Presentation is loading. Please wait.

Presentation is loading. Please wait.

Dong Hoon Lee CIST Korea University Efficient Communication-Storage Tradeoffs for Broadcast Encryption Schemes ( will be published.

Published bySheryl Stone Modified over 9 years ago

Similar presentations

Presentation on theme: "Dong Hoon Lee CIST Korea University Efficient Communication-Storage Tradeoffs for Broadcast Encryption Schemes ( will be published."— Presentation transcript:

1 Dong Hoon Lee CIST Korea University http://cist.korea.ac.kr Efficient Communication-Storage Tradeoffs for Broadcast Encryption Schemes ( will be published in Eurocrypt’05 )

2 2 Contents Broadcast Encryption  Concept / Applications  Related Works Our Construction (Trans. Efficient )  Basic scheme  Extension 1, Extension 2, Extension 3  Efficiency & Security Conclusion

3 3 Broadcast Encryption : Concept Data Supplier Subscribers Contents E sk (s) Es(m)Es(m) s : session key, m :contents Key managementCipher Block Broadcast Encryption Message Broadcast Contents

4 4 BE : Basic Security = Revocation Adversarial Coalition Group 3 5 2 3 5 6 1 3 5 4 7 5 3 1 DATA 13 5 6 7 8 9 2 4 Revoked Members ? 2 4

5 5 BE : Applications Satellite-based Business Group Communication (multicast) Digital Rights Management xCP (Extensible Content Protection), IBM 2003. 4. Home network content protection (MP3 players, DVD players, Cellular phones, PDAs, TV ) AACS (Advanced Access Content System) group 2004. 7. IBM, Intel, Microsoft, Panasonic, Sony, Toshiba, Disney, Warner Bros. Studios Copy protection scheme : pirated DVDs

6 6 BE : Related Works Combinatorial Approaches Combinatorial design Algebraic Approaches Secret Sharing Method Tree-based structure LKH (Logical Key Hierarchy) SD (Subset Difference) Naor, Naor, Lotspiech, Crypto ’ 01 IBM xCP, AACS LSD (Layered SD) Halevy and Shamir, Crypto ’ 02 SSD (Stratified SD) Goodrich et. al, Crypto ’ 04

7 7 BE : Measures  Transmission Length  Storage for keys at user device  Computation overhead One-to-many communication  TL is the most important factor GOAL : Transmission-efficient scheme with Storage and Computation overhead within reasonable bounds

8 8 BE : Basic Approaches U1U1 U2U2 U4U4 U3U3 U5U5 U6U6 U8U8 U7U7 GC (Group Center) Unicast Transmission User storage Single-Message Transmission User storage U1U1 U2U2 U4U4 U3U3 U5U5 U6U6 U8U8 U7U7 One key for all cases of revocation : {1},{12}, …,{145}, …,{124578}, … GC

9 9 Broadcast Encryption – Tree-based LKH SD Key storage per user : log-key restriction # of transmitted messages : 2 r (r:# of revoked users)

10 10 Challenging Problem The number of trans. messages The number of revoked users > ?

11 11 Our Scheme : One-way chain Pseudo-Random number sequence from F : {0,1} κ →{0,1} mκ nodes Chain-value Sd i F(Sd i ) F 2 (Sd i ) F j-i (Sd i )

12 12 Our Scheme : User Structure Circular structure Users Chain-value Linear structure Sd i F(Sd i ) F 2 (Sd i ) F j-i (Sd i )

13 13 Our Scheme : Basic Scheme Key assignment n keys per user u1u1 u2u2 u4u4 u3u3 u5u5 u6u6 u8u8 u7u7 u9u9 u 11 u 10 u 12 u8u8 s7s7 F1(s7)F1(s7) s8s8 s6s6 F(s 6 )F2(s6)F2(s6) s5s5 F(s 5 )F3(s5)F3(s5) … u7u7 u6u6 u5u5 n different labels … Key set

14 14 Our Scheme : Basic Scheme Revocation Method s1s1 F 2 (s 1 ) F 3 (s 1 ) F(s 1 ) s6s6 F(s 6 ) F 2 (s 6 ) F 3 (s 6 ) F 4 (s 6 ) F 5 (s 6 ) r (=2) revoked users r (=2) trans. messages u1u1 u2u2 u5u5 u 12 u 11 u6u6 u3u3 u4u4 u7u7 u8u8 u9u9 u 10 SK 2 = F 5 (s 6 ) SK 1 = F 3 (s 1 ) r (=2) subsets

