Broadcast Encryption CMLAB, 2008 Outline

• Introduction • Definition • Key management • Secret key distribution • Traitor tracing for broadcast encryption Introduction

• Broadcast encryption ▫ Amos Fiat & Moni Naor, CRYPTO’93 ▫ Securely transmit a message to all members of the privileged subset

Privileged users Broadcast

Center

Non-privileged users Introduction

• How broadcast encryption works? ▫ Key management block  Is sent at the beginning of a broadcast  Is prerecorded on blank media ▫ Each recipient (device) reads the key management block and processes it to yield a management key Introduction • Simplest broadcast scheme Introduction • Applications ▫ Copy protection for PC games Introduction

• Broadcast encryption vs. public key cryptography ▫ Broadcast encryption is fast ▫ All calculations in broadcast encryption are done using simple symmetric encryptions ▫ Public key calculations require exponentiation operations over a finite field Introduction ▫ For classic cryptography, secrets are easier to be found while handshaking ▫ For broadcast encryption, secrets are hidden much more deeply in the software Definition-Preliminaries

• U ▫ The set of receivers (users) • S ▫ S U ▫ The set of revoked receivers (users who we do not want to be able to decrypt the next transmission) • T ▫ U \S ▫ The set of privileged (i.e., non-revoked) users

• F: KxMF→CF ▫ F: encryption algorithm K: key space MF: message space CF: ciphertext space Definition

• Broadcast encryption ▫ A broadcast encryption scheme is a triple of algorithm (SETUP, BROADCAST, DECRYPT) such that:  SETUP takes a user u  U and constructs that

receiver’s private information PuP  BROADCAST takes the list of revoked users S and the session key and outputs a broadcast message M  A user u  U runs the decryption algorithm

DECRYPT(M, Pu,u) to compute the K associated with M, assuming u  T 11

Definition-Resiliency

• Resiliency ▫ A broadcast scheme is called resilient to set S if for every subset T (T∩S=Φ), no eavesdropper that has all secrets associated with members of S, can obtain knowledge of the secret common to T ▫ k-resilient  The scheme is resilient to any set S  U of size k

U T S k Definition-Resiliency

▫ (k,p)-resilient  The scheme is resilient to a 1-p fraction of sets S  U of size k

U T S k 13

Definition-Resiliency

• Example: A basic scheme

▫ For every set B  U, 0|B|k, define a key KB and give KB to every user xU-B ▫ The common key to the privileged set T is the

exclusive or of all keys KB, BU-T ▫ Every coalition S with less than k users will all be

missing key KS and will therefore be unable to compute the common key for any privileged set T (T∩S=Φ) K B1 KB2

S B2 Bj B1 T KBj 14 Key management • Issues ▫ How to assign and store the keys ▫ How to save the key storage for both the server and clients ▫ How to update the keys when users join or leave • A comprehensive survey  A. Wool, 2000  A simple scheme  The extended-header scheme Suppose that a program p belongs to t packages for t users

Broadcast ENCKp(p) to users Header: ID Key

1 Es1(Kp) …. …

t Est(Kp) Key management

▫ Matrix-based schemes  Content protection for recordable media (CPRM)  Content protection for prerecorded media (CPPM) (for the DVD audio)  Media key block  Device keys  Drawbacks:  The size of the matrix  Sensitive to insider attacks

15 Key management

▫ The media key block is prerecorded on blank media at manufacturing time ▫ The key matrix is generated by the CPRM licensing agency and is preembossed in the lead-in area on the disk ▫ The media key block is the encryption of the media key using different device key 16

Ed00(km) Ed01(km) …… >2500 Ed10(km) ….. ….. Ekm(data) 16 Key management

– CPRM key matrix

16 device keys

17 18

Key management • Other possible scenarios 19 Key management

• The state update problem ▫ Content is encrypted using a group key which is known to a group of users in many scenarios ▫ When users leave or join the group, the group key must be changed  Prevent leaving members from decrypting content in the future  Prevent joining members from decrypting previous content (backward secrecy)  O(n) messages ▫ How to reduce the overhead of the key update messages? Key management

