**Tree Based Symmetric Key Broadcast Encryption**

*Sanjay Bhattacherjee and Palash Sarkar*

**Abstract: **The most influential broadcast encryption (BE) scheme till date was introduced in 2001 by Naor, Naor and Lotspiech (NNL) and is based on binary trees. This paper generalizes the ideas of NNL to obtain BE schemes based on $k$-ary trees for any $k\geq 2$. The treatment is uniform across all $k$ and essentially provides a single scheme which is parameterized by the arity of the underlying tree. We perform an extensive analysis of the header length and user storage of the scheme. It is shown that for a $k$-ary tree with $n$ users out of which $r$ are revoked, the maximum header length is $\min(2r-1,n-r,\lceil n/k\rceil)$. An expression for the expected header length is obtained and it is shown that the expression can be evaluated in $O(r\log n)$ time. Experimental results indicate that for values of $r$ one would expect in applications such as pay TV systems, the average header length decreases as $k$ increases. The number of keys to be stored by any user is shown to be at most $(\chi_k-2)\ell_0(\ell_0+1)/2$, where $\ell_0=\lceil\log_k n\rceil$ and $\chi_k$ is the number of cyclotomic cosets modulo $2^k-1$. In particular, when the number of users is more than $1024$, we prove that the user storage required for $k=3$ is less than that of $k=2$. For higher values of $k$, the user storage is greater than that for binary trees. The option of choosing the value of $k$ provides a designer of a BE system with a wider range of trade-offs between average header length and user storage.

**Category / Keywords: **secret-key cryptography / Broadcast encryption; subset difference; trees; general arity; probabilistic analysis; header length; transmission overhead; cyclotomic cosets

**Date: **received 25 Nov 2013

**Contact author: **sanjay bhattacherjee at gmail com

**Available format(s): **PDF | BibTeX Citation

**Version: **20131130:041201 (All versions of this report)

**Discussion forum: **Show discussion | Start new discussion

[ Cryptology ePrint archive ]