Methods and apparatus for efficient revocation of receivers. In one implementation, a method of broadcast encryption includes: assigning a respective master key to each of a plurality of receivers, where each master key can be used to derive two or more of a plurality of sub keys; revoking one or more receivers, leaving one or more unrevoked receivers; for each master key of an unrevoked receiver, selecting the sub key that can be derived by that master key and derived by the most other master keys but not derived by a master key of any of the one or more revoked receivers; for each selected sub key, encrypting one ciphertext using that selected sub key; and sending the encrypted ciphertexts to the plurality of receivers.