▫ When a group member leave, GC must change the group key and inform all group members

 Kg(Kg’) ? Forward secrecy?  S1(Kg’), S2(Kg’), S3(Kg’), … ▫ Tree-based schemes  Wallner, 1997 and Wong, 1997 → Logical key hierarchy (LKH) trees  Manage key changes

20 Key management

– LKH (Logical Key Hierarchy) trees – A central server (key server) for each group holds a key tree – Each device is associated with a leaf of the tree – Each member holds a key path, from leaf up to the root

21 Key management

– Suppose device 13 is revoked – Using sibling keys(gray nodes) to encrypt the new management key and delivering the encrypted management key to sub-trees of these gray nodes

22 23

Key management

• But how to deliver new internal keys? Key management

– NNL trees – IBM, 2001 – The photographic negative of the LKH tree – The device has every key in the tree except the keys between its leaf and the root

24 Secret key distribution

• Secret Sharing Schemes

Xn: a set of users, Γ  2X is a set of subsets called autorized subsets. In a secret sharing scheme, the TA (trusted authority) has one secre t value k G F ( q ), called the key. The TA will distribute secret information to each user in X , in such a way that any authorized subset can compute k from the shares they jointly hold, but no una uthorized subset has any information about k .

The secret information given to user iu will be denoted i and is called the share of user i .

25 Secret key distribution

• Shamir threshold KPS (Key pre-distribution scheme)

Let qn 1 be a prime power 1. The TA chooses n distinct non-zero ran dom numbers

xii G F( q ), and gives x to user i (1  i  n ). These values do not need to be secret. 2. The TA constructs a random polynomial of degree at most t- 1

t-1 f ( x ) a x  ii i  0 having coefficients in G F ( q ).

The key is the constant term a 0 . 3. The TA computes the polynimail

yii f ( x )

and gives yii to user . 26 Secret key distribution

• Shamir threshold KPS

e.g. Suppose we construct a scheme in GF (17 ) and

the public values are xi  i,1  i  5. Suppose that the TA chooses the polynomail f ( x)  13  10 x  2 x 2 , so the key is 13. The shares that are distribute d are

y1  f (1)  8, y 2  f (2)  7 ,y3  f (3)  10 ,

y 4  f (4)  0 ,y 5  f (5)  11 Any 3 of the ordered pairs (1,8), (2,7), (3,10), (4,0), (5,11) can be used to reconstruc t the polynomial f . 27 28

Traitor tracing for broadcast encryption

• Tracing traitors ▫ B. Chor, A. Fiat, M. Naor, & B. Pinkas, CRYPTO’94 & 98 ▫ Confiscate a pirate decoder to determine the identity of a traitor ▫ Randomly assign the decryption keys to users ▫ Make the probability of exposing an innocent user negligible 29 Traitor tracing for broadcast encryption

• A simple scheme ▫ Keys 2k2

… a a 2 a1,1 1,2 1,2 k … a 2 a 2 ,1 a 2,2 2,2 k l … … … …

… a a a 2 l ,1 l ,2 l ,2 k

▫ l hash functions h1, h2, …, hl 2 hi: {1,…,n}{1,…,2k } hi(u) the ith key for user u 30 Traitor tracing for broadcast encryption

▫ Personal key of user u P(u)  {a , a ,..., a } … 1,h1 (u ) 2,h2 (u ) l ,hl (u ) a a a 2 1,1 1, 2 1,2 k Enabling ▫ 2k2l encrypted keys block … a a a 2 2 ,1 2,2 2 ,2 k

