Dong Hoon Lee CIST Korea University Efficient Communication-Storage Tradeoffs for Broadcast Encryption Schemes ( will be published.

Presentation transcript:

Dong Hoon Lee CIST Korea University Efficient Communication-Storage Tradeoffs for Broadcast Encryption Schemes ( will be published in Eurocrypt’05 )

2 Contents
- Broadcast Encryption: Concept / Applications; Related Works
- Our Construction (Trans. Efficient): Basic scheme; Extension 1, Extension 2, Extension 3; Efficiency & Security
- Conclusion

3 Broadcast Encryption : Concept [Figure labels: Data Supplier, Subscribers, Contents, E_sk(s), E_s(m), Key management, Cipher Block, Broadcast Encryption Message, Broadcast Contents] s : session key, m : contents

4 BE : Basic Security = Revocation [Figure labels: Adversarial Coalition Group, DATA, Revoked Members]

5 BE : Applications
- Satellite-based Business
- Group Communication (multicast)
- Digital Rights Management
- xCP (Extensible Content Protection), IBM: home network content protection (MP3 players, DVD players, cellular phones, PDAs, TV)
- AACS (Advanced Access Content System) group: IBM, Intel, Microsoft, Panasonic, Sony, Toshiba, Disney, Warner Bros. Studios; copy protection scheme : pirated DVDs

6 BE : Related Works
- Combinatorial Approaches: Combinatorial design
- Algebraic Approaches: Secret Sharing Method
- Tree-based structure:
  LKH (Logical Key Hierarchy)
  SD (Subset Difference): Naor, Naor, Lotspiech, Crypto '01; IBM xCP, AACS
  LSD (Layered SD): Halevy and Shamir, Crypto '02
  SSD (Stratified SD): Goodrich et al., Crypto '04

7 BE : Measures
- Transmission Length
- Storage for keys at user device
- Computation overhead
One-to-many communication: TL is the most important factor
GOAL : Transmission-efficient scheme with Storage and Computation overhead within reasonable bounds

8 BE : Basic Approaches
- Unicast: Transmission, User storage [Figure: GC (Group Center) and users U_1 … U_8]
- Single-Message: Transmission, User storage [Figure: GC and users U_1 … U_8]. One key for all cases of revocation : {1},{12}, …,{145}, …,{124578}, …

9 Broadcast Encryption – Tree-based: LKH, SD. Key storage per user : log-key restriction. # of transmitted messages : 2r (r : # of revoked users)

10 Challenging Problem The number of trans. messages The number of revoked users > ?

11 Our Scheme : One-way chain. Pseudo-random number sequence from F : {0,1}^κ → {0,1}^{mκ}. [Figure: nodes with chain-values Sd_i, F(Sd_i), F^2(Sd_i), …, F^{j-i}(Sd_i)]

12 Our Scheme : User Structure. Circular structure; linear structure. [Figure: users with chain-values Sd_i, F(Sd_i), F^2(Sd_i), …, F^{j-i}(Sd_i)]

13 Our Scheme : Basic Scheme. Key assignment: n keys per user, n different labels. [Figure: ring of users u_1 … u_12; chains drawn from u_5, u_6, u_7, u_8 with values s_8, s_7, F^1(s_7), s_6, F(s_6), F^2(s_6), s_5, F(s_5), F^3(s_5), …; label: Key set]

14 Our Scheme : Basic Scheme. Revocation method: r (=2) revoked users, r (=2) trans. messages, r (=2) subsets. [Figure: ring of users u_1 … u_12; chain s_1, F(s_1), F^2(s_1), F^3(s_1) with SK_1 = F^3(s_1); chain s_6, F(s_6), F^2(s_6), F^3(s_6), F^4(s_6), F^5(s_6) with SK_2 = F^5(s_6)]

15 Our Scheme : Basic Scheme. Key computation: SK = F^10(s_1). Maximum n computations of F per user. [Figure: ring of users u_1 … u_12 with chain s_1, F(s_1), F^2(s_1), …, F^10(s_1)]
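The basic scheme of slides 13 to 15 as a runnable sketch. This is an added example, not code from the slides or the paper; SHA-256 standing in for F, the constructed demo seeds and all function names are assumptions.

```python
import hashlib

N = 12  # ring size of the slides' 12-user example

def F(x: bytes) -> bytes:
    # Assumption: SHA-256 stands in for the slides' one-way function F.
    return hashlib.sha256(x).digest()

def chain(value: bytes, steps: int) -> bytes:
    for _ in range(steps):
        value = F(value)
    return value

def make_seeds(n: int = N) -> dict:
    # Constructed demo labels s_1..s_n; a real group center draws them at random.
    return {i: hashlib.sha256(b"demo-seed-%d" % i).digest() for i in range(1, n + 1)}

def user_keys(seeds: dict, k: int) -> dict:
    # u_k stores F^{(k-i) mod n}(s_i) for every chain i: n keys per user.
    n = len(seeds)
    return {i: chain(s, (k - i) % n) for i, s in seeds.items()}

def cover(revoked: set, n: int = N) -> list:
    # One (start, d) interval per run of privileged users between revoked ones;
    # its session key is F^d(s_start). Assumes at least one revoked user.
    out = []
    for r in sorted(revoked):
        i = r % n + 1                    # ring successor of the revoked user
        if i in revoked:
            continue
        j, d = i, 0
        while j % n + 1 not in revoked:  # extend until the next revoked user
            j, d = j % n + 1, d + 1
        out.append((i, d))
    return out

def center_keys(seeds: dict, revoked: set) -> dict:
    return {i: chain(seeds[i], d) for i, d in cover(revoked, len(seeds))}

def derive(keys_k: dict, k: int, revoked: set):
    # A user at offset (k-i) mod n <= d walks its stored value forward to
    # F^d(s_i); every other user only holds values further along the chain.
    n = len(keys_k)
    for i, d in cover(revoked, n):
        off = (k - i) % n
        if off <= d:
            return i, chain(keys_k[i], d - off)
    return None
```

With u_5 and u_12 revoked, `cover` yields the two interval keys F^5(s_6) and F^3(s_1) from slide 14, and the value u_5 holds on chain 1 is F applied to SK_1, one step past the key.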

16 Our Scheme : Extension 1 Covering several subsets by one key !! Further reduction of Trans. length in basic scheme user subset SO ↑ TL ↓

17 Our Scheme : Extension 1 (OWC([n,2])). Revocation method (jumping one-way chain): r (=2) revoked users, r/2 (=1) trans. messages, r/2 (=1) subsets. SK_1 = F^10(s_{12,5}). [Figure: ring of users u_1 … u_12 with chain s_{12,5}, F^1(s_{12,5}), F^2(s_{12,5}), …, F^10(s_{12,5})]

18 Our Scheme : Extension 1 (OWC([n,3])). Revocation method (jumping one-way chain): r (=3) revoked users, r/3 (=1) trans. messages, r/3 (=1) subsets. SK_1 = F^10(s_{12,5,8}). [Figure: ring with u_5, u_8, u_12 marked and chain s_{12,5,8}, F^1(s_{12,5,8}), F^2(s_{12,5,8}), …, F^10(s_{12,5,8})]

19 Our Scheme : Extension 1. Key assignment: choice of different labels for k revoked users. Keys per user: binomial coefficients (n choose k), (n choose 2). SO : O(n^k). [Figure: ring of users u_1 … u_12]

20 Our Scheme : Extension 1. Key computation: SK = F^10(s_w). Maximum n computations of F per user. [Figure: ring of users u_1 … u_12 with chain s_w, F(s_w), F^2(s_w), …, F^10(s_w)]

21 Our Scheme : Extension 2. Trade-off between SO and TL. [Plot: Trans. Length against Keys Storage. Points (Trans. Length, Keys Storage): Basic (r, n); Extension 1 (r/k, O(n^k)); …; Power-set BE (0, 2^{n-1})] (k is a natural number)

22 Our Scheme : Extension 2 Constructing hierarchical chain so that several keys of a user cover one subset !! Reduction in keys storage per user in Basic Scheme user subset SO ↓ TO ↑

23 Our Scheme : Extension 2 (OWC(p,[w,k])) Revocation method (hierarchical chain : 2-dim Ring)

24 Our Scheme : Extension 2. Revocation method (structurally equivalent with SD). [Figure: complete binary tree; complete binary ring]

25 Our Scheme : Extension 2. Trade-off between SO and TL. [Plot: Trans. Length against Keys Storage. Points (Trans. Length, Keys Storage): Basic (r, n); Extension 2 (rw/(w-1), g(n)); …; SD (2r, (log^2 n + log n)/2 + 1)]
- k is a natural number
- g(n) = (w-1) log n + (w-1) (log^2 n + log n)/2 + 1 (w-ary ring)

26 Our Scheme : Extension 3 Combination of two extension methods : Layered 2-dimensional Ring Toward Practical Scheme Reduce ( User keys storage + Trans. Length )

27 Our Scheme : Extension 3. User structure : layered 2-dimensional ring. [Figure: users U_1.1 … U_1.9 and U_2.1 … U_2.9]

28 Our Scheme : Extension 3. Revocation method: r (=3) revoked users, r/2+1 (=2) trans. messages, r/2+1 (=2) subsets. [Figure: users u_1.1 … u_1.9 and u_2.1 … u_2.9]

29 Our Scheme : Extension 3. Key assignment: n keys for 1 revoked user; keys for 2 revoked users: m=n/2 2 ( ). [Figure: users u_1.1 … u_1.9 and u_2.1 … u_2.9]

30 Our Scheme : Extension 3. Key computation: maximum m=n/2 computations of F and 1 computation of G per user. [Figure: users u_1.1 … u_1.9 and u_2.1 … u_2.9]

31 Our Scheme : Extension 3. For a large number of users : partition...

32 Our Scheme : Extension 3 3 instances OWC(2,[50,2]) OWC(4,[50,2]) OWC((2:2),[50,2])

33 Our Construction : Security. Standard hybrid argument.
- Pseudo-random number sequence from F : {0,1}^κ → {0,1}^{mκ}: chain-values Sd_i, F(Sd_i), F^2(Sd_i), …, F^{j-i}(Sd_i) at the nodes
- Truly random number sequence: R_{i+1}, R_{i+2}, R_{i+3}, …, R_j, with R_j ←_R {0,1}^{mκ}
- Computational indistinguishability

34 Our schemes : Efficiency. [Table for n = 10^6 users, r = 50,000 (5%); columns: m, Keys Storage (Kbyte), Trans. Length (Kbyte), # of Comp.; rows: SD (Naor et al.) (2r), OWC(2,[w,2]) (0.7r), OWC(4,[w,2]) (0.7r), OWC((2:2),[w,2]) (0.7r); the only surviving cell value is 3.2, beside the SD row]

35 Comparison : Transmission Length. [Plot: transmission length (Kbyte) against # of revoked users (tick labels 2 %, 5 %), n = 10^6 users; curves: SD, OWC(2,[50,2]), OWC(4,[50,2]), OWC((2:2),[50,2]) (w=50)]

36 Further Research Further reduction in user storage Reduction for initial transmission length Other structure for Trade-off : Transmission length & User keys storage

37 Q & A Thank you