TY - JOUR
T1 - A practical revocation scheme for broadcast encryption using smart cards
AU - Kogan, Noam
AU - Shavitt, Yuval
AU - Wool, Avishai
PY - 2003
Y1 - 2003
N2 - We present an anti-pirate revocation scheme for broadcast encryption systems (e.g., pay TV), in which the data is encrypted to ensure payment by users. In the systems we consider, decryption of keys is done on smartcards, and key management is done in-band. Our starting point is a recent scheme of Naor and Pinkas. The basic scheme uses secret sharing to remove up to t parties, is information theoretic secure against coalitions of size t, and is capable of creating a new group key. However, with current smartcard technology, this scheme is only feasible for small svstem parameters, allowing up to about 100 pirates to be revoked before all the smartcards need to be replaced. We first present a novel implementation method of their basic scheme that distributes the work in novel was among the smartcard, set-top terminal, and center. Based on this, we construct several improved schemes for many stateful revocation rounds that scale to realistic system sizes. We allow up to about 10000 pirates to be revoked using current smartcard technology before re-carding is needed. The transmission lengths of our constructions are on par with those of the best tree-based schemes. However, our constructions have much lower smartcard CPU complexity: only O(l) smartcard operations per revocation round, as opposed to a poly-logarithmic complexity of the best tree-based schemes. We evaluate the system behavior via an exhaustive simulation study. Our simulations show that with mild assumptions on the piracy discovery rate, our constructions can perform effective pirate revocation for realistic broadcast encryption scenarios.
AB - We present an anti-pirate revocation scheme for broadcast encryption systems (e.g., pay TV), in which the data is encrypted to ensure payment by users. In the systems we consider, decryption of keys is done on smartcards, and key management is done in-band. Our starting point is a recent scheme of Naor and Pinkas. The basic scheme uses secret sharing to remove up to t parties, is information theoretic secure against coalitions of size t, and is capable of creating a new group key. However, with current smartcard technology, this scheme is only feasible for small svstem parameters, allowing up to about 100 pirates to be revoked before all the smartcards need to be replaced. We first present a novel implementation method of their basic scheme that distributes the work in novel was among the smartcard, set-top terminal, and center. Based on this, we construct several improved schemes for many stateful revocation rounds that scale to realistic system sizes. We allow up to about 10000 pirates to be revoked using current smartcard technology before re-carding is needed. The transmission lengths of our constructions are on par with those of the best tree-based schemes. However, our constructions have much lower smartcard CPU complexity: only O(l) smartcard operations per revocation round, as opposed to a poly-logarithmic complexity of the best tree-based schemes. We evaluate the system behavior via an exhaustive simulation study. Our simulations show that with mild assumptions on the piracy discovery rate, our constructions can perform effective pirate revocation for realistic broadcast encryption scenarios.
UR - http://www.scopus.com/inward/record.url?scp=0037810691&partnerID=8YFLogxK
M3 - ???researchoutput.researchoutputtypes.contributiontojournal.conferencearticle???
AN - SCOPUS:0037810691
SN - 1063-7109
SP - 225
EP - 235
JO - Proceedings of the IEEE Computer Society Symposium on Research in Security and Privacy
JF - Proceedings of the IEEE Computer Society Symposium on Research in Security and Privacy
T2 - 2003 IEEE Symposium on Security And Privacy
Y2 - 11 May 2003 through 14 May 2003
ER -