15 15 Our Scheme : Basic Scheme Key computation s1s1 F 2 (s 1 ) F 3 (s 1 ) F(s 1 ) F 6 (s 1 ) F 7 (s 1 ) F 8 (s 1 ) F 9 (s 1 ) F 10 (s 1 ) u1u1 u2u2 u5u5 u 12 u 11 u6u6 u3u3 u4u4 u7u7 u8u8 u9u9 u 10 SK = F 10 (s 1 ) Maximum n computations of F per user F 4 (s 1 ) F 5 (s 1 )

16 16 Our Scheme : Extension 1 Covering several subsets by one key !! Further reduction of Trans. length in basic scheme user subset SO ↑ TL ↓

17 17 Our Scheme : Extension 1 (OWC([n,2])) Revocation Method (Jumping one-way chain) F 2 (s 12,5 ) F 3 (s 12,5 ) F 1 (s 12,5 ) r (=2) revoked users u1u1 u2u2 u5u5 u 12 u 11 u6u6 u3u3 u4u4 u7u7 u8u8 u9u9 u 10 SK 1 = F 10 (s 12,5 ) F 6 (s 12,5 ) F 7 (s 12,5 ) F 8 (s 12,5 ) F 9 (s 12,5 ) F 10 (s 12,5 ) F 5 (s 12,5 ) F 4 (s 12,5 ) s 12,5 r/2 (=1) Trans. messages r/2 (=1) subsets

18 18 Our Scheme : Extension 1 (OWC([n,3])) Revocation Method (Jumping one-way chain) F 2 (s 12,5,8 ) F 3 (s 12,5,8 ) F 1 (s 12,5,8 ) r (=3) revoked users SK 1 = F 10 (s 12,5,8 ) F 6 (s 12,5,8 ) F 7 (s 12,5,8 ) F 8 (s 12,5,8 ) F 9 (s 12,5,8 ) F 10 (s 12,5,8 ) F 5 (s 12,5,8 ) F 4 (s 12,5,8 ) s 12,5,8 u5u5 u8u8 u 12 r/3 (=1) Trans. messages r/3 (=1) subsets

19 19 Our Scheme : Extension 1 Key assignment Choice of different labels for k revoked users u1u1 u2u2 u5u5 u 12 u 11 u6u6 u3u3 u4u4 u7u7 u8u8 u9u9 u 10 keys per user n k ( ) n 2 ( ) SO : O(n k )

20 20 Our Scheme : Extension 1 Key computation swsw F 2 (s w ) F 3 (s w ) F(s w ) F 6 (s w ) F 7 (s w ) F 8 (s w ) F 9 (s w ) F 10 (s w ) u1u1 u2u2 u5u5 u 12 u 11 u6u6 u3u3 u4u4 u7u7 u8u8 u9u9 u 10 SK = F 10 (s w ) ) Maximum n computations of F per user F 4 (s w ) F 5 (s w )

21 21 Our Scheme : Extension 2 Trade-off between SO and TL Trans. Length BasicExtension 1 Keys Storage r n 0 2 n-1 …. Power-set BE …. r / k O(n k ) ( k is a natural number )

22 22 Our Scheme : Extension 2 Constructing hierarchical chain so that several keys of a user cover one subset !! Reduction in keys storage per user in Basic Scheme user subset SO ↓ TO ↑

23 23 Our Scheme : Extension 2 (OWC(p,[w,k])) Revocation method (hierarchical chain : 2-dim Ring)

24 24 Our Scheme : Extension 2 Revocation method (structurally equivalent with SD) Complete binary treeComplete binary ring

25 25 Our Scheme : Extension 2 Trade-off between SO and TL Trans. Length BasicExtension 2 Keys Storage r n 2 r (log 2 n+log n)/2 + 1 …. SD …. rw/(w-1) g(n) - k is a natural number - g(n) = (w-1) log n + (w-1) (log 2 n+log n)/2 + 1 (w-ary ring)

26 26 Our Scheme : Extension 3 Combination of two extension methods : Layered 2-dimensional Ring Toward Practical Scheme Reduce ( User keys storage + Trans. Length )