… s E a (s1 ), E a (s1 ),..., E a (s1 ) … … … 1 ,1 1 , 2 2 Cipher 1, 2 k block ... … a 2 a l ,1 a l , 2 l ,2 k E (s ), E (s ),..., E (s ) a l ,1 l a l ,1 l a 2 l Decrypt l , 2 k ▫ Decrypt si and compute secret s

s  s1  s2  ...  sl 31

Traitor tracing for broadcast encryption

• Tracing

s {a }{a a }{a a a }...{ a a ,... a 2 } 1 1,1 1,1 1,2 1,1 1,2 1,3 1,1 1,2 1,2 k

s {a }{a a }{a a a }...{ a a ,... a 2 } 2 2 ,1 2 ,1 2 ,2 2 ,1 2 ,2 2 ,3 2,1 2 ,2 2 ,2 k ....

s {a }{a a }{a a a }...{ a a ,... a 2 } l l ,1 l ,1 l ,2 l ,1 l ,2 l ,3 l ,1 l ,2 l ,2 k

{a1,3 , a 2,2 ,..., a l ,2 }  F 1 1 1 Compute h1 (3), h2 (2),..., hl (2) {user 1, user 5}, {user 2, user 3, user 5}, {user5, user 6}, …,{user 2, user 7, user 9}, ….,{…} user 1 x x user 2 x …. user 5 x x x x x … user n x x Traitor tracing for broadcast encryption-Examples

• Efficient Methods for Integrating Traceability and Broadcast Encryption, E. Gafni, J. Staddon, and Y. L. Yin, CRYPTO’99, LNCS 1666, pp. 372-387, 1999 33

Traitor tracing for broadcast encryption-Examples

• Jessica Staddon ▫ Combinatorial properties of frameproof and traceability codes. J. Staddon, D. R. Stinson and R. Wei. IEEE Transactions on Information Theory (2001), 1042-1049. ▫ Efficient traitor tracing algorithms using list decoding. A. Silverberg, J. Staddon and J. Walker. Asiacrypt 2001. 34

Traitor tracing for broadcast encryption-Examples

• Paper introduction • Preliminaries • Related works • Optimal broadcast encryption schemes with OR protocols • Integrating traceability and broadcast encryption Traitor tracing for broadcast encryption-Examples

• Let C b any coalition of at most c users who produce a pirate decoder F. A scheme is called a c-traceability scheme if for any user u, such that for all users w≠u the following inequality holds: |U∩F|≧|W ∩ F| then the probability that u is not a member of the coalition C is negligible. • A scheme is fully scalable or has full scalability if when new users are added, no rekeying of existing users is necessary. 36

Traitor tracing for broadcast encryption-Examples

• Broadcast encryption ▫ Keys are allocated to users in such a way that broadcasts can be made to selected sets with security ▫ Broadcasting capability (m-resiliency) • Traceability ▫ If at most c users pool their keys together to construct a “pirate decoder”, then at least one of the users involved can be identified by examining the keys in the decoder. (c-traceability) 37

Traitor tracing for broadcast encryption-Examples

• The goal is to have both high broadcasting capability and high traceability • The contribution of this paper: to study general methods for integrating traceability and broadcasting capability ▫ Adding any desired level of traceability to an arbitrary broadcast encryption scheme ▫ Adding any desired level of broadcasting capability to an arbitrary traceability scheme 38

Traitor tracing for broadcast encryption-Examples

• Idea ▫ Adds a dimension of randomness to broadcast encryption to achieve high traceability ▫ Adds a dimension of structure to traceability scheme to achieve high broadcast capability • The important feature of the methods ▫ Preservation of the properties of the underling broadcast encryption schemes ▫ One can construct broadcast encryption schemes with  High resiliency  High traceability  Full scalability • Storage requirements ▫ The number of keys per user↓ ▫ The total number of keys ↓ 39

