On The Algebraic Structure of Combinatorial Broadcast Encryption Schemes and Applications Serdar Pehlivanoglu (pay-live-a-no-glue) Joint work with Aggelos Kiayias

Digital Content Distribution
What is digital content distribution?
–It is multi-recipient transmission.
Access Control
–Multi-recipient encryption.
Figure: a Transmission Center sends over an Insecure Channel to the recipient population U_1, U_2, U_3, …, U_n.

Multi-Recipient Encryption
Figure: a Licensing Agency hands out Keys to several Distributors; each Distributor (a Transmission Center) serves its own recipient population U_1, U_2, U_3, …, U_n over an Insecure Channel.

Applications
Encryption for DVDs and other media content distribution systems.
–Regular DVDs and Blu-Ray disks.
Filesystem access permissions.
Etc.
September 2008

Challenges
Minimizing
–Transmission overhead.
–Key storage for receivers.
–Key derivation time for receivers.

Example: Linear Trace&Revoke Scheme
Transmission overhead = n
Key storage = 1
Key derivation = 1
Figure: the Licensing Agency gives each user U_i its own secret key s_i (i = 1, …, n); the Content Distributor broadcasts E_{s_1}(k), E_{s_2}(k), E_{s_3}(k), …, E_{s_n}(k) followed by E_k(m).

Subset Cover Framework (SCF)
Subset Cover Framework [NNL01]
–General combinatorial framework. Can describe many schemes.
–Tracing and revoking an unlimited number of users.
–Seamless integration of tracing and revoking.
N is the set of all recipients, R is the set of excluded recipients.
Define a set system Φ = {S_1, S_2, …, S_w} ⊆ 2^N.
Revocation property (fully exclusive):
–Any subset S of N can be partitioned into disjoint subsets from Φ.

Encryption in SCF
Each subset S_i ∈ Φ is associated with a long-lived key L_i.
Key assignment:
–Any user u has access to L_i through its private information if and only if u ∈ S_i.
Revocation algorithm:
–Given R, find a partition of N\R, i.e. N\R = ∪_{i=1}^m S_i, with associated keys L_1, L_2, …, L_m.
The ciphertext consists of a Header (the session key K encrypted under each of L_1, …, L_m) and a Body F_K(M).

A series of works
Subset Cover Scheme             | Transmission | Computation | Key Storage
CS                              | r log(N/r)   | 1           | log N
SD                              | 2r − 1       | log N       | log² N
Basic LSD                       | 4r − 1       | log N       | log^{3/2} N
SSD                             | 4kr          | N^{1/k}     | 2k log N
Basic Key Chain Tree            | 2r           | N           | 2 log N
Subset Incremental Chain (SIC)  | 2kr          | N^{1/k}     | 2 log N
One-Way Chain                   | r/k N − r    | Nk          | Nk
w-Complete Tree SIC             | 2rk          | N^{1/k}     | k((log N)/2 + 1)
Venues: crypto 2001, crypto 2002, crypto 2004, Eurocrypt 2005, ISC 2004, Asiacrypt 2005, Financial Crypto 2006.

Our Focus
Study the algebraic structure of SCF
–Based on the observation: the underlying set system constitutes a partially ordered set (the Key Poset).
Generic revocation and tracing algorithms.
What are sufficient conditions for optimal revocation and tracing?
How to design new schemes tailored to specific scenarios, or improve aspects of existing ones?
A poset is a set P with a relation ≤ that is reflexive, antisymmetric, and transitive.

The Key Poset
Given any SCF instance we define the Key Poset:
–Nodes ↔ Subsets ↔ Keys
–Leaves ↔ Users
–Edges represent the subset relation.
The set system is represented by the nodes in the Hasse diagram of the Key Poset.
Revocation: finding the nodes that cover the enabled set of leaves.
Tracing: finding the nodes that cover the nodes not used by the pirate decoder.
Key assignment: all keys of the nodes above a leaf are known to (or derived by) that leaf.
In this example (the Hasse diagram over users U_1, U_2, U_3, U_4):
–Transmission overhead = 1
–Key storage = 2^{n−1}
–Key derivation = 1

Subset Difference Method [NNL01]
Figure: nodes v_i and v_j in the user tree, with v_j below v_i.
S_{i,j} = set of all leaves in the subtree of v_i but not in the subtree of v_j.

The Key Poset of NNL

A basic Question
What makes a key poset good?
Is it possible to describe “good” in algebraic terms?
Observe: to revoke we need to efficiently solve some instance of set cover.

Short Primer on Partial Orders
A nonempty subset I of a poset (P, ≤) is called an ideal if I is lower and directed.
–A nonempty subset A of a poset (P, ≤) is called a directed set if for any two elements a, b ∈ A there exists c ∈ A such that a ≤ c and b ≤ c.
–It is called a lower set if for every x ∈ A, y ≤ x implies that y ∈ A.

An ideal in the SD key poset

Our Objective
We need to solve a set cover efficiently.
Basic observation: if the set system is an ideal we can do this efficiently.
–IdealCover(u): starting from u, grow up until you hit the top.
Basic operation: “grow”.

Short Primer on Partial Orders (continued)
An atom in a poset P is an element that is minimal among all elements.
The dual notion of an ideal, the one obtained in the reverse partial order, is called a filter. F(x) denotes the filter generated by x, i.e. all elements above x.
–We call F(x) an atomic filter if x is an atom.
–We denote by P_x the complement of F(x) in (P, ≤).

Filter

The Complement of a Filter

In general: the complement of a filter is a lower set (not necessarily an ideal).

Lower Maximal Partitions
Given a nonempty subset A of a poset (P, ≤) that is a lower set, we say that M_1, …, M_k is a lower-maximal partition of A if
1. M_i is a lower set for i = 1, …, k.
2. The atoms of M_i and M_j are different provided that i ≠ j.
3. M_i is maximal with respect to A, i.e. if a ∈ M_i and b ∈ A with a ≤ b, then b ∈ M_i.
4. k is the largest integer such that all the above hold.
The order of a lower set A is defined as the size of its lower-maximal partition. We denote the order by ord(A).
Proposition. Any lower set A of a poset (P, ≤) has a unique lower-maximal partition.

“Separable” Families
We say a set system Φ is separable if in the lower-maximal partition of Φ it holds that M_i is an ideal of Φ for i = 1, …, k.

Set Covering Separable Families
Given a separable family we can easily solve set cover:
–Pick a user and “grow” along a chain till you hit the top.
–Repeat with a user outside the ideals selected.
[needs “grow” + “select outside subset” as basic operations]
Complexity: sum of the chain lengths in each ideal [poly-logarithmic length].

Factorizable Families
A fully-exclusive set system Φ is called factorizable if it is an ideal and for any ideal I ⊆ Φ and any atom u, it holds that I ∩ P_u is separable.
–Hint: being factorizable implies good behavior w.r.t. revocation.

Basic Theorem
Definition. Φ' = Revoke(Φ, R) is the family P_{u_1} ∩ … ∩ P_{u_r} where R = {u_1, …, u_r}.
Theorem. If Φ is factorizable, then Φ' = Revoke(Φ, R) is separable.

Revocation Algorithm
The theorem implies the revocation algorithm Cover(N, R): given Φ and R,
–Determine Φ' = Revoke(Φ, R).
–Set cover Φ'.

Transmission Overhead
Given a factorizable set system Φ, Cover(N, R) outputs an optimal solution and the communication overhead is ord(∩_{i=1}^r P_{u_i}) where R = {u_1, …, u_r}.
Given a factorizable set system Φ:
–If for any ideal I and atom u it holds that ord(I ∩ P_u) ≤ log|I|, then the communication overhead for revoking r users is O(r log N).
–If, on the other hand, ord(I ∩ P_u) ≤ c, then the communication overhead for revoking r users is at most r(c − 1).

Alternative Characterization
Theorem: A set system is factorizable iff the following holds:
(*) S_1 ∪ S_2 is in the collection whenever S_1 ∩ S_2 ≠ ∅.
Proof.
(⇐) Suppose that the set system is not factorizable due to an ideal I and an atom u, although (*) holds. Consider the lower-maximal partition of I ∩ P_u and suppose that M_i is not an ideal; then it has more than one maximal element. Since k = ord(I ∩ P_u) is maximal, these maximal elements are intersecting. Then (*) implies that their union is in the set system and hence also in I ∩ P_u, a contradiction.
(⇒) Suppose that the set system is factorizable but S = S_1 ∪ S_2 is not in the collection. Consider the minimal ideal I in the set system that contains S (this exists due to the factorizable property). There exists an atom u in I that is not in S. Since I ∩ P_u is separable, there exists an ideal in its lower-maximal partition that contains both S_1 and S_2, which contradicts the minimality of I.

Alternative Characterization
Theorem: The set systems corresponding to the
–Complete Subtree [NNL01],
–Subset Difference [NNL01],
–Layered Subset Difference [HaSh02],
–Stratified Subset Difference [GoSuTa04],
–Subset Incremental Chain [AtIm05],
–Key-Chain Tree [WNR04],
–Complete Key-Chain Tree [HwLeLi05]
are all factorizable.
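The characterization (*) can be checked mechanically on a concrete set system. The following is an added Python example, not the authors' code: it builds the Complete Subtree and Subset Difference set systems over a constructed user tree with leaves 1..n, searches for a pair of intersecting subsets whose union is missing, and contrasts them with a small constructed family that fails the test.

```python
def dyadic_intervals(n):
    """Constructed example: the subtrees of a complete binary tree with
    leaves 1..n (n a power of two), each as the set of leaves below it."""
    sets, width = set(), 1
    while width <= n:
        sets.update(frozenset(range(s, s + width)) for s in range(1, n + 1, width))
        width *= 2
    return sets

def complete_subtree_system(n):
    """Complete Subtree [NNL01]: one subset per node of the user tree."""
    return dyadic_intervals(n)

def subset_difference_system(n):
    """Subset Difference [NNL01]: S_{i,j} = leaves under v_i but not under
    v_j, for v_j strictly below v_i, plus N itself."""
    trees = dyadic_intervals(n)
    sd = {ti - tj for ti in trees for tj in trees if tj < ti}
    sd.add(frozenset(range(1, n + 1)))
    return sd

def star_violation(system):
    """Search for S1, S2 in the system with S1 ∩ S2 ≠ ∅ but S1 ∪ S2 not in
    the system; by the characterization theorem such a pair exists exactly
    when the (fully exclusive) set system is not factorizable."""
    sets = sorted(system, key=lambda s: (len(s), sorted(s)))
    for i, s1 in enumerate(sets):
        for s2 in sets[i + 1:]:
            if s1 & s2 and (s1 | s2) not in system:
                return s1, s2
    return None

def is_factorizable(system):
    return star_violation(system) is None

# Constructed non-factorizable family: {1,2} and {2,3} overlap but their
# union {1,2,3} is missing, so the lower-maximal partition of an ideal
# minus an atom can contain a block with two maximal elements.
NON_FACTORIZABLE = {frozenset(s) for s in ({1, 2}, {2, 3}, {1}, {2}, {3})}
```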

Extending the Results to Tracing
We can extend our results to the tracing problem.
The pirate decoder uses some keys, i.e. subsets.
Tracing is equivalent to revoking in a modified set system that ‘chops’ the subsets that are used by the pirate decoder.
–Suppose that S is used by the pirate decoder; then Φ' = Φ \ F(S).
–The cover is Revoke(Φ', {}).
–Φ' does not have to be separable.
Improvement on the communication overhead compared to the only known tracing algorithm.
–Linear in the number of traitors.
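The revocation algorithm Cover(N, R) of the preceding slides and the tracing variant above, as one added Python example (not the authors' code) over the Complete Subtree key poset with constructed users 1..n: Revoke(Φ, R) is the intersection of the complements P_u, the set cover grows a chain from a user's atom until it hits the top, and tracing covers all of N after F(S) has been chopped out.

```python
def complete_subtree_system(n):
    """Constructed example: the Complete Subtree set system over users 1..n
    (n a power of two); every subtree of the user tree is a dyadic interval."""
    sets, width = set(), 1
    while width <= n:
        sets.update(frozenset(range(s, s + width)) for s in range(1, n + 1, width))
        width *= 2
    return sets

def filter_of(system, x):
    """F(x): every subset of the key poset lying above x (containing it)."""
    return {s for s in system if x <= s}

def revoke(system, revoked):
    """Revoke(Phi, R) = P_{u_1} ∩ ... ∩ P_{u_r}: the subsets containing no
    revoked user, P_u being the complement of the atomic filter F({u})."""
    return {s for s in system if not (s & revoked)}

def grow(system, s):
    """One 'grow' step: the smallest subset of the system strictly above s
    (unique in a laminar family such as Complete Subtree); None at a top."""
    ups = [t for t in system if s < t]
    return min(ups, key=len) if ups else None

def ideal_cover(system, users):
    """Set cover of a separable family: start at a user's atom, grow along
    a chain until hitting the top of its ideal, then repeat with a user
    still outside the ideals selected."""
    cover, uncovered = [], set(users)
    while uncovered:
        node = frozenset({min(uncovered)})
        if node not in system:
            raise ValueError("user %d has no enabled subset" % min(uncovered))
        while True:
            nxt = grow(system, node)
            if nxt is None:
                break
            node = nxt
        cover.append(node)
        uncovered -= node
    return cover

def cover(n, revoked):
    """Cover(N, R): determine Phi' = Revoke(Phi, R), then set-cover N \\ R."""
    system = revoke(complete_subtree_system(n), frozenset(revoked))
    return ideal_cover(system, set(range(1, n + 1)) - set(revoked))

def tracing_cover(n, pirate_subset):
    """Tracing: the decoder holds the key of `pirate_subset`, so chop F(S)
    from Phi and cover all of N with what remains; no transmission subset
    then lies above S, so that key alone no longer decrypts."""
    system = complete_subtree_system(n)
    chopped = system - filter_of(system, frozenset(pirate_subset))
    return ideal_cover(chopped, range(1, n + 1))
```

For N = 8 and R = {3} the cover has r log(N/r) = 3 subsets, matching the CS row of the table of works.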

Our Key Derivation Method
Each user should be able to derive all the keys for subsets in F(u).
Approach:
–Split the key poset into a forest T of upward-looking trees.
–Keys in each tree of T are derivable from the root by one-way transformations.
–User u gets the keys of the roots of all trees in the forest T ∩ F(u).

A New Class of Broadcast Encryption Schemes: Applications
We demonstrate the power of working directly with the key poset.

X-Property
The root has as many children as the number of leaves:
–C_u ∈ Φ for any u ∈ N, where C_u = N\{u}.
There are two elements S_1, S_2 ∈ Φ so that
–F(S_1) and F(S_2) are disjoint and both are complete binary trees of height log|N| − 1, excluding the root.
–Any C_u is a leaf of one of the binary trees F(S_1) or F(S_2).

A Transformation that Preserves the X-property
Figure: a one-to-one mapping from the filters below to the trees above.

Some Facts on the Transformation
It squares the number of users.
Theorem. If the underlying set system is factorizable, then the resulting set system is also factorizable.
Let Φ be a factorizable set system defined over a set of size 2^m. If for any ideal I ⊆ Φ and atom u it holds that ord(I ∩ P_u) ≤ c(m), then
–ord(I' ∩ P_u) ≤ c(m) + 2 for any ideal I' ⊆ Transform(Φ) and any atom u in the set of size 2^{2m}.

Transmission overhead
Let Φ' be constructed after k transformations of a set system Φ defined over a set of size d with transmission overhead c(d)·r to disable a set of r users.
–If d is a constant, then the transmission overhead of Φ' is O(r log log N).
–If k is a constant, then the transmission overhead of Φ' is O(r·c(d)).

Key-Derivation Procedures
Path property:
–There exist two elements S_1, S_2 ∈ Φ so that F(S_1) and F(S_2) are disjoint and both filters are complete binary trees of height log|N| − 1, excluding the root.
–For any u, P_u intersects the binary trees F(S_1) or F(S_2) in a single path of length log|N| − 1.
The path property implies the X-property.
The transformation preserves the path property.

Key Assignment & Derivation for the path property
Figure: the tree F(S_1) labelled with S at the root, G_L(S) and G_R(S) at its children, then G_L(G_L(S)), G_R(G_L(S)), G_L(G_R(S)), G_R(G_R(S)), down to G_R(G_R(G_R(S))) and the leaves C_u (likewise for F(S_2)); the nodes where P_u intersects the binary trees are marked in red.
LABEL = S at the root.
User u is given G_L(S), G_R(G_R(S)), G_R(G_L(G_R(S))), … (the labels hanging off its path) and will be able to derive any key of the hanging-off nodes by at most log N function evaluations.
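The labelling on the slide above, as an added Python example (not the authors' code): G_L and G_R are instantiated with HMAC-SHA256 under the parent label (an assumption), a user's own path through the tree is a string over {L, R}, and the user receives exactly the sibling labels hanging off that path, from which every node off the path is derived and no node on it.

```python
import hmac
import hashlib

def G(label, side):
    """One-way transformations G_L / G_R: HMAC-SHA256 keyed with the parent
    label and domain-separated by the branch direction (assumed instantiation)."""
    return hmac.new(label, b"left" if side == "L" else b"right", hashlib.sha256).digest()

def label_of(root_label, path):
    """Walk down from a node with label `root_label` applying G_L / G_R along
    `path` (a string over {'L','R'}); the empty path returns the node itself."""
    lab = root_label
    for side in path:
        lab = G(lab, side)
    return lab

def user_material(root_label, user_path):
    """Key assignment under the path property: user u, whose path from the
    tree root S to its leaf is `user_path`, receives the label of the sibling
    of every node on that path, i.e. one label per level (log N labels)."""
    material = {}
    for depth, side in enumerate(user_path):
        sibling = user_path[:depth] + ("R" if side == "L" else "L")
        material[sibling] = label_of(root_label, sibling)
    return material

def derive(material, target_path):
    """Derive the label of `target_path` from the held material with at most
    (tree height) evaluations of G; None when no held label is an ancestor,
    which happens exactly for the nodes on the user's own path (P_u)."""
    for held_path, held_label in material.items():
        if target_path.startswith(held_path):
            return label_of(held_label, target_path[len(held_path):])
    return None

# Constructed root secret S and the user path R, L, L of the slide: the user
# is handed G_L(S), G_R(G_R(S)) and G_R(G_L(G_R(S))).
ROOT_SECRET = b"constructed-root-label-S"
USER_PATH = "RLL"
```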

Key Storage & Derivation for the Transformation
Let Φ be a factorizable set system defined over a set of size 2^m. If the key storage (derivation) for the set system Φ is K(m) (D(m)), then K'(m) (D'(m)) for the new set system Transform(Φ) would be
–K'(m) = 2K(m) + m.
–D'(m) = max(D(m), m).

A Construction
Start with: (figure) which satisfies the path property.
Applying the transformation two times yields: (figure)

Scheme Parameters (1)
Start with the basic set system for 2 users.
Apply the transformation k times to get a set system for N = 2^{2^k} users.
–Storage: 2^k = log N
–Computation time: log N
–Transmission overhead: 2r log log N

Another Basic Scheme with the path property

Scheme Parameters (2)
Start with the set system for d users:
–Storage: 3(log d − 1)
–Computation time: max(d, log d)
–Transmission overhead: 2r
Apply the transformation k times to get a set system for N = d^{2^k} users, say for constant k:
–Storage: 2k·log N
–Computation time: max(N^{1/2^k}, log N)
–Transmission overhead: 2rk
Compare this with the k-complete tree and the Layered Subset Incremental Chain System.

Thank You