Explicit Exclusive Set Systems with Applications David P. Woodruff Joint work with Craig Gentry and...
-
Upload
mia-gordon -
Category
Documents
-
view
215 -
download
0
Transcript of Explicit Exclusive Set Systems with Applications David P. Woodruff Joint work with Craig Gentry and...
![Page 1: Explicit Exclusive Set Systems with Applications David P. Woodruff Joint work with Craig Gentry and Zulfikar Ramzan.](https://reader036.fdocuments.us/reader036/viewer/2022070305/55141750550346e2488b537a/html5/thumbnails/1.jpg)
Explicit Exclusive Set Systems with
Applications
David P. Woodruff
Joint work with Craig Gentry and Zulfikar Ramzan
![Page 2: Explicit Exclusive Set Systems with Applications David P. Woodruff Joint work with Craig Gentry and Zulfikar Ramzan.](https://reader036.fdocuments.us/reader036/viewer/2022070305/55141750550346e2488b537a/html5/thumbnails/2.jpg)
Outline
1. The Combinatorics Problem
2. Our Techniques
3. Applications1. Broadcast encryption2. Certificate revocation3. Group testing
![Page 3: Explicit Exclusive Set Systems with Applications David P. Woodruff Joint work with Craig Gentry and Zulfikar Ramzan.](https://reader036.fdocuments.us/reader036/viewer/2022070305/55141750550346e2488b537a/html5/thumbnails/3.jpg)
The Combinatorics Problem Find a family C of subsets of {1, 2, …., n} such
that any large set S µ {1, 2, …, n} is the union of a small number of sets in C
S = S1 [ S2 [ [ St
Parameters: Universe is [n] = {1, …, n} |S| >= n-r Write S as a union of · t sets in C
Goal: Minimize |C|
![Page 4: Explicit Exclusive Set Systems with Applications David P. Woodruff Joint work with Craig Gentry and Zulfikar Ramzan.](https://reader036.fdocuments.us/reader036/viewer/2022070305/55141750550346e2488b537a/html5/thumbnails/4.jpg)
The Combinatorics Problem Find a family C of subsets of [n] such that any set
S µ [n] with |S| ¸ n-r is union of t sets in C:
S = S1 [ S2 [ [ St
Example: t = 1
C = all sets of size ¸ n-r
|C| =
Example: t = n
C = all sets of size 1
|C| = n
C excludes sets of size · r
C is an exclusive set system
![Page 5: Explicit Exclusive Set Systems with Applications David P. Woodruff Joint work with Craig Gentry and Zulfikar Ramzan.](https://reader036.fdocuments.us/reader036/viewer/2022070305/55141750550346e2488b537a/html5/thumbnails/5.jpg)
Another Example
Example: r = 1, t = 2
Write each i 2 [n] as (i1, i2) 2 [n1/2]2
xS:
1 i n
…
excludes 1st coordinate i1
= excludes 2nd coordinate i2
|C| = 2n1/2
![Page 6: Explicit Exclusive Set Systems with Applications David P. Woodruff Joint work with Craig Gentry and Zulfikar Ramzan.](https://reader036.fdocuments.us/reader036/viewer/2022070305/55141750550346e2488b537a/html5/thumbnails/6.jpg)
Another Example (Generalized) r = 1, t · log n
Write each i 2 [n] as (i1, i2 , …, it) 2 [n1/t]t
Sets in C are named (x, y) 2 [t] x [n1/t]
i 2 (x,y) iff ix y |C| = tn1/t
If S = [n] n i,
S = (1, i1) [ (2, i2) [ … [ (t, it)
![Page 7: Explicit Exclusive Set Systems with Applications David P. Woodruff Joint work with Craig Gentry and Zulfikar Ramzan.](https://reader036.fdocuments.us/reader036/viewer/2022070305/55141750550346e2488b537a/html5/thumbnails/7.jpg)
Example Summary
r arbitrary t = 1: |C| = t = n: |C| = n
t · log n r = 1: |C| = tn1/t
How does |C| grow given n, r, and t?
![Page 8: Explicit Exclusive Set Systems with Applications David P. Woodruff Joint work with Craig Gentry and Zulfikar Ramzan.](https://reader036.fdocuments.us/reader036/viewer/2022070305/55141750550346e2488b537a/html5/thumbnails/8.jpg)
A Lower Bound
Claim:
1. At least sets of size ¸ n-r
2. Only different unions
3. Thus,
4. Solve for |C|
Proof:
![Page 9: Explicit Exclusive Set Systems with Applications David P. Woodruff Joint work with Craig Gentry and Zulfikar Ramzan.](https://reader036.fdocuments.us/reader036/viewer/2022070305/55141750550346e2488b537a/html5/thumbnails/9.jpg)
Example Summary
r arbitrary t = 1: |C| = t = n: |C| = n
t · log n r = 1: |C| = tn1/t
tight
tight
tight
What happens for arbitrary n, r, and t?
