fast algorithms for the free riders problem in broadcast encryption
DESCRIPTION
Fast Algorithms for the Free Riders Problem in Broadcast Encryption. Zulfikar Ramzan David P. Woodruff. Crypto 2006. Broadcast Encryption. Users. Server. Offline phase - Server distributes keys. Online phase - Encrypt a session key for privileged users. - PowerPoint PPT PresentationTRANSCRIPT
Fast Algorithms for the Free Riders Problem in Broadcast
Encryption
Zulfikar Ramzan
David P. Woodruff
Crypto 2006
Broadcast Encryption
Server
Users
Many applications: payperview TV, music, videosOffline phase - Server distributes keysOnline phase - Encrypt a session key for privileged users
Broadcast Encryption
• Parameters– Storage per user (# keys)– Server storage – Communication vs. computation– Sets of privileged users it can support
• Security– Computational vs. Information-theoretic
Free Riders
• [ASW] If we allow a small fraction of non-privileged (revoked) users to decrypt the broadcast, can we significantly save resources?
• A revoked user decrypting the broadcast is a free rider
• Commercial view These savings might be worth more than the loss
from allowing a few free riders
• [ASW] Consider the subset-cover framework
Subset Cover Framework [NNL][n] = {1, …, n} is set of users
Offline
• For some S ½ [n], server distributes a key KS to all users in S. Let C be the collection of S
Online• R ½ [n] are the revoked users
• Server finds subsets S1, S2, …, St in C such that
S1 [ S2 [ [ St = [n] \ R
• Broadcast ES1(M), ES2(M), …, ESt(M)
Free Riders
• [ASW] Hardness– Given a worst-case C, a revoked set R, and a
bound f on the number of free riders
– NP-hard to find smallest t and S1, S2, …, St 2 C
• S1 [ S2 [ [ St contains [n] n R
• S1 [ S2 [ [ St contains · f elements of R
– Finding t’ with t’ · (1+)t also hard
• Leave open the complexity for specific C
Our Contribution
For a popular, information-theoretically secure scheme in subset-cover framework, known as the Complete Subtree Scheme, we find optimal t and S1, St in O(rf) time
Can find t’ · (1+)t and S1, St’ for uniform R of size r in O~(rf1/3) time
Techniques useful for other schemes in the subset-cover framework
Complete Subtree Scheme [NNL]
Complete Binary Tree on n leaves
Key at each node v given to users in subtree(v)
u1 u2 u3 u4
v
v
Complete Subtree Scheme [NNL]
n users/leaves# keys = # nodes = 2n-1
# keys per user = log n + 1
uu1 u2 u5u4 u6 u8u7
Communication = O(r log n/r)Information-theoretic security
Supports any revoked set of any size r
Benefits of Free Riders
• Can reduce communication from O(n1/2) to O(log n) in Complete Subtree Scheme
• Need an algorithm to find free riders – random assignment bad with overwhelming probability
• Preserve computation, storage, etc.
Benefits of Free Riders
Diagram shows revoked users
Optimal to make all singletons free riders
… …
…
Algorithm Overview• Given a set R of leaves and a bound f of free
riders, find smallest t and nodes v1, v2, …, vt
Privileged users covered by some subtree(vi) and at most f revoked users covered
• Dynamic programming algorithmFor each v with children L(v), R(v)
• AL(v)[i] = optimal cost of assigning at most i free riders to subtree(L(v))
• Av[i] = minj AL(v)[j] + AR(v)[i-j]
Backtrack from root to find assignment
Algorithm Overview
• Algorithm has O(nf) time. Bad for large n
• In practice, r very small
• For CS scheme, can achieve O(rf) by only computing arrays Av at joining nodes
x y z
Initialize Ax = [0 0] Az = [0 0]Ay = [0 0]
p
q
Compute Ap[i] = minj Ax[j] + Ay[i-j], Ap = [0 0 0]
Lift Ap = [0 0 0] to Ap’= [1 1 1]
Lift Az = [0 0] to Az’= [2 1]
Compute Aq[i] = minj Ap’[j] + Az’[i-j], Aq = [3 2 2]
p and q are the only joining nodes
Algorithm Overview
1. Compute joining nodes v
2. For each v, let L(v) and R(v) be nearest joining nodes in left and right subtree of v
1. “Lift” AL(v) and AR[v]
1. Av[i] = minj AL(v)[j] + AR(v)[i-j]
3. Backtrack using DFS to find optimal assignment
Step 2: MinSum Problem
Av[i] = minj AL(v)[j] + AR(v)[i-j] for all i
Given a1 ¸ a2 ¸ ¸ am1 and
b1 ¸ b2 ¸ ¸ bm2,
output 8 i, minj a[j] + b[i-j]
• Easy O(m1 m2) time
• Computational geometry: O(m1 m2/log m1m2)
• Implies overall algorithm is O(rf) time
Step 2: MinSum Problem
Given a1 ¸ a2 ¸ ¸ am1 and
b1 ¸ b2 ¸ ¸ bm2,
output 8 i, minj a[j] + b[i-j]
Relaxations1. 8 i, output j’ for which
a[j’] + b[i-j’] · (1+) minj a[j] + b[i-j]2. Bounded differences for CS scheme
a[j] – a[j+1] = O(log n) and b[j] – b[j+1] = O(log n)
Our result: O~(m1 m21/3) time
If R uniformly chosen from sets of size r, time is O~(rf1/3)
Summary of Results
1. O(rf)-time to optimally find set of f free riders given revoked set R of size r
2. For every > 0, given a1 ¸ ¸ am1 and b1 ¸ ¸ bm2 with aj – aj+1 and bj – bj+1 small, for all i output j’ such that
aj’ + bi-j’ · (1+)minj aj + bi-j
in O~(m1 m21/3) time
3. Yields O~(rf1/3)-time algorithm
Open Questions
• Extend to other broadcast schemes
• Develop a better understanding of the benefits of free riders - computation and storage savings?
• Faster algorithms for the MinSum problem
MinSum Observations
• If a[j] + b[i-j] is the minimum for level i, then a[j] + b[i+-j] is the approximate minimum for level i +
• To approximately solve level i, only try a few indices j because a[j] + b[i-j] ¼ a[j+1] + b[i-j-1]
• If aj’ = aj’+1 = = aj’+r , then for level i,
a[j’] + b[i-j’] ¸ a[j’+1] + b[i-j’-1] ¸ … ¸ a[j’+r] + b[i-j’-r],
so we need only consider ai’