
1 On The Algebraic Structure of Combinatorial Broadcast Encryption Schemes and Applications Serdar Pehlivanoglu (pay-live-a-no-glue) Joint work with Aggelos Kiayias aggelos@cse.uconn.edu

2 Digital Content Distribution What is digital content distribution? –It is multi-recipient transmission. Access Control –Multi-recipient encryption. [Figure: a Transmission Center broadcasting over an Insecure Channel to the recipient population U_1, U_2, U_3, …, U_n]

3 Multi-Recipient Encryption [Figure: a Licensing Agency issues Keys to several Distributors; each Distributor's Transmission Center broadcasts over an Insecure Channel to its own recipient population U_1, U_2, U_3, …, U_n]

4 Applications Encryption for DVDs and other media content distribution systems. –Regular DVDs and Blu-Ray disks. Filesystem access permissions. Etc. September 2008

5 Challenges Minimizing –Transmission overhead –Key storage for receivers. –Key derivation time for receivers.

6 Example: Linear Trace&Revoke Scheme Transmission overhead = n, Key storage = 1, Key Derivation = 1. [Figure: the Licensing Agency gives each user U_1, U_2, U_3, …, U_n its own secret key s_1, s_2, s_3, …, s_n; the Content Distributor transmits E_{s_1}(k), E_{s_2}(k), E_{s_3}(k), …, E_{s_n}(k) followed by E_k(m)]

7 Subset Cover Framework (SCF) Subset Cover Framework [NNL01] –General combinatorial framework; can describe many schemes. –Tracing and revoking an unlimited number of users. –Seamless integration of tracing and revoking. N is the set of all recipients, R is the set of excluded recipients. Define a set system Φ = {S_1, S_2, …, S_w} ⊆ 2^N. Revocation property (fully exclusive): –Any subset S ⊆ N can be partitioned into disjoint subsets from Φ.

8 Each subset S_i ∈ Φ is associated with a long-lived key L_i. Key Assignment: –Any user u has access to L_i through its private information if and only if u ∈ S_i. Revocation algorithm: –Given R, find a partition of N\R, i.e. N \ R = ∪_{i=1}^{m} S_i, with associated keys L_1, L_2, …, L_m. Encryption in SCF: the ciphertext is a header (the session key K encrypted under each of L_1, …, L_m) followed by a body F_K(M).
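As an added example (not from the slides or the NNL paper), the following Python shows the SCF encryption of slide 8 end to end: key assignment, a header that wraps the session key K under the long-lived key of every subset in the cover, a body F_K(M), and the receiver side, where a revoked user finds no header entry it can open. The Complete Subtree instance over 8 users, the cover of N \ {0}, the seed-derived long-lived keys, and the XOR keystream cipher standing in for a real AEAD are all constructed here; toy_cipher, assign_keys, scf_encrypt, scf_decrypt and demo are my names.

```python
import hashlib
import hmac
import os

def toy_cipher(key, data, label):
    """Stand-in for a real AEAD (constructed for this example only): XOR with a
    keystream derived by HMAC-SHA256 from the key and a per-message label."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hmac.new(key, label + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def assign_keys(phi, long_lived, user):
    """Key assignment: user u holds L_i exactly when u is in S_i."""
    return {S: long_lived[S] for S in phi if user in S}

def scf_encrypt(cover, long_lived, message, rng=os.urandom):
    """Header: the session key K wrapped under L_i for every S_i in the cover
    (the subset itself serves as its index here); body: F_K(M)."""
    K, nonce = rng(32), rng(16)
    header = [(S, toy_cipher(long_lived[S], K, b"hdr" + nonce)) for S in cover]
    body = toy_cipher(K, message, b"body" + nonce)
    return nonce, header, body

def scf_decrypt(user, user_keys, ciphertext):
    """A receiver looks for a header entry whose subset contains it and whose
    long-lived key it holds; a revoked user finds none and recovers nothing."""
    nonce, header, body = ciphertext
    for S, wrapped in header:
        if user in S and S in user_keys:
            K = toy_cipher(user_keys[S], wrapped, b"hdr" + nonce)
            return toy_cipher(K, body, b"body" + nonce)
    return None

# Constructed instance: the Complete Subtree set system over users 0..7 (one
# subset per full subtree), long-lived keys drawn from a seed, and the cover
# of N \ {0} = {1} ∪ {2,3} ∪ {4,5,6,7}; the header therefore has 3 entries.
PHI = {frozenset(range(s, s + w)) for w in (1, 2, 4, 8) for s in range(0, 8, w)}
LONG_LIVED = {S: hashlib.sha256(b"L" + bytes(sorted(S))).digest() for S in PHI}
COVER = [frozenset({1}), frozenset({2, 3}), frozenset({4, 5, 6, 7})]

def demo(message=b"content key for this title"):
    """Encrypt once for the cover and let every user try to decrypt."""
    ct = scf_encrypt(COVER, LONG_LIVED, message)
    return {u: scf_decrypt(u, assign_keys(PHI, LONG_LIVED, u), ct) for u in range(8)}

if __name__ == "__main__":
    for user, plaintext in demo().items():
        print(user, "revoked" if plaintext is None else plaintext)
```

The number of header entries is the transmission overhead of the scheme for this revocation; the rest of the slides are about set systems for which that number stays small while the key storage per user stays manageable.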

9 A series of works

Subset Cover Scheme             | Transmission | Computation | Key Storage
CS                              | r log(N/r)   | 1           | log N
SD                              | 2r − 1       | log N       | log² N
Basic LSD                       | 4r − 1       | log N       | log^{3/2} N
SSD                             | 4kr          | N^{1/k}     | 2k log N
Basic Key Chain Tree            | 2r           | N           | 2 log N
Subset Incremental Chain (SIC)  | 2kr          | N^{1/k}     | 2 log N
One-Way Chain                   | r/k          | N − r       | N^k
(w-Complete Tree SIC)           | 2rk          | N^{1/k}     | k((log N)/2 + 1)

Venues cited on the slide: Crypto 2001, Crypto 2002, Crypto 2004, Eurocrypt 2005, ISC 2004, Asiacrypt 2005, Financial Crypto 2006.

10 Our Focus Study the algebraic structure of SCF –Based on the observation that the underlying set system constitutes a partially ordered set (the Key Poset). Generic revocation and tracing algorithms. What are sufficient conditions for optimal revocation and tracing? How to design new schemes tailored to specific scenarios, or improve aspects of existing ones? A poset is a set P with a relation ≤ that is reflexive, antisymmetric, and transitive.

11 The Key Poset Given any SCF instance we define the Key Poset: Nodes ↔ Subsets ↔ Keys; Leaves ↔ Users; Edges represent the subset relation. The Set System is represented by the nodes in the Hasse diagram of the Key Poset. Revocation: finding the nodes that cover the enabled set of leaves. Tracing: finding the nodes that cover the nodes not used by the pirate decoder. Key Assignment: all keys of the nodes above a leaf are known to (or derived by) that leaf. In this example (figure: Hasse diagram over users U_1, U_2, U_3, U_4): Transmission overhead = 1, Key storage = 2^{n−1}, Key Derivation = 1.

12 Subset Difference Method [NNL01] [Figure: nodes v_i and v_j with v_j in the subtree of v_i] S_{i,j} = set of all leaves in the subtree of v_i but not in the subtree of v_j.

13 The Key Poset of NNL

14 A basic Question What makes a key poset good? Is it possible to describe “good” in algebraic terms? Observe: to revoke we need to efficiently solve some instance of set cover.

15 Short Primer on Partial Orders A nonempty subset I of a poset (P, ≤) is called an ideal if I is lower and directed. –A nonempty subset A of a poset (P, ≤) is called a directed set if for any two elements a, b ∈ A there exists c ∈ A such that a ≤ c and b ≤ c. –It is called a lower set if for every x ∈ A, y ≤ x implies that y ∈ A.

16 An ideal in the SD key poset

17 Our Objective We need to solve set cover efficiently. Basic observation: if the set system is an ideal we can do this efficiently. –IdealCover(u): starting from u, grow upward until you hit the top. Basic operation: “grow”

18 Short Primer on Partial Orders (continued) An atom in a poset P is an element that is minimal among all elements. The dual notion of an ideal, the one obtained in the reverse partial order, is called a filter. –We call F(x) an atomic filter if x is an atom. –We denote by P_x the complement of F(x) in (P, ≤).

19 Filter

20 The Complement of a Filter

21 In general : The complement of a filter is a lower set. (not necessarily an ideal).

22 Lower Maximal Partitions Given a nonempty subset A of a poset (P, ≤) that is a lower set, we say {M_1, …, M_k} is a lower-maximal partition of A if 1. M_i is a lower set for i = 1, …, k. 2. The atoms of M_i and M_j are different provided that i ≠ j. 3. M_i is maximal with respect to A, i.e. if a ∈ M_i and ∃ b ∈ A s.t. a ≤ b, then b ∈ M_i. 4. k is the largest integer such that all of the above hold. The order of a lower set A is defined as the size of its lower-maximal partition. We denote the order by ord(A). Proposition. Any lower set A of a poset (P, ≤) has a unique lower-maximal partition.

23 “Separable” Families We say a set system Φ is separable if in the lower-maximal partition of Φ it holds that M_i is an ideal of Φ for i = 1, …, k.

24 Set Covering Separable Families Given a separable family we can easily solve set cover: –Pick a user and “grow” along a chain till you hit the top. –Repeat with a user outside the ideals selected so far. [needs “grow” + “select outside subset” as basic operations] Complexity: sum of the chain lengths in each ideal [poly-logarithmic length].

25 Factorizable Families A fully-exclusive set system Φ is called factorizable if it is an ideal and for any ideal I ⊆ Φ and any atom u, it holds that I ∩ P_u is separable. –Hint: being factorizable implies good behavior w.r.t. revocation.

26 Basic Theorem Definition. Φ' = Revoke(Φ, R) is the family P_{u_1} ∩ … ∩ P_{u_r} where R = {u_1, …, u_r}. Theorem. If Φ is factorizable, then it holds that Φ' = Revoke(Φ, R) is separable.

27 Revocation Algorithm The theorem implies the revocation algorithm Cover(N, R): Given Φ and R –Determine Φ' = Revoke(Φ, R) –Set Cover Φ'

28 Transmission Overhead Given a factorizable set system Φ, Cover(N, R) outputs an optimal solution and the communication overhead is ord(∩_{i=1}^{r} P_{u_i}) where R = {u_1, …, u_r}. Given a factorizable set system Φ: –If for any ideal I and atom u it holds that ord(I ∩ P_u) ≤ log|I|, then the communication overhead for revoking r users is O(r log N). –If, on the other hand, ord(I ∩ P_u) ≤ c, then the communication overhead for revoking r users is at most r(c − 1).

29 Alternative Characterization Theorem: A set system is factorizable iff the following holds: S_1 ∪ S_2 is in the collection whenever S_1 ∩ S_2 ≠ ∅ (*). Proof. (⇐) Suppose that the set system is not factorizable, due to an ideal I and an atom u, even though (*) holds. Consider the lower-maximal partition of I ∩ P_u and suppose that M_i is not an ideal; then it has more than one maximal element. Since k = ord(I ∩ P_u) is maximal, these maximal elements intersect. Then (*) implies that their union is in the set system and hence also in I ∩ P_u, a contradiction. (⇒) Suppose that the set system is factorizable but S = S_1 ∪ S_2 is not in the collection. Consider the minimal ideal I in the set system that contains S (this exists due to the factorizable property). There exists an atom u in I that is not in S. Since I ∩ P_u is separable, there exists an ideal in its lower-maximal partition that contains both S_1 and S_2, which contradicts the minimality of I.
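As an added example (my code, not the authors'), the Python below implements the poset machinery of slides 15 to 29 over the Complete Subtree set system, ordered by set inclusion: filters F(x), the complements P_u, principal ideals, the lower-maximal partition and ord(·), separability, Revoke(Φ, R), the grow-based Cover(N, R), and the factorizability test both by the definition of slide 25 and by the union characterization (*) of slide 29, checked against each other on a factorizable and on a constructed non-factorizable family. The function and constant names (complete_subtree_system, lower_maximal_partition, NON_FACTORIZABLE, and so on) are mine; the one simplification is that every ideal of a finite poset is principal, so the factorizability test ranges over principal ideals only.

```python
from itertools import combinations

def complete_subtree_system(n_leaves):
    """Complete Subtree (CS) set system [NNL01]: one subset per full subtree
    of a complete binary tree whose leaves are the users 0..n_leaves-1."""
    assert n_leaves > 0 and n_leaves & (n_leaves - 1) == 0, "power of two expected"
    phi, width = set(), 1
    while width <= n_leaves:
        for start in range(0, n_leaves, width):
            phi.add(frozenset(range(start, start + width)))
        width *= 2
    return phi

def ground_set(phi):
    return frozenset().union(*phi)

# --- poset primitives; the order is set inclusion ---------------------------

def filter_of(phi, x):
    """F(x): every element of phi at or above x."""
    return {S for S in phi if x <= S}

def P(phi, u):
    """P_u: complement of the atomic filter F({u}), i.e. the subsets avoiding u."""
    return phi - filter_of(phi, frozenset([u]))

def principal_ideal(phi, x):
    """The ideal generated by x: every element at or below x."""
    return {S for S in phi if S <= x}

def is_lower(A, phi):
    return all(T in A for S in A for T in phi if T <= S)

def is_directed(A):
    return all(any(a <= c and b <= c for c in A) for a in A for b in A)

def is_ideal(A, phi):
    return bool(A) and is_lower(A, phi) and is_directed(A)

def lower_maximal_partition(A):
    """Blocks that are lower, upward closed within A, with disjoint atoms, and
    as many as possible: exactly the comparability components of A."""
    remaining, blocks = set(A), []
    while remaining:
        seed = remaining.pop()
        block, frontier = {seed}, [seed]
        while frontier:
            x = frontier.pop()
            for y in list(remaining):
                if x <= y or y <= x:
                    remaining.remove(y)
                    block.add(y)
                    frontier.append(y)
        blocks.append(frozenset(block))
    return blocks

def ord_(A):
    return len(lower_maximal_partition(A))

def is_separable(A):
    """Separable: every block of the lower-maximal partition is an ideal."""
    return all(is_directed(M) for M in lower_maximal_partition(A))

def is_factorizable(phi):
    """Slide 25: phi is an ideal and I ∩ P_u is separable for every ideal I
    and atom u (every ideal of a finite poset is principal)."""
    if not is_ideal(phi, phi):
        return False
    return all(is_separable(principal_ideal(phi, S) & P(phi, u))
               for S in phi for u in ground_set(phi))

def has_union_property(phi):
    """Characterization (*): intersecting members have their union in phi."""
    return all((S | T) in phi for S, T in combinations(phi, 2) if S & T)

# --- revocation --------------------------------------------------------------

def revoke(phi, R):
    """Revoke(phi, R) = P_{u_1} ∩ ... ∩ P_{u_r}."""
    family = set(phi)
    for u in R:
        family &= P(phi, u)
    return family

def grow(family, x):
    """Basic 'grow' operation: climb from x along a chain until nothing in the
    family is larger.  In a separable family every chain ends at its block's
    unique maximal element, whichever larger element is chosen at each step."""
    while True:
        bigger = [T for T in family if x < T]
        if not bigger:
            return x
        x = min(bigger, key=len)

def cover(phi, R):
    """Cover(N, R): grow from a not-yet-covered user, repeat outside the
    subsets chosen so far; returns the disjoint cover of N \\ R."""
    family = revoke(phi, R)
    enabled = set(ground_set(phi)) - set(R)
    chosen = []
    while enabled:
        u = min(enabled)
        start = min((S for S in family if u in S), key=len)
        chosen.append(grow(family, start))
        enabled -= chosen[-1]
    return chosen

# Constructed family violating (*): {1,2} and {2,3} meet, but {1,2,3} is absent.
NON_FACTORIZABLE = {frozenset(s) for s in ([1], [2], [3], [4], [1, 2], [2, 3], [1, 2, 3, 4])}
```

With 8 users and R = {0}, Revoke(Φ, R) splits into the three components hanging off the path from the root to leaf 0, so ord(Φ') = 3 and Cover returns {1}, {2,3}, {4,5,6,7}: the r log(N/r) overhead of the CS scheme on slide 9. Adding a single intersecting pair whose union is missing, as in NON_FACTORIZABLE, breaks both the definition and (*) in the same way.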

30 Alternative Characterization Theorem: The set systems corresponding to the –Complete Subtree [NNL01], –Subset Difference [NNL01], –Layered Subset Difference [HaSh02], –Stratified Subset Difference [GoSuTa04], –Subset Incremental Chain [AtIm05], –Key-Chain Tree [WNR04], –Complete Key-Chain Tree [HwLeLi05] are all factorizable.

31 Extended Results to Tracing We can extend our results to the Tracing problem. A pirate decoder uses some keys, i.e. subsets. Tracing is equivalent to revoking in a modified set system that ‘chops’ the subsets that are used by the pirate decoder. –Suppose that S is used by the pirate decoder, then Φ' = Φ \ F(S). –The cover is Revoke(Φ', {}). –Φ' doesn't have to be separable. Improvement on the communication overhead compared to the only known tracing algorithm. –Linear in the number of traitors.

32 Our Key Derivation Method Each user should be able to derive all the keys for subsets in F(u). Approach: –Split the key poset into a forest T of upward-looking trees. –Keys in each tree of T are derivable from the root by one-way transformations. –User u gets the key of the root of every tree in the forest T ∩ F(u).

33 A new class of Broadcast Encryption Schemes Applications We demonstrate the power of working directly with the key poset.

34 X-Property The root has as many children as there are leaves: –C_u ∈ Φ for any u ∈ N, where C_u = N\{u}. There are two elements S_1, S_2 ∈ Φ so that –F(S_1) and F(S_2) are disjoint and both are complete binary trees of height log|N| − 1 excluding the root. –Any C_u is a leaf of one of the binary trees in F(S_1) or F(S_2).

35 A transformation that preserves the X-property [Figure] One-to-one mapping from the filters below to the trees above.

36 Some Facts on the Transformation It squares the number of users. Theorem. If the underlying set system is factorizable then the resulting set system is also factorizable. Let Φ be a factorizable set system defined over a set of size 2^m. If for any ideal I ⊆ Φ and atom u it holds that ord(I ∩ P_u) ≤ c(m), then –ord(I' ∩ P_u) ≤ c(m) + 2 for any ideal I' ⊆ Transform(Φ) and atom u in a set of size 2^{2m}.

37 Transmission overhead Let Φ' be constructed after k transformations of a set system Φ defined over a set of size d with transmission overhead c(d)·r to disable a set of r users. –If d is a constant, then the transmission overhead of Φ' is O(r log log N). –If k is a constant, then the transmission overhead of Φ' is O(r·c(d)).

38 Key-Derivation Procedures Path Property: –There exist two elements S_1, S_2 ∈ Φ so that F(S_1) and F(S_2) are disjoint and both filters are complete binary trees of height log|N| − 1 excluding the root. For any u, P_u intersects the binary trees F(S_1) or F(S_2) in a single path of length log|N| − 1. The path property implies the X-property. The transformation preserves the path property.

39 Key Assignment & Derivation for the path property [Figure: a binary tree whose root has LABEL = S and whose children are labelled by one-way functions, G_L(S) and G_R(S), then G_L(G_L(S)), G_R(G_L(S)), G_L(G_R(S)), G_R(G_R(S)), G_R(G_R(G_R(S))), … down to the leaves C_u; P_u intersects the binary trees F(S_1), F(S_2) in the red nodes] User u is given G_L(S), G_R(G_R(S)), G_R(G_L(G_R(S))), … and will be able to derive any key of the nodes hanging off its path by at most log N function evaluations.

40 Key Storage & Derivation for the Transformation Let Φ be a factorizable set system defined over a set of size 2^m. If the key storage (derivation) for the set system Φ is K(m) (D(m)), then K'(m) (D'(m)) for the new set system Transform(Φ) would be –K'(m) = 2K(m) + m. –D'(m) = max(D(m), m).

41 A Construction Start with [figure], which satisfies the path property. Applying the transformation two times yields [figure].
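The labelling of slide 39, as an added example that is not the authors' code: a binary tree rooted at a label S, with children obtained by two one-way transformations G_L and G_R (here HMAC-SHA256 under a fixed L or R tag, my choice of instantiation). A user whose path is, as on the slide, right, left, left receives the labels of the nodes hanging off that path, G_L(S), G_R(G_R(S)) and G_R(G_L(G_R(S))), and derives any label in those hanging subtrees with at most one evaluation per level, while nothing it holds sits at or above a node on its own path. The root label, the path string and the function names (derive, hanging_off_labels, user_derive) are constructed here.

```python
import hashlib
import hmac

def G_L(label):
    """One-way transformation for a left child (constructed instantiation)."""
    return hmac.new(label, b"L", hashlib.sha256).digest()

def G_R(label):
    """One-way transformation for a right child (constructed instantiation)."""
    return hmac.new(label, b"R", hashlib.sha256).digest()

def derive(label, path):
    """Walk down from a node's label: '0' applies G_L, '1' applies G_R.
    Costs exactly len(path) evaluations, never more than the tree height."""
    for bit in path:
        label = G_L(label) if bit == "0" else G_R(label)
    return label

def hanging_off_labels(root, user_path):
    """What user u is given: for each node on its path below the root, the
    label of that node's sibling, i.e. the roots of the subtrees hanging
    off the path.  Nodes are named by their path string from the root."""
    given = {}
    for depth in range(len(user_path)):
        sibling_bit = "1" if user_path[depth] == "0" else "0"
        node = user_path[:depth] + sibling_bit
        given[node] = derive(root, node)
    return given

def user_derive(given, target):
    """Derive the label of `target` from the user's labels, or None when the
    target is on or above the user's own path (no held label is an ancestor)."""
    for node, label in given.items():
        if target.startswith(node):
            return derive(label, target[len(node):])
    return None

# Constructed instance: root label S and a user whose path is right, left, left,
# matching the slide's G_L(S), G_R(G_R(S)), G_R(G_L(G_R(S))) handout.
ROOT_LABEL = hashlib.sha256(b"constructed root label S").digest()
USER_PATH = "100"

if __name__ == "__main__":
    given = hanging_off_labels(ROOT_LABEL, USER_PATH)
    print(sorted(given))                          # ['0', '101', '11']
    print(user_derive(given, "110") is not None)  # hangs off the path: derivable
    print(user_derive(given, "100") is None)      # on the path: not derivable
```

The labels on the path itself (S, G_R(S), G_L(G_R(S)), …) are exactly the ones the user never receives, so the keys of the subsets that exclude u stay out of its reach while every subset containing u is reachable in at most log N steps, which is the storage/derivation trade-off the transformation bounds on slide 40 build on.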

42 Scheme Parameters (1) Start with the basic set system for 2 users. Apply the transformation k times to get a set system for N = 2^{2^k} users. Storage: 2^k = log N. Computation time: log N. Transmission overhead: 2r log log N.

43 Another basic scheme with the path property [Figure]

44 Scheme Parameters (2) Start with the set system for d users: Storage: 3(log d − 1). Computation time: max(d, log d). Transmission overhead: 2r. Apply the transformation k times to get a set system for N = d^{2^k} users, say for constant k. Storage: 2k·log N. Computation time: max(N^{1/2^k}, log N). Transmission overhead: 2rk. Compare this with the k-complete tree and the Layered Subset Incremental Chain System.

45 Thank You

