+ All Categories
Home > Documents > Dong Hoon Lee CIST Korea University cist.korea.ac.kr

Dong Hoon Lee CIST Korea University cist.korea.ac.kr

Date post: 13-Jan-2016
Category:
Upload: yin
View: 61 times
Download: 1 times
Share this document with a friend
Description:
Efficient Communication-Storage Tradeoffs for Broadcast Encryption Schemes ( will be published in Eurocrypt’05 ). Dong Hoon Lee CIST Korea University http://cist.korea.ac.kr. Contents. Broadcast Encryption Concept / Applications Related Works Our Construction ( Trans. Efficient ) - PowerPoint PPT Presentation
37
Dong Hoon Lee CIST Korea University http://cist.korea.ac.kr Efficient Communication-Storage Tradeoffs for Broadcast Encryption Schemes ( will be published in Eurocrypt’05 )
Transcript
Page 1: Dong Hoon Lee CIST  Korea University cist.korea.ac.kr

Dong Hoon Lee

CIST Korea Universityhttp://cist.korea.ac.kr

Efficient Communication-Storage Tradeoffs for

Broadcast Encryption Schemes( will be published in Eurocrypt’05 )

Page 2: Dong Hoon Lee CIST  Korea University cist.korea.ac.kr

2

Contents

Broadcast Encryption Concept / Applications

Related Works

Our Construction (Trans. Efficient ) Basic scheme Extension 1, Extension 2, Extension 3 Efficiency & Security

Conclusion

Page 3: Dong Hoon Lee CIST  Korea University cist.korea.ac.kr

3

Broadcast Encryption : Concept

DataSupplier

Subscribers

Contents

Esk(s) Es(m)s : session key , m :contents

Key management Cipher Block

Broadcast Encryption Message

Broadcast

Contents

Page 4: Dong Hoon Lee CIST  Korea University cist.korea.ac.kr

4

BE : Basic Security = Revocation

Adversarial Coalition

Group3 52 3 56

1

3 547531

DATA

1 3 5 6 7 8 92

4

Revoked Members

?2

4

Page 5: Dong Hoon Lee CIST  Korea University cist.korea.ac.kr

5

BE : Applications

Satellite-based BusinessGroup Communication (multicast)Digital Rights Management

xCP (Extensible Content Protection), IBM2003. 4. Home network content protection (MP3 players, DVD players, Cellular phones, PDAs, TV )

AACS (Advanced Access Content System) group2004. 7. IBM, Intel, Microsoft, Panasonic, Sony, Toshiba, Disney, Warner Bros. StudiosCopy protection scheme : pirated DVDs

Page 6: Dong Hoon Lee CIST  Korea University cist.korea.ac.kr

6

BE : Related Works

Combinatorial ApproachesCombinatorial design

Algebraic Approaches Secret Sharing Method

Tree-based structureLKH (Logical Key Hierarchy) SD (Subset Difference) Naor, Naor, Lotspiech, Crypto’01

IBM xCP, AACSLSD (Layered SD) Halevy and Shamir, Crypto’02SSD (Stratified SD) Goodrich et. al, Crypto’04

Page 7: Dong Hoon Lee CIST  Korea University cist.korea.ac.kr

7

BE : Measures

1. Transmission Length2. Storage for keys at user device3. Computation overhead

One-to-many communication TL is the most important factorGOAL : Transmission-efficient scheme with Storage and Computation overhead within reasonable bounds

Page 8: Dong Hoon Lee CIST  Korea University cist.korea.ac.kr

8

BE : Basic Approaches

U1 U2 U4U3 U5 U6

U8U7

GC (Group Center)

Unicast

TransmissionUser storage

Single-Message

TransmissionUser storage

U1 U2 U4U3 U5 U6

U8U7

One key for all cases of revocation : {1},{12},…,{145},…,{124578},…

GC

Page 9: Dong Hoon Lee CIST  Korea University cist.korea.ac.kr

9

Broadcast Encryption – Tree-based

LKH SD

Key storage per user

: log-key restriction

# of transmitted messages: 2 r (r:# of revoked users)

Page 10: Dong Hoon Lee CIST  Korea University cist.korea.ac.kr

10

Challenging Problem

The number of

trans. messages

The number of

revoked users >?

Page 11: Dong Hoon Lee CIST  Korea University cist.korea.ac.kr

11

Our Scheme : One-way chain

Pseudo-Random number sequence from F : {0,1}κ →{0,1}mκ

F(sdi) F2(sdi) F3(sdi) Fj- 1+1(sdi)

ui ui+1 ui+2 ujnodes

Chain-valueSdi F(Sdi) F2(Sdi) Fj-i(Sdi)

Page 12: Dong Hoon Lee CIST  Korea University cist.korea.ac.kr

12

Our Scheme : User Structure

Circular structure

F(sdi) F2(sdi) F3(sdi) Fj- 1+1(sdi)

ui ui+1 ui+2 uj Users

Chain-value

Linear structure

Sdi F(Sdi) F2(Sdi) Fj-i(Sdi)