Traitor tracing for broadcast encryption-Examples

• Related works ▫ One–time broadcast encryption scheme (1991) ▫ Resiliency (1994) ▫ OR protocols (1996) ▫ Entropy of a broadcast (1996) ▫ Trade-off: communication and storage (1996~) ▫ Combinatorial schemes (1996~) ▫ Information theoretic ratio (1996~) ▫ Rekeying (1997)  Tradeoff: storage and the rekeying communication cost ▫ A hierarchical tree-based scheme (1997) 40

Traitor tracing for broadcast encryption-Examples

• Related works ▫ First introducing (1994)  Tracing traitors  B. Chor, A. Fiat, M. Naor, & B. Pinkas, CRYPTO’94

▫ Threshold traceability (1998)  Threshold traitor tracing  M. Naor & B. Pinkas, CRYPTO’98 41

Traitor tracing for broadcast encryption-Examples

• Preliminaries ▫ {u1,…,un} is the set of all users ▫ {k1,…,kK} is the set of all keys ▫ SP is the set of keys used to broadcast to privileged set P ▫ BP is the message (e.g., a broadcast key) that is broadcast to P in encrypted form ▫ n is the total number of users ▫ K is the total number of keys ▫ r is the number of keys per user ▫ m is the number of users who are excluded ▫ t is the number of transmissions. ▫ c is the traceability of the scheme ▫ OR Protocol for Broadcasting to P: Any one of the keys in SP suffices to recover BP from the broadcast ▫ AND Protocol for Broadcasting to P: All of the keys in SP are necessary to recover BP from the broadcast 42

Traitor tracing for broadcast encryption-Examples

▫ Only two previous works study the integration of broadcast encryption and traceability  J. Staddon, “A Combinatorial study of Communication, Storage and Traceability in Broadcast Encryption Systems”, Ph. D. thesis, University of California at Berkeley, 1997.  D. Stinson and R. Wei, “Key Preassigned Traceability Schemes for Broadcast Encryption”, Proc. SAC’98, LNCS, 1556(1999), pp.144-156. 43

Traitor tracing for broadcast encryption-Examples

• Two new constructions ▫ The Cube Scheme (geometric construction) ▫ The Polynomial Scheme (algebraic construction)

• Both schemes are fully scalable and m-resilient • Both schemes are close to optimal in terms of the total number of keys 44

Traitor tracing for broadcast encryption-Examples • Optimal Broadcast Encryption Schemes with OR Protocols- The Cube Scheme ▫ For a fixed number of keys per user, r, the construction is based on an r-dimensional cube  Points (entries): users  Subspaces of dim r-1 (slices): keys

Key

User Traitor tracing for broadcast encryption-Examples

▫ e.g. r=2, consider n1/2×n1/2 square, each of the n users is an entry in this square indexed by (i1, i2) where 1/2 i1,i2{1,2,…,n }. For 1≤i ≤ n1/2

 Ci: the the set of users in column i  Ri: the set of users in row i For each i, we create two unique keys and allocate one of the keys only to the users in Ci and allocate the other only to the user in Ri.  each user has exactly 2 keys.

To exclude a given user ui, the center broadcasts according to an OR protocol with all keys except the 2 keys stored by user u. Since each two users share at most 1 key, every user except u can receive the broadcast. i2

i1 46

Traitor tracing for broadcast encryption-Examples

▫ r-dimension cube

 The entries are indexed by r-tuples, (i1,…,ir), 1/r ij{1,2,…,n }.  The slices are the subspaces of dimension r-1, Sj,w={(i1,…,ir): ij=w}  a slice consists of all the r-tuples which are identical in the jth entry (e.g. in the 2D case, a unique key is created for each slice, therefore, each user has exactly r keys)  To excluded a given user u, the center broadcasts according to an OR protocol with all the keys except the r keys that u has. Since each pair of users share at most r-1 keys, every user except u can recover BP from the broadcast. → This scheme can exclude one user 47