![Page 10: Explicit Exclusive Set Systems with Applications David P. Woodruff Joint work with Craig Gentry and Zulfikar Ramzan.](https://reader036.fdocuments.us/reader036/viewer/2022070305/55141750550346e2488b537a/html5/thumbnails/10.jpg)
Known Results
Bad: once n and r are chosen, t and |C| are fixed
t |C| authors
(r log n / log r)2 (r log n / log r)2 GSY
r log n/r 2n LNN, ALO
2r n log n LNN
r3 log n / log r r3 log n /log r KRS
![Page 11: Explicit Exclusive Set Systems with Applications David P. Woodruff Joint work with Craig Gentry and Zulfikar Ramzan.](https://reader036.fdocuments.us/reader036/viewer/2022070305/55141750550346e2488b537a/html5/thumbnails/11.jpg)
Known Results Only known general result:
If r · t, then |C| = O(t3(nt)r/t log n) [KR]
Drawbacks: Probabilistic method To write S = S1 [ S2 [ … [ St , solve Set-CoverSet-Cover C has large description Bad for applications Suboptimal size:
![Page 12: Explicit Exclusive Set Systems with Applications David P. Woodruff Joint work with Craig Gentry and Zulfikar Ramzan.](https://reader036.fdocuments.us/reader036/viewer/2022070305/55141750550346e2488b537a/html5/thumbnails/12.jpg)
Our Results Main result: |C| = poly(r,t)
n, r, t all arbitrary
Match lower bound up to poly(r,t) In applications r, t << n When r,t << n, get |C| = O(rt )
Our construction is explicit Find sets S = S1 [ … [ St in poly(r, t, log n) time Improved cryptographic applications
![Page 13: Explicit Exclusive Set Systems with Applications David P. Woodruff Joint work with Craig Gentry and Zulfikar Ramzan.](https://reader036.fdocuments.us/reader036/viewer/2022070305/55141750550346e2488b537a/html5/thumbnails/13.jpg)
Outline
1. The Combinatorics Problem
2. Our Techniques
3. Applications1. Broadcast encryption2. Certificate revocation3. Group testing
![Page 14: Explicit Exclusive Set Systems with Applications David P. Woodruff Joint work with Craig Gentry and Zulfikar Ramzan.](https://reader036.fdocuments.us/reader036/viewer/2022070305/55141750550346e2488b537a/html5/thumbnails/14.jpg)
Techniques Case analysis:
r, t << n:
algebraic solution
general r, t:
use divide-and-conquer approach to reduce to previous case
![Page 15: Explicit Exclusive Set Systems with Applications David P. Woodruff Joint work with Craig Gentry and Zulfikar Ramzan.](https://reader036.fdocuments.us/reader036/viewer/2022070305/55141750550346e2488b537a/html5/thumbnails/15.jpg)
Case: r,t << n Find a prime p = n1/t +
Integers [n] are points in (Fp)t
Consider the ring Fp[X1, …, Xt]
Goal: find set of polynomials C such that for any R ½ [n] with |R| · r, there exist p1, …, pt 2 C such that
R = Variety(p1, …, pt)
![Page 16: Explicit Exclusive Set Systems with Applications David P. Woodruff Joint work with Craig Gentry and Zulfikar Ramzan.](https://reader036.fdocuments.us/reader036/viewer/2022070305/55141750550346e2488b537a/html5/thumbnails/16.jpg)
The Polynomial Collection
Consider the following collection:
and
![Page 17: Explicit Exclusive Set Systems with Applications David P. Woodruff Joint work with Craig Gentry and Zulfikar Ramzan.](https://reader036.fdocuments.us/reader036/viewer/2022070305/55141750550346e2488b537a/html5/thumbnails/17.jpg)
The Polynomial Collection (Con’d)
and
Claim: If no two points in R have the same ith coordinate for any i, then we can find p1, …, pt with Variety(p1, …, pt) = R
Proof: choose j=1|R| (X1 – uj
1)
let ui1, ui
2, …, ui|R| be the ith coordinates
and ui+11, ui+1
2, …, ui+1|R| be the (i+1)st coordinates
choose pi+1 = f(Xi) – Xi+1 by interpolating from f(ui
j) = ui+1j for all j
![Page 18: Explicit Exclusive Set Systems with Applications David P. Woodruff Joint work with Craig Gentry and Zulfikar Ramzan.](https://reader036.fdocuments.us/reader036/viewer/2022070305/55141750550346e2488b537a/html5/thumbnails/18.jpg)
