## Cryptology ePrint Archive: Report 2006/324

Sarang Aravamuthan and Sachin Lodha

Abstract: We consider broadcast encryption schemes wherein a center needs to broadcast a secret message to a privileged set of receivers. We prescribe a probability distribution $P$ on the privileged set. In this setting, the transmission overhead can be viewed as a random variable over $P$ and we define its expected value as the average transmission overhead (or ato).

Given $P$, the Shannon's entropy function $H(.)$ provides a lower bound on the average number of bits required to identify every privileged set. This provides a natural lower bound for the ato in terms of $H(P)$. For session key distribution, we consider the subset cover framework and bound the ato in terms of the size of the cover. We further specialize our bound to accommodate storage constraints at receivers.

We consider two families of distributions for $P$ that occur naturally in broadcast networks.

-- Each receiver independently joins the privileged set with probability $p$. -- The privileged set is selected uniformly from a collection of subsets of receivers.

We evaluate the ato of some practical schemes such as the subset difference method, the LSD scheme and the Partition-and-Power scheme under these distributions. Our investigations lead us to conclude that each scheme is inherently tailored to perform optimally for specific distributions.