# Distribution of the number of encryptions in revocation schemes for stateless receivers.

We study the number of encryptions necessary to revoke a set of users in the complete subtree scheme (CST) and the subset-difference scheme (SD). These are well-known tree based broadcast encryption schemes. Park and Blake in: Journal of Discrete Algorithms, vol. 4, 2006, pp. 215-238, give the mean number of encryptions for these schemes. We continue their analysis and show that the limiting distribution of the number of encryptions for these schemes is normal. This implies that the mean numbers of Park and Blake are good estimates for the number of necessary encryptions used by these schemes.Keywords: Key distribution schemes, subset-difference scheme (SD), complete subtree scheme (CST), broadcast encryption, Hwang's quasi-power theorem, Heuberger's two dimensions quasi-power theorem.

1 Introduction

We consider the problem of a center broadcasting an encrypted message to a group of users such that some subset is revoked, and hence should not be able to obtain the content of the broadcasted message even if they collaborate. Various encryption schemes have been proposed to solve this practical problem which arises in pay-TV, satellite communications, real-time information update and media content protection. In one class of proposed schemes, the center distributes a unique combination of keys to each user, and users decrypt the message individually. If keys cannot be updated once distributed, the receivers are called stateless. The keys are distributed so that no revoked (or excluded) user has a decryption key and every privileged (non-revoked) user has at least one decryption key. If the subset of privileged users is arbitrary and dynamically changing, one is faced with the problem of minimizing the number of encryptions necessary to ensure system security.

To achieve the above goals, several key distribution schemes use a balanced binary tree data structure implementation. Two examples that we consider are the subset-difference scheme (SD), introduced by Naor, Naor and Lotspiech (6), and the complete subtree scheme (CST), introduced independently by Wallner, Harder, Agee (8) and Wong, Gouda and Lam (9).

In the CST scheme each user is represented as a unique leaf node in a balanced binary tree. Every node, including the leaves, is assigned a unique decryption key, and each user holds the keys which are on the path from its leaf node to its root node. A user can decrypt a transmission if he or she holds at least one key with which the transmission was encrypted. When a user is revoked, all keys in the path from its leaf to the root become unavailable. As users dynamically change, the number and actual decryption keys available also change. Given a set of users, we are interested in the minimum number of encryption keys that the center needs to broadcast in order to guarantee that every privileged user in the system is able to decrypt the transmission (and every revoked user is not able to decrypt it). This scheme was introduced in (8; 9) and can be adapted to the stateless case (that is, when keys are assigned by the broadcasting center and they cannot be updated during the operation of the system). A more detailed explanation of the CST scheme, and how the algorithm handles the revocation of users while still guaranteeing that every privileged user has at least one decryption key, can be found in Section 3.1 of (6) and in Section 2.1 of (7).

A modification of the complete subtree scheme is the subset-difference scheme (SD). In this scheme, the users are again considered as leaves of a complete binary tree, but the key assignment scheme is altered. First, for any vertex i of the binary tree, and any descendant j of the subtree rooted at i, we define the set [S.sub.i,j] to be the set of leaves (i.e. users) of the complete binary tree that are descendants of i but not descendants of j. Then, [S.sub.i,j] is naturally called a subset difference, and to each subset difference set, the broadcaster assigns a key [K.sub.i,j]. Hence, any leaf u will be assigned the collection of keys {[K.sub.i,j]} where i, j runs through all pairs of vertices in the tree such that i is an ancestor of u but j is not an ancestor of u.

The broadcaster associates an m bit label for each vertex i in the complete binary tree. The broadcaster then recursively assigns keys [K.sub.i,j] for every descendant j of i as follows: first, a psuedo random generator takes as input the m bit label x given to i and outputs a 3m bit label [x.sub.new]. The first m bits of [x.sub.new] is then a temporary m bit label of the left child of j, the last m bits of [x.sub.new] is a temporary m bit label of the right child of j, and [K.sub.i,j] is the middle m bits of [x.sub.new]. This process is then continued inductively with the temporary labels of the children of j.

