[Cryptography] encrypted *broadcasts* ?
Seth David Schoen
schoen at loyalty.org
Tue Aug 12 17:31:30 EDT 2025
The pay-per-view people have a concept of "entitlement control messages"
where they periodically send data that affects the ability or
willingness of receivers to decrypt the encrypted broadcast stream. I
forgot how common it is for this to be like a revocation list ("receiver
#198273, please stop receiving, you're no longer authorized") as opposed
to, for example, periodically encrypting copies of new master session
keys separately for each recipient.

The DRM people have a thing with trees (technically "subset difference
trees") where they can provide, in specific media, the information
needed for the leaves of the tree to calculate the master decryption key
for that media -- and they can efficiently withhold portions in the
future, in later-published media, to prune portions of the tree so that
the affected leaves can't decrypt it. This is most famously used in
AACS.

I believe AACS also has a watermarking option where the decrypted media
obtained by specific keys is not identical to that obtained by other keys.
(I don't remember exactly how that's achieved, but I think the idea
was that there are slightly different versions of different scenes,
and each end user's key decrypts a different combination of those
different versions.) So, if someone publishes it and the people running
the system can obtain the published copy, it provides a clue to which
device's decryption key was used.

The overall argument is that they can then limit the scope of how widely
useful a particular successful attack will be, although they can't stop
people from using that attack to decrypt older media.
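The tree-based revocation the message describes, as an added illustration that is not part of the post: this implements the simpler Complete Subtree method from the same Naor-Naor-Lotspiech family rather than the full subset-difference variant. Device numbering, the HMAC-based node key derivation, the 8-device tree, the master secret and the toy XOR key wrap are all constructed for the example; a deployed system such as AACS uses its own key hierarchy and a real key-wrap cipher.

```python
import hashlib
import hmac
import os

# Constructed demo parameters: 8 devices (a depth-3 tree) and a made-up master secret.
N_DEVICES = 8
MASTER = b"constructed-licensing-authority-secret"

def node_key(master, node):
    """Key of tree node `node` (heap numbering: root=1, children 2i and 2i+1)."""
    return hmac.new(master, node.to_bytes(4, "big"), hashlib.sha256).digest()

def device_keys(master, n, device):
    """Keys a device is provisioned with: every node on its leaf-to-root path."""
    node, keys = n + device, {}
    while node >= 1:
        keys[node] = node_key(master, node)
        node //= 2
    return keys

def cover(n, revoked):
    """Complete Subtree cover: maximal subtrees that contain no revoked leaf."""
    if not revoked:
        return {1}
    steiner = set()  # union of root-to-leaf paths of all revoked devices
    for d in revoked:
        node = n + d
        while node >= 1:
            steiner.add(node)
            node //= 2
    # Nodes hanging off the Steiner tree; their subtrees hold only authorised leaves.
    return {c for v in steiner for c in (2 * v, 2 * v + 1) if c < 2 * n and c not in steiner}

def wrap(key, nonce, block):
    """Toy key wrap (XOR with an HMAC-derived pad); a real system would use AES key wrap."""
    pad = hmac.new(key, nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(block, pad))

def broadcast_header(master, n, revoked, media_key):
    """Media key wrapped once per cover node; revoked devices hold none of these keys."""
    nonce = os.urandom(16)
    return nonce, {v: wrap(node_key(master, v), nonce, media_key) for v in cover(n, revoked)}

def device_decrypt(keys, header):
    """A device recovers the media key iff it holds a key for some node in the cover."""
    nonce, blocks = header
    for v, ct in blocks.items():
        if v in keys:
            return wrap(keys[v], nonce, ct)  # the XOR pad is its own inverse
    return None
```

Revoking devices 2 and 5 grows the header from one wrapped key to four, and a freshly published header excludes them while every other device still recovers the media key.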