fast algorithms for the free riders problem in broadcast encryption
Post on 05-Feb-2016
42 Views
Preview:
DESCRIPTION
TRANSCRIPT
Fast Algorithms for the Free Riders Problem in Broadcast
Encryption
Zulfikar Ramzan
David P. Woodruff
Crypto 2006
Broadcast Encryption
Server
Users
Many applications: payperview TV, music, videosOffline phase - Server distributes keysOnline phase - Encrypt a session key for privileged users
Broadcast Encryption
• Parameters– Storage per user (# keys)– Server storage – Communication vs. computation– Sets of privileged users it can support
• Security– Computational vs. Information-theoretic
Free Riders
• [ASW] If we allow a small fraction of non-privileged (revoked) users to decrypt the broadcast, can we significantly save resources?
• A revoked user decrypting the broadcast is a free rider
• Commercial view These savings might be worth more than the loss
from allowing a few free riders
• [ASW] Consider the subset-cover framework
Subset Cover Framework [NNL][n] = {1, …, n} is set of users
Offline
• For some S ½ [n], server distributes a key KS to all users in S. Let C be the collection of S
Online• R ½ [n] are the revoked users
• Server finds subsets S1, S2, …, St in C such that
S1 [ S2 [ [ St = [n] \ R
• Broadcast ES1(M), ES2(M), …, ESt(M)
Free Riders
• [ASW] Hardness– Given a worst-case C, a revoked set R, and a
bound f on the number of free riders
– NP-hard to find smallest t and S1, S2, …, St 2 C
• S1 [ S2 [ [ St contains [n] n R
• S1 [ S2 [ [ St contains · f elements of R
– Finding t’ with t’ · (1+)t also hard
• Leave open the complexity for specific C
Our Contribution
For a popular, information-theoretically secure scheme in subset-cover framework, known as the Complete Subtree Scheme, we find optimal t and S1, St in O(rf) time
Can find t’ · (1+)t and S1, St’ for uniform R of size r in O~(rf1/3) time
Techniques useful for other schemes in the subset-cover framework
Complete Subtree Scheme [NNL]
Complete Binary Tree on n leaves
Key at each node v given to users in subtree(v)
u1 u2 u3 u4
v
v
Complete Subtree Scheme [NNL]
n users/leaves# keys = # nodes = 2n-1
# keys per user = log n + 1
uu1 u2 u5u4 u6 u8u7
Communication = O(r log n/r)Information-theoretic security
Supports any revoked set of any size r
Benefits of Free Riders
• Can reduce communication from O(n1/2) to O(log n) in Complete Subtree Scheme
• Need an algorithm to find free riders – random assignment bad with overwhelming probability
• Preserve computation, storage, etc.
Benefits of Free Riders
Diagram shows revoked users
Optimal to make all singletons free riders
… …
…
Algorithm Overview• Given a set R of leaves and a bound f of free
riders, find smallest t and nodes v1, v2, …, vt
Privileged users covered by some subtree(vi) and at most f revoked users covered
• Dynamic programming algorithmFor each v with children L(v), R(v)
• AL(v)[i] = optimal cost of assigning at most i free riders to subtree(L(v))
• Av[i] = minj AL(v)[j] + AR(v)[i-j]
Backtrack from root to find assignment
Algorithm Overview
• Algorithm has O(nf) time. Bad for large n
• In practice, r very small
• For CS scheme, can achieve O(rf) by only computing arrays Av at joining nodes
x y z
Initialize Ax = [0 0] Az = [0 0]Ay = [0 0]
p
q
Compute Ap[i] = minj Ax[j] + Ay[i-j], Ap = [0 0 0]
Lift Ap = [0 0 0] to Ap’= [1 1 1]
Lift Az = [0 0] to Az’= [2 1]
Compute Aq[i] = minj Ap’[j] + Az’[i-j], Aq = [3 2 2]
p and q are the only joining nodes
Algorithm Overview
1. Compute joining nodes v
2. For each v, let L(v) and R(v) be nearest joining nodes in left and right subtree of v
1. “Lift” AL(v) and AR[v]
1. Av[i] = minj AL(v)[j] + AR(v)[i-j]
3. Backtrack using DFS to find optimal assignment
Step 2: MinSum Problem
Av[i] = minj AL(v)[j] + AR(v)[i-j] for all i
Given a1 ¸ a2 ¸ ¸ am1 and
b1 ¸ b2 ¸ ¸ bm2,
output 8 i, minj a[j] + b[i-j]
• Easy O(m1 m2) time
• Computational geometry: O(m1 m2/log m1m2)
• Implies overall algorithm is O(rf) time
Step 2: MinSum Problem
Given a1 ¸ a2 ¸ ¸ am1 and
b1 ¸ b2 ¸ ¸ bm2,
output 8 i, minj a[j] + b[i-j]
Relaxations1. 8 i, output j’ for which
a[j’] + b[i-j’] · (1+) minj a[j] + b[i-j]2. Bounded differences for CS scheme
a[j] – a[j+1] = O(log n) and b[j] – b[j+1] = O(log n)
Our result: O~(m1 m21/3) time
If R uniformly chosen from sets of size r, time is O~(rf1/3)
Summary of Results
1. O(rf)-time to optimally find set of f free riders given revoked set R of size r
2. For every > 0, given a1 ¸ ¸ am1 and b1 ¸ ¸ bm2 with aj – aj+1 and bj – bj+1 small, for all i output j’ such that
aj’ + bi-j’ · (1+)minj aj + bi-j
in O~(m1 m21/3) time
3. Yields O~(rf1/3)-time algorithm
Open Questions
• Extend to other broadcast schemes
• Develop a better understanding of the benefits of free riders - computation and storage savings?
• Faster algorithms for the MinSum problem
MinSum Observations
• If a[j] + b[i-j] is the minimum for level i, then a[j] + b[i+-j] is the approximate minimum for level i +
• To approximately solve level i, only try a few indices j because a[j] + b[i-j] ¼ a[j+1] + b[i-j-1]
• If aj’ = aj’+1 = = aj’+r , then for level i,
a[j’] + b[i-j’] ¸ a[j’+1] + b[i-j’-1] ¸ … ¸ a[j’+r] + b[i-j’-r],
so we need only consider ai’
top related