On the Algebraic Structure of Combinatorial Broadcast Encryption Schemes and Applications
Serdar Pehlivanoglu (pay-live-a-no-glue)
Joint work with Aggelos Kiayias, [email protected]
Digital Content Distribution
• What is digital content distribution?
  – It is multi-recipient transmission.
• Access control
  – Multi-recipient encryption.
[Diagram: a Transmission Center sends over an insecure channel to the recipient population U1, U2, U3, …, Un.]
Multi-Recipient Encryption
[Diagram: a Licensing Agency issues keys to the recipients; a Distributor (Transmission Center) sends encrypted content over the insecure channel to the recipient population U1, U2, U3, …, Un.]
Applications
• Encryption for DVDs and other media content distribution systems.
  – Regular DVDs and Blu-ray disks.
• Filesystem access permissions.
• Etc.
September 2008
Challenges
• Minimizing
  – Transmission overhead.
  – Key storage for receivers.
  – Key derivation time for receivers.
Example: Linear Trace&Revoke Scheme
Transmission overhead = n, key storage = 1, key derivation = 1.
[Diagram: the Licensing Agency gives each user Ui its own secret key si (i = 1, …, n); the Content Distributor broadcasts E_s1(k), E_s2(k), E_s3(k), …, E_sn(k) followed by E_k(m), so each user recovers the session key k with its own si and then decrypts the message m.]
Subset Cover Framework (SCF)
• Subset Cover Framework [NNL01]
  – General combinatorial framework; it can describe many schemes.
  – Tracing and revoking an unlimited number of users.
  – Seamless integration of tracing and revoking.
• N is the set of all recipients, R is the set of excluded recipients.
• Define a set system {S1, S2, …, Sw} of subsets of N.
• Revocation property (fully exclusive):
  – Any subset S of N can be partitioned into disjoint subsets from the set system.
• Each subset Si is associated with a long-lived key Li.
• Key assignment:
  – Any user u has access to Li through its private information if and only if u is in Si.
• Revocation algorithm:
  – Given R, find a partition of N \ R into disjoint subsets S1, …, Sm from the set system, i.e. N \ R = S1 ∪ … ∪ Sm, with associated keys L1, L2, …, Lm.
• The ciphertext is:
Encryption in SCF
<i1, …, im, E_L1(K), E_L2(K), …, E_Lm(K)>  F_K(M)
(header: the indices of the cover subsets and the session key K encrypted under each subset key)  (body: the content M encrypted under K)
A series of works
Subset Cover Scheme                      | Transmission  | Computation | Key Storage
CS                                       | r log(N/r)    | 1           | log N
SD                                       | 2r-1          | log N       | log^2 N
Basic LSD                                | 4r-1          | log N       | log^(3/2) N
SSD                                      | 4kr           | N^(1/k)     | 2k log N
Basic Key Chain Tree                     | 2r            | N           | 2 log N
Subset Incremental Chain System (SIC)    | 2kr           | N^(1/k)     | 2 log N
One-Way Chain                            | r/k           | N-r         | N^k
w-Complete Tree SIC                      | 2r            | k N^(1/k)   | k((log N)/2 + 1)
Venues listed on the slide: Crypto 2001, Crypto 2001, Crypto 2002, Crypto 2004, Eurocrypt 2005, ISC 2004, Asiacrypt 2005, Financial Crypto 2006.
Our Focus
• Study the algebraic structure of SCF.
  – Based on the observation that the underlying set system constitutes a partially ordered set (the Key Poset).
• Generic revocation and tracing algorithms.
• What are sufficient conditions for optimal revocation and tracing?
• How to design new schemes tailored to specific scenarios, or improve aspects of existing ones?
A poset is a set P together with a binary relation that is reflexive, antisymmetric, and transitive.
The Key Poset
• Given any SCF instance we define the Key Poset:
  – Nodes correspond to subsets (and their keys); leaves correspond to users.
  – Edges represent the subset relation.
• The set system is represented by the nodes in the Hasse diagram of the Key Poset.
• Revocation: finding the nodes that cover the enabled set of leaves.
• Tracing: finding the nodes that cover the nodes not used by the pirate decoder.
• Key assignment: all keys of the nodes above a leaf are known to (or derived by) that leaf.
In this example (users U1, U2, U3, U4, with every subset present): transmission overhead = 1, key storage = 2^(n-1), key derivation = 1.
Subset Difference Method [NNL01]
[Diagram: a full binary tree with nodes vi and vj, where vj lies in the subtree of vi; the shaded leaves form S_i,j.]
S_i,j = the set of all leaves in the subtree of vi but not in the subtree of vj.
The Key Poset of NNL
[Figure: the key poset of the Subset Difference set system.]
A basic Question
• What makes a key poset good?
• Is it possible to describe “good” in algebraic terms?
• Observe: to revoke we need to efficiently solve some instance of set cover.
Short Primer on Partial Orders
• A nonempty subset I of a poset P is called an ideal if I is a lower set and directed.
  – A nonempty subset A of a poset P is called a directed set if for any two elements a, b in A there exists c in A that is above both a and b.
  – It is called a lower set if for every x in A, every y below x is also in A.
[Figure: an ideal in the SD key poset.]
Our Objective
• We need to solve a set cover efficiently.
• Basic observation: if the set system is an ideal we can do this efficiently.
  – IdealCover(u): starting from u, grow upward until you hit the top.
  – Basic operation: “grow”.
Short Primer on Partial Orders
• An atom of a poset P is an element that is minimal among all elements.
• The dual notion of an ideal, the one obtained in the reverse partial order, is called a filter.
  – F(x) denotes the filter generated by x; we call F(x) an atomic filter if x is an atom.
  – P_x denotes the complement of F(x) in P.
[Figure: a filter.]
[Figure: the complement of a filter.]
In general: the complement of a filter is a lower set (not necessarily an ideal).
Lower Maximal Partitions
• Given a nonempty subset A of a poset P that is a lower set, we say <M1, M2, …, Mk> is a lower-maximal partition of A if
  1. Mi is a lower set for i = 1, …, k.
  2. The atoms of Mi and Mj are different provided that i ≠ j.
  3. Mi is maximal with respect to A, i.e. if a is in Mi and b in A lies above a, then b is in Mi.
  4. k is the largest integer such that all of the above hold.
• The order of a lower set A is defined as the size of its lower-maximal partition. We denote the order by ord(A).
• Proposition. Any lower set A of a poset P has a unique lower-maximal partition.
“Separable” Families
• We say a set system is separable if, in its lower-maximal partition <M1, M2, …, Mk>, each Mi is an ideal of the set system for i = 1, …, k.
Set Covering Separable Families
• Given a separable family we can easily solve set cover:
  – Pick a user and “grow” along a chain till you hit the top.
  – Repeat with a user outside the ideals selected so far.
• [needs “grow” + “select outside subset” as basic operations]
• Complexity: the sum of the chain lengths in each ideal [poly-logarithmic length].
Factorizable Families
• A fully-exclusive set system is called factorizable if it is an ideal and for any ideal I and any atom u, it holds that I ∩ P_u is separable.
  – Hint: being factorizable implies good behavior w.r.t. revocation.
Basic Theorem
• Definition. For R = {u1, …, ur}, the revoked family Revoke( , R) is the family P_u1 ∩ … ∩ P_ur, i.e. the subsets of the set system that contain none of u1, …, ur.
• Theorem. If the set system is factorizable, then Revoke( , R) is separable.
Revocation Algorithm
The theorem implies the revocation algorithm Cover(N, R):
• Given the set system and R:
  – Determine the revoked family Revoke( , R).
  – Set-cover the revoked family (it is separable, so the grow-and-repeat procedure applies).
Transmission Overhead
• Given a factorizable set system, Cover(N, R) outputs an optimal solution and the communication overhead is ord(P_u1 ∩ … ∩ P_ur), where R = {u1, …, ur}.
• Given a factorizable set system:
  – If for any ideal I and atom u it holds that ord(I ∩ P_u) ≤ log|I|, then the communication overhead for revoking r users is O(r log N).
  – If, on the other hand, ord(I ∩ P_u) ≤ c, then the communication overhead for revoking r users is at most r(c - 1).
Alternative Characterization
• Theorem: A set system is factorizable iff the following holds:
  S1 ∪ S2 is in the collection whenever S1 ∩ S2 ≠ ∅ (*)
Proof. Suppose that the set system is not factorizable due to an ideal I and an atom u, even though (*) holds. Consider the lower-maximal partition <M1, M2, …, Mk> of I ∩ P_u and suppose that Mi is not an ideal; then it has more than one maximal element. Since k = ord(I ∩ P_u) is maximal, these maximal elements are intersecting. Then (*) implies that their union is in the set system and hence also in I ∩ P_u.
Conversely, suppose that the set system is factorizable but S = S1 ∪ S2 is not in the collection for some intersecting S1, S2. Consider the minimal ideal I in the set system that contains S (this exists due to the factorizable property). There exists an atom u in I that is not in S. Since I ∩ P_u is separable, there exists an ideal in its lower-maximal partition that contains both S1 and S2, which contradicts the minimality of I.
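The revocation algorithm Cover(N, R) and the (*) test, worked on the Complete Subtree set system [NNL01] as an added example (this is illustration code, not the authors' implementation). Users are 0..n-1, subsets are explicit frozensets, and "grow" is realised as taking the largest surviving subset containing the chosen user, which is the top of its ideal once the family is separable.

```python
from itertools import combinations

def complete_subtree_family(n):
    """Complete Subtree set system [NNL01] for n = 2^h users: one subset per
    node of a full binary tree over the users 0..n-1 (the leaves below it)."""
    family = set()
    size = n
    while size >= 1:
        for start in range(0, n, size):
            family.add(frozenset(range(start, start + size)))
        size //= 2
    return family

def is_factorizable(family):
    """Alternative characterization (*): the union of any two intersecting
    subsets must itself belong to the family."""
    return all(s1 | s2 in family
               for s1, s2 in combinations(family, 2) if s1 & s2)

def revoke(family, revoked):
    """Revoke(., R) = P_u1 ∩ ... ∩ P_ur: drop every subset lying in the atomic
    filter of a revoked user, i.e. keep the subsets containing no revoked user."""
    return {s for s in family if not (s & revoked)}

def cover(family, n, revoked):
    """Cover(N, R): pick an uncovered user, 'grow' to the top of the ideal
    containing it (the largest surviving subset containing the user), then
    repeat with a user outside the subsets chosen so far."""
    survivors = revoke(family, frozenset(revoked))
    uncovered = set(range(n)) - set(revoked)
    chosen = []
    while uncovered:
        u = min(uncovered)
        top = max((s for s in survivors if u in s), key=len)
        chosen.append(top)
        uncovered -= top
    return chosen
```

For 8 users and R = {3} the cover is {0,1}, {2}, {4,5,6,7}: three subsets, matching the r log(N/r) bound for CS in the table above.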
Alternative Characterization
• Theorem: The set systems corresponding to
  – Complete Subtree [NNL01],
  – Subset Difference [NNL01],
  – Layered Subset Difference [HaSh02],
  – Stratified Subset Difference [GoSuTa04],
  – Subset Incremental Chain [AtIm05],
  – Key-Chain Tree [WNR04],
  – Complete Key-Chain Tree [HwLeLi05]
  are all factorizable.
Extended Results to Tracing
• We can extend our results to the tracing problem.
• A pirate decoder uses some keys, i.e. subsets.
• Tracing is equivalent to revoking in a modified set system that ‘chops’ the subsets used by the pirate decoder.
  – Suppose that S is used by the pirate decoder; then the modified set system is the original set system with F(S) removed.
  – The cover is Revoke(modified set system, {}). The modified set system doesn’t have to be separable.
• Improvement on the communication overhead compared to the only known tracing algorithm.
  – Linear in the number of traitors.
Our Key Derivation Method
• Each user u should be able to derive all the keys for subsets in F(u).
• Approach:
  – Split the key poset into a forest T of upward-looking trees.
  – Keys in each tree of T are derivable from the root by one-way transformations.
  – User u gets the keys of the roots of all trees in the forest T ∩ F(u).
A New Class of Broadcast Encryption Schemes
• Applications
• We demonstrate the power of working directly with the key poset.
X-Property
• The root has as many children as there are leaves:
  – C_u for any u in N, where C_u = N \ {u}.
• There are two elements S1, S2 so that
  – F(S1) and F(S2) are disjoint and both are complete binary trees of height log|N| - 1, excluding the root.
  – Any C_u is a leaf of one of the binary trees in F(S1) or F(S2).
A Transformation that Preserves the X-Property
[Figure: one-to-one mapping between the filters below and the trees above.]
Some Facts on the Transformation
• It squares the number of users.
• Theorem. If the underlying set system is factorizable, then the resulting set system is also factorizable.
• Let a factorizable set system be defined over a set of size 2^m. If for any ideal I and atom u it holds that ord(I ∩ P_u) ≤ c(m), then
  – ord(I' ∩ P_u) ≤ c(m) + 2 for any ideal I' of the transformed set system and any atom u in the set of size 2^(2m).
Transmission Overhead
• Let a set system be constructed by k transformations of a set system defined over a set of size d with transmission overhead c(d)·r to disable a set of r users.
  – If d is a constant, then the transmission overhead of the result would be O(r log log N).
  – If k is a constant, then the transmission overhead of the result would be O(r·c(d)).
Key-Derivation Procedures
• Path property:
  – There exist two elements S1, S2 so that
    • F(S1) and F(S2) are disjoint and both filters are complete binary trees of height log|N| - 1, excluding the root.
    • For any u, P_u intersects the binary trees F(S1) or F(S2) in a single path of length log|N| - 1.
• The path property implies the X-property.
• The transformation preserves the path property.
Key Assignment & Derivation for the Path Property
[Figure: a binary tree whose root carries LABEL = S; its children carry G_L(S) and G_R(S), the next level G_L(G_L(S)), G_R(G_L(S)), G_L(G_R(S)), G_R(G_R(S)), then G_R(G_R(G_R(S))) and so on down to the leaves C_u. P_u intersects the binary trees F(S1), F(S2) in the red nodes.]
User u is given G_L(S), G_R(G_R(S)), G_R(G_L(G_R(S))), … (the labels of the nodes hanging off the path) and will be able to derive any key of the hanging-off nodes by at most log N function evaluations.
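The label scheme of this slide as an added example (not code from the talk): tree positions are L/R strings, the root label S is a constructed byte string, and the one-way transformations G_L and G_R are assumed to be SHA-256 over a side tag and the parent label. The user holds the labels of the siblings of its path; nodes on the path itself, including its own leaf C_u, stay out of reach.

```python
import hashlib

def G(side, label):
    """One-way transformation G_L / G_R. Assumed here to be SHA-256 over a
    side tag and the parent label; the talk only needs some one-way function."""
    return hashlib.sha256(side.encode() + label).digest()

def node_label(root_label, path):
    """Label of the node reached from the root by the L/R string path,
    e.g. 'RR' gives G_R(G_R(S)) for root label S."""
    label = root_label
    for side in path:
        label = G(side, label)
    return label

def user_material(root_label, user_path):
    """What user u is given: the labels of the siblings of the nodes on the
    path from the root down to u's own leaf C_u (the nodes hanging off the
    path). For a tree of height h this is h labels, i.e. log N of them."""
    material = {}
    for depth, side in enumerate(user_path):
        sibling = user_path[:depth] + ('R' if side == 'L' else 'L')
        material[sibling] = node_label(root_label, sibling)
    return material

def derive(material, target_path):
    """Derive the label of target_path from the user's material with at most
    h further G evaluations, or return None when the target lies on the
    user's own path (those nodes, C_u among them, must not be derivable)."""
    for prefix, label in material.items():
        if target_path.startswith(prefix):
            return node_label(label, target_path[len(prefix):])
    return None
```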
Key Storage & Derivation for the Transformation
• Let a factorizable set system be defined over a set of size 2^m. If the key storage (derivation) for the set system is K(m) (D(m)), then K’(m) (D’(m)) for the transformed set system would be
  – K’(m) = 2K(m) + m.
  – D’(m) = max(D(m), m).
A Construction
Start with a set system which satisfies the path property.
[Figure: the starting set system.]
Applying the transformation two times yields:
[Figure: the set system after two transformations.]
Scheme Parameters (1)
• Start with the basic set system for 2 users.
• Apply the transformation k times to get a set system for N = 2^(2^k) users.
• Storage: 2^k = log N.
• Computation time: log N.
• Transmission overhead: 2r log log N.
Another Basic Scheme with the Path Property
Scheme Parameters (2)
• Start with the set system for d users:
  – Storage: 3(log d - 1)
  – Computation time: max(d, log d)
  – Transmission overhead: 2r
• Apply the transformation k times to get a set system for N = d^(2^k) users, say with k a constant:
  – Storage: 2k·log N
  – Computation time: max(N^(1/2^k), log N)
  – Transmission overhead: 2rk
• Compare this with the k-complete tree and the Layered Subset Incremental Chain System.
Thank You