On Symmetric Key Broadcast Encryption


Sanjay Bhattacherjee and Palash Sarkar
Indian Statistical Institute, Kolkata
Elliptic Curve Cryptography (This is not) 2014
Bhattacherjee and Sarkar, Symmetric Key BE, 10th Oct, 2014

Conventional Symmetric Key Encryption
[Figure: the sender encrypts message M under secret key K; the ciphertext crosses a public channel observed by an adversary; the receiver decrypts with the same secret key K.]

Symmetric Key Broadcast Encryption
[Figure: a centre broadcasting to groups of users.]

Symmetric Key BE Functionality
The centre pre-distributes secret information to the users.
A broadcast takes place in a session.
For each session:
Some users are privileged and the rest are revoked.
The actual message is encrypted once using a session key.
The session key undergoes a number of separate encryptions. This determines the header.
Only the privileged users are able to decrypt.
A coalition of all the revoked users gets no information about the message.

Parameters of Interest
Size of the header.
Size of the secret information required to be stored by the users.
Time required by the centre to encrypt.
Time required by a user to decrypt.
Header size and encryption time are proportional to the number of encryptions of the session key.
Requirement: Reduce header size, user storage and decryption time.

Applications of BE
AACS standard: content protection in optical discs: Disney, Intel, Microsoft, Panasonic, Warner Bros., IBM, Toshiba and Sony.
Pay-TV: BSkyB in UK and Ireland has a subscriber base of over 10 million; Cable Television Networks (Regulation) Amendment Act, 2011 (India).
File Sharing in Encrypted File Systems.
Encrypted Email to Mailing Lists.
Military Broadcasts: Global Broadcast Service (US), Joint Broadcast System (Europe).
...

Subset Cover Schemes
Identify a collection $S$ consisting of subsets of users.
Assign keys to each subset in $S$.
To each user, assign secret information such that it is able to generate secret keys for each subset in $S$ to which it belongs; and no more.
During a broadcast, form a partition $\{S_1, \ldots, S_h\}$ of the set of privileged users with $S_i \in S$.
The session key is encrypted using the keys for $S_1, \ldots, S_h$.
Each privileged user can decrypt; no coalition of revoked users gains any information about the session key (or the message).

Subset Difference Scheme
Naor-Naor-Lotspiech (2001): patented, AACS standard.
Assumes an underlying full binary tree.
[Figure: full binary tree with 16 leaves. Level numbers run from 4 at the root to 0 at the leaves; the nodes are numbered 0 (level 4), 1-2 (level 3), 3-6 (level 2), 7-14 (level 1) and 15-30 (level 0).]

Subsets in the collection S
$S_{i,j} = T_i \setminus T_j$: has all users that are in $T_i$ but not in $T_j$.
[Figure: a tree with nodes i and j marked.]
Collection $S$: has all subsets $S_{i,j}$ such that $j\ (\neq i)$ is in the subtree $T_i$.

Key Assignment
Pseudo-random generator (PRG): $G : \{0,1\}^k \to \{0,1\}^{3k}$, with $G(seed) = G_L(seed)\ G_M(seed)\ G_R(seed)$.
[Figure: derivation from node i down to node j. The root of $T_i$ holds $seed_i$; its children hold $G_L(seed_i)$ and $G_R(seed_i)$; below $G_L(seed_i)$ are $G_L(G_L(seed_i))$ and $G_R(G_L(seed_i))$; node j holds $G_R(G_L(G_L(seed_i)))$.]
Figure: Key of $S_{i,j}$: $L_{i,j} = G_M(G_R(G_L(G_L(seed_i))))$

Assigning seeds to users
[Figure: two trees, each showing a subtree $T_i$, a subtree $T_j$ and a user $u$.]
Figure: From one derived seed, keys of many subsets can be generated

User Storage
[Figure: the path from i to user u, with the labels hanging off it: $G_R(seed_i)$, $G_R(G_L(seed_i))$, $G_R(G_L(G_L(seed_i)))$ and $G_R(G_L(G_L(G_L(seed_i))))$.]
Figure: Secrets stored by u
User u stores: for every $T_i$ to which it belongs, the derived labels of nodes falling off from the path between i and u, derived from $seed_i$.
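The key derivation and the storage rule above, worked through on the 31-node tree (root 0, children 2v+1 and 2v+2, users 15..30), as an added example that is not code from the talk or the papers. The PRG is instantiated with truncated HMAC-SHA256 and the seeds are fixed constructed values; both are assumptions made so that the run is reproducible (a real centre would draw random seeds).

```python
import hashlib
import hmac

K = 16          # label length k in bytes (assumed for this example)
N_LEAVES = 16   # users are leaves 15..30; root is node 0, children of v are 2v+1, 2v+2

def G(label):
    """PRG {0,1}^k -> {0,1}^3k, returned as (G_L, G_M, G_R).
    Stand-in built from HMAC-SHA256; the slides do not fix an instantiation."""
    def part(tag):
        return hmac.new(label, tag, hashlib.sha256).digest()[:K]
    return part(b"L"), part(b"M"), part(b"R")

def path(i, j):
    """Nodes from i down to j, or None if j is not in the subtree T_i."""
    nodes = [j]
    while nodes[-1] > i:
        nodes.append((nodes[-1] - 1) // 2)
    return nodes[::-1] if nodes[-1] == i else None

def derive(label, v, j):
    """Turn the label held at node v into the label of descendant j (G_L left, G_R right)."""
    p = path(v, j)
    for parent, child in zip(p, p[1:]):
        g_l, _, g_r = G(label)
        label = g_l if child == 2 * parent + 1 else g_r
    return label

def subset_key(seed_i, i, j):
    """Centre side: L_{i,j} = G_M(label of j derived from seed_i)."""
    return G(derive(seed_i, i, j))[1]

def user_storage(seeds, u):
    """Labels given to leaf u: for every ancestor i, the labels (derived from seed_i)
    of the nodes hanging off the path from i to u."""
    store = {}
    i = u
    while i > 0:
        i = (i - 1) // 2
        for child in path(i, u)[1:]:
            sibling = child + 1 if child % 2 == 1 else child - 1
            store[(i, sibling)] = derive(seeds[i], i, sibling)
    return store

def user_key(store, i, j):
    """User side: derive L_{i,j} from a stored label, or None if that is impossible
    (the user is inside T_j, i.e. revoked, or outside T_i)."""
    for (a, v), label in store.items():
        if a == i and path(v, j) is not None:
            return G(derive(label, v, j))[1]
    return None

# Constructed, fixed seeds for the 15 internal nodes so that the run is reproducible.
SEEDS = {i: hashlib.sha256(b"constructed seed %d" % i).digest()[:K]
         for i in range(N_LEAVES - 1)}

if __name__ == "__main__":
    i, j = 0, 8                       # j is reached from i by left, left, right
    key = subset_key(SEEDS[i], i, j)  # G_M(G_R(G_L(G_L(seed_i))))
    for u in (15, 19, 30, 17, 18):    # 17 and 18 are the leaves of T_8
        got = user_key(user_storage(SEEDS, u), i, j)
        print(u, "derives L_{0,8}" if got == key else "cannot derive L_{0,8}")
    print("labels stored by one user:", len(user_storage(SEEDS, 15)))
```

Each user of this 16-leaf tree holds 4 + 3 + 2 + 1 = 10 labels, one group per ancestor, which is where the quadratic growth of user storage in the tree height comes from.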

Subset Cover Finding Algorithm
[Figure: step-by-step construction of the cover on the tree. Nodes $i_1, \ldots, i_5$ and $j_1, j_2, j_3$ are marked in turn, and subtrees are marked "Covered" as the subsets $S_{i_1,j_1}$, $S_{i_2,j_2}$ and $S_{i_4,j_3}$ are produced.]
$S_{i,j} = T_i \setminus T_j$

NNL-SD Parameters
For $n$ users out of which $r$ are revoked:
User storage needed: $O(\log^2 n)$.
Header length in the worst case: $2r - 1$.
Decryption time in the worst case: $O(\log n)$.

Layered Subset Difference Scheme
Halevy-Shamir (CRYPTO, 2002)
Some levels are marked as special.
[Figure: the 31-node tree with special levels 4, 2 and 0; Layer 1 lies between levels 4 and 2, Layer 2 between levels 2 and 0.]

Layered SD Scheme
[Figure: subtree $T_i$, a special level, and subtrees $T_k$ and $T_j$.]
Figure: The subset $S_{i,j}$ split into $S_{i,k}$ (green leaves) and $S_{k,j}$ (grey leaves).

Layered SD Scheme
[Figure: node i holds $seed_i$ with children $G_L(seed_i)$ and $G_R(seed_i)$; node k on the special level has $seed_{i,k} = G_L(seed_i)$ and $L_{i,k} = G_M(seed_{i,k})$. Node k also holds $seed_k$ with children $G_L(seed_k)$ and $G_R(seed_k)$; node j has $seed_{k,j} = G_R(G_L(seed_k))$ and $L_{k,j} = G_M(seed_{k,j})$.]
Figure: Key for $S_{i,k}$ is $L_{i,k} = G_M(G_L(seed_i))$ and for $S_{k,j}$ is $L_{k,j} = G_M(G_R(G_L(seed_k)))$.

Important Parameters
NNL-SD scheme:
User storage needed: $O(\log^2 n)$.
Maximum header length: $2r - 1$.
HS-LSD scheme:
User storage needed: $O(\log^{3/2} n)$.
Maximum header length: $4r - 2$.

Some Questions
What is the expected header length of the NNL scheme?
The NNL and the HS schemes are based on full binary trees; what happens if the number of users is not a power of two?
Is the user storage achieved in the HS scheme the minimum possible?
Is the (expected) header length achieved in the NNL scheme the minimum possible?
What happens if we use trees of arity higher than 2?

Tackling Arbitrary Number of Users

Complete Tree SD Scheme
Question: What happens when the number of users is not a power of two?
Answer: Add dummy users to get to the next power of two.
If the dummy users are considered revoked, then the effect on the header length is disastrous.
If the dummy users are privileged, the situation is better, but there is still a measurable effect on the header length.
Solution: Use a complete binary tree.
Completes (and also subsumes) the NNL-SD scheme to work for any number of users.
Conceptually simple; working out the details is a bit involved.

CTSD Scheme: Header Length Analysis
$N(n, r, h)$: number of revocation patterns with $n$ users, out of which $r$ users are revoked and the header length is $h$.
Recurrence relation for $N(n, r, h)$:
$$N(\lambda_i, r_1, h_1) = T(\lambda_i, r_1, h_1) + \sum_{j \in IN(i)} T(\lambda_j, r_1, h_1 - 1)$$
where $IN(i)$ is the set of all internal nodes in the subtree $T_i$ excluding the node $i$.
$$T(\lambda_i, r_1, h_1) = \sum_{r'=1}^{r_1 - 1} \sum_{h'=0}^{h_1} N(\lambda_{2i+1}, r', h')\, N(\lambda_{2i+2}, r_1 - r', h_1 - h')$$
where $\lambda_{2i+1}$ (respectively $\lambda_{2i+2}$) is the number of leaves in the left (respectively right) subtree of $T_i$.

Boundary Conditions

$T(\lambda_i, r_1, h_1)$ | $r_1 < 0$ | $r_1 = 0$ | $r_1 = 1$ | $2 \le r_1 < n$ | $r_1 = n$ | $r_1 > n$
$h_1 = 0$ | 0 | 0 | 0 | 0 | 1 | 0
$h_1 \ge 1$ | 0 | 0 | 0 | from rec. | 0 | 0

$N(\lambda_i, r_1, h_1)$ | $r_1 < 0$ | $r_1 = 0$ | $r_1 = 1$ | $2 \le r_1 < n$ | $r_1 = n$ | $r_1 > n$
$h_1 = 0$ | 0 | 0 | 0 | 0 | 1 | 0
$h_1 = 1$ | 0 | 1 | n | from rec. | 0 | 0
$h_1 > 1$ | 0 | 0 | 0 | from rec. | 0 | 0

Table: Boundary conditions on $T(n, r, h)$ and $N(n, r, h)$.

Computing N(n, r, h)
Dynamic Programming:
$N(n, r, h)$ can be computed in $O(r^2 h^2 \log n + r h \log^2 n)$ time and $O(r h \log n)$ space.
$N(n, r, h)$ for all possible $h$ can be computed in $O(r^4 \log n + r^2 \log n)$ time and $O(r^2 \log^2 n)$ space.
$N(n, r, h)$ for all possible $r$ and $h$ can be computed in $O(n^4 \log n + n^2 \log^2 n)$ time and $O(n^2 \log n)$ space.
$N(i, r, h)$ for $2 \le i \le n$ and all possible $r$ and $h$ can be computed in $O(n^5 + n^3 \log n)$ time and $O(n^3)$ space.
Previous to our work, the only known method was to enumerate all possible $\binom{n}{r}$ revocation patterns, run the header generation algorithm and count the number of patterns leading to a header of size $h$.

CTSD: Maximum Header Length
Theorem: The maximum header length in the CTSD method for $n$ users is $\min(2r - 1, n/2, n - r)$.
For the NNL-SD scheme, the bound of $2r - 1$ was known.
Complete picture: if $r \le n/4$, the bound $2r - 1$ is appropriate; if $n/4 < r \le n/2$, the bound $n/2$ is appropriate; and for $r > n/2$, the bound $n - r$ is appropriate.
Using the CTSD method is never worse than individual transmission to privileged users.
The proof requires extensive use of the recurrence for $N(n, r, h)$.
$n_r$: The value of $n$ for which the header length of $2r - 1$ is achieved with $r$ revoked users. A complete characterisation of $n_r$ is obtained.
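A recursive formulation of subset-difference cover finding on a full binary tree, with an exhaustive check of the bound above for small n. This is an added example, not the authors' implementation; the function names and the heap-style node numbering (root 0, children 2v+1 and 2v+2, leaves n-1..2n-2) are assumptions of the example, and it handles only n a power of two, i.e. the NNL-SD case that CTSD subsumes.

```python
from itertools import combinations

def leaves_under(v, n):
    """Leaf numbers in the subtree T_v of a full binary tree with n leaves."""
    lo = hi = v
    while lo < n - 1:                      # descend along both flanks to the leaf level
        lo, hi = 2 * lo + 1, 2 * hi + 2
    return set(range(lo, hi + 1))

def sd_cover(n, revoked):
    """Header as a list of (i, j) pairs, each standing for S_{i,j} = T_i \\ T_j.
    With nobody revoked the whole tree is one subset, written (0, None)."""
    revoked = set(revoked)
    if not revoked:
        return [(0, None)]
    header = []

    def settle(v):
        """Return x in T_v such that all revoked leaves of T_v lie in T_x and every
        privileged leaf inside T_x is already covered; None if T_v has no revoked leaf."""
        if v >= n - 1:                     # leaf
            return v if v in revoked else None
        left, right = 2 * v + 1, 2 * v + 2
        a, b = settle(left), settle(right)
        if a is None or b is None:         # at most one side has revoked leaves
            return b if a is None else a
        for child, x in ((left, a), (right, b)):
            if x != child:                 # privileged users of T_child outside T_x
                header.append((child, x))
        return v

    top = settle(0)
    if top != 0:
        header.append((0, top))
    return header

def covered_users(n, header):
    """All leaves covered by the header, with repetitions if subsets overlap."""
    users = []
    for i, j in header:
        inside = leaves_under(j, n) if j is not None else set()
        users.extend(leaves_under(i, n) - inside)
    return users

def all_covers_exact(n):
    """True if, for every revocation pattern, the header partitions the privileged set."""
    leaves = set(range(n - 1, 2 * n - 1))
    for r in range(n + 1):
        for pattern in combinations(sorted(leaves), r):
            users = covered_users(n, sd_cover(n, pattern))
            if len(users) != len(set(users)) or set(users) != leaves - set(pattern):
                return False
    return True

def max_header_by_r(n):
    """{r: largest header over all patterns with r revoked users}, by enumeration."""
    leaves = range(n - 1, 2 * n - 1)
    return {r: max(len(sd_cover(n, p)) for p in combinations(leaves, r))
            for r in range(1, n + 1)}

if __name__ == "__main__":
    n = 8
    print("header for revoked {7, 9, 11}:", sd_cover(n, [7, 9, 11]))
    for r, worst in max_header_by_r(n).items():
        print(r, worst, "bound", min(2 * r - 1, n // 2, n - r))
```

The enumeration in `max_header_by_r` is the brute-force method that the recurrence for N(n, r, h) replaces; it is only usable for very small n.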

CTSD: Expected Header Length
Random experiment: Select a random subset of $r$ users out of $n$ users and revoke them.
Random variable $X^i_{n,r}$: takes the value 1 if $S_{i,j}$ is in the header for some $j$ and 0 otherwise.
$E[X^i_{n,r}] = \Pr[X^i_{n,r} = 1]$.
$H_{n,r}$: expected header length for $n$ users with $r$ revoked users.
$$H_{n,r} = \sum_i E[X^i_{n,r}] = \sum_i \Pr[X^i_{n,r} = 1]$$
where the sum is over all the $n - 1$ internal nodes $i$ in the tree.

CTSD: Expected Header Length
For all nodes $i$ at the same level, $\Pr[X^i_{n,r} = 1]$ takes at most 3 possible values.
As a consequence, the sum can be re-written to vary over the levels of the tree.
$H_{n,r}$ can be computed in $O(r \log n)$ time and $O(1)$ space.
Provides granular information: expected number of subsets in the header from all the nodes at a certain level.
Since CTSD subsumes NNL-SD, all the results also hold for NNL-SD.

NNL-SD: Expected Header Length
Theorem: For all $n \ge 1$, $r \ge 1$, the expected header length $H_{n,r} \to H_r$ as $n$ increases through powers of two, where
$$H_r = 3r - 2 - 3 \sum_{i=1}^{r-1} \left( \left(-\frac{1}{2}\right)^i + \sum_{k=1}^{i} (-1)^k \binom{i}{k} \frac{2^k - 3^k}{2^k - 1} \right).$$

$r$ | 2 | 3 | 4 | 5 | 6
$H_r / r$ | 1.25 | 1.25 | 1.2455 | 1.2446 | 1.2448

Reducing User Storage Below Halevy-Shamir Scheme

Halevy-Shamir LSD Scheme
[Figure: the 31-node tree with special levels 4, 2 and 0, split into Layer 1 and Layer 2.]
The root is considered to be at a special level, and in addition we consider every level of depth $k\sqrt{\log(n)}$ for $k = 1 \ldots \sqrt{\log(n)}$ as special (wlog, we assume that these numbers are integers).
Works for $2^{l_0}$ users with $l_0 = 4, 9, 16, 25$ (in the practical range).

Halevy-Shamir LSD Scheme
For the case of $n = 2^{28}$, HS suggests special levels to be 28, 22, 16, 10, 5, 0.
Nothing is mentioned about how to choose the layer lengths when $l_0$ is not a perfect square.

Extending the HS Scheme
Residual bottom layer: Write $l_0 = d(e - 1) + p$ where $1 \le p \le d$. Then the special levels are $l_0, l_0 - d, l_0 - 2d, \ldots, l_0 - d(e - 1), 0$.
Balanced layering: Write $l_0 = d(e - 1) + p = (e - d + p)d + (d - p)(d - 1)$. Define the layer lengths from the top to be
$$(\underbrace{d, \ldots, d}_{e - d + p}, \underbrace{d - 1, \ldots, d - 1}_{d - p}).$$

Extending the HS Scheme
Both strategies (residual bottom; balanced) can be shown to provide the same user storage.
Having smaller layers nearer the top increases the user storage.
The balanced layering strategy provides slightly smaller expected header length.
We call this the extended-HS (eHS) layering strategy.

Layering Strategy
A choice of special levels is called a layering strategy.
A layering strategy $\mathbf{l}$ is denoted by the numbers of the special levels $l_0 > l_1 > \ldots > l_{e-1} > l_e = 0$.
The layering strategy has $(e + 1)$ special levels.
Let $\mathbf{l} = (l_0, \ldots, l_e)$.
In general, the layer lengths need not be (almost) equal.

Layering Strategy and User Storage
$$\mathrm{storage}_0(\mathbf{l}) = \sum_{i=0}^{e-1} l_i + \frac{1}{2} \sum_{i=0}^{e-1} (l_i - l_{i+1})(l_i - l_{i+1} - 1).$$
Recursive description:
$$\mathrm{storage}_0(l_0, l_1, \ldots, l_e) = l_0 + \frac{(l_0 - l_1)(l_0 - l_1 - 1)}{2} + \mathrm{storage}_0(l_1, \ldots, l_e).$$

Root as a Non-Special Layer
Observations:
It can be shown that the probability of the root generating a subset in the header is small.
Having the root as a special layer increases the user storage.
Layering strategy with root as a non-special layer:
$$\mathrm{storage}_1(\mathbf{l}) = \mathrm{storage}_0(\mathbf{l}) - l_1.$$
Reduces user storage by $l_1$ at a negligible increase in the expected header size.

Storage Minimal Layering
Given $l_0$, let
$SML_0(l_0)$ be a layering strategy which minimises the user storage among all layering strategies;
$\#SML_0(l_0)$: user storage required by $SML_0(l_0)$;
$SML_1(l_0)$ and $\#SML_1(l_0)$ correspond to the case where the root is not special.

Relations/Recurrences for SML
$$\#SML_0(l_0) = \min_{1 \le e \le l_0} \#SML_0(e, l_0);$$
where $\#SML_0(e, l_0)$ is the minimum storage that can be achieved with $e$ special levels.
$$\#SML_0(e, l_0) = \min_{(l_0, \ldots, l_e)} \mathrm{storage}_0(l_0, l_1, \ldots, l_e)$$
where the minimum is over all possible layering strategies $(l_0, l_1, \ldots, l_e)$.

Relations/Recurrences for SML
$$\#SML_0(e, l_0) = \min_{1 \le l_1 < l_0} \left( l_0 + \frac{(l_0 - l_1)(l_0 - l_1 - 1)}{2} + \#SML_0(e - 1, l_1) \right);$$
$$\#SML_1(l_0) = \min_{e} \min_{l_1} \left( \#SML_0(e - 1, l_1) + \frac{(l_0 - l_1)(l_0 - l_1 + 1)}{2} \right).$$

Computing SML
Dynamic Programming:
An $O(l^3)$ time and $O(l^2)$ space algorithm to compute $\#SML_0(l_0)$.
The actual layering strategy $SML_0(l_0)$ can also be recovered from the algorithm.
Once the table has been computed using dynamic programming, it is possible to obtain $\#SML_1(l_0)$ and $SML_1(l_0)$.

Properties of SML
$SML_0$ and $SML_1$ are not necessarily unique; choose the layering for which expected header length is lower.
Removing $l_0$ from $SML_0$ does not necessarily provide $SML_1$.
Compared to NNL-SD,
eHS reduces storage by a large amount;
$SML_0$ reduces storage below eHS by a small amount;
$SML_1$ reduces storage below eHS by 18% to 24% in the practical range.

Examples of SML
Suppose there are $2^{28}$ users, i.e., $l_0 = 28$:
NNL-SD: layering: 28,0; storage: 406.
eHS: layering: 28,22,16,10,5,0; storage: 146.
$SML_0$: layering: 28,21,15,10,6,3,1,0; storage: 140.
$SML_1$: layering: 22,16,11,7,4,2,0; storage: 119.
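The storage formula and the minimisation it feeds, as an added example that is not the authors' implementation. It evaluates storage_0 and storage_1 for the layerings listed above and finds a storage-minimal layering by dynamic programming; as a simplification, it minimises over the next special level only instead of keeping a table indexed by the number of special levels e, which is enough when only the minimum over all e is wanted.

```python
def storage0(levels):
    """User storage for the layering l_0 > l_1 > ... > l_e = 0, root level l_0 special:
    sum over layers of l_i + (l_i - l_{i+1})(l_i - l_{i+1} - 1)/2."""
    if levels[-1] != 0 or any(a <= b for a, b in zip(levels, levels[1:])):
        raise ValueError("levels must be strictly decreasing and end at 0")
    return sum(a + (a - b) * (a - b - 1) // 2 for a, b in zip(levels, levels[1:]))

def storage1(levels):
    """Same list of levels, but levels[0] is the root level treated as non-special:
    storage_1 = storage_0 - l_1."""
    return storage0(levels) - levels[1]

def sml(l0):
    """Return (#SML_0, one SML_0 layering, #SML_1, one SML_1 layering) for 2**l0 users.
    The SML_1 layering is returned with the non-special root level l0 in front."""
    best = [0] * (l0 + 1)     # best[l]: minimum storage_0 over layerings that start at l
    nxt = [None] * (l0 + 1)   # nxt[l]: next special level in one optimal layering
    for l in range(1, l0 + 1):
        best[l], nxt[l] = min(
            (l + (l - m) * (l - m - 1) // 2 + best[m], m) for m in range(l))

    def chain(l):
        """Follow the stored choices from level l down to level 0."""
        out = [l]
        while out[-1] > 0:
            out.append(nxt[out[-1]])
        return out

    # Root non-special: the first layer costs (l0 - m)(l0 - m + 1)/2 instead.
    cost1, m1 = min(
        (best[m] + (l0 - m) * (l0 - m + 1) // 2, m) for m in range(l0))
    return best[l0], chain(l0), cost1, [l0] + chain(m1)

if __name__ == "__main__":
    print("NNL-SD", storage0([28, 0]))
    print("eHS   ", storage0([28, 22, 16, 10, 5, 0]))
    print("SML_0 ", storage0([28, 21, 15, 10, 6, 3, 1, 0]))
    print("SML_1 ", storage1([28, 22, 16, 11, 7, 4, 2, 0]))
    print("DP    ", sml(28))
```

On ties the dynamic programme keeps the smaller next level, so the SML_1 layering it returns can differ from the one listed above while costing the same.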

Complete Tree LSD Scheme
Question: What if the number of users $n$ is not a power of 2?
Answer: Use a complete tree as in the case of the NNL-SD scheme.
The notions of layering strategy and storage minimal layering carry over to this case.
All users would not be required to store the same amount; the requirement is to minimise the maximum of all the user storages.

Header Length
Maximum Header Length:
At most $\min(4r - 2, n/2, n - r)$.
At most $\min(4r - 3, n/2, n - r)$ if the root level is special.
Expected Header Length:
The splitting of subsets complicates the analysis.
An $O(r \log^2 n)$ time algorithm to compute the expected header length.
A very useful tool to analyse various schemes.

Constrained Minimisation
Question: Is it possible to obtain expected header length close to that of NNL-SD, but with lower user storage?
For each level, we have an expression for the expected number of subsets arising from the nodes at that level.
Suppose $l$ is a level which maximises the above quantity.
Question: How to choose $l$?
Answer: How to do this analytically is not clear.
Extensive experimentation has shown that $l = l_0 - \log_2 r$ is a good choice.

Constrained Minimisation Layering
Fix a value of $r$ and set $l = l_0 - \log_2 r$.
Level $l$ is made special, so that subsets arising from level $l$ are not split.
All levels below $l$ are made non-special.
At most one level above $l$ (mid-way between $l$ and the root) is made special; all other levels are made non-special.

How to Choose r?
Depending on the application, make an assumption on the minimum value of $r$, say $r_{min}$.
If the actual $r$ is greater than $r_{min}$, then there is no problem.
If the actual $r$ is smaller than $r_{min}$, then the benefit on the header length is not attained.
Choosing $r_{min}$ to be too small will not lead to substantial savings in user storage; choosing $r_{min}$ to be too large will not provide the desired reduction on header storage.

A CML Example
Number of users is $n = 2^{l_0}$ with $l_0 = 28$ and suppose $r_{min} = 2^{10}$.
NNL-SD: layering: 28,0; storage: 406.
eHS: layering: 28,22,16,10,5,0; storage: 146; header lengths: (1.69, 1.63, 1.64, 1.67, 1.69, 1.72, 1.73, 1.74, 1.75, 1.75).
CML: layering: 23,18,0; storage: 219; header lengths: (1.14, 1.08, 1.04, 1.03, 1.01, 1.01, 1.00, 1.00, 1.00, 1.00).
Header lengths for 10 equispaced values of $r$ from $2^{10}$ to $2^{14}$, normalised by the header length of the NNL-SD scheme.

References
The NNL and the HS papers:
Dalit Naor, Moni Naor, and Jeffery Lotspiech. Revocation and tracing schemes for stateless receivers. In Joe Kilian, editor, CRYPTO, volume 2139 of Lecture Notes in Computer Science, pages 41-62. Springer, 2001.
Dani Halevy and Adi Shamir. The LSD broadcast encryption scheme. In Moti Yung, editor, CRYPTO, volume 2442 of Lecture Notes in Computer Science, pages 47-60. Springer, 2002.

Our Works
Sanjay Bhattacherjee and Palash Sarkar. Complete tree subset difference broadcast encryption scheme and its analysis. Des. Codes Cryptography, 66(1-3):335-362, 2013.
Sanjay Bhattacherjee and Palash Sarkar. Concrete analysis and trade-offs for the (complete tree) layered subset difference broadcast encryption scheme. IEEE Transactions on Computers, 63(7):1709-1722, 2014.
Sanjay Bhattacherjee and Palash Sarkar. Tree based symmetric key broadcast encryption. Cryptology ePrint Archive, Report 2013/786, 2013. http://eprint.iacr.org/2013/786.
Sanjay Bhattacherjee and Palash Sarkar. Reducing communication overhead of the subset difference scheme. Cryptology ePrint Archive, Report 2014/577, 2014. http://eprint.iacr.org/2014/577.
Sanjay Bhattacherjee. Implementations related to the above papers, https://drive.google.com/folderview?id=0b7azs7qqqds0unb5ahp3wmjwcdq&usp=sharing_eil. Uploaded on 13th August, 2014.

Thank you for your attention!