The appealing property of the subset difference scheme is that given a specific key [K.sub.i,j] for the subset difference [S.sub.i,j], one can easily determine the key for the subset difference [S.sub.i,j], if j' is a descendant of j, and vice-versa. Revoking users is also relatively easy. Given a set of revoked users R, the strategy to revoke users is to simply send out keys only to subset differences [S.sub.i,j] where [S.sub.i,j] [intersection] R = 0. An efficient implementation of this is given in Naor, Naor and Lotspiech (6).

A practical application of the work of Naor, Naor and Lotspiech (6) is found in the Blu-ray technology. This technology, which is the successor of the DVD technology, relies on the Advanced Access Content System (AACS) for its security features (1). AACS was developed by several leading technology and media companies and includes the use of Naor, Naor and Lotspiech's SD scheme for the encryption of the media content (see (2), Section 3.2.1). In the case of the subset-difference scheme by AACS each device capable of decoding the Blu-ray device is treated as a user in the system, so it is possible to block compromised playback devices from viewing future releases by revoking the corresponding user in the SD scheme.

Yet another revocation scheme is the layered subset-difference scheme (LSD), which is a modification of the subset-difference scheme. Instead of assigning keys to all subset differences [S.sub.i,j], the LSD scheme restricts to subset differences [S.sub.i,j] j where i, j are relatively close to each other. In particular, the vertices of the complete binary tree which users are leaves of are partitioned into classes by their distance from the root (i.e. their level). There are [square root of [log.sub.2] n] partition classes each with [square root of [log.sub.2] n] levels, and levels k x [square root of [log.sub.2] n] where k = 0, 1, ..., [square root of [log.sub.2] n] are called special levels. Subset differences [S.sub.i,j] are used in the LSD scheme if and only if both i and j lie in the same partition class or i is at a special level. As shown by Halevy and Shamir (3) (Lemma 2), every subset difference [S.sub.i,j] in the SD scheme is the disjoint union of at most two valid subset differences in the LSD scheme. The revocation process for this scheme is the same as that of the SD scheme. Though revocation may seem more difficult for a broadcaster using the LSD scheme (because the number of sets needed to cover a set of revoked users doubles at worst), an advantage to using it is a significant reduction in the number of keys any user needs to hold (see Halevy and Shamir (3), Lemma 3).

In (7), Park and Blake give generating functions that entail the exact mean number of encryptions for the key distribution schemes CST and SD. They also considered the LSD scheme. We shall need the results of Park and Blake, and indeed, our analysis can be regarded as a continuation of their work. We show that the number of encryptions in all these schemes is asymptotically normally distributed. Our results imply that the average number of encryptions provided by Park and Blake are indeed very good estimates for the number of encryptions in these methods.

The structure of this paper is as follows. In Section 2, we review the results of Park and Blake (7). Our proofs require a two dimensional extension of Hwang's (5) quasi-power theorem due to Heuberger (4). We recall this result in Section 3. In Section 4, we give the main results of this paper: the limiting distributions of the number of encryptions for the CST and the SD schemes are normal. The number of encryptions for the LSD scheme is also normal but we do not include the proof here. We also give joint distributions for the number of encryptions and number of privileged users for the above schemes. Conclusions are given in Section 5.

2 Mean Number of Encryptions

We now start from the analysis and notation of Park and Blake (7). They suppose that there are N = [2.sup.n] users in the system. It seems possible to generalize their generating functions to the case where n = [[log.sub.2] N], but for simplicity we only consider the case N = [2.sup.n] users.

We observe that when we have j [less than or equal to] [2.sup.n] users to be served (privileged users), they could require any number of encryptions i [less than or equal to] j. We denote by (i, j)-privileged users a set of j privileged users that require i encryptions. In the complete binary tree representation, a given set of privileged users can be partitioned into users in the left subtree and users in the right subtree. The number of (i, j)-privileged users in a system of [2.sup.n] users can be expressed as the number of (i', j')-privileged users in the left subtree in a system of [2.sup.n-1] users, and (i - i', j - j')-privileged users in the right subtree in a system of [2.sup.n-1] users. Let [a.sup.(n).sub.ij] denote the number of subsets of j privileged users which require exactly i encryptions. We have the generating function for the numbers [a.sup.(n).sub.ij]

[[2.sup.n].summation over (j=0)] [j.summation over (i=0)] [a.sup.(n).sub.ij][x.sup.i][y.sup.j].