Traitor tracing for broadcast encryption-Examples

▫ A simple extension to exclude m users  By making copies of the cube scheme  Assign independent keys to m different r-dim cube scheme  each user has rm keys

 We can exclude m users {u1,…um} by excluding the r keys that user i has in the ith cube scheme  The broadcast protocol is then an AND on the union of the sets of keys in each cube scheme  K=mrn1/r, the number of keys per user is mr, t=K-mr  The resulting scheme is still 1-resilient 48

Traitor tracing for broadcast encryption-Examples

• Optimal Broadcast Encryption Schemes with OR Protocols- The Polynomial Scheme ▫ The scheme uses a set system construction based on polynomials over a finite field  r: the number of keys per user m: the number of excluded users  Polynomials: users Points: keys  p: a prime larger than r A: a subset of the finite field Fp of size r Consider the set of all polynomials over Fp of degree at most (r-1)/m  there are p(r-1)/m+1 such polynomials  Associate each of the n users with a different polynomial  p(r-1)/m+1 n  pnm/(r-1+m) 49

Traitor tracing for broadcast encryption-Examples

 A unique key k(x,y) is created for each pair (x,y), where xA and y Fp  If a polynomial f is given to a user u, u is allocated all the keys in the set {k(x,f(x))|x A}  Any two of the polynomials intersect in at most (r-1)/m points  any two users share at most (r-1)/m keys  if all the keys belonging to the m excluded users are removed, then each privileged user will still have at least 1 key  the center can broadcast with an OR protocol to any set of n-m users  K=rprnm/(r-1+m), the number of keys per user is r, t≤K-r  m-resiliency 50

Traitor tracing for broadcast encryption-Examples

 Fully scalable

 Increasing the size of the field Fp, allows significantly more users to be added with no rekeying of the old users (e.g. if K is doubled, then 2(r-1)/m+1 more users can be added to the scheme) 51

Traitor tracing for broadcast encryption-Examples

• Optimal Broadcast Encryption Schemes with OR Protocols-Lower Bound on the Total Number of Keys ▫ The total number of keys is close to optimal in both the cube scheme and the polynomial scheme ▫ A collection of n sets can be used as a broadcast encryption scheme with OR protocols that can exclude any set of m users m 1  U i ,..., U i distinct ,U i   j2 U i 1 m 1 1 j 52

Traitor tracing for broadcast encryption-Examples

• () assume we have such a broadcast encryption

scheme and  a set of m+1 users, u1,…,um+1, U   m 1U s.t. 1 j2 j

 if OR protocols are used, at least one of u2,…um+1 will be able to recover the message from a broadcast to u1. →←

() if for every set of m users u1,…,um and for every m user, u, outside of this set, UU  jj  1 S  S   n U to broadcast to P={um+1,…,un}, let P i m  1 i .This SP can be used to broadcast to P with OR protocols. 53

Traitor tracing for broadcast encryption-Examples

• Let U={k1,k2,…,kK} be a set of K elements. Let U1,…,Un be a collection of n subsets of U such that j, m 1 |U |=r, and U i ,..., U i distinct ,U i   j2 U i j 1 m 1 1 j  K  , then      r / m  n   r  1       r / m  1

• Combining last Lemma and this Theorem, we can establish a relationship between K and r. 54

Traitor tracing for broadcast encryption-Examples

• In a broadcast encryption scheme with OR protocols, the total number of keys, K, is (( n / m) m / r r) , where rm is the number of keys per user and m is the number of users that can be excluded in the scheme. 55

Traitor tracing for broadcast encryption-Examples

• From , it follows that any broadcast encryption scheme with OR protocol must satisfy the condition of .  the lower bound of K can be easily derived from the inequality given in . 56

Traitor tracing for broadcast encryption-Examples

•

A summary of the proposed Broadcast Encryption Schemes 57

Traitor tracing for broadcast encryption-Examples

• This paper presents two methods for integrating traceability with broadcasting capability. Both of them are efficient and conceptually quite simple. ▫ Adding traceability to broadcast encryption schemes ▫ Adding broadcasting capability to traceability schemes 58