27 27 U 1.1 U 1.2 U 1.5 U 1.6 U 1.3 U 1.4 U 1.7 U 1.8 U 1.9 Our Scheme : Extension 3 User structure : layered 2-dimnsional ring U 2.1 U 2.2 U 2.5 U 2.6 U 2.3 U 2.4 U 2.7 U 2.8 U 2.9

28 28 u 1.1 u 1.2 u 1.5 u 1.6 u 1.3 u 1.4 u 1.7 u 1.8 u 1.9 Our Scheme : Extension 3 Revocation method u 2.1 u 2.2 u 2.5 u 2.6 u 2.3 u 2.4 u 2.7 u 2.8 u 2.9 r (=3) revoked users r/2+1 (=2) Trans. messages r/2+1 (=2) subsets

29 29 Our Scheme : Extension 3 Key assignment u 1.1 u 1.2 u 1.5 u 1.6 u 1.3 u 1.4 u 1.7 u 1.8 u 1.9 u 2.1 u 2.2 u 2.5 u 2.6 u 2.3 u 2.4 u 2.7 u 2.8 u 2.9 n keys for 1 revoked user keys for 2 revoked users m=n/2 2 ( )

30 30 Our Scheme : Extension 3 Key computation u 1.1 u 1.2 u 1.5 u 1.6 u 1.3 u 1.4 u 1.7 u 1.8 u 1.9 u 2.1 u 2.2 u 2.5 u 2.6 u 2.3 u 2.4 u 2.7 u 2.8 u 2.9 Maximum m=n/2 com. of F and 1 com. of G per user

31 31 Our Scheme : Extension 3 For a large number users : partition...

32 32 Our Scheme : Extension 3 3 instances OWC(2,[50,2]) OWC(4,[50,2]) OWC((2:2),[50,2])

33 33 Our Construction : Security Standard hybrid argument Pseudo-Random number sequence from F : {0,1} κ →{0,1} mκ Truly Random number sequence R i+1 R i+2 R i+3 RjRj R j ← R {0,1} mκ Computational Indistinguishability nodes Chain-value Sd i F(Sd i ) F 2 (Sd i ) F j-i (Sd i )

34 34 Our schemes : Efficiency 50 546.9 (0.7r) Fig.19.950OWC((2:2),[w,2]) 50 546.9 (0.7r) Fig.20.950OWC(4,[w,2]) 50 546.9 (0.7r) 19.250OWC(2,[w,2]) r=50,000(5%) # of Comp. Trans. Length (Kbyte)Keys Storage (Kbyte)m n = 10 6 users 3.2SD (Naor et. al)Fig. 20 1562.5 (2r)

35 35 Comparison : Transmission Length 5 % 546.9 1 % 234.4 156.3 0.5% SD OWC(2,[50,2]) 2 % 312.5 78.1 (w=50) 178.1 OWC(4,[50,2]) OWC((2:2),[50,2]) n = 10 6 users Kbyte # of revoked users

36 36 Further Research Further reduction in user storage Reduction for initial transmission length Other structure for Trade-off : Transmission length & User keys storage

37 37 Q & A Thank you

Download ppt "Dong Hoon Lee CIST Korea University Efficient Communication-Storage Tradeoffs for Broadcast Encryption Schemes ( will be published."

Similar presentations

Andy Daniëls 3 SWMA ICT03. Introduction History Technical Comparison Companies Security Why Blu-ray is On the Rise? Television: HD vs. Standard Conclusion.

Andy Daniëls 3 SWMA ICT03. Introduction History Technical Comparison Companies Security Why Blu-ray is On the Rise? Television: HD vs. Standard Conclusion.
A Survey of Key Management for Secure Group Communications Celia Li.

A Survey of Key Management for Secure Group Communications Celia Li.
1 Efficient Self-Healing Group Key Distribution with Revocation Capability by Donggang Liu, Peng Ning, Kun Sun Presented by Haihui Huang

1 Efficient Self-Healing Group Key Distribution with Revocation Capability by Donggang Liu, Peng Ning, Kun Sun Presented by Haihui Huang
GSM network and its privacy Thomas Stockinger. Overview Why privacy and security? GSM network‘s fundamentals Basic communication Authentication Key generation.