If there are j' users in the left subtree and j - j' users in the right subtree we have

[a.sup.(n).sub.ij] = [j.summation over (j'=0)] [i.summation over (i'=0)] [a.sup.(n-1).sub.i'j'][a.sup.(n-1).sub.i-i' j-j'].

Using this recurrence, Park and Blake (7) give a recurrence for the generating function of the numbers [a.sup.(n).sub.ij] in the CST scheme.

Theorem 2.1 (Park-Blake) The generating function for the CST scheme is

[MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII]

In this generating function, y represents privileged users while x marks the number of encryptions. For the initial condition n = 0, the number of users is N = 1. It is clear that the set of no users require no encryptions, and one user requires one encryption, hence the expression 1 + xy.

For n [greater than or equal to] 1, using the above partition of (i, j)-privileged users in a system of [2.sup.n] users in terms of the number of (i', j')-privileged users in the left subtreein a system of [2.sup.n-1] users, and (i-i', j-j')-privileged users in the right subtree in a system of [2.sup.n-1] users, we obtain the term [T.sup.2.sub.n-1](x, y). An adjusting term has to be added when the number of privileged users is j = [2.sup.n] (all users are in the system) since in that case only one encryption is required, more precisely, the root key. Thus, the correct expression is [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII] and we must add the correcting term [MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII].

The generating function for the SD scheme can be obtained in a similar but more complicated derivation (see Section 3.2 in (7)).

Theorem 2.2 (Park-Blake) The generating function for the SD scheme is

[S.sub.0](x, y) = 1 + xy,

[S.sub.n](x, y) = [S.sup.2.sub.n-1](x, y) + [D.sub.n-1](x, y) for n [greater than or equal to] 1,

where

[MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII]

and, for n [greater than or equal to] 4, we have that [D.sub.n-1](x, y) equals

[MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII]

Park and Blake use the above generating functions to give exact expressions for the mean number of encryptions over all privileged sets for the considered schemes. Since we have N users there are [2.sup.N] possible privileged sets of users. They assume that each of these [2.sup.N] possible privileged sets have the same probability. Then, the mean number of encryption is defined by

m(n) = [[summation].sub.j][[summation].sub.i][ia.sup.(n).sub.ij]/[2.sup.N] = 1/[2.sup.N] [partial derivative][G.sub.n](x, y)/[partial derivative]x (1, 1), (1)

where [G.sub.n] (x, y) can be either [T.sub.n] (x, y) or [S.sub.n] (x, y), as defined in Theorems 2.1 and 2.2, respectively. They prove the following exact mean number estimates.

Theorem 2.3 (Park-Blake) The mean number of encryptions over all privileged sets for the CST scheme is given by

[MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII]

With [m.sub.CST](0) = 0.5.

Theorem 2.4 (Park-Blake) The mean number of encryptions over all privileged sets for the SD scheme is given by

[MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII]

with [m.sub.SD](0) = 0.5, [m.sub.SD](1) = 0.75, [m.sub.SD](2) = 1.1875 and [m.sub.SD](3) = 2.324.

We take the Park-Blake analysis a bit further by providing limiting distributions for the number of encryptions for these schemes. They also considered the LSD scheme providing a complicated generating function and its mean number of encryptions; see (7), Theorems 4 and 7. Our results also apply to this scheme, though the proof is not presented here.

Park and Blake derive asymptotic estimates for the means which they find to be accurate numerical estimates in comparison with the approximations given in (3; 6). Our results prove that their mean estimates are accurate estimates for the actual number of encryptions required in these schemes. Our results also provide precise variance and other moments for the number of encryptions.

3 Background

In this section we present a two dimensional version of a result of Hwang (5) due to Heuberger (4). Hwang's results, the so-called quasi-power theorem, give a central limit theorem and convergence rate for a sequence of random variables with moment generating function obeying a quasi-power form (that is, the moment generating function is asymptotically exponential). This theorem is useful in combinatorics since many combinatorial structures have asymptotic moment generating functions of this form.

