
Post on 13-Jan-2016


Korea University

CRYPTO ‘05

Jung Yeon Hwang, Dong Hoon Lee, Jong In Lim

Generic Transformation for Scalable Broadcast Encryption Schemes

2

Contents

Broadcast Encryption (BE)

Concept / Applications

Related Works

Our Approach for Scalability

Design Principle

Generic Transformation

Compiled Examples

Concluding Remarks

3

Broadcast Encryption : Concept

Message Sender

s : session key, m : contents

Header Body

Broadcast Encryption Message

Contents

Subscribers

4

BE : Applications

Satellite-based Business

Group Communication

Digital Rights Management

Home network content protection

AACS (Advanced Access Content System) group

2004. 7. IBM, Intel, Microsoft, Panasonic, Sony, Toshiba, Disney, Warner Bros. Studios

5

BE : Basic Goal

How to efficiently exclude illegal users from a privileged set?

Revoked User Privileged User

Transmission Overhead (TO)

User Storage Overhead (SO)

Computation Overhead (CO)

one-to-many communication : Transmission efficiency

6

BE : Related Works

Unicast & Power-Set Solutions

Middle Ground : Revocation-state ?

Define a collection of subsets

- Combinatorial Approach (collusion)

- Tree Structure (SD,LSD,SSD), Line Segment (PI)

Reveal Information of Revoked Users

- Secret Sharing

Accumulate Information of Privileged Users

- One-Way Accumulator

7

Problem of Scalability & Our Solution

Large Number of Users? Impractical due to Excessive User Storage and/or Computation Overhead

Modular Approach for Scalability

Reduction in User Storage and Computation

Slight Increase in Transmission Overhead

Structure Preserving

- Security

- Type of Key Sharing : Symmetric / Public Key

- Connection State : Stateful / Stateless

8

Our Solution : Modular Approach

User Structure : $n = w^s$

w-ary Tree, Height = s

Sibling Set Sa

Independent & Hierarchical Application of BE to small subsets

[Figure: w-ary tree over the users, with node labels Se, Se1, …, Se18, user Ue184, and sibling sets numbered 1 to 8]

9

Our Solution : Modular Approach

Independent & Hierarchical Application of BE

- Key Assignment

[Figure: tree with node labels Se, Se1, …, Se18 and user Ue184]

10

Our Solution : Modular Approach

Independent & Hierarchical Application of BE

- Revocation Tree

Revoked Users (leaves), Revoked nodes (Steiner Tree)

[Figure: tree with node labels Se, Se1, …, Se18; revoked users ue115, ue182]

11

Our Solution : Modular Approach

Independent & Hierarchical Application of BE

- Revocation Tree

Revoked nodes

[Figure: tree with node labels Se, Se1, …, Se18 and Se11; revoked users ue115, ue182]

12

Our Solution : Performance Analysis

User Storage Overhead : $1 + s \cdot SO_B(n^{1/s})$

Preserve “log-key restriction” ($1 + s \log n^{1/s} = 1 + \log n$)

Computation Overhead : $CO_B(n^{1/s})$

Transmission Overhead : $\le s \cdot TO_B(n^{1/s})$

Sibling Set : $w = n^{1/s}$

Height : s

13

Examples

User Devices with Limited Resources

Transmission-Restricted/Low Bandwidth

Application

14

Example 1 : For Low Resource Environment

BE scheme B1 with log n + 1 SO, 2r TO, n CO

Transformation

BE scheme B1 with log n + 1 SO, 2r log n / log log n TO, log n CO

15

Example 1 : For Low Resource Environment

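User Structure : Number line

$U_1, U_2, U_3, U_4, U_5, U_6, \ldots, U_i, \ldots, U_{n-1}, U_n$

Basic Tool : One-way chain

$F : \{0,1\}^\kappa \to \{0,1\}^\kappa$

$sd_i \leftarrow_R \{0,1\}^\kappa$

$F(sd_i),\ F^2(sd_i),\ F^3(sd_i),\ \ldots,\ F^{j-i+1}(sd_i)$

points : $u_i,\ u_{i+1},\ u_{i+2},\ \ldots,\ u_j$

chain-value : $sd_i,\ F^1(sd_i),\ F^2(sd_i),\ \ldots,\ F^{j-i}(sd_i)$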
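The one-way chain from the slide above, as an added example (not code from the talk or the paper). It assumes truncated SHA-256 for F, κ = 128 bits, the indexing in which u_i carries sd_i and u_j carries F^(j-i)(sd_i), and that the chain value at u_j acts as the key for the interval u_i..u_j; all function names are hypothetical.

```python
import hashlib
import secrets

KAPPA_BYTES = 16  # assumption: kappa = 128 bits


def F(x: bytes) -> bytes:
    """F: {0,1}^kappa -> {0,1}^kappa. Assumption: truncated SHA-256 stands in for F."""
    return hashlib.sha256(b"owc" + x).digest()[:KAPPA_BYTES]


def chain_value(start: bytes, steps: int) -> bytes:
    """Apply F `steps` times to `start`; steps = 0 returns `start` unchanged."""
    if steps < 0:
        raise ValueError("chain values can only be derived forwards")
    value = start
    for _ in range(steps):
        value = F(value)
    return value


def user_share(sd_i: bytes, i: int, k: int) -> bytes:
    """Chain value at point u_k on the chain that starts at u_i: F^(k-i)(sd_i)."""
    return chain_value(sd_i, k - i)


def interval_key(sd_i: bytes, i: int, j: int) -> bytes:
    """Assumption: the chain value at u_j keys the interval u_i..u_j."""
    return chain_value(sd_i, j - i)


def demo(sd_i: bytes, i: int = 4, j: int = 9, n: int = 16):
    key = interval_key(sd_i, i, j)
    # Users inside the interval walk forward j - k steps from their own value.
    inside = {k: chain_value(user_share(sd_i, i, k), j - k) == key
              for k in range(i, j + 1)}
    # Users past u_j hold later chain values; walking forward never reaches key.
    outside = {k: any(chain_value(user_share(sd_i, i, k), t) == key
                      for t in range(n))
               for k in range(j + 1, n + 1)}
    return inside, outside


if __name__ == "__main__":
    seed = secrets.token_bytes(KAPPA_BYTES)  # sd_i <-R {0,1}^kappa
    inside, outside = demo(seed)
    print("inside derive key:", inside)
    print("outside reach key:", outside)
```

Users before u_i hold no value on this chain at all, so only the users between u_i and u_j can compute the interval key.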

16

Example 1 : For Low Resource Environment

Revocation of B1 : 2r (r : number of revoked users)

Key Assignment of B1 : 1 + log n (Log-Key Restriction)

n computations

[Figure: users 1 to 32 on a number line, annotated with chain-values of the form $F^k(sd_i)$]

17

Example 1 : Security

Subset Cover Framework (by Naor et al.)

Subset : Interval (line segment)

Existence of Pseudo-Random Sequence Number Generator

Key assignment method satisfies Key Indistinguishability

18

Example 2 : Low Bandwidth BE

Jumping One-way Chain Schemes by Jho et al. at Eurocrypt ’05

Application of Different BE Schemes : B2

Performance. TO : $[r/2] + 1$, SO : $(n^2 + 4n)/8$, CO : $n/2$

19

Performance Analysis

$N = 10^8$ users and $w = 100$ for worst case

[Plots: Transmission Overhead and User Storage Overhead, each comparing SD, B1 and B2]

The gap of log key restriction

20

Concluding Remarks

Average case analysis

Traitor Tracing & Other Properties

Multi-dimensional Cube

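[Figure: two-dimensional case with axes m1, m2 (x axis, y axis) and user u=(1,1); three-dimensional case with axes m1, m2, m3 (x axis, y axis, z axis) and user u=(1,1,1)]

revoked users: u=(4,6), v=(8,4)

Cover = $\{ C^{+}_{[1,3]},\ C^{-}_{[5,6]},\ C^{+}_{[7,7]},\ C^{-}_{[9,11]},\ C^{+}_{4,[1,5]},\ C^{-}_{4,[7,11]},\ C^{+}_{8,[1,3]},\ C^{+}_{8,[1,3]} \}$

[Figure: grid with coordinates 1 to 11 showing revoked users u and v and subsets labelled $C^{+}_{[1,3]}$, $C^{-}_{[5,6]}$, $C^{+}_{[7,7]}$, $C^{-}_{[9,11]}$, $C^{+}_{4,[1,5]}$, $C^{-}_{4,[7,11]}$, $C^{-}_{8,[5,11]}$, $C^{+}_{8,[1,3]}$]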

21

Thank you
