Post on 13-Jan-2016
Korea University
CRYPTO ‘05
Jung Yeon Hwang, Dong Hoon Lee, Jong In Lim
Generic Transformation for Scalable Broadcast Encryption Schemes
2
Contents
Broadcast Encryption (BE)
Concept / Applications
Related Works
Our Approach for Scalability
Design Principle
Generic Transformation
Compiled Examples
Concluding Remarks
3
Broadcast Encryption : Concept
Message Sender
s: session key, m: contents
Header Body
Broadcast Encryption Message
Contents
Subscribers
4
BE : Applications
Satellite-based Business
Group Communication
Digital Rights Management
Home network content protection
AACS (Advanced Access Content System) group
2004. 7. IBM, Intel, Microsoft, Panasonic, Sony, Toshiba,
Disney, Warner Bros. Studios
5
BE : Basic Goal
How to efficiently exclude illegal users from a privileged set ?
Revoked User Privileged User
Transmission Overhead (TO)
User Storage Overhead (SO)
Computation Overhead (CO)
one-to-many communication : Transmission efficiency
6
BE : Related Works
Unicast & Power-Set Solutions
Middle Ground : Revocation-state ?
Define a collection of subsets
- Combinatorial Approach (collusion)
- Tree Structure (SD,LSD,SSD), Line Segment (PI)
Reveal Information of Revoked Users
- Secret Sharing
Accumulate Information of Privileged Users
- One-Way Accumulator
7
Problem of Scalability & Our Solution
Large Number of Users? Impractical due to
Excessive User Storage and/or Computation Overhead
Modular Approach for Scalability
Reduction in User Storage and Computation
Slight Increase in Transmission Overhead
Structure Preserving
- Security
- Type of Key Sharing : Symmetric / Public Key
- Connection State : Stateful / Stateless
8
Our Solution : Modular Approach
Independent & Hierarchical Application of BE to small subsets
User Structure : $n = w^s$
w-ary Tree, Height = s
Sibling Set S_a
[Figure: w-ary tree of users, drawn with children numbered 1 to 8; labels S_e, S_e1, S_e18, U_e184]
9
Our Solution : Modular Approach
Independent & Hierarchical Application of BE
- Key Assignment
[Figure: key assignment on the tree; labels S_e, S_e1, S_e18, U_e184]
10
Our Solution : Modular Approach
Independent & Hierarchical Application of BE
- Revocation Tree
Revoked Users (leaves), Revoked nodes (Steiner Tree)
[Figure: revocation tree with revoked users u_e115 and u_e182; labels S_e, S_e1, S_e18]
11
Our Solution : Modular Approach
Independent & Hierarchical Application of BE
- Revocation Tree
Revoked nodes
[Figure: revocation tree with revoked users u_e115 and u_e182; labels S_e, S_e1, S_e11, S_e18]
12
Our Solution : Performance Analysis
User Storage Overhead: $1 + s \cdot SO_B(n^{1/s})$
Preserve “log-key restriction” ($1 + s \log n^{1/s} = 1 + \log n$)
Computation Overhead: $CO_B(n^{1/s})$
Transmission Overhead: $\le s \cdot TO_B(n^{1/s})$
Sibling Set
Height : s
$w = n^{1/s}$
13
Examples
User Devices with Limited Resources
Transmission-Restricted/Low Bandwidth
Application
14
Example 1 : For Low Resource Environment
BE scheme B1 with
log n + 1 SO, 2r TO, n CO
Transformation
BE scheme B1 with
log n + 1 SO, 2r log n / log log n TO, log n CO
15
Example 1 : For Low Resource Environment
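User Structure : Number line
[Figure: number line of users U_1, U_2, ..., U_n]
Basic Tool : One-way chain
$F: \{0,1\}^\kappa \to \{0,1\}^\kappa$
$sd_i \leftarrow_R \{0,1\}^\kappa$
points: $u_i, u_{i+1}, u_{i+2}, \ldots, u_j$
chain-value: $F(sd_i), F^2(sd_i), F^3(sd_i), \ldots, F^{j-i+1}(sd_i)$
chain-value: $sd_i, F^1(sd_i), F^2(sd_i), \ldots, F^{j-i}(sd_i)$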
16
Example 1 : For Low Resource Environment
Revocation of B1 : 2r (r : number of revoked users)
Key Assignment of B1 : 1 + log n (Log-Key Restriction)
n computations
[Figure: number line of users labelled with the chain-values assigned to each user and used in revocation]
17
Example 1 : Security
Subset Cover Framework (by Naor et al.)
Subset : Interval (line segment)
Existence of Pseudo-Random Sequence Number Generator
Key assignment method satisfies Key Indistinguishability
18
Example 2 : Low Bandwidth BE
Jumping One-way Chain Schemes by Jho et al. at Eurocrypt’05
Application of Different BE Schemes : B2
Performance. TO : $[r/2] + 1$, SO : $(n^2 + 4n)/8$, CO : $n/2$
19
Performance Analysis
$N = 10^8$ users and $w = 100$ for worst case
[Figure: two plots, Transmission Overhead and User Storage Overhead, comparing SD, B1 and B2; annotation: the gap of log key restriction]
20
Concluding Remarks
Average case analysis
Traitor Tracing & Other Properties
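Multi-dimensional Cube
[Figure: users as grid points, u=(1,1) in two dimensions (x axis, y axis; sides m1, m2) and u=(1,1,1) in three dimensions (x axis, y axis, z axis; sides m1, m2, m3)]
revoked users: u=(4,6), v=(8,4)
Cover = {$C^+_{[1,3]}$, $C^-_{[5,6]}$, $C^+_{[7,7]}$, $C^-_{[9,11]}$, $C^+_{4,[1,5]}$, $C^-_{4,[7,11]}$, $C^+_{8,[1,3]}$, $C^+_{8,[1,3]}$}
[Figure: grid with coordinates 1 to 11 showing revoked users u and v; labelled subsets $C^+_{[1,3]}$, $C^-_{[5,6]}$, $C^+_{[7,7]}$, $C^-_{[9,11]}$, $C^+_{4,[1,5]}$, $C^-_{4,[7,11]}$, $C^-_{8,[5,11]}$, $C^+_{8,[1,3]}$]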
21
Thank you