The Polynomial Collection (Con’d)Proof: choose j=1
|R| (X1 – uj1)
let ui1, ui
2, …, ui|R| be the ith coordinates
and ui+11, ui+1
2, …, ui+1|R| be the (i+1)st coordinates
choose pi+1 = f(Xi) – Xi+1 by interpolating from f(ui
j) = uij+1 for all j
Claim 1: Every point in R is in Variety(p1, …, pt) Proof: Induction. If x in variety, x1 = u1
j for some j
pi+1(x) = f(xi) – xi+1 = 0 so: f(xi) = f(ui
j) = ui+1j = xi+1
Claim 2: If x 2 [n] n R, then x not in Variety(p1, …, pt)Proof: Immediate
![Page 19: Explicit Exclusive Set Systems with Applications David P. Woodruff Joint work with Craig Gentry and Zulfikar Ramzan.](https://reader036.fdocuments.us/reader036/viewer/2022070305/55141750550346e2488b537a/html5/thumbnails/19.jpg)
The Polynomial Collection (Con’d)
|C| = O(tpr), where p = n1/t +
Density theorems ! |C| = O(tnr/t)
Only works if R has distinct coordinates…
and
![Page 20: Explicit Exclusive Set Systems with Applications David P. Woodruff Joint work with Craig Gentry and Zulfikar Ramzan.](https://reader036.fdocuments.us/reader036/viewer/2022070305/55141750550346e2488b537a/html5/thumbnails/20.jpg)
Handling Non-distinct Coordinates Perform coordinate tranformations
Each u 2 [n] is a degree-(t-1) polynomial pu in Fp[x]
Translate polynomial representation to point representation by evaluation:
pu -> (pu(1), pu(2), …, pu(t))
pu pu’ implies translations are distinct
Idea: choose many transformations (sets of t points in Fp), so every R has a transformation with distinct coordinates
Apply previous construction
![Page 21: Explicit Exclusive Set Systems with Applications David P. Woodruff Joint work with Craig Gentry and Zulfikar Ramzan.](https://reader036.fdocuments.us/reader036/viewer/2022070305/55141750550346e2488b537a/html5/thumbnails/21.jpg)
Handling Non-distinct Coordinates
1 2 3 … t (t+1) (t+2) … 2t (2t+1) … …
Suppose R = {1, …, r}
p1
p2
p3
…
pr
1 2 3 … t
2 2 3 … t
3 2 3 … t
r 2 3 … t
(t+1) (t+2) … 2t (2t+1) … …
… … … …
![Page 22: Explicit Exclusive Set Systems with Applications David P. Woodruff Joint work with Craig Gentry and Zulfikar Ramzan.](https://reader036.fdocuments.us/reader036/viewer/2022070305/55141750550346e2488b537a/html5/thumbnails/22.jpg)
Handling Non-Distinct Coordinates How many blocks of t points do we need to consider?
Two distinct degree-(t-1) polynomials can agree on at most t-1 points.
Thus, at most can have non-distinct coordinates
So choose blocks, apply “distinct coordinate” construction for each block
Take union of constructions for all blocks
![Page 23: Explicit Exclusive Set Systems with Applications David P. Woodruff Joint work with Craig Gentry and Zulfikar Ramzan.](https://reader036.fdocuments.us/reader036/viewer/2022070305/55141750550346e2488b537a/html5/thumbnails/23.jpg)
Summary and Improvements
O(r2 t) blocks, each O(t nr/t) sets
O(r2 t2 nr/t) sets in total!
Can improve to O(rt )
![Page 24: Explicit Exclusive Set Systems with Applications David P. Woodruff Joint work with Craig Gentry and Zulfikar Ramzan.](https://reader036.fdocuments.us/reader036/viewer/2022070305/55141750550346e2488b537a/html5/thumbnails/24.jpg)
Improvements
Choose special points in Fp for blocks
Mix the blocks with an expander
Balance complexity of two types of sets
![Page 25: Explicit Exclusive Set Systems with Applications David P. Woodruff Joint work with Craig Gentry and Zulfikar Ramzan.](https://reader036.fdocuments.us/reader036/viewer/2022070305/55141750550346e2488b537a/html5/thumbnails/25.jpg)
General n, r, t
1 n
Let m be such that r/m, t/m << n
For every interval [i, j], form an exclusive set system with n’ = j-i+1, r’ = r/m, t’ = t/m
Given a set R, find intervals which evenly partition R.
i jx x x x x x
Problem! n2 term ?!?