Traitor tracing for broadcast encryption-Examples

• Adding traceability to broadcast encryption schemes ▫ Any broadcast encryption scheme that can exclude m (m1) users has at least 1- traceability. In addition, a broadcast encryption scheme that can exclude m users may have no more than 1-traceability. →The traceability of an arbitrary broadcast encryption scheme can be quite limited. → The central idea in the proposed method is to incorporate some randomness into the way in which the keys are assigned to users in a broadcast encryption scheme. 59

Traitor tracing for broadcast encryption-Examples

• The first statement follows from the definition. To prove the second statement, it suffices to produce a broadcast encryption scheme with 1- traceability. In [13], a scheme using AND protocols is described and it’s proven that the scheme has 1-traceability for sufficiently large n. 60

Traitor tracing for broadcast encryption-Examples

▫ Let B be a broadcast encryption scheme with parameters (n,m,K,r,t). If r>4c2logn,   a broadcast encryption scheme, B’, which has c-traceability and parameters (n,m,K’,r’,t’), where K’=2c2K, r’=r, and t’=2c2t. 61

Traitor tracing for broadcast encryption-Examples

• All the assertions about B’ except its c-traceability follow from the construction of Method 1. The argument for traceability is very similar to the argument for the “open on-level scheme in “Traitor Tracing”, A. Fiat and M. Naor. In particular, if we set h=2c2 and a pirate decoder contains at least s>4c2logn keys, then the probability that a user who has at least s/c keys in common with the decoder in innocent, is negligible. By definition, B’ has c-traceability. 62 Traitor tracing for broadcast encryption-Examples • Adding traceability to broadcast encryption schemes 63

Traitor tracing for broadcast encryption-Examples

• Adding Broadcasting Capability to Traceability Schemes ▫ In a c-traceability scheme with users u1,…,un, the following must be true: U ,..., U distinct ,U   c1 U i1 ic 1 i1 j2 i j ▫ A c-traceability scheme can be used as a broadcast encryption scheme with OR protocols that can exclude any set of m users for any m≤c. 64

Traitor tracing for broadcast encryption-Examples

•

If for some m≤c,  distinct sets U1,…,Um+1 s.t. U   m 1U 1 j2 j then clearly those sets cannot be part of a c-traceability scheme. The result follows from . 65

Traitor tracing for broadcast encryption-Examples • Adding Broadcasting Capability to Traceability Schemes 66

Traitor tracing for broadcast encryption-Examples

• Let T be a traceability scheme with parameters (n,c,K,r,t) and broadcasting capability c.   a traceability T ’ which has broadcasting capability m and parameters (n,c,K’,r’,t’), where K’=mK/c, r’=mr/c, and t’=mt/c. 67

Traitor tracing for broadcast encryption-Examples

• We first show the broadcasting capability of T ’. Since for any excluded user u,  a j s.t. uPj, u is unable to j obtain B P , and hence, u is unable to obtain the message BP. To see that T ’ has c-traceability we note that a decoder contains sr keys, where s=m/c. Since there are s copies of T, one of the copies must contain at least r keys. Hence, the c-traceability of T ’ follows from the c-traceability of T. All the other assertions about T ’ follow from . 68

Traitor tracing for broadcast encryption

• Tracing algorithm ▫ Static tracing ▫ Dynamic tracing ▫ Sequential tracing 69

Traitor tracing for broadcast encryption

• Static tracing ▫ Confiscate a pirate decoder to determine the identity of a traitor ▫ Ineffective if the pirate were simply to rebroadcast the original content ▫ Use watermarking methods to allow the broadcaster to generate different versions of the original content ▫ Use the watermarks found in the pirate copy to trace its supporting traitors ▫ Drawback: requires one copy of content for each user and so requires very high bandwidth 70

