
On The Algebraic Structure of Combinatorial Broadcast Encryption Schemes and Applications






Presentation Transcript


  1. On The Algebraic Structure of Combinatorial Broadcast Encryption Schemes and Applications. Serdar Pehlivanoglu (pay-live-a-no-glue). Joint work with Aggelos Kiayias, aggelos@cse.uconn.edu

  2. Digital Content Distribution. What is digital content distribution? It is multi-recipient transmission. Access control is realized by multi-recipient encryption. (Figure: a transmission center sends over an insecure channel to the recipient population U1, U2, U3, …, Un.)

  3. Multi-Recipient Encryption. (Figure: a licensing agency issues keys to the transmission center and to the distributors; each distributor serves its own recipient population U1, U2, U3, …, Un over an insecure channel.)

  4. Applications • Encryption for DVDs and other media content distribution systems. • Regular DVDs and Blu-ray discs. • Filesystem access permissions. • Etc. September 2008

  5. Challenges • Minimizing: • transmission overhead, • key storage for receivers, • key derivation time for receivers.

  6. Example: Linear Trace & Revoke Scheme. The licensing agency gives each user U_i (i = 1, …, n) its own secret key s_i. To send m, the content distributor broadcasts E_{s1}(k), E_{s2}(k), E_{s3}(k), …, E_{sn}(k) followed by E_k(m); to revoke U_i, the distributor simply omits E_{si}(k). Transmission overhead = n, key storage = 1, key derivation = 1.

  7. Subset Cover Framework (SCF) • Subset Cover Framework [NNL01]. • General combinatorial framework; it can describe many schemes. • Tracing and revoking an unlimited number of users. • Seamless integration of tracing and revoking. • N is the set of all recipients, R is the set of excluded recipients. • Define a set system Φ = {S1, S2, …, Sw} ⊆ 2^N. • Revocation property (fully exclusive): any subset S ⊆ N can be partitioned into disjoint subsets from Φ.

  8. Encryption in SCF • Each subset Si ∈ Φ is associated with a long-lived key Li. • Key assignment: any user u has access to Li through its private information if and only if u ∈ Si. • Revocation algorithm: given R, find a partition of N \ R, i.e. N \ R = ∪_{i=1}^{m} Si, with associated keys L1, L2, …, Lm. • The ciphertext is: Header <i1, …, im, E_{L1}(K), E_{L2}(K), …, E_{Lm}(K)>, Body F_K(M).
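As an added worked example (not part of the presentation), here is the Complete Subtree instantiation of the framework in Python over N = 8 users: one long-lived key per tree node, handed to every user below that node, the Steiner-tree revocation algorithm that partitions N \ R into subtrees, and the header <i1, …, im, E_{L1}(K), …, E_{Lm}(K)>. The node keys are derived with HMAC-SHA256 from a master secret and E_L(K) is a toy XOR wrap keyed by L; both are constructed choices for the demonstration, not the primitives of any particular scheme, and the body F_K(M) is left out.

```python
import hashlib
import hmac

# Complete binary tree over n users in heap numbering: root = 1, children of v
# are 2v and 2v + 1, and user u (0-based) sits at leaf n + u.

def ancestors(node):
    """Nodes on the path from `node` up to the root, inclusive."""
    path = []
    while node >= 1:
        path.append(node)
        node //= 2
    return path

def subtree_users(n, node):
    """Users whose leaves lie under `node` (the subset S_v of the set system)."""
    lo, hi = node, node
    while lo < n:
        lo, hi = 2 * lo, 2 * hi + 1
    return set(range(lo - n, hi - n + 1))

def assign_keys(n, master):
    """Licensing agency: one long-lived key L_v per node; user u receives the
    keys of every ancestor of its leaf, i.e. exactly the subsets containing u.
    (HMAC of a constructed master secret stands in for random key generation.)"""
    node_key = {v: hmac.new(master, b"node:%d" % v, hashlib.sha256).digest()
                for v in range(1, 2 * n)}
    user_keys = {u: {v: node_key[v] for v in ancestors(n + u)} for u in range(n)}
    return node_key, user_keys

def cover(n, revoked):
    """Complete Subtree revocation: mark the Steiner tree of the revoked leaves;
    the subtrees hanging off it (unmarked nodes with a marked parent) partition
    N \\ R. With R empty the root alone covers everyone."""
    if not revoked:
        return [1]
    steiner = set()
    for u in revoked:
        steiner.update(ancestors(n + u))
    return sorted(v for v in range(2, 2 * n) if v not in steiner and v // 2 in steiner)

def wrap(key, block, index):
    """E_L(K) as a one-time XOR mask derived from L and the subset index
    (constructed toy wrap; it is its own inverse)."""
    mask = hmac.new(key, b"wrap:%d" % index, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(block, mask))

def encrypt(n, node_key, revoked, session_key):
    """Header <i_1..i_m, E_{L_1}(K)..E_{L_m}(K)> for the cover of N \\ R."""
    return [(v, wrap(node_key[v], session_key, v)) for v in cover(n, revoked)]

def decrypt(user_keys_u, header):
    """A receiver scans the header for a subset whose key it holds."""
    for v, ct in header:
        if v in user_keys_u:
            return wrap(user_keys_u[v], ct, v)
    return None  # revoked: no subset in the cover contains this user

if __name__ == "__main__":
    n = 8
    node_key, user_keys = assign_keys(n, b"constructed master secret")
    session_key = hashlib.sha256(b"constructed session key").digest()
    header = encrypt(n, node_key, revoked=[0, 7], session_key=session_key)
    print("cover:", [v for v, _ in header])            # [5, 6, 9, 14]
    print("user 3 decrypts:", decrypt(user_keys[3], header) == session_key)
    print("user 0 decrypts:", decrypt(user_keys[0], header))
```

Revoking users 0 and 7 in an 8-user tree costs four header entries, which matches the r·log(N/r) bound of the Complete Subtree method; the header index i tells a receiver which of its log N + 1 keys to use, so key derivation is a single lookup.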

  9. A series of works: Crypto 2001, Crypto 2001, Crypto 2002, Crypto 2004, ISC 2004, Asiacrypt 2005, Eurocrypt 2005, Financial Crypto 2006.

  10. Our Focus • Study the algebraic structure of SCF. • Based on the observation that the underlying set system constitutes a partially ordered set (the key poset). • Generic revocation and tracing algorithms. • What are sufficient conditions for optimal revocation and tracing? • How to design new schemes tailored to specific scenarios, or improve aspects of existing ones? A poset is a set P with a relation ≤ that is reflexive, antisymmetric, and transitive.

  11. The Key Poset • Given any SCF instance we define the key poset: • nodes ↔ subsets ↔ keys; leaves ↔ users. • Edges represent the subset relation. • The set system is represented by the nodes in the Hasse diagram of the key poset. • Revocation: finding the nodes that cover the enabled set of leaves. • Tracing: finding the nodes that cover the nodes not used by the pirate decoder. • Key assignment: all keys of the nodes above a leaf are known to (or derived by) that leaf. (Figure: the key poset for four users U1, U2, U3, U4.) In this example: transmission overhead = 1, key storage = 2^(n−1), key derivation = 1.

  12. Subset Difference Method [NNL01]. (Figure: nodes v_i and v_j with v_j in the subtree of v_i.) S_{i,j} = the set of all leaves in the subtree of v_i but not in the subtree of v_j.

  13. The Key Poset of NNL

  14. A Basic Question • What makes a key poset good? • Is it possible to describe “good” in algebraic terms? • Observe: to revoke we need to efficiently solve some instance of set cover.

  15. Short Primer on Partial Orders • A nonempty subset I of a poset (P, ≤) is called an ideal if I is lower and directed. • A nonempty subset A of a poset (P, ≤) is called a directed set if for any two elements a, b ∈ A there exists c ∈ A such that a ≤ c and b ≤ c. • It is called a lower set if for every x ∈ A, y ≤ x implies that y ∈ A.

  16. An ideal in the SD key poset

  17. Our Objective • We need to solve set cover efficiently. • Basic observation: if the set system is an ideal we can do this efficiently. • IdealCover(u): starting from u, grow upward until you hit the top. • Basic operation: “grow”.

  18. Short Primer on Partial Orders (continued) • Ideal, directed set and lower set as defined on slide 15. • An atom in a poset P is an element that is minimal among all elements. • The dual notion of an ideal, the one obtained in the reverse partial order, is called a filter; F(x) denotes the filter generated by x. • We call F(x) an atomic filter if x is an atom. • We denote by P_x the complement of F(x) in (P, ≤).

  19. Filter

  20. The Complement of a Filter

  21. The Complement of a Filter. In general, the complement of a filter is a lower set (not necessarily an ideal).

  22. Lower Maximal Partitions • Given a nonempty subset A of a poset (P, ≤) that is a lower set, we say <M1, M2, …, Mk> is a lower-maximal partition of A if • Mi is a lower set for i = 1, …, k; • the atoms of Mi and Mj are different whenever i ≠ j; • Mi is maximal with respect to A, i.e. if a ∈ Mi and b ∈ A with a ≤ b, then b ∈ Mi; • k is the largest integer such that all of the above hold. • The order of a lower set A is defined as the size of its lower-maximal partition; we denote it by ord(A). • Proposition. Any lower set A of a poset (P, ≤) has a unique lower-maximal partition.

  23. “Separable” Families • We say a set system Φ is separable if in the lower-maximal partition <M1, M2, …, Mk> of Φ it holds that Mi is an ideal of Φ for i = 1, …, k.

  24. Set Covering Separable Families • Given a separable family we can easily solve set cover: • pick a user and “grow” along a chain until you hit the top; • repeat with a user outside the ideals already selected. • [Needs “grow” and “select outside subset” as basic operations.] • Complexity: the sum of the chain lengths in each ideal [poly-logarithmic length].

  25. Factorizable Families • A fully-exclusive set system Φ is called factorizable if it is an ideal and for any ideal I and any atom u it holds that I ∩ P_u is separable. • Hint: being factorizable implies good behavior w.r.t. revocation.

  26. Basic Theorem • Definition. Φ' = Revoke(Φ, R) is the family P_{u1} ∩ … ∩ P_{ur}, where R = {u1, …, ur}. • Theorem. If Φ is factorizable, then Φ' = Revoke(Φ, R) is separable.

  27. Revocation Algorithm. The theorem implies the revocation algorithm Cover(N, R): • given Φ and R, • determine Φ' = Revoke(Φ, R), • set cover Φ'.

  28. Transmission Overhead • Given a factorizable set system Φ, Cover(N, R) outputs an optimal solution and the communication overhead is ord(∩_{i=1}^{r} P_{ui}), where R = {u1, …, ur}. • Given a factorizable set system Φ: • if for any ideal I and atom u it holds that ord(I ∩ P_u) ≤ log|I|, then the communication overhead for revoking r users is O(r log N); • if, on the other hand, ord(I ∩ P_u) ≤ c, then the communication overhead for revoking r users is at most r(c − 1).

  29. Alternative Characterization • Theorem: A set system is factorizable iff the following holds: S1 ∪ S2 is in the collection whenever S1 ∩ S2 ≠ ∅. (*) Proof. (⇐) Suppose that the set system is not factorizable, due to an ideal I and an atom u, even though (*) holds. Consider the lower-maximal partition <M1, M2, …, Mk> of I ∩ P_u and suppose that Mi is not an ideal; then it has more than one maximal element. Since k = ord(I ∩ P_u) is maximal, these maximal elements intersect. Then (*) implies that their union is in the set system, and hence also in I ∩ P_u, contradicting their maximality. (⇒) Suppose that the set system is factorizable but S = S1 ∪ S2 is not in the collection. Consider the minimal ideal I in the set system that contains S (this exists by the factorizable property). There exists an atom u in I that is not in S. Since I ∩ P_u is separable, there exists an ideal in its lower-maximal partition that contains both S1 and S2, which contradicts the minimality of I.
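As an added example (not the authors' code), the following Python checks the characterization (*) directly on a set system held as a family of frozensets, builds Φ' = Revoke(Φ, R) as the sets avoiding R, and covers N \ R by the “grow” operation of slides 17 and 24: start from a minimal set containing an uncovered user and absorb every set that intersects it, which by (*) stays inside Φ'. It is run on the Subset Difference family [NNL01] over 8 users (with the full set N included, so that R = ∅ can be covered), where every cover for r = 2 revoked users uses at most 3 subsets, and on a two-set counterexample that fails (*). The heap numbering of the tree and the sample sizes are constructed for the example.

```python
from itertools import combinations

def sd_family(n):
    """Subset Difference set system [NNL01] over a complete binary tree with n
    leaves (heap numbering: root 1, children 2v and 2v + 1, user u at leaf n + u):
    S_{i,j} = users under v_i but not under v_j, for each proper descendant v_j
    of an internal node v_i, plus the full set N."""
    def users_under(v):
        lo, hi = v, v
        while lo < n:
            lo, hi = 2 * lo, 2 * hi + 1
        return frozenset(range(lo - n, hi - n + 1))
    family = {frozenset(range(n))}
    for i in range(1, n):                      # internal nodes only
        stack = [2 * i, 2 * i + 1]
        while stack:
            j = stack.pop()
            family.add(users_under(i) - users_under(j))
            if j < n:
                stack.extend([2 * j, 2 * j + 1])
    return family

def is_factorizable(family):
    """Characterization (*): S1 ∪ S2 ∈ Φ whenever S1 ∩ S2 ≠ ∅."""
    return all((a | b) in family for a, b in combinations(family, 2) if a & b)

def revoke(family, revoked):
    """Φ' = Revoke(Φ, R) = P_{u1} ∩ … ∩ P_{ur}: the sets containing no revoked user."""
    r = frozenset(revoked)
    return {s for s in family if not (s & r)}

def grow(subfamily, start):
    """Climb from `start`: absorb any set of the subfamily that meets it but is
    not contained in it. In a factorizable family the union of two intersecting
    sets is again in the family, so the walk ends at the unique top of the
    ideal containing `start`; otherwise the missing union is reported."""
    s = start
    changed = True
    while changed:
        changed = False
        for t in subfamily:
            if (t & s) and not (t <= s):
                s = s | t
                if s not in subfamily:
                    raise ValueError("not factorizable: %s missing" % sorted(s))
                changed = True
    return s

def cover(family, n, revoked):
    """Cover(N, R): set cover of N \\ R by repeated growing; optimal when Φ is factorizable."""
    sub = revoke(family, revoked)
    uncovered = set(range(n)) - set(revoked)
    chosen = []
    while uncovered:
        u = min(uncovered)
        start = min((s for s in sub if u in s), key=len)   # a minimal set containing u
        top = grow(sub, start)
        chosen.append(top)
        uncovered -= top
    return chosen

if __name__ == "__main__":
    phi = sd_family(8)
    print("SD factorizable:", is_factorizable(phi))                                    # True
    print("counterexample:", is_factorizable({frozenset({0, 1}), frozenset({1, 2})}))  # False
    print("cover for R={0,7}:", [sorted(s) for s in cover(phi, 8, [0, 7])])
```

The pairwise check is quadratic in |Φ| and is only meant for small instances; for the named tree-based families the slide 30 theorem settles the question. Note that the grown tops for different uncovered users never overlap, which is the separability of Φ' promised by the basic theorem.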

  30. Alternative Characterization • Theorem: The set systems corresponding to • Complete Subtree [NNL01], • Subset Difference [NNL01], • Layered Subset Difference [HaSh02], • Stratified Subset Difference [GoSuTa04], • Subset Incremental Chain [AtIm05], • Key-Chain Tree [WNR04], • Complete Key-Chain Tree [HwLeLi05] • are all factorizable.

  31. Extending the Results to Tracing • We can extend our results to the tracing problem. • A pirate decoder uses some keys, i.e. subsets. • Tracing is equivalent to revoking in a modified set system that ‘chops’ the subsets used by the pirate decoder. • Suppose that S is used by the pirate decoder; then Φ' = Φ \ F(S). • The cover is Revoke(Φ', {}). • Φ' does not have to be separable. • Improvement on the communication overhead compared to the only previously known tracing algorithm: linear in the number of traitors.

  32. Our Key Derivation Method • Each user u should be able to derive all the keys for subsets in F(u). • Approach: • split the key poset into a forest T of upward-looking trees; • keys in each tree of T are derivable from the root by one-way transformations; • user u gets the keys of the roots of all trees in the forest T ∩ F(u).

  33. A new class of Broadcast Encryption Schemes • Applications • We demonstrate the power of working directly with the key poset.

  34. X-Property • The root has as many children as there are leaves: C_u for any u ∈ N, where C_u = N \ {u}. • There are two elements S1, S2 ∈ Φ so that • F(S1) and F(S2) are disjoint and both are complete binary trees of height log|N| − 1, excluding the root; • any C_u is a leaf of one of the binary trees F(S1) or F(S2).

  35. A Transformation that Preserves the X-Property. (Figure: a one-to-one mapping between the filters below and the trees above.)

  36. Some Facts on the Transformation • It squares the number of users. • Theorem. If the underlying set system is factorizable, then the resulting set system is also factorizable. • Let Φ be a factorizable set system defined over a set of size 2^m. If for any ideal I and atom u it holds that ord(I ∩ P_u) ≤ c(m), then ord(I' ∩ P_u) ≤ c(m) + 2 for any ideal I' of Transform(Φ) and any atom u of the transformed set of size 2^(2m).

  37. Transmission Overhead • Let Φ' be constructed by k transformations of a set system Φ defined over a set of size d with transmission overhead c(d)·r for disabling a set of r users. • If d is a constant, then the transmission overhead of Φ' is O(r log log N). • If k is a constant, then the transmission overhead of Φ' is O(r·c(d)).

  38. Key-Derivation Procedures • Path property: • there exist two elements S1, S2 ∈ Φ so that • F(S1) and F(S2) are disjoint and both filters are complete binary trees of height log|N| − 1, excluding the root; • for any u, P_u intersects the binary trees F(S1) or F(S2) in a single path of length log|N| − 1. • The path property implies the X-property. • The transformation preserves the path property.

  39. Key Assignment & Derivation for the Path Property. (Figure: the binary trees F(S1) and F(S2) with LABEL = S at the root and child labels G_L(S), G_R(S), G_L(G_L(S)), G_R(G_L(S)), G_L(G_R(S)), G_R(G_R(S)), G_R(G_R(G_R(S))), …; P_u intersects the binary trees in the red nodes.) User u is given G_L(S), G_R(G_R(S)), G_R(G_L(G_R(S))), … and will be able to derive any key of the nodes hanging off its path with at most log N function evaluations.
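An added example (not the authors' code) of the label-based derivation the slides describe, applied to the Subset Difference key poset of [NNL01] over 8 users: every internal node v_i carries a seed label, the label of a descendant v_j is obtained by applying G_L or G_R along the path from v_i to v_j, and the key of S_{i,j} is G_M of that label. User u receives, for each ancestor v_i of its leaf, the labels of the nodes hanging off the path from v_i to the leaf, so it can derive L_{i,j} exactly when u is not under v_j, with at most log N evaluations. HMAC-SHA256 stands in for the one-way transformations G_L, G_R, G_M; that choice, the seed labels and the heap numbering are constructed for the example.

```python
import hashlib
import hmac

# Complete binary tree in heap numbering: root 1, children 2v and 2v + 1,
# user u (0-based) at leaf n + u. Even node numbers are left children.

def G(label, tag):
    """One-way transformation on labels: tag b"L"/b"R" gives a child label,
    b"M" gives the subset key (HMAC-SHA256 stands in for the PRG; constructed)."""
    return hmac.new(label, tag, hashlib.sha256).digest()

def ancestors(node):
    """Path from `node` up to the root, inclusive."""
    path = []
    while node >= 1:
        path.append(node)
        node //= 2
    return path

def path_down(i, j):
    """Nodes from v_i down to v_j, inclusive; v_i must be an ancestor-or-self of v_j."""
    up = ancestors(j)
    if i not in up:
        raise ValueError("v_%d is not an ancestor of v_%d" % (i, j))
    return up[:up.index(i) + 1][::-1]

def derive(label, i, j):
    """Label of v_j in the tree rooted at v_i, computed from the label of v_i."""
    for node in path_down(i, j)[1:]:
        label = G(label, b"L" if node % 2 == 0 else b"R")
    return label

def center_key(root_labels, i, j):
    """L_{i,j} = G_M(label of v_j derived from LABEL_i), as the center computes it."""
    return G(derive(root_labels[i], i, j), b"M")

def user_secrets(root_labels, n, u):
    """Labels handed to user u: for every internal ancestor v_i of its leaf, the
    label (derived from LABEL_i) of each node hanging off the path v_i -> leaf,
    i.e. the sibling of every path node strictly below v_i."""
    up = ancestors(n + u)                    # leaf, parent, ..., root
    secrets = {}
    for k in range(1, len(up)):
        i = up[k]
        for below in up[:k]:
            hanging = below ^ 1               # sibling of a path node
            secrets[(i, hanging)] = derive(root_labels[i], i, hanging)
    return secrets

def user_key(secrets, i, j):
    """User side: L_{i,j} is derivable iff one of the held labels under v_i sits
    at an ancestor-or-self of v_j; otherwise u lies under v_j and None is returned."""
    for (ii, h), label in secrets.items():
        if ii == i and h in ancestors(j):
            return G(derive(label, h, j), b"M")
    return None

def make_labels(n, seed):
    """Seed labels for the internal nodes 1 .. n-1 (constructed from a seed)."""
    return {v: hmac.new(seed, b"label:%d" % v, hashlib.sha256).digest()
            for v in range(1, n)}

if __name__ == "__main__":
    n = 8
    labels = make_labels(n, b"constructed seed")
    sec = user_secrets(labels, n, 3)
    print("labels held by user 3:", len(sec))                                   # 6
    print("derives L_{1,3}:", user_key(sec, 1, 3) == center_key(labels, 1, 3))
    print("derives L_{1,2} (user 3 is under v_2):", user_key(sec, 1, 2))
```

For N = 8 a user holds 1 + 2 + 3 = 6 labels, i.e. O(log² N) storage, and each derivation walks one root-to-node path, so at most log N applications of G plus the final G_M; a user never holds a label at any ancestor of its own leaf, which is what keeps the keys of the subsets excluding it out of reach.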

  40. Key Storage & Derivation for the Transformation • Let Φ be a factorizable set system defined over a set of size 2^m. If the key storage (derivation time) for the set system Φ is K(m) (D(m)), then the key storage K'(m) (derivation time D'(m)) for the new set system Transform(Φ) is • K'(m) = 2K(m) + m, • D'(m) = max(D(m), m).

  41. A Construction which Satisfies the Path Property. Start with the basic set system (figure); applying the transformation two times yields the set system shown (figure).

  42. Scheme Parameters (1) • Start with the basic set system for 2 users. • Apply the transformation k times to get a set system for N = 2^(2^k) users. • Storage: 2^k = log N. • Computation time: log N. • Transmission overhead: 2r log log N.

  43. Another Basic Scheme with path-property

  44. Scheme Parameters (2). Start with the set system for d users: storage 3(log d − 1), computation time max(d, log d), transmission overhead 2r. Apply the transformation k times to get a set system for N = d^(2^k) users, with k a constant: storage 2^k · log N, computation time max(N^(1/2^k), log N), transmission overhead 2rk. Compare this with the k-complete tree and the Layered Subset Incremental Chain system.

  45. Thank You