GSM network and its privacy Thomas Stockinger. Overview Why privacy and security? GSM network‘s fundamentals Basic communication Authentication Key generation.
Self-Healing in Wireless Networks. The self-healing property is expected in many aspects in wireless networks: – Encryption algorithms – Key distribution.

Self-Healing in Wireless Networks. The self-healing property is expected in many aspects in wireless networks: – Encryption algorithms – Key distribution.
Self-Organized Anonymous Authentication in Mobile Ad Hoc Networks Julien Freudiger, Maxim Raya and Jean-Pierre Hubaux SECURECOMM, 2009.

Self-Organized Anonymous Authentication in Mobile Ad Hoc Networks Julien Freudiger, Maxim Raya and Jean-Pierre Hubaux SECURECOMM, 2009.
Secure Content Delivery in Information-Centric Networks: Design, Implementation, and Analyses Computer Science Department New Mexico State University,

Secure Content Delivery in Information-Centric Networks: Design, Implementation, and Analyses Computer Science Department New Mexico State University,
Distribution and Revocation of Cryptographic Keys in Sensor Networks Amrinder Singh Dept. of Computer Science Virginia Tech.

Distribution and Revocation of Cryptographic Keys in Sensor Networks Amrinder Singh Dept. of Computer Science Virginia Tech.
Broadcast Encryption – an overview Niv Gilboa – BGU 1.

Broadcast Encryption – an overview Niv Gilboa – BGU 1.
Presentation By: Garrett Lund Paper By: Sandro Rafaeli and David Hutchison.

Presentation By: Garrett Lund Paper By: Sandro Rafaeli and David Hutchison.
URSA: Providing Ubiquitous and Robust Security Support for MANET

URSA: Providing Ubiquitous and Robust Security Support for MANET
LOGO Multi-user Broadcast Authentication in Wireless Sensor Networks ICU 20082065 Myunghan Yoo.

LOGO Multi-user Broadcast Authentication in Wireless Sensor Networks ICU Myunghan Yoo.
Computer Science Dr. Peng NingCSC 774 Adv. Net. Security1 CSC 774 Advanced Network Security Topic 7. Wireless Sensor Network Security.

Computer Science Dr. Peng NingCSC 774 Adv. Net. Security1 CSC 774 Advanced Network Security Topic 7. Wireless Sensor Network Security.
Broadcast Encryption and Traitor Tracing 2001. 12. 2001507 Jin Kim.

Broadcast Encryption and Traitor Tracing Jin Kim.
On The Algebraic Structure of Combinatorial Broadcast Encryption Schemes and Applications Serdar Pehlivanoglu (pay-live-a-no-glue) Joint work with Aggelos.

On The Algebraic Structure of Combinatorial Broadcast Encryption Schemes and Applications Serdar Pehlivanoglu (pay-live-a-no-glue) Joint work with Aggelos.
1 Trace, Revoke and Self Enforcement Mechanisms for Protecting Information Moni Naor Weizmann Institute of Science.

1 Trace, Revoke and Self Enforcement Mechanisms for Protecting Information Moni Naor Weizmann Institute of Science.
Computer Science 1 Efficient Self-healing Group Key Distribution With Revocation Capability Archana Rajagopal CSC 774 Presentation Based on Original Slides.

Computer Science 1 Efficient Self-healing Group Key Distribution With Revocation Capability Archana Rajagopal CSC 774 Presentation Based on Original Slides.
1 Florian Pestoni IBM Research IBM xCP Cluster Protocol IBM Presentation to Copy Protection Technical Working Group July 18 th, 2002.

1 Florian Pestoni IBM Research IBM xCP Cluster Protocol IBM Presentation to Copy Protection Technical Working Group July 18 th, 2002.
Optimal Communication Complexity of Generic Multicast Key Distribution Saurabh Panjwani UC San Diego (Joint Work with Daniele Micciancio)

Optimal Communication Complexity of Generic Multicast Key Distribution Saurabh Panjwani UC San Diego (Joint Work with Daniele Micciancio)
Key Management Schemes for Stateless Receivers Based on Time Varying Heterogeneous Logical Key Hierarchy Miodrag Mihaljevic ASIACRYPT 2003 December 1,

Key Management Schemes for Stateless Receivers Based on Time Varying Heterogeneous Logical Key Hierarchy Miodrag Mihaljevic ASIACRYPT 2003 December 1,

Similar presentations

Ads by Google