Since in our problem we have two sequences of random variables (the number of encryptions and privileged users in a random privileged set), we require a bivariate version of Hwang's quasi-power theorem to deal with the joint distribution. We use the extension to two dimensions of Hwang's results due to Heuberger (4).

We use the following notation: [parallel](s, t)[parallel] = max {[absolute value of s], [absolute value of t]}; for a given function u(s, t), we define

[[mu].sub.1] = [partial derivative]u/[partial derivative]s [|.sub.(0,0], [[mu].sub.2] = [partial derivative]u/[partial derivative]t [|.sub.(0,0)],

and

[[sigma].sup.2.sub.1] = [[partial derivative].sup.2]u(s,t)/[partial derivative][s.sup.2] [|.sub.(0,0)], [[sigma].sup.2.sub.2] = [[partial derivative].sup.2]u(s,t)/[partial derivative][t.sup.2] [|.sub.(0,0)], [[sigma].sub.12] = [[partial derivative].sup.2]u(s,t)/[partial derivative]s[partial derivative]t [|.sub.(0,0);

finally, we denote by [summation] the matrix

[MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII]

We now state Heuberger (4) result that will be used to prove our theorems.

Theorem 3.1 (Heuberger) Let [{[X.sub.n], [Y.sub.n]}.sub.n [greater than or equal to] 1] be a sequence of two dimensional integral random vectors. Suppose that the moment generating function satisfies the asymptotic expression

[MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII]

where the 0-term is uniform for [parallel](s, t)[parallel] [less than or equal to] [tau], (s, t) [member of] [C.sup.2], [tau] > 0, and

(1) u(s, t) and v(s, t) are analytic for [parallel](s, t)[parallel] [less than or equal to] [tau] and independent of n; the matrix [summation] is nonsingular; and

(2) [lim.sub.n[right arrow][infinity]][phi](n) = [infinity], and [lim.sub.n[right arrow][infinity]] [[alpha].sub.n] = [infinity].

Then, the distribution of ([X.sub.n], [Y.sub.n]) is asymptotically normal, i.e.,

P ([X.sub.n] - [[mu].sub.1][phi](n)/[square root of [phi](n)] [less than or equal to] x, [Y.sub.n] - [[mu].sub.2][phi](n)/[square root of [phi](n)] [less than or equal to] y) = [[PHI].sub.[summation]](x, y) + 0 (1/[square root of [phi](n)] + 1/[[alpha].sub.n]),

where [[PHI].sub.[summation]] denotes the two dimensional normal distribution with mean (0, 0) and covariance matrix [summation]

[MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII]

4 Limiting distributions

Let [X.sub.n] and [Y.sub.n], respectively, be random variables representing the number of encryptions and privileged users in a random privileged set. In this section we show that [{[X.sub.n], [Y.sub.n]}.sub.n[greater than or equal to]1] is asymptotically normal. We then, as a corollary, obtain that the marginal distributions of the number of encryptions and number of privileged users are also normally distributed.

More precisely we prove the following result.

Theorem 4.1 With the above notation and for the CST and SD schemes, we have

P ([X.sub.n] - [2.sup.n][[mu].sub.1]/[2.sup.n/2] [less than or equal to] x, [Y.sub.n] - [2.sup.n][[mu].sub.2]/ [2.sup.n/2] [less than or equal to] y) = [[PHI].sub.[summation]](x, y) (1 + O ([2.sup.-n/2])),

where [[mu].sub.1], [[mu].sub.2] and the covariance matrix [summation] are independent of n and can be computed efficiently.

We now prove in detail Theorem 4.1 for the CST scheme.

Lemma 4.2 For all n [greater than or equal to] 0, [absolute value of x - 1] [less than or equal to] 1/10, and [absolute value of y - 1] [less than or equal to] 1/10, we have

[MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII]

PROOF. We use Theorem 2.1 and induction on n. It is clear that

[absolute value of [T.sub.0](x, y)] = [absolute value of 1 + xy] = [absolute value of 2 + (x - 1)(y - 1) + (x - 1) + (y - 1)] [greater than or equal to] 2 - 1/100 - 1/5 > [(4/3).sup.2].

