Dong Hoon Lee
CIST Korea Universityhttp://cist.korea.ac.kr
Efficient Communication-Storage Tradeoffs for
Broadcast Encryption Schemes( will be published in Eurocrypt’05 )
2
Contents
Broadcast Encryption Concept / Applications
Related Works
Our Construction (Trans. Efficient ) Basic scheme Extension 1, Extension 2, Extension 3 Efficiency & Security
Conclusion
3
Broadcast Encryption : Concept
DataSupplier
Subscribers
Contents
Esk(s) Es(m)s : session key , m :contents
Key management Cipher Block
Broadcast Encryption Message
Broadcast
Contents
4
BE : Basic Security = Revocation
Adversarial Coalition
Group3 52 3 56
1
3 547531
DATA
1 3 5 6 7 8 92
4
Revoked Members
?2
4
5
BE : Applications
Satellite-based BusinessGroup Communication (multicast)Digital Rights Management
xCP (Extensible Content Protection), IBM2003. 4. Home network content protection (MP3 players, DVD players, Cellular phones, PDAs, TV )
AACS (Advanced Access Content System) group2004. 7. IBM, Intel, Microsoft, Panasonic, Sony, Toshiba, Disney, Warner Bros. StudiosCopy protection scheme : pirated DVDs
6
BE : Related Works
Combinatorial ApproachesCombinatorial design
Algebraic Approaches Secret Sharing Method
Tree-based structureLKH (Logical Key Hierarchy) SD (Subset Difference) Naor, Naor, Lotspiech, Crypto’01
IBM xCP, AACSLSD (Layered SD) Halevy and Shamir, Crypto’02SSD (Stratified SD) Goodrich et. al, Crypto’04
7
BE : Measures
1. Transmission Length2. Storage for keys at user device3. Computation overhead
One-to-many communication TL is the most important factorGOAL : Transmission-efficient scheme with Storage and Computation overhead within reasonable bounds
8
BE : Basic Approaches
U1 U2 U4U3 U5 U6
U8U7
GC (Group Center)
Unicast
TransmissionUser storage
Single-Message
TransmissionUser storage
U1 U2 U4U3 U5 U6
U8U7
One key for all cases of revocation : {1},{12},…,{145},…,{124578},…
GC
9
Broadcast Encryption – Tree-based
LKH SD
Key storage per user
: log-key restriction
# of transmitted messages: 2 r (r:# of revoked users)
10
Challenging Problem
The number of
trans. messages
The number of
revoked users >?
11
Our Scheme : One-way chain
Pseudo-Random number sequence from F : {0,1}κ →{0,1}mκ
F(sdi) F2(sdi) F3(sdi) Fj- 1+1(sdi)
ui ui+1 ui+2 ujnodes
Chain-valueSdi F(Sdi) F2(Sdi) Fj-i(Sdi)
12
Our Scheme : User Structure
Circular structure
F(sdi) F2(sdi) F3(sdi) Fj- 1+1(sdi)
ui ui+1 ui+2 uj Users
Chain-value
Linear structure
Sdi F(Sdi) F2(Sdi) Fj-i(Sdi)
13
Our Scheme : Basic Scheme
Key assignment
n keys per user
u1
u2
u4
u3
u5
u6 u8u7
u9
u11
u10
u12
u8
s7 F1(s7)
s8
s6 F(s6) F2(s6)
s5 F(s5) F3(s5)…
u7u6u5
n different labels
…
Key set
14
Our Scheme : Basic Scheme
Revocation Method
s1
F2(s1)
F3(s1)
F(s1)
s6F(s6
)
F2(s6)
F3(s6)
F4(s6)
F5(s6)
r (=2) revoked usersr (=2) trans. messages
u1u2
u5
u12
u11
u6
u3
u4
u7
u8
u9
u10
SK2 = F5(s6)
SK1 = F3(s1)
r (=2) subsets
15
Our Scheme : Basic Scheme
Key computation
s1
F2(s1)
F3(s1)
F(s1)
F6(s1)F7(s1)
F8(s1)
F9(s1)
F10(s1)
u1u2
u5
u12
u11
u6
u3
u4
u7
u8
u9
u10
SK = F10(s1)
Maximum n computations of F per user
F4(s1)
F5(s1)
16
Our Scheme : Extension 1
Covering several subsets by one key !!
