fast algorithms for the free riders problem in broadcast encryption
DESCRIPTION
Fast Algorithms for the Free Riders Problem in Broadcast Encryption. Zulfikar Ramzan David P. Woodruff. Crypto 2006. Broadcast Encryption. Users. Server. Offline phase - Server distributes keys. Online phase - Encrypt a session key for privileged users . - PowerPoint PPT PresentationTRANSCRIPT
![Page 1: Fast Algorithms for the Free Riders Problem in Broadcast Encryption](https://reader034.vdocuments.net/reader034/viewer/2022051700/56816011550346895dcf13bb/html5/thumbnails/1.jpg)
Fast Algorithms for the Free Riders Problem in Broadcast
Encryption
Zulfikar RamzanDavid P. Woodruff
Crypto 2006
![Page 2: Fast Algorithms for the Free Riders Problem in Broadcast Encryption](https://reader034.vdocuments.net/reader034/viewer/2022051700/56816011550346895dcf13bb/html5/thumbnails/2.jpg)
Broadcast Encryption
Server
Users
Many applications: payperview TV, music, videosOffline phase - Server distributes keysOnline phase - Encrypt a session key for privileged users
![Page 3: Fast Algorithms for the Free Riders Problem in Broadcast Encryption](https://reader034.vdocuments.net/reader034/viewer/2022051700/56816011550346895dcf13bb/html5/thumbnails/3.jpg)
Broadcast Encryption
• Parameters– Storage per user (# keys)– Server storage – Communication vs. computation– Sets of privileged users it can support
• Security– Computational vs. Information-theoretic
![Page 4: Fast Algorithms for the Free Riders Problem in Broadcast Encryption](https://reader034.vdocuments.net/reader034/viewer/2022051700/56816011550346895dcf13bb/html5/thumbnails/4.jpg)
Free Riders• [ASW] If we allow a small fraction of non-
privileged (revoked) users to decrypt the broadcast, can we significantly save resources?
• A revoked user decrypting the broadcast is a free rider
• Commercial view These savings might be worth more than the loss
from allowing a few free riders
• [ASW] Consider the subset-cover framework
![Page 5: Fast Algorithms for the Free Riders Problem in Broadcast Encryption](https://reader034.vdocuments.net/reader034/viewer/2022051700/56816011550346895dcf13bb/html5/thumbnails/5.jpg)
Subset Cover Framework [NNL][n] = {1, …, n} is set of users
Offline• For some S ½ [n], server distributes a key KS to all
users in S. Let C be the collection of S
Online• R ½ [n] are the revoked users• Server finds subsets S1, S2, …, St in C such that
S1 [ S2 [ [ St = [n] \ R
• Broadcast ES1(M), ES2(M), …, ESt(M)
![Page 6: Fast Algorithms for the Free Riders Problem in Broadcast Encryption](https://reader034.vdocuments.net/reader034/viewer/2022051700/56816011550346895dcf13bb/html5/thumbnails/6.jpg)
Free Riders
• [ASW] Hardness– Given a worst-case C, a revoked set R, and a
bound f on the number of free riders– NP-hard to find smallest t and S1, S2, …, St 2 C
• S1 [ S2 [ [ St contains [n] n R
• S1 [ S2 [ [ St contains · f elements of R
– Finding t’ with t’ · (1+)t also hard
• Leave open the complexity for specific C
![Page 7: Fast Algorithms for the Free Riders Problem in Broadcast Encryption](https://reader034.vdocuments.net/reader034/viewer/2022051700/56816011550346895dcf13bb/html5/thumbnails/7.jpg)
Our Contribution For a popular, information-theoretically
secure scheme in subset-cover framework, known as the Complete Subtree Scheme, we find optimal t and S1, St in O(rf) time
Can find t’ · (1+)t and S1, St’ for uniform R of size r in O~(rf1/3) time
Techniques useful for other schemes in the subset-cover framework
![Page 8: Fast Algorithms for the Free Riders Problem in Broadcast Encryption](https://reader034.vdocuments.net/reader034/viewer/2022051700/56816011550346895dcf13bb/html5/thumbnails/8.jpg)
Complete Subtree Scheme [NNL]
Complete Binary Tree on n leaves
Key at each node v given to users in subtree(v)
u1 u2 u3 u4
v
v
![Page 9: Fast Algorithms for the Free Riders Problem in Broadcast Encryption](https://reader034.vdocuments.net/reader034/viewer/2022051700/56816011550346895dcf13bb/html5/thumbnails/9.jpg)
Complete Subtree Scheme [NNL]
n users/leaves# keys = # nodes = 2n-1
# keys per user = log n + 1
uu1 u2 u5u4 u6 u8u7
Communication = O(r log n/r)Information-theoretic security
Supports any revoked set of any size r
![Page 10: Fast Algorithms for the Free Riders Problem in Broadcast Encryption](https://reader034.vdocuments.net/reader034/viewer/2022051700/56816011550346895dcf13bb/html5/thumbnails/10.jpg)
Benefits of Free Riders
• Can reduce communication from O(n1/2) to O(log n) in Complete Subtree Scheme
• Need an algorithm to find free riders – random assignment bad with overwhelming probability
• Preserve computation, storage, etc.
