Chair for Network- and Data-Security Broadcast Encryption for Stateless Receivers (Naor, Naor & Lotspiech 2001) André Adelsbach Chair for Network- and Data-Security Horst Görtz Institute Bochum, Germany

Broadcast Encryption (BE) Broadcast Encryption (Fiat & Naor ’93) Goal: Center has broadcast channel to large set of devices, … … but only a sub-set of allowed devices should have access m m m encrypt m, such that only allowed devices have access (keys to decrypt) 03/11/2004 Broadcast Encryption for Stateless Receivers

Broadcast Encryption Schemes Subset-Cover Framework (Naor, Naor, Lotspiech) Set of all devices: N={D1, …, Dn} Collection of Subsets: S = {S1, …, Sk} each Sj associated with long-lived key Lj each device d in Sj can compute Lj from its device keys Kd Sending to allowed set P = N \ R Sender finds cover {Si1, …, Sil} with P =  Sij encrypt session key K with Li1, …, Lil broadcast [i1, …, ij], [E(Li1 , K), …, E(Lil , K)], E(K, msg) Schemes differ in definition of collection of subsets S (matrix-based, tree-based, ….) computation of Lj TRADEOFFS !!!! 03/11/2004 Broadcast Encryption for Stateless Receivers

Complete Subtree Method Devices are leaves of a complete binary tree Collection of Subsets: S := {all complete subtrees} k D1 D2 Dn … D4………………………………………………… k0 k00 k001 k0011 03/11/2004 Broadcast Encryption for Stateless Receivers

Complete Subtree Method (II) Di gets keys of sub-trees of which it is a leaf: D4 := {k, k0, k00, k001, k0011} In other words: Di gets keys associated with nodes on path from root to Di k D1 D2 Dn … D4………………………………………………… k0 k00 k001 k0011 03/11/2004 Broadcast Encryption for Stateless Receivers

Complete Subtree Method (III) Revoking a set of receivers R: Find a minimal cover of non-revoked devices ! Algorithm: Trees hanging off Steiner Tree of R Example: R = {D1, D2, D4}  encrypt with k1, k01, k0010 D1 D2 Dn … D4………………………………………………… k1 ST{D1, D2, D4} k01 k0010 03/11/2004 Broadcast Encryption for Stateless Receivers

Performance of Complete-Subset Result: any N\R can be covered with r log(n/r) subsets Log(n) device keys for each device Only one decryption at receiver 03/11/2004 Broadcast Encryption for Stateless Receivers

Subset-Difference Method Idea: Increase number of subsets significantly to O(N2)  gain in freedom in covering non-revoked devices… S := {Sij | vi is an ancestor of vj} D1 D2 Dn …D4……………………………….… vi vj Sij := {Descendants of vi} \ {Descendants of vj} vi vj Result: any N\R can be covered with at most 2r -1 subsets and only 1.25r subsets on average! 03/11/2004 Broadcast Encryption for Stateless Receivers

Subset-Difference Method (II) Problem: Naïve key management for O(n2) subsets requires storage of O(n) keys! Solution: Clever computational key-assignment, s.t. each device stores less keys, but can compute his Lij Let G be a pseudo-random bit-string generator: G: {0,1}k  {0,1}3k , G(L) = GL(L)|GM(L)|GR(L) Top-Down labeling: Left Child: GL(L) Right Child: GR(L) L GL(L) GR(L) 03/11/2004 Broadcast Encryption for Stateless Receivers

Subset-Difference Method (III) Consider sub-trees Ti rooted at vi For each sub-tree Ti a leaf D should be able to compute Lij  vj is not an ancestor of u LABELij = GL(GR(Li)) Lij := GM(LABELij) Li Tree Ti vi GL(Li) GR(Li) GR(GL(Li)) GL(GR(Li)) GL(GL(Li)) GR(GR(Li)) vj u ………………………..…………………………. 03/11/2004 Broadcast Encryption for Stateless Receivers

Performance & Comparison Result (Subset Difference): any N\R can be covered with 2r-1 subsets ½ log2(n) device keys for each device Only one decryption at receiver Comparison: Method Length of Header # of Keys per Receiver Comp. Complexity # of Dec. Compl. Subtree r log(N/r) log N O(log log N) 1 Subset Diff. 2r -1 ½ log2 N O(log N) 03/11/2004 Broadcast Encryption for Stateless Receivers