For the induction step, we have

[MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII]

Lemma 4.3 For all n [greater than or equal to] 0, [absolute value of x - 1] [less than or equal to] 1/10, [absolute value of y - 1] [less than or equal to] 1/10, x = [e.sup.s] and y = [e.sup.t], we have,

[MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII], (2)

where

[MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII] (3)

is an analytic function in a neighbor of (s, t) = (0, 0).

PROOF. In the following we assume x = [e.sup.s], y = [e.sup.t], and s and t are in a neighborhood of 0 such that [absolute value of x - 1] < 1/10 and [absolute value of y - 1] [less than or equal to] 1/10.

We derive an asymptotic estimate for [G.sub.n](s, t) = ln [T.sub.n]([e.sup.s], [e.sup.t]). From Theorem 2.1, we obtain

[MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII]

Since

[MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII]

we have

[MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII]

Hence, the series

[MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII]

converges uniformly in a neighbor of (x, y) = (1, 1). This implies that

[MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII]

is an analytic function in a neighbor of (s, t) = (0, 0). Thus we have

[MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII]

and so we have derived Equation (2).

PROOF OF THEOREM 4.1. For convenience, we define

[A.sub.j] = [partial derivative][T.sub.j](x,y)/[partial derivative]x [|.sub.(1,1)], [B.sub.j] = [partial derivative][T.sub.j](x,y)/[partial derivative]y [|.sub.(1,1)],

and let us write [T.sub.j] for [T.sub.j](x, y). Then we have, from Equation (3),

[MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII]

and consequently

[MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII]

The Number of Encryptions in Revocation Schemes

[MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII]

The first few values of [A.sub.j] and [B.sub.j] can be computed using the following recursions

[MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII]

We note that all the series appearing above converge very rapidly as the general terms decrease doubly exponentially. By taking the first 4 terms (j from 0 to 3), we obtain the following values (correct to 9 decimal places)

[[mu].sub.1] = 0.358885765, [[sigma].sup.2.sub.1] = 0.094122395, [[sigma].sub.1,2] = 0.091789245.

Finally the proof of Theorem 4.1 for the CST scheme follows from Equation (2), Theorem 3.1, and the fact that the matrix

[MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII]

is nonsingular.

The following is an immediate corollary of Theorem 4.1 by taking the marginal distribution for [X.sub.n]. It can also be obtained directly using Hwang's (5) quasi-power theorem.

Corollary 4.4 Let [{[X.sub.n]}.sub.n[greater than or equal to]1] be a sequence of random variables for the number of encryptions in the CST scheme. Then, [X.sub.n] is asymptotically normal with mean [2.sup.n][[mu].sub.1] and variance [2.sup.n][[sigma].sup.2.sub.1]. More precisely, we have

[MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII]

Clearly, this corollary provides all relevant statistical information about [X.sub.n]. If we want, in addition to the exact mean provided by Park and Blake in Theorem 2.3, the exact variance of [X.sub.n], it can be obtained by differentiating [T.sub.n](x, y) two times with respect to x and setting (x, y) = (1, 1).

Proposition 4.1 For the CST scheme we have that Var(0) = 0.25, and for n [greater than or equal to] 1

[MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII]

We now sketch a proof for the SD scheme. The only required modification from the CST scheme is the error estimate stated in the following lemma.

Lemma 4.5 For sufficiently small [delta] > 0, [absolute value of x - 1] [less than or equal to] [delta], [absolute value of y - 1] [less than or equal to] [delta], and for all n [greater than or equal to] 0, we have

[MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII]

for all n [greater than or equal to] 1, we have

[MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII]

PROOF. It is easy to check that the lemma holds for 0 [less than or equal to] n [less than or equal to] 3, as 1 + xy is close to 2 when x and y are both near 1.

For n [greater than or equal to] 4, we first note, by induction, that

[MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII]

Hence

[MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII]

The following lemma follows immediately from the previous lemma and it is parallel to Lemma 4.3.

Lemma 4.6 For all n [greater than or equal to] 0, [absolute value of x - 1] [less than or equal to] [delta], [absolute value of y - 1] [less than or equal to] [delta], x = [e.sup.s] and y = [e.sup.t], we have,

[MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII] (4)

where

u(s, t) = ln (1 + xy) + [summation over j [greater than or equal to 0]] [2.sup.-j-1] ln (1 + [D.sub.j](x, y)[S.sup.-2.sub.j](x, y)) (5)

is an analytic function in a neighbor of (s, t) = (0, 0).