![Page 11: Fast Algorithms for the Free Riders Problem in Broadcast Encryption](https://reader034.vdocuments.net/reader034/viewer/2022051700/56816011550346895dcf13bb/html5/thumbnails/11.jpg)
Benefits of Free Riders
Diagram shows revoked users
Optimal to make all singletons free riders
… …
…
![Page 12: Fast Algorithms for the Free Riders Problem in Broadcast Encryption](https://reader034.vdocuments.net/reader034/viewer/2022051700/56816011550346895dcf13bb/html5/thumbnails/12.jpg)
Algorithm Overview• Given a set R of leaves and a bound f of free
riders, find smallest t and nodes v1, v2, …, vt
Privileged users covered by some subtree(vi) and at most f revoked users covered
• Dynamic programming algorithmFor each v with children L(v), R(v)
• AL(v)[i] = optimal cost of assigning at most i free riders to subtree(L(v))
• Av[i] = minj AL(v)[j] + AR(v)[i-j]
Backtrack from root to find assignment
![Page 13: Fast Algorithms for the Free Riders Problem in Broadcast Encryption](https://reader034.vdocuments.net/reader034/viewer/2022051700/56816011550346895dcf13bb/html5/thumbnails/13.jpg)
Algorithm Overview
• Algorithm has O(nf) time. Bad for large n
• In practice, r very small
• For CS scheme, can achieve O(rf) by only computing arrays Av at joining nodes
![Page 14: Fast Algorithms for the Free Riders Problem in Broadcast Encryption](https://reader034.vdocuments.net/reader034/viewer/2022051700/56816011550346895dcf13bb/html5/thumbnails/14.jpg)
x y z
Initialize Ax = [0 0] Az = [0 0]Ay = [0 0]
p
q
Compute Ap[i] = minj Ax[j] + Ay[i-j], Ap = [0 0 0]
Lift Ap = [0 0 0] to Ap’= [1 1 1]
Lift Az = [0 0] to Az’= [2 1]
Compute Aq[i] = minj Ap’[j] + Az’[i-j], Aq = [3 2 2]
p and q are the only joining nodes
![Page 15: Fast Algorithms for the Free Riders Problem in Broadcast Encryption](https://reader034.vdocuments.net/reader034/viewer/2022051700/56816011550346895dcf13bb/html5/thumbnails/15.jpg)
Algorithm Overview1. Compute joining nodes v
2. For each v, let L(v) and R(v) be nearest joining nodes in left and right subtree of v
1. “Lift” AL(v) and AR[v]
1. Av[i] = minj AL(v)[j] + AR(v)[i-j]
3. Backtrack using DFS to find optimal assignment
![Page 16: Fast Algorithms for the Free Riders Problem in Broadcast Encryption](https://reader034.vdocuments.net/reader034/viewer/2022051700/56816011550346895dcf13bb/html5/thumbnails/16.jpg)
Step 2: MinSum Problem Av[i] = minj AL(v)[j] + AR(v)[i-j] for all i
Given a1 ¸ a2 ¸ ¸ am1 and b1 ¸ b2 ¸ ¸ bm2,
output 8 i, minj a[j] + b[i-j]
• Easy O(m1 m2) time
• Computational geometry: O(m1 m2/log m1m2)• Implies overall algorithm is O(rf) time
![Page 17: Fast Algorithms for the Free Riders Problem in Broadcast Encryption](https://reader034.vdocuments.net/reader034/viewer/2022051700/56816011550346895dcf13bb/html5/thumbnails/17.jpg)
Step 2: MinSum ProblemGiven a1 ¸ a2 ¸ ¸ am1 and
b1 ¸ b2 ¸ ¸ bm2, output 8 i, minj a[j] + b[i-j]
Relaxations1. 8 i, output j’ for which
a[j’] + b[i-j’] · (1+) minj a[j] + b[i-j]2. Bounded differences for CS scheme
a[j] – a[j+1] = O(log n) and b[j] – b[j+1] = O(log n)
Our result: O~(m1 m21/3) time
If R uniformly chosen from sets of size r, time is O~(rf1/3)
![Page 18: Fast Algorithms for the Free Riders Problem in Broadcast Encryption](https://reader034.vdocuments.net/reader034/viewer/2022051700/56816011550346895dcf13bb/html5/thumbnails/18.jpg)
Summary of Results1. O(rf)-time to optimally find set of f free riders
given revoked set R of size r
2. For every > 0, given a1 ¸ ¸ am1 and b1 ¸ ¸ bm2 with aj – aj+1 and bj – bj+1 small, for all i output j’ such that
aj’ + bi-j’ · (1+)minj aj + bi-j
in O~(m1 m21/3) time
3. Yields O~(rf1/3)-time algorithm
![Page 19: Fast Algorithms for the Free Riders Problem in Broadcast Encryption](https://reader034.vdocuments.net/reader034/viewer/2022051700/56816011550346895dcf13bb/html5/thumbnails/19.jpg)
Open Questions
• Extend to other broadcast schemes
• Develop a better understanding of the benefits of free riders - computation and storage savings?
• Faster algorithms for the MinSum problem
![Page 20: Fast Algorithms for the Free Riders Problem in Broadcast Encryption](https://reader034.vdocuments.net/reader034/viewer/2022051700/56816011550346895dcf13bb/html5/thumbnails/20.jpg)
MinSum Observations• If a[j] + b[i-j] is the minimum for level i, then a[j] + b[i+-j]
is the approximate minimum for level i +
• To approximately solve level i, only try a few indices j because a[j] + b[i-j] ¼ a[j+1] + b[i-j-1]
• If aj’ = aj’+1 = = aj’+r , then for level i,
a[j’] + b[i-j’] ¸ a[j’+1] + b[i-j’-1] ¸ … ¸ a[j’+r] + b[i-j’-r],
so we need only consider ai’