take into account the effect of the compromised keys when encrypting the content. Indeed, conventional broadcast encryption schemes do not provide a mechanism for providing continued, secured broadcasting to privileged sets of users after compromised keys that are contained on pirate decoders and/or smartcards of revoked users (whose contract has expired) have been identified. Instead, some schemes require that a private communication be made to each of the remaining users (e.g., over a network) when a single user is revoked in order to maintain the ability to revoke (or exclude) a certain amount of users. In a BE scheme employing smartcards, however, the cost of reprogramming or replacing a large number of cards each time a user is revoked or a pirate smartcard is identified is extremely costly.
Accordingly, a broadcast encryption scheme that is not dependent on the size of the coalition constructing a pirate decoder and that retains an ability to broadcast securely in the presence of pirate smartcards, and consequently, compromised keys, is highly desirable.