Traitor tracing for broadcast encryption

• Dynamic tracing (Fiat & Tassa, 2001) ▫ The content is divided into consecutive segments ▫ Embed one of the q marks in each segment ( q versions of the segment )  Need the watermarking scheme ▫ In each interval, the user group is divided into q subsets and each subset receives on version of the segment ▫ The subsets are varied in each interval using the rebroadcasted content ▫ Trace all colluders with lower bandwidth ▫ Drawback:  Vulnerable to a delayed rebroadcast attack  High real-time computation for regrouping the users and allocating marks to subsets  Impractical in many scenarios 71

Traitor tracing for broadcast encryption

• Sequential tracing ( Reihaneh, 2003) ▫ The channel feedback is only used for tracing and not for allocation of marks to users ▫ The mark allocation table is predefined and there is no need for real-time computation to determine the mark allocation of the next interval  The need for real-time computation will be minimized  Protects against the delayed reboradcast attack ▫ The traitors are identified sequentially 72 Dynamic tracing

• q versions for every segment 73 Broadcast encryption

• Amos Fiat • http://www.math.tau.ac.il/~fiat/ • Born Dec. 1, 1956, Haifa, Israel. • Children: Itai (b. 1985), Yonatan (b. 1989), Nimrod (b. 1992) and Dina (b. 1995). • Married to Michal • 1976-1982: IDF Service. • 1987: Ph.D. Weizmann Institute, 1986, Advisor: Adi Shamir. Thesis: Fibonnacci Lattices: Theory and Practice. • Co-inventor (with Adi Shamir) of the Fiat-Shamir Signature and Identification schemes. 74 Broadcast encryption-key management

• Avishai • http://www.eng.tau.ac.il/~yash/ • I'm an Associate Professor in the School of Electrical Wool Engineering, Tel Aviv University. Before joining the university I was one of the founders of Lumeta Corporation, a startup company which spun out of Bell Labs. Prior to that I spent 3 years as a member of the Secure Systems Research Department at Bell Labs Research. I got my Ph.D. in 1997 from the Department of Applied Mathematics and Computer Science, at the Weizmann Institute of Science in Israel. • "Now, here, you see, it takes all the running you can do, to keep in the same place. If you want to get somewhere else, you must run at least twice as fast as that" [said the red queen] ..... Lewis Carroll, Through the looking glass, chapter 2. "I understand about indecision, But I don't care if I get behind; People livin' in competition, All I want is to have my peace of mind." ..... Boston, Peace of Mind, 1976 Reviews Citation Database. 75 Traitor tracing for broadcast encryption

• http://www.tau.ac.il/~bchor/ • Benny Chor • Academic experiences ▫ 1985-1987 : Postdoc at MIT and Harvard. ▫ 1987-2001 : Faculty member, Computer Science, Technion. ▫ 1999-2000 : Sabbatical visitor, Inst. of Fundemental Sciences, Massey Univ., New Zealand. ▫ 2001- present : Faculty member, Computer Science, Tel-Aviv University. • My current Erdos number is 3 (by various paths). For some time, the lower bound is 2. I hope to close the gap in the near future. In such case, the next goal will be to get my Ruppin Number as close to 1 as possible. Traitor tracing for broadcast encryption

• Jessica Staddon ▫ http://www2.parc.com/csl/members/jstaddon/ 77 Traitor tracing for broadcast encryption

• Doug Stinson • http://www.cacr.math.uwaterloo.ca/~dstins on/ • I am a Professor and University Research Chair in the David R. Cheriton School of Computer Science at the University of Waterloo. I am also the Director of Graduate Studies for the School of Computer Science. • My Erdos number is equal to 1. Click here for more information. My H-index computed using Google Scholar is 35; when computed using ISI Science Citations, it is 21; when computed using Scopus, it is 16. I have 935 citations in the Mathematical Reviews Citation Database.