Annual International Cryptology Conference

CRYPTO 2002: Advances in Cryptology — CRYPTO 2002 pp 47-60

The LSD Broadcast Encryption Scheme

  • Dani Halevy
  • Adi Shamir
Conference paper

DOI: 10.1007/3-540-45708-9_4

Volume 2442 of the book series Lecture Notes in Computer Science (LNCS)
Cite this paper as:
Halevy D., Shamir A. (2002) The LSD Broadcast Encryption Scheme. In: Yung M. (eds) Advances in Cryptology — CRYPTO 2002. CRYPTO 2002. Lecture Notes in Computer Science, vol 2442. Springer, Berlin, Heidelberg


Broadcast Encryption schemes enable a center to broadcast encrypted programs so that only designated subsets of users can decrypt each program. The stateless variant of this problem provides each user with a fixed set of keys which is never updated. The best scheme published so far for this problem is the “subset difference” (SD) technique of Naor, Naor and Lotspiech, in which each one of the n users is initially given O(log^2(n)) symmetric encryption keys. This allows the broadcaster to define at a later stage any subset of up to r users as “revoked”, and to make the program accessible only to their complement by sending O(r) short messages before the encrypted program, and asking each user to perform an O(log(n)) computation. In this paper we describe the “Layered Subset Difference” (LSD) technique, which achieves the same goal with O(log^(1+ε)(n)) keys, O(r) messages, and O(log(n)) computation. This reduces the number of keys given to each user by almost a square root factor without affecting the other parameters. In addition, we show how to use the same LSD keys in order to address any subset defined by a nested combination of inclusion and exclusion conditions with a number of messages which is proportional to the complexity of the description rather than to the size of the subset. The LSD scheme is truly practical, and makes it possible to broadcast an unlimited number of programs to 256,000,000 possible customers by giving each new customer a smart card with one kilobyte of tamper-resistant memory. It is then possible to address any subset defined by t nested inclusion and exclusion conditions by sending less than 4t short messages, and the scheme remains secure even if all the other users form an adversarial coalition.


Copyright information

© Springer-Verlag Berlin Heidelberg 2002

Authors and Affiliations

  • Dani Halevy (1)
  • Adi Shamir (1)
  1. Applied Math. Dept., The Weizmann Institute of Science, Rehovot, Israel