Define

[MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII]

With some algebra, we may obtain

[MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII]

The first few values of [c.sub.1] (j), [c.sub.2] (j), [d.sub.1] (j), [d.sub.2] (j) and [d.sub.3] (j) can be computed using the following recursions

[MATHEMATICAL EXPRESSION NOT REPRODUCIBLE IN ASCII]

We note again that all the series appearing above converge very rapidly as the general terms decrease doubly exponentially. By taking the first 5 terms (j from 0 to 4), we obtain the following values (correct to 9 decimal places)

[[mu].sub.1] = 0.2904691622, [[sigma].sup.2.sub.1] = 0.080396785, [[sigma].sub.1,2] = 0.013328463.

5 Conclusions

In this paper we proved that the mean number of encryptions for the complete subtree scheme (CST) and the subset-difference scheme (SD) studied by Park and Blake are indeed good estimates for the number of encryptions used by this scheme. We did so by proving a normal limiting distribution for the number of encryptions, as the number of users became large. Indeed, we not only provided the asymptotic normality for the number of encryptions, but also did so for the combined number of encryptions and number of privileged users in a random privileged set. The proofs required a two-dimensional quasi power theorem due to Heuberger. A normal limit distribution also holds for the number of encryptions for the layered subset-difference scheme (LSD), also studied by Park and Blake.

References

[1] AACS: Advanced Access Content System, http://www.aacsla.com/.

[2] AACS (Advanced Access Content System), Introduction and Common Cryptographic Elements, Rev. 0.91, Feb. 2006, http://www.aacsla.com/specifications/.

[3] D. Halevy and A. Shamir, The LSD broadcast encryption scheme, in CRYPTO 2002, Lecture Notes in Computer Science 2442 (2002), pp. 47-60.

[4] C. Heuberger, Hwang's quasi-power-theorem in dimension two, Quaestiones Mathematicae, 30 (2007), pp. 507-512.

[5] H.K. Hwang, On convergence rates in the central limit theorems for combinatorial structures, European J. Combin. 19 (1998), pp. 329-343.

[6] D. Naor, M. Naor and 7. Lotspiech, Revocation and tracing schemes for stateless receivers, in CRYPTO 2001, Lecture Notes in Computer Science 2139 (2003), pp. 374-391.

[7] E.C. Park and LE. Blake, On the mean number of encryptions for tree-based broadcast encryption schemes, Journal of Discrete Algorithms, 4 (2006), pp. 215-238.

[8] D. Wallner, E. Harder and R. Agee, Key management for multicast: Issues and architectures, Sep. 1998, Internet daft available from http://www.ietf.org/ID.html.

[9] C.K. Wong, M. Gouda and S. Lam, Secure group communications using key graphs, in SIGCOMM 1998, ACM Press, New York, 1998, pp. 68-79.

Christopher Eagle (1) and Zhicheng Gao (2) and Mohamed Omar (3) and Daniel Panario (2) and Bruce Richmond (1)

(1) Department of Combinatorics and Optimization, University of Waterloo, Waterloo, Ontario N2L 3G1, Canada email: {cjeagle@engmail.uwaterloo.ca, lbrichmond@math.uwaterloo.ca}

(2) School of Mathematics and Statistics, Carleton University, Ottawa, Ontario K1S 5B6, Canada email: {zgao@math.carleton.ca, daniel@math.carleton.ca}

(3) Department of Mathematics, University of California Davis, Davis, California 95616, United States of America email: {momar@math.ucdavis.edu}

([dagger]) The authors have been partially funded by NSERC of Canada.

Printer friendly Cite/link Email Feedback | |

Author: | Eagle, Christopher; Gao, Zhicheng; Omar, Mohamed; Panario, Daniel; Richmond, Bruce |
---|---|

Publication: | DMTCS Proceedings |

Article Type: | Report |

Geographic Code: | 1CANA |

Date: | Jan 1, 2008 |

Words: | 4693 |

Previous Article: | Constructions for clumps statistics. |

Next Article: | On square permutations. |

Topics: |