Fingerprinting & Broadcast Encryption for Content Protection
2
Outline
  Introduction
  Fingerprinting & Traitor Tracing
  Broadcast Encryption
3
Introduction
  Fingerprinting
  Traitor tracing
  Broadcast encryption
4
Fingerprinting & Traitor Tracing
  Marking assumption
  Traceability scheme
  Frameproof code
  c-secure code
  c-TA code & c-IPP code
  Combinatorial properties
  Fingerprinting methods
  Tracing algorithm
5
Fingerprinting & Traitor Tracing
- Marking assumption
<Definition> undetectable positions
Let $\Gamma = \{w^{(1)}, \ldots, w^{(n)}\}$ be an $(l,n)$-code and $C$ be a coalition of users. For $i \in \{1, \ldots, l\}$ we say that position $i$ is undetectable for $C$ if the words assigned to users in $C$ match in their $i$th position. Formally, suppose $C = \{u_1, \ldots, u_c\}$. Then position $i$ is undetectable if $w_i^{(u_1)} = w_i^{(u_2)} = \cdots = w_i^{(u_c)}$.
<Definition> feasible set
Let $\Gamma = \{w^{(1)}, \ldots, w^{(n)}\}$ be an $(l,n)$-code and $C$ be a coalition of users. Let $R$ be the set of undetectable positions for $C$. Define the feasible set of $C$ as $F(C; \Gamma) = \{ w \in (\Sigma \cup \{?\})^l \text{ s.t. } w|_R = w^{(u)}|_R \}$ for some user $u$ in $C$. Thus the feasible set contains all words which match the coalition's undetectable bits. Usually we omit the $\Gamma$ and denote $F(C; \Gamma)$ by $F(C)$.
6
Fingerprinting & Traitor Tracing
- Marking assumption
e.g. A: 3 2 3 1 2
     B: 1 2 2 1 2
     F(AB) = _ 2 _ 1 2 (positions 2, 4 and 5, where A and B agree, are undetectable)
<Definition> Marking Assumption
Any coalition of c users is only capable of creating an object whose fingerprint lies in the feasible set of the coalition.
7
Fingerprinting & Traitor Tracing
- Traceability scheme
<Definition> Traitor tracing schemes (B. Chor, A. Fiat, M. Naor, and B. Pinkas, 1994)
A traitor tracing scheme consists of three components:
1. A user initialization scheme, used by the data supplier to add new users. The data supplier has a meta-key $\alpha$ that defines a mapping $P_\alpha : U \to \{0,1\}^s$, where $U$ is the set of possible users and $s$ is the number of bits in the personal key that each user gets.
2. An encryption scheme $E_\alpha : \{0,1\}^* \to \{0,1\}^*$, used by the data supplier to encrypt messages, and a decryption scheme $D_\beta : \{0,1\}^* \to \{0,1\}^*$, used by every user to decrypt those messages.
3. A traitor tracing algorithm, used upon confiscation of a pirate decoder, to determine the identity of a traitor.
8
Fingerprinting & Traitor Tracing
- Frameproof codes
<Definition> c-Frameproof codes (James Shaw, 1995 (1998))
A code $\Gamma$ is $c$-frameproof if every set $W \subset \Gamma$, of size at most $c$, satisfies $F(W) \cap \Gamma = W$.
9
Fingerprinting & Traitor Tracing
- c-secure codes
<Definition> totally c-secure code
A code $\Gamma$ is totally $c$-secure if there exists a tracing algorithm $A$ satisfying the following condition: if a coalition $C$ of at most $c$ users generates a word $x$ then $A(x) \in C$.
<Lemma>
If $\Gamma$ is a totally $c$-secure code then $C_1 \cap \cdots \cap C_r = \emptyset \Rightarrow F(C_1) \cap \cdots \cap F(C_r) = \emptyset$ for all coalitions $C_1, \ldots, C_r$ of at most $c$ users each.
10
Fingerprinting & Traitor Tracing
- c-TA code & c-IPP code
A. Silverberg, J. Staddon, 2001
<Definition> c-TA (traceability)
A code $C$ is a $c$-TA code if for all coalitions $C_i$ of size at most $c$, if $w \in \mathrm{desc}(C_i)$ then there exists $x \in C_i$ such that $|I(x,w)| > |I(z,w)|$ for all $z \in C \setminus C_i$.
<Definition> c-IPP (identifiable parent property)
A code $C$ is a $c$-IPP code if for all $w \in \mathrm{desc}_c(C)$, the intersection of the coalitions $C_i$ of size at most $c$ such that $w \in \mathrm{desc}(C_i)$ is nonempty.
11
Fingerprinting & Traitor Tracing
- c-TA code & c-IPP code
<Lemma> Every c-TA code is a c-IPP code.
<proof>
code. a a of definition by the s.t. then , if fact,In
.)(
, with any for that,show willWe
code. a of definition by the any for Thus
. allfor s.t. Let
. s.t. where if
code. a is Suppose
c-TAI(w,y)I(w,z)CzCy
CyCdescw
cCCC
c-TACxI(w,x)I(w,y)
CxI(w,x)I(w,y) Cy
)desc(Cwc,CCC(C), descw
c-TAC
jj
jj
jj
ii
iiic
12
Fingerprinting & Traitor Tracing
- Combinatorial properties
"Combinatorial properties and constructions of traceability schemes and frameproof codes", D. R. Stinson, R. Wei, 1997 (2001)
Investigate combinatorial properties and constructions of two recent topics of cryptographic interest:
  frameproof codes
  traceability scheme
13
Fingerprinting & Traitor Tracing
- Combinatorial properties
<Definition> c-FPC(v,b)
A $(v,b)$-code $\Gamma$ is called a $c$-frameproof code if, for every $W \subseteq \Gamma$ such that $|W| \le c$, we have $F(W) \cap \Gamma = W$. We say that $\Gamma$ is a $c$-FPC$(v,b)$.
<Definition> c-TS(k,b,v)
If $|F \cap P(U)| \ge |F \cap P(V)|$ for all users $V \ne U$, then $U$ is defined to be an exposed user. Suppose any exposed user $U$ is a member of the coalition $C$ whenever a pirate decoder $F$ is produced by $C$ and $|C| \le c$. Then the scheme is called a $c$-traceability scheme and it is denoted by $c$-TS$(k,b,v)$. Traitor detection would be done by computing $|F \cap P(U)|$ for all users $U$.
14
Fingerprinting & Traitor Tracing
- Combinatorial properties
<Theorem>
There exists a $c$-FPC$(v,b)$ if and only if there exists a set system $(X, \mathcal{B})$ such that $|X| = v$, $|\mathcal{B}| = b$ and for any subset of $d \le c$ blocks $B_1, B_2, \ldots, B_d \in \mathcal{B}$ there does not exist a block $B \in \mathcal{B} \setminus \{B_1, B_2, \ldots, B_d\}$ such that $\bigcap_{i=1}^{d} B_i \subseteq B \subseteq \bigcup_{i=1}^{d} B_i$.
15
Fingerprinting & Traitor Tracing
- Combinatorial properties
<Theorem>
There exists a $c$-TS$(k,b,v)$ if and only if there exists a set system $(X, \mathcal{B})$ such that $|X| = v$, $|\mathcal{B}| = b$ and $|B| = k$ for every $B \in \mathcal{B}$, with the property that for every choice of $d \le c$ blocks $B_1, B_2, \ldots, B_d \in \mathcal{B}$ and for any $k$-subset $F \subseteq \bigcup_{j=1}^{d} B_j$, there does not exist a block $B \in \mathcal{B} \setminus \{B_1, B_2, \ldots, B_d\}$ such that $|F \cap B_j| \le |F \cap B|$ for $1 \le j \le d$.
16
Fingerprinting & Traitor Tracing
- Combinatorial properties
<Theorem> If there exists a $c$-TS$(k,b,v)$, then there exists a $c$-FPC$(v,b)$.
<proof>
Let $(X, \mathcal{B})$ be the set system corresponding to a $c$-TS$(k,b,v)$. We prove that $(X, \mathcal{B})$ is a $c$-FPC$(v,b)$. Suppose no; then there exist $d \le c$ blocks, $B_1, B_2, \ldots, B_d \in \mathcal{B}$, and a block $B \in \mathcal{B} \setminus \{B_1, B_2, \ldots, B_d\}$ such that $\bigcap_{i=1}^{d} B_i \subseteq B \subseteq \bigcup_{i=1}^{d} B_i$. Then $|B \cap B_j| \le |B \cap B|$ for $1 \le j \le d$.
17
Fingerprinting & Traitor Tracing
- Fingerprinting methods
AND-resilient codes
  Trivial AND-ACC
  $\Gamma_0$
  AND-ACC (Trappe et al., 2003)
  The fingerprinting scheme based on projective space (Dittmann, 2000)
Selection-resilient codes
  $\Gamma_0$ combined with $(L,N,D)_q$-ECC, $D > L(1-(1/c))$
  $(L,N,D)_q$-ECC with $D \ge L(1-1/c^2)$ (Staddon, 2001)
18
Fingerprinting & Traitor Tracing
- Tracing algorithms
Scenario
  The center broadcasts the encrypted content to users
  One encryption key and multiple distinct decryption keys
  One cannot compute a new decryption key from a given set of keys
19
Fingerprinting & Traitor Tracing
- Tracing algorithms
Static tracing
  Used upon confiscation of a pirate decoder, to determine the identity of a traitor
  Such a scheme would be ineffective if the pirate were simply to rebroadcast the original content
  Use watermarking methods to allow the broadcaster to generate different versions of the original content
  Use the watermarks found in the pirate copy to trace its supporting traitors
  Drawback: requires one copy of content for each user and so requires very high bandwidth
20
Fingerprinting & Traitor Tracing
- Tracing algorithms
Dynamic tracing (Fiat & Tassa, 2001)
  The content is divided into consecutive segments
  Embed one of the q marks in each segment, hence creating q versions of the segment (watermarking method)
  In each interval, the user group is divided into q subsets and each subset receives one version of the segment
  The subsets are varied in each interval using the rebroadcasted content
  Trace all colluders with lower bandwidth
  Drawback:
    Vulnerable to a delayed rebroadcast attack
    High real-time computation for regrouping the users and allocating marks to subsets
21
Fingerprinting & Traitor Tracing
- Tracing algorithms
Sequential tracing (Reihaneh, 2003)
  The channel feedback is only used for tracing and not for allocation of marks to users
  The mark allocation table is predefined and there is no need for real-time computation to determine the mark allocation of the next interval
    The need for real-time computation will be minimized
    Protects against the delayed rebroadcast attack
  The traitors are identified sequentially
22
Broadcast Encryption
  Key pre-distribution schemes
  Key management
23
Broadcast Encryption
- Key pre-distribution scheme
In a key pre-distribution scheme, the trusted authority (TA) generates and distributes keys to each user
The goal is to allow the TA to broadcast the secure message to a dynamically changing privileged subset of users in such a way that non-privileged users cannot learn the message, while minimizing key-management-related transmissions
24
Broadcast Encryption
- Key pre-distribution scheme
<Definition> $(\mathcal{P},\mathcal{F})$-KPS ($(\mathcal{P},\mathcal{F})$-Key Predistribution Scheme)
The scheme is a $(\mathcal{P},\mathcal{F})$-Key Predistribution Scheme if it satisfies:
  Each user $i$ in any privileged set $P \in \mathcal{P}$ can compute $k_P$
  No forbidden subset $F \in \mathcal{F}$ disjoint from any privileged subset $P$ has any information on $k_P$
25
Broadcast Encryption
- Key pre-distribution scheme
  Trivial KPS
  Shamir threshold KPS (Shamir, 1979)
  Blom KPS (1984)
  Fiat-Naor KPS (1993)
26
Broadcast Encryption
- Key pre-distribution scheme
<Definition> $(\mathcal{P},\mathcal{F})$-One-Time Broadcast Encryption Scheme
We say that the scheme is a $(\mathcal{P},\mathcal{F})$-One-Time Broadcast Encryption Scheme ($(\mathcal{P},\mathcal{F})$-OTBES) if it satisfies:
1. Without knowing the broadcast, no subset of users has any information about $m_P$, even given all the secret information $U_{\mathcal{U}}$.
2. The message for a privileged user is uniquely determined by the single broadcast and the user's secret information.
3. After receiving the broadcast, no forbidden subset $F$ disjoint from $P$ has any information on $m_P$.
27
Broadcast Encryption
- Key pre-distribution scheme
  Beimel-Chor OTBES (1993)
28
Broadcast Encryption
- Key pre-distribution scheme
<Definition> $(\mathcal{P},\mathcal{F})$-Key Distribution Pattern (Mitchell & Piper, 1988)
$U$: a set of users
$\mathcal{B} = \{B_1, \ldots, B_\beta\}$: a set of subsets of $U$ called blocks
$(U, \mathcal{B})$ is a $(\mathcal{P},\mathcal{F})$-Key Distribution Pattern ($(\mathcal{P},\mathcal{F})$-KDP) if $\{B_j : P \subseteq B_j \text{ and } F \cap B_j = \emptyset\} \ne \emptyset$ $\forall P \in \mathcal{P}$ and $F \in \mathcal{F}$ s.t. $P \cap F = \emptyset$
29
Broadcast Encryption
- Key pre-distribution scheme
A KDP can be represented by an $n \times \beta$ incidence matrix $A = (a_{ij})$ which is defined as follows:
$a_{ij} = 1$ if $i \in B_j$, and $a_{ij} = 0$ otherwise.
The KDP can be used to construct KPS.
30
Broadcast Encryption
- Key pre-distribution scheme
<Theorem> Suppose $(U, \mathcal{B})$ is a $(\mathcal{P},\mathcal{F})$-KDP, then there exists a $(\mathcal{P},\mathcal{F})$-KPS with information rate $1/\max\{r_i : 1 \le i \le n\}$, $r_i = |\{B_j : i \in B_j\}|$, and total information rate $1/\beta$
The trivial KPS and Fiat-Naor KPS are both in fact KDPs
  The trivial KPS is obtained by taking $\mathcal{B}$ to be all $t$-subsets of $U$
  The Fiat-Naor KPS is produced by taking $\mathcal{B}$ to be all subsets of $U$ of cardinality at least $n-w$
31
Broadcast Encryption
- Key pre-distribution scheme
  OA KDP (Stinson, 1997)
  PA KDP (Stinson, 1997)
32
Broadcast Encryption
- Key management
The purpose of key management is to provide secure procedures for handling cryptographic keying material to be used in symmetric or asymmetric cryptographic mechanisms.
The Open Systems Interconnection (OSI) Security Architecture defines key management as "the generation, storage, distribution, deletion, archiving and application of keys in accordance with a security policy".
33
Broadcast Encryption
- Key management
Access control schemes
  The bit-vector scheme
  The block-by-block scheme
  The extended-header scheme
  The VSPACE scheme
  The tree scheme
34
Broadcast Encryption
- Key management
The state update problem
  Content is encrypted using a group key which is known to a group of users in many scenarios
  When users leave or join the group, the group key must be changed
    Prevent leaving members from decrypting content in the future
    Prevent joining members from decrypting previous content (backward secrecy)
    O(n) messages
  How to reduce the overhead of the key update messages?
35
Broadcast Encryption
- Key management
The LKH (Logical Key Hierarchy) Scheme
36
Introduction - Fingerprinting
Fingerprinting is the process of assigning a unique key for each user
The purpose is to identify the person who acquired a particular copy
Implementation
  Embed a unique key inside the content for each user
  Encrypt the content and each user has his own decryption key to recover the content
37
Introduction - Traitor Tracing
Collusion attack
  A group of malicious users (traitors) can collude by combining their keys to create a new pirate key (pirate decoder)
A traitor tracing algorithm is used to trace at least one of the colluders or the group containing the colluders
38
Introduction - Broadcast Encryption
Broadcast encryption schemes enable a trusted authority to broadcast a message to the users in a network so that a certain specified subset of authorized users can decrypt it
It involves the problems of key pre-assignment, key management and even the traceability schemes
39
Fingerprinting & Traitor Tracing
- Fingerprinting methods
Consist of all n-bit binary vectors that have only a single 0 bit
e.g. n=4
C={1110,1101,1011,0111}
40
Fingerprinting & Traitor Tracing
- Fingerprinting methods
<Definition> $\Gamma_0$
the (n,n)-code containing all n-bit binary words with exactly one 1
e.g. $\Gamma_0(3)$ = {100,010,001}
41
Fingerprinting & Traitor Tracing
- Fingerprinting methods
Use BIBD to construct an AND-ACC
<Theorem> Let (X, A) be a (v,k,1)-BIBD and M the corresponding incidence matrix. If the codevectors are assigned as the bit complement of the columns of M, then the resulting scheme is a (k-1)-resilient AND-ACC.
e.g. (7,3,1)-BIBD
C =
1001011
0101101
0110011
0011110
1010101
1100110
1111000
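The check below is an added example, not part of the original slides. It takes the seven rows of C printed for the (7,3,1)-BIBD, treats each column as one user's codevector, confirms the underlying design is a BIBD with λ = 1, and tests the (k-1) = 2 resilience claim under the AND collusion model; the function names are chosen here for illustration.

```python
from itertools import combinations

# Rows of the matrix C as printed on the slide; column j is user j's codevector.
C_ROWS = [
    "1001011",
    "0101101",
    "0110011",
    "0011110",
    "1010101",
    "1100110",
    "1111000",
]


def codevectors(rows):
    """Return one tuple of bits per user (the columns of C)."""
    width = len(rows[0])
    return [tuple(int(row[j]) for row in rows) for j in range(width)]


def blocks_from_codevectors(vectors):
    """Undo the bit complement: the zero positions of a codevector form a block."""
    return [frozenset(i for i, bit in enumerate(v) if bit == 0) for v in vectors]


def is_bibd_lambda_1(blocks, v, k):
    """Every block has k points and every pair of points lies in exactly one block."""
    if any(len(b) != k for b in blocks):
        return False
    return all(
        sum(1 for b in blocks if p in b and q in b) == 1
        for p, q in combinations(range(v), 2)
    )


def collude_and(vectors, coalition):
    """Bitwise AND of the coalition's codevectors (the AND collusion model)."""
    return tuple(min(bits) for bits in zip(*(vectors[u] for u in coalition)))


def and_table(vectors, max_size):
    """Map each AND result to the coalitions of size <= max_size that produce it."""
    table = {}
    for size in range(1, max_size + 1):
        for coalition in combinations(range(len(vectors)), size):
            table.setdefault(collude_and(vectors, coalition), []).append(coalition)
    return table


def is_and_resilient(vectors, max_size):
    """True if every AND result is non-zero and produced by exactly one coalition."""
    table = and_table(vectors, max_size)
    return all(any(word) and len(cs) == 1 for word, cs in table.items())


def trace(vectors, max_size, observed):
    """Return the unique coalition behind an observed word, or None if ambiguous."""
    matches = and_table(vectors, max_size).get(tuple(observed), [])
    return matches[0] if len(matches) == 1 else None


if __name__ == "__main__":
    V = codevectors(C_ROWS)
    print("BIBD with lambda=1:", is_bibd_lambda_1(blocks_from_codevectors(V), 7, 3))
    print("2-resilient:", is_and_resilient(V, 2))
    print("3-resilient:", is_and_resilient(V, 3))
    print("traced coalition:", trace(V, 2, collude_and(V, (0, 3))))
```

With three colluders the guarantee stops: three blocks through a common point cover all seven points, so their AND is the all-zero word and several coalitions become indistinguishable.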
42
Fingerprinting & Traitor Tracing
- Fingerprinting methods
Constructions using t-designs
<Definition> $t$-$(v,k,\lambda)$ design
A $t$-$(v,k,\lambda)$ design is a set system $(X, \mathcal{B})$, where $|X| = v$, $|B| = k$ for every $B \in \mathcal{B}$, and every $t$-subset of $X$ occurs in exactly $\lambda$ blocks in $\mathcal{B}$.
BIBDs are 2-$(v,k,\lambda)$ designs
e.g. 2-(9,3,1) design
{0,1,6},{0,2,5},{0,3,4},{1,2,4},{3,5,6},{1,5,7}
{5,4,8},{4,6,7},{6,2,8},{2,3,7},{3,1,8},{0,7,8}
43
Fingerprinting & Traitor Tracing
- Fingerprinting methods
Use techniques from finite projective geometry to construct a d-detecting fingerprinting scheme
e.g. PG(2,2) 2-detecting
44
Fingerprinting & Traitor Tracing
- Fingerprinting methods
<Lemma>
Let $\Gamma$ be a $c$-frameproof $(l,p)$-code and $C$ be an $(L,N,D)_p$-ECC. Let $\Gamma'$ be the composition of $\Gamma$ and $C$. Then $\Gamma'$ is a $c$-frameproof code, provided $D > L(1-(1/c))$.
45
Fingerprinting & Traitor Tracing
- Fingerprinting methods
<Theorem>
Suppose that $C$ is an $(L,N,D)_q$-ECC having minimum Hamming distance $D \ge L(1-1/c^2)$. Then $C$ is a $c$-TA code.
46
Broadcast Encryption
- Key pre-distribution scheme
Trivial KPS 1
  Give every user $u_i \in U$ its own key and transmit an individually encrypted message $E_{u_j}(m)$ to every member $u_j \in P$
  → long transmission time
Trivial KPS 2
  For every $t$-subset $P \subseteq U$, the TA gives $k_P$ to every member of $P$
  → every user stores a huge number of keys
47
Broadcast Encryption
- Key pre-distribution scheme
Blom KPS
t=2
1. The TA chooses $n$ distinct random numbers $s_i \in GF(q)$, and gives $s_i$ to user $i$ $(1 \le i \le n)$. These values do not need to be secret.
2. The TA constructs a random polynomial $f(x,y) = \sum_{i=0}^{w} \sum_{j=0}^{w} a_{ij} x^i y^j$ having coefficients in $GF(q)$, s.t. $a_{ij} = a_{ji}$ $\forall i,j$.
3. The TA computes the polynomial $g_i(x) = f(x, s_i) = \sum_{j=0}^{w} b_{ij} x^j$.
4. The TA gives the $w+1$ values $b_{ij}$ to user $i$.
$k_P = g_i(s_j) = g_j(s_i)$
48
Broadcast Encryption
- Key pre-distribution scheme
Blom KPS
e.g. $t = 2$
$n = 3$, $q = 17$, $w = 1$, $s_1 = 12$, $s_2 = 7$, $s_3 = 1$
$f(x,y) = 8 + 7(x+y) + 2xy$
$g_1(x) = 7 + 14x$, $g_2(x) = 6 + 4x$, $g_3(x) = 15 + 9x$
$u_1 = (7,14)$, $u_2 = (6,4)$, $u_3 = (15,9)$
$k_{\{1,2\}} = 3$, $k_{\{1,3\}} = 4$, $k_{\{2,3\}} = 10$
49
Broadcast Encryption
- Key pre-distribution scheme
Fiat-Naor KPS
For every subset $F \subseteq U$ with $|F| \le w$, the TA chooses a random value $s_F \in GF(q)$ and gives $s_F$ to every member of $U \setminus F$.
The key associated with a privileged set $P$ is defined to be $k_P = \sum_{\{F : F \cap P = \emptyset\}} s_F$
50
Broadcast Encryption
- Key pre-distribution scheme
Fiat-Naor KPS
e.g.
$n = 3$, $q = 17$, $w = 1$
$s_\emptyset = 11$, $s_{\{1\}} = 8$, $s_{\{2\}} = 3$, $s_{\{3\}} = 8$
$k_\emptyset = 13$
$k_{\{1\}} = 5$, $k_{\{2\}} = 10$, $k_{\{3\}} = 5$
$k_{\{1,2\}} = 2$, $k_{\{1,3\}} = 14$, $k_{\{2,3\}} = 2$
$k_{\{1,2,3\}} = 11$
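The Fiat-Naor construction and its GF(17) example above, as an added example that is not part of the original slides. It recomputes every k_P from the s_F values, shows that a member of P can form the key from its own store, and checks the resilience bound: a coalition of at most w users disjoint from P always lacks one term of k_P, while a larger coalition may not. Function names are chosen here for illustration.

```python
from itertools import combinations

Q = 17
USERS = (1, 2, 3)
W = 1
# s_F for every F with |F| <= w, values from the slide's example.
S = {
    frozenset(): 11,
    frozenset({1}): 8,
    frozenset({2}): 3,
    frozenset({3}): 8,
}


def user_store(i, s):
    """Values the TA hands to user i: every s_F with i not in F."""
    return {F: v for F, v in s.items() if i not in F}


def needed(P, s):
    """Index sets F whose s_F appear in k_P, i.e. F disjoint from P."""
    P = frozenset(P)
    return [F for F in s if not (F & P)]


def group_key(P, s, q):
    """TA view: k_P is the sum of s_F over all F disjoint from P."""
    return sum(s[F] for F in needed(P, s)) % q


def member_key(i, P, s, q):
    """User view: a member of P holds every term because each F avoids P."""
    if i not in P:
        raise ValueError("user is not in the privileged set")
    store = user_store(i, s)
    return sum(store[F] for F in needed(P, s)) % q


def missing_for_coalition(coalition, P, s):
    """Terms of k_P that the pooled stores of the coalition do not contain."""
    pooled = set()
    for i in coalition:
        pooled |= set(user_store(i, s))
    return [F for F in needed(P, s) if F not in pooled]


def resists_small_coalitions(users, w, s):
    """Each coalition of size <= w lacks a term of k_P for every disjoint P."""
    for r in range(1, w + 1):
        for coalition in combinations(users, r):
            rest = [u for u in users if u not in coalition]
            for size in range(1, len(rest) + 1):
                for P in combinations(rest, size):
                    if not missing_for_coalition(coalition, P, s):
                        return False
    return True


if __name__ == "__main__":
    for size in range(len(USERS) + 1):
        for P in combinations(USERS, size):
            print(f"k_{set(P) or '{}'} =", group_key(P, S, Q))
    print("user 3 vs P={1,2} is missing:", missing_for_coalition((3,), (1, 2), S))
    print("users 2,3 vs P={1} are missing:", missing_for_coalition((2, 3), (1,), S))
    print("resists coalitions of size <= w:", resists_small_coalitions(USERS, W, S))
```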
51
Broadcast Encryption
- Key pre-distribution scheme
Beimel-Chor OTBES
)11( 3.
named are factors-one that theSuppose
scheme Blom by the determined key unique a and
it, containingfactor -one unique a }{
.matchings)(perfect factors-one into dpartitione becan
,set edge and set on vertext graph complete The
.set privileged that theSuppose 2.
up.set is )(in scheme Blom )22(A .1
2let ,mod0 Suppose
11
1
t-i,F:ekmb
.,...FF
k
Ei,je
EPK
},...i{iP
qGFw-,t
l l t
ieiP
t-
e
t
t
52
Broadcast Encryption
- Key pre-distribution scheme
Beimel-Chor OTBES
e.g.
),,
,,,(
),,(
}},{},,{{
}},{},,{{
}},{},,{{
},...,{,4
},{3},{3},{2
},{2},{1},{1
321
32413
42312
43211
41
324142
314321
iiiiii
iiiiiiP
p
kmkmkm
kmkmkmb
mmmm
iiiiF
iiiiF
iiiiF
iiPt
53
Broadcast Encryption
- Key pre-distribution scheme
Secret Sharing Schemes
$X$: a set of $n$ users; $\Gamma \subseteq 2^X$ is a set of subsets called authorized subsets.
In a secret sharing scheme, the TA has one secret value $k \in GF(q)$, called the key. The TA will distribute secret information to each user in $X$, in such a way that any authorized subset can compute $k$ from the shares they jointly hold, but no unauthorized subset has any information about $k$.
The secret information given to user $i$ will be denoted $u_i$ and is called the share of user $i$.
54
Broadcast Encryption
- Key pre-distribution scheme
Shamir threshold KPS
Let $q \ge n+1$ be a prime power.
1. The TA chooses $n$ distinct non-zero random numbers $x_i \in GF(q)$, and gives $x_i$ to user $i$ $(1 \le i \le n)$. These values do not need to be secret.
2. The TA constructs a random polynomial of degree at most $t-1$, $f(x) = \sum_{i=0}^{t-1} a_i x^i$, having coefficients in $GF(q)$. The key is the constant term $a_0$.
3. The TA computes the polynomial value $y_i = f(x_i)$ and gives $y_i$ to user $i$.
55
Broadcast Encryption
- Key pre-distribution scheme
Shamir threshold KPS
e.g.
Suppose we construct a scheme in $GF(17)$ and the public values are $x_i = i$, $1 \le i \le 5$.
Suppose that the TA chooses the polynomial $f(x) = 13 + 10x + 2x^2$, so the key is 13.
The shares that are distributed are
$y_1 = f(1) = 8$, $y_2 = f(2) = 7$, $y_3 = f(3) = 10$, $y_4 = f(4) = 0$, $y_5 = f(5) = 11$
Any 3 of the ordered pairs (1,8), (2,7), (3,10), (4,0), (5,11) can be used to reconstruct the polynomial $f$.
56
Broadcast Encryption
- Key pre-distribution scheme
<Definition> Orthogonal Array
s.ii
uA
,...γγAs
s.tYvaA
nλvs,n,vOA
ii
s
j,i
sλ
1 , allfor
column in occurs entry hein which t of rows
exactly are there,say , of columnsany for
, . ,say set,- a from entries with ),(
array, a is )(array orthogonalAn
1
57
Broadcast Encryption
- Key pre-distribution scheme
<Theorem> OA KDP
.)]([set key having
users,n ofset afor KPS-)( a exists Then there
.1)( s.t.power prime a is that Suppose
.)( define and ,12 and 11
thatSuppose 3. with an is thereSuppose
m
wt
wt
λ
qGF
t,s-t
λvv-zqq
λzv-zms-tv-z
s(s,n,v)OA
58
Broadcast Encryption
- Key pre-distribution scheme
<Definition> Perpendicular Arrays
order). some(in columnsgiven in theoccur
elementsgiven hein which t of rows exactly are there
, of columns any for and , ofsubset -any for 2.
, of elementsdifferent contains of roweach 1.
:satisfied are properties following
the ,say set,- a from entries with ),(
array, a is )(array lar perpendicuA
s
sA
AsYs
YnA
s.t.YvaA
ns
vλs,n,vPA
j,i
λ
59
Broadcast Encryption
- Key pre-distribution scheme
<Theorem> PA KDP
.)]([set key having
users, ofset afor KDP-)( a exists Then there
.1)1(
,12 and 11 that Suppose
.213 with )( a is thereSuppose
0
λ
m
t
s
t
zv
ts
tvλs-t
i it
s
it
zv
i
ts
its
itvλ
i
qGF
nt,s-t
,qm
s-tv-z
)/(nss,n,vPA
60
Broadcast Encryption
- Key pre-distribution scheme
PA KPS
e.g.
134052
102364
306125
426501
031546
562043
245163
6543210
:7 modulo rows following thedevelopingby obtained isA array The
}.6,5,4,3,2,1,0,{Sset thefrom symbols array with 756 a isA
(3,7,8). heconsider t We 1PA
61
Broadcast Encryption
- Key pre-distribution scheme
PA KDP
e.g.
7 3 2
7 6 3
7 6 3 1
7 6 5 1
7 5 4 1
7 5 4 2
7 4 2
6 5 2
7 6 5 2
7 6 5 4
7 6 4 3
6 4 3 1
6 3 1
6 2 1
6 5 4 1
6 5 4 3
6 5 3 2
7 5 3 2
7 5 2
7 5 1
5 4 1
5 4 3 2
5 4 2 1
6 4 2 1
6 4 1
7 6 4
7 4 3
7 5 4 3
7 4 3 1
7 5 3 1
7 5 3
6 5 3
6 3 2
6 4 3 2
4 3 2 1
7 6 4 2
6 4 2
5 4 2
5 2 1
5 3 2 1
7 3 2 1
7 6 3 2
5 3 1
4 3 1
7 4 1
7 4 2 1
7 6 2 1
6 5 2 1
6 5 3 1
7 6 1
7 2 1
3 2 1
4 3 2
5 4 3
6 5 4
7 6 5
blow.given are of blocks 56 theand ,6,7}{1,2,3,4,5 where
, from ),( KDP-(2,1) aconstruct can Then we {0,1,2,3}. Suppose
BU
BU
AZ
62
Broadcast Encryption
- Key management
The bit-vector scheme
  Popular access control scheme (analog European satellite TV system, Sky VideoCrypt systems, …)
  All the programs are encrypted with the same key, which is stored in every set-top terminal (STT)
  The STT decrypts a program p only if the p-th bit of bit-vector b[p]=1.
63
Broadcast Encryption
- Key management
The block-by-block scheme
  The programs are split into n disjoint blocks, and all the programs belonging to a block are encrypted using the same key
  The STT stores the keys for each block that the user buys
64
Broadcast Encryption
- Key management
The extended-header scheme
  Attach cryptographic header information to each program
  Arrange the programs into predefined packages, and each package has a key
  Need large headers to each program in order to achieve flexibility in packaging the programs
65
Broadcast Encryption
- Key management
The VSPACE scheme
  Attach only the single n-bit cryptographic identifier (CID) to a program
  The encryption key of a program is a function of its CID p: Key(p) = Mp
  The columns of M are master keys, which are linearly independent vectors.