Fix:- hash [n] to [r2] first
- do enough hashes so there is an injective hash for every R
- apply construction above on [r2]
![Page 26: Explicit Exclusive Set Systems with Applications David P. Woodruff Joint work with Craig Gentry and Zulfikar Ramzan.](https://reader036.fdocuments.us/reader036/viewer/2022070305/55141750550346e2488b537a/html5/thumbnails/26.jpg)
Outline
1. The Combinatorics Problem
2. Our Techniques
3. Applications1. Broadcast encryption2. Certificate revocation3. Group testing
![Page 27: Explicit Exclusive Set Systems with Applications David P. Woodruff Joint work with Craig Gentry and Zulfikar Ramzan.](https://reader036.fdocuments.us/reader036/viewer/2022070305/55141750550346e2488b537a/html5/thumbnails/27.jpg)
Broadcast Encryption
Server
Clients
1 server, n clients
Server broadcasts to all clients at once
E.g., payperview TV, music, videos
Only privileged users can understand broadcasts
E.g., those who pay their monthly bills
Need to encrypt broadcastsOffline phase - Server distributes keysOnline phase - Server encrypts a session key so only
privileged users can decrypt
![Page 28: Explicit Exclusive Set Systems with Applications David P. Woodruff Joint work with Craig Gentry and Zulfikar Ramzan.](https://reader036.fdocuments.us/reader036/viewer/2022070305/55141750550346e2488b537a/html5/thumbnails/28.jpg)
Subset Cover Framework [NNL]
Offline stage:
For some S ½ [n], server creates a key K(S) and distributes it to all users in S
Idea: choose sets S from an exclusive set system C
Server space complexity ~ |C|
ith user space complexity ~ # S containing i
![Page 29: Explicit Exclusive Set Systems with Applications David P. Woodruff Joint work with Craig Gentry and Zulfikar Ramzan.](https://reader036.fdocuments.us/reader036/viewer/2022070305/55141750550346e2488b537a/html5/thumbnails/29.jpg)
Subset Cover Framework [NNL]
Online stage:
Given a set R ½ [n] of at most r revoked users
Server establishes a session key M that only users in the set [n] n R know
Finds S1, …, St with [n] n R = S1 [ … [ St
Encrypt M under each of K(S1), …, K(St) For u 2 [n] n R, there is Si with u 2 Si
For u 2 R, no Si with u 2 Si
Content encrypted using session key M
![Page 30: Explicit Exclusive Set Systems with Applications David P. Woodruff Joint work with Craig Gentry and Zulfikar Ramzan.](https://reader036.fdocuments.us/reader036/viewer/2022070305/55141750550346e2488b537a/html5/thumbnails/30.jpg)
Subset Cover Framework [NNL]
Online stage:
Communication complexity ~ t
Tolerate up to r revoked users
Tolerate any number of colluders
Information-theoretic security
![Page 31: Explicit Exclusive Set Systems with Applications David P. Woodruff Joint work with Craig Gentry and Zulfikar Ramzan.](https://reader036.fdocuments.us/reader036/viewer/2022070305/55141750550346e2488b537a/html5/thumbnails/31.jpg)
Our Results Use our explicit exclusive set system
General n,r,t Contrasts with previous explicit systems
Poly(r,t, log n) time to find keys for broadcast Contrasts with probabilistic constructions
Parameters For poly(r, log n) server storage complexity, we can
set t = r log (n/r), but previously t = (r2 log n)
![Page 32: Explicit Exclusive Set Systems with Applications David P. Woodruff Joint work with Craig Gentry and Zulfikar Ramzan.](https://reader036.fdocuments.us/reader036/viewer/2022070305/55141750550346e2488b537a/html5/thumbnails/32.jpg)
More Reasons to Study Exclusive Sets
Other applications
Certificate revocation
Group testing
Fun mathematical problem
![Page 33: Explicit Exclusive Set Systems with Applications David P. Woodruff Joint work with Craig Gentry and Zulfikar Ramzan.](https://reader036.fdocuments.us/reader036/viewer/2022070305/55141750550346e2488b537a/html5/thumbnails/33.jpg)
Open problems
O(rt ) versus (t )
Our O(rt ) bound needs t = o(log n)
Bound for general r,t is poly(r,t)
Improve the poly(r,t) factor
Find more applications