Further reduction of Trans. length in basic scheme
user
subset
SO ↑
TL ↓
17
Our Scheme : Extension 1 (OWC([n,2]))
Revocation Method (Jumping one-way chain)
F2(s12,5)
F3(s12,5)
F1(s12,5)
r (=2) revoked users
u1u2
u5
u12
u11
u6
u3
u4
u7
u8
u9
u10
SK1 = F10(s12,5)
F6(s12,5)F7(s12,5)
F8(s12,5)
F9(s12,5)
F10(s12,5)
F5(s12,5)
F4(s12,5)
s12,5
r/2 (=1) Trans. messages
r/2 (=1) subsets
18
Our Scheme : Extension 1 (OWC([n,3]))
Revocation Method (Jumping one-way chain)
F2(s12,5,8)
F3(s12,5,8)
F1(s12,5,8)
r (=3) revoked users
SK1 = F10(s12,5,8)
F6(s12,5,8)F7(s12,5,8)
F8(s12,5,8)
F9(s12,5,8)
F10(s12,5,8)
F5(s12,5,8)
F4(s12,5,8)
s12,5,8
u5
u8
u12
r/3 (=1) Trans. messages
r/3 (=1) subsets
19
Our Scheme : Extension 1
Key assignment
Choice of different labels for k revoked users
u1u2
u5
u12
u11
u6
u3
u4
u7
u8
u9
u10
keys per usern
k( )
keys per usern
2( )
SO : O(nk)
20
Our Scheme : Extension 1
Key computation
sw
F2(sw)
F3(sw)
F(sw)
F6(sw)F7(sw)
F8(sw)
F9(sw)
F10(sw)
u1u2
u5
u12
u11
u6
u3
u4
u7
u8
u9
u10
SK = F10(sw) )
Maximum n computations of F per user
F4(sw)
F5(sw)
21
Our Scheme : Extension 2
Trade-off between SO and TL
Trans. Length
Basic Extension 1
Keys Storage
r
n
0
2n-1
…. Power-set BE ….
r / k
O(nk)
( k is a natural number )
22
Our Scheme : Extension 2
Constructing hierarchical chain so that several keys of a user cover one subset !!
Reduction in keys storage per user in Basic Scheme
user
subset
SO ↓
TO ↑
23
Our Scheme : Extension 2 (OWC(p,[w,k]))
Revocation method (hierarchical chain : 2-dim Ring)
24
Our Scheme : Extension 2
Revocation method (structurally equivalent with SD)
Complete binary treeComplete binary ring
25
Our Scheme : Extension 2
Trade-off between SO and TL
Trans. Length
Basic Extension 2
Keys Storage
r
n
2 r
(log2n+log n)/2 + 1
…. SD….
rw/(w-1) g(n)
- k is a natural number- g(n) = (w-1)log n + (w-1)(log2n+log n)/2 + 1
(w-ary ring)
26
Our Scheme : Extension 3
Combination of two extension methods: Layered 2-dimensional Ring
Toward Practical Scheme
Reduce ( User keys storage + Trans. Length )
27
U1.1
U1.2
U1.5 U1.6
U1.3
U1.4
U1.7
U1.8
U1.9
Our Scheme : Extension 3
User structure : layered 2-dimnsional ring
U2.1
U2.2
U2.5 U2.6
U2.3
U2.4
U2.7
U2.8
U2.9
28
u1.1
u1.2
u1.5 u1.6
u1.3
u1.4
u1.7
u1.8
u1.9
Our Scheme : Extension 3
Revocation method
u2.1
u2.2
u2.5 u2.6
u2.3
u2.4
u2.7
u2.8
u2.9
r (=3) revoked usersr/2+1 (=2) Trans. messages
r/2+1 (=2) subsets
29
Our Scheme : Extension 3
Key assignment
u1.1
u1.2
u1.5 u1.6
u1.3
u1.4
u1.7
u1.8
u1.9
u2.1
u2.2
u2.5 u2.6
u2.3
u2.4
u2.7
u2.8
u2.9
n keys for 1 revoked userkeys for 2 revoked usersm=n/2
2( )
30
Our Scheme : Extension 3
Key computation
u1.1
u1.2
u1.5 u1.6
u1.3
u1.4
u1.7
u1.8
u1.9
u2.1
u2.2
u2.5 u2.6
u2.3
u2.4
u2.7
u2.8
u2.9
Maximum m=n/2 com. of F and 1 com. of G per user
31
Our Scheme : Extension 3
For a large number users : partition
...
...
32
Our Scheme : Extension 3
3 instances
OWC(2,[50,2])
OWC(4,[50,2])
OWC((2:2),[50,2])
33
Our Construction : SecurityStandard hybrid argument
Pseudo-Random number sequence from F : {0,1}κ →{0,1}mκ
Truly Random number sequence
Ri+1 Ri+2 Ri+3 Rj Rj ←R {0,1}mκ
Computational Indistinguishability
F(sdi) F2(sdi) F3(sdi) Fj- 1+1(sdi)
ui ui+1 ui+2 ujnodes
Chain-valueSdi F(Sdi) F2(Sdi) Fj-i(Sdi)
34
Our schemes : Efficiency
50546.9 (0.7r)Fig.19.950OWC((2:2),[w,2])
50546.9 (0.7r)Fig.20.950 OWC(4,[w,2])
50546.9 (0.7r)19.250OWC(2,[w,2])
r=50,000(5%)
# of Comp.
Trans. Length (Kbyte)Keys Storage (Kbyte)m
n = 106 users
3.2SD (Naor et. al) Fig. 201562.5 (2r)
35
Comparison : Transmission Length
5 %
546.9
1 %
234.4
156.3
0.5%
SD
OWC(2,[50,2])
2 %
312.5
78.1
(w=50)
178.1
OWC(4,[50,2])
OWC((2:2),[50,2])
n = 106 usersKbyte
# of revoked users
36
Further Research
Further reduction in user storage
Reduction for initial transmission length
Other structure for Trade-off
: Transmission length & User keys storage
37
Q & A
Thank you
Top Related