A Signature-Like Primitive for Broadcast-Encryption-Based Systems

The area of cryptography called broad- cast encryption has been used very successfully in content protection systems, especially protecting physical media. Today, however, a basic symmetric- key broadcast encryption system would depend on message authentication codes, not digital signatures, to "sign" data items. Message authentication codes are very efficient, but have other significant limi- tations. As commercial content protection systems based on broadcast encryption have continued to be introduced, each with more complexity than the previous one, the limitations have become apparent. The systems' designers have had to consider adding a public-key infrastructure on top of their broadcast encryption mechanism, with redundent credentials and revocation, just to add a digital signature feature. This paper presents a new broadcast-encryption- based attestation scheme that mimicks a digital sig- nature scheme, without the computational overhead inherent in public-key calculations. Although the scheme has limitations compared to public-key sig- natures, they do not reduce its effectiveness, because they are the same limitations that are present in any broadcast encryption system.