Page 13: Dong Hoon Lee CIST  Korea University cist.korea.ac.kr

13

Our Scheme : Basic Scheme

Key assignment

n keys per user

u1

u2

u4

u3

u5

u6 u8u7

u9

u11

u10

u12

u8

s7 F1(s7)

s8

s6 F(s6) F2(s6)

s5 F(s5) F3(s5)…

u7u6u5

n different labels

Key set

Page 14: Dong Hoon Lee CIST  Korea University cist.korea.ac.kr

14

Our Scheme : Basic Scheme

Revocation Method

s1

F2(s1)

F3(s1)

F(s1)

s6F(s6

)

F2(s6)

F3(s6)

F4(s6)

F5(s6)

r (=2) revoked usersr (=2) trans. messages

u1u2

u5

u12

u11

u6

u3

u4

u7

u8

u9

u10

SK2 = F5(s6)

SK1 = F3(s1)

r (=2) subsets

Page 15: Dong Hoon Lee CIST  Korea University cist.korea.ac.kr

15

Our Scheme : Basic Scheme

Key computation

s1

F2(s1)

F3(s1)

F(s1)

F6(s1)F7(s1)

F8(s1)

F9(s1)

F10(s1)

u1u2

u5

u12

u11

u6

u3

u4

u7

u8

u9

u10

SK = F10(s1)

Maximum n computations of F per user

F4(s1)

F5(s1)

Page 16: Dong Hoon Lee CIST  Korea University cist.korea.ac.kr

16

Our Scheme : Extension 1

Covering several subsets by one key !!

Further reduction of Trans. length in basic scheme

user

subset

SO ↑

TL ↓

Page 17: Dong Hoon Lee CIST  Korea University cist.korea.ac.kr

17

Our Scheme : Extension 1 (OWC([n,2]))

Revocation Method (Jumping one-way chain)

F2(s12,5)

F3(s12,5)

F1(s12,5)

r (=2) revoked users

u1u2

u5

u12

u11

u6

u3

u4

u7

u8

u9

u10

SK1 = F10(s12,5)

F6(s12,5)F7(s12,5)

F8(s12,5)

F9(s12,5)

F10(s12,5)

F5(s12,5)

F4(s12,5)

s12,5

r/2 (=1) Trans. messages

r/2 (=1) subsets

Page 18: Dong Hoon Lee CIST  Korea University cist.korea.ac.kr

18

Our Scheme : Extension 1 (OWC([n,3]))

Revocation Method (Jumping one-way chain)

F2(s12,5,8)

F3(s12,5,8)

F1(s12,5,8)

r (=3) revoked users

SK1 = F10(s12,5,8)

F6(s12,5,8)F7(s12,5,8)

F8(s12,5,8)

F9(s12,5,8)

F10(s12,5,8)

F5(s12,5,8)

F4(s12,5,8)

s12,5,8

u5

u8

u12

r/3 (=1) Trans. messages

r/3 (=1) subsets

Page 19: Dong Hoon Lee CIST  Korea University cist.korea.ac.kr

19

Our Scheme : Extension 1

Key assignment

Choice of different labels for k revoked users

u1u2

u5

u12

u11

u6

u3

u4

u7

u8

u9

u10

keys per usern

k( )

keys per usern

2( )

SO : O(nk)

Page 20: Dong Hoon Lee CIST  Korea University cist.korea.ac.kr

20

Our Scheme : Extension 1

Key computation

sw

F2(sw)

F3(sw)

F(sw)

F6(sw)F7(sw)

F8(sw)

F9(sw)

F10(sw)

u1u2

u5

u12

u11

u6

u3

u4

u7

u8

u9

u10

SK = F10(sw) )

Maximum n computations of F per user

F4(sw)

F5(sw)

Page 21: Dong Hoon Lee CIST  Korea University cist.korea.ac.kr

21

Our Scheme : Extension 2

Trade-off between SO and TL

Trans. Length

Basic Extension 1

Keys Storage

r

n

0

2n-1

…. Power-set BE ….

r / k

O(nk)

( k is a natural number )

Page 22: Dong Hoon Lee CIST  Korea University cist.korea.ac.kr

22

Our Scheme : Extension 2

Constructing hierarchical chain so that several keys of a user cover one subset !!

Reduction in keys storage per user in Basic Scheme

user

subset

SO ↓

TO ↑

Page 23: Dong Hoon Lee CIST  Korea University cist.korea.ac.kr

23

Our Scheme : Extension 2 (OWC(p,[w,k]))

Revocation method (hierarchical chain : 2-dim Ring)

Page 24: Dong Hoon Lee CIST  Korea University cist.korea.ac.kr

24

Our Scheme : Extension 2

Revocation method (structurally equivalent with SD)

Complete binary treeComplete binary ring

Page 25: Dong Hoon Lee CIST  Korea University cist.korea.ac.kr

25

Our Scheme : Extension 2

Trade-off between SO and TL

Trans. Length

Basic Extension 2

Keys Storage

r

n

2 r

(log2n+log n)/2 + 1

…. SD….

rw/(w-1) g(n)

- k is a natural number- g(n) = (w-1)log n + (w-1)(log2n+log n)/2 + 1

(w-ary ring)

Page 26: Dong Hoon Lee CIST  Korea University cist.korea.ac.kr

26

Our Scheme : Extension 3

Combination of two extension methods: Layered 2-dimensional Ring

Toward Practical Scheme

Reduce ( User keys storage + Trans. Length )

Page 27: Dong Hoon Lee CIST  Korea University cist.korea.ac.kr

27

U1.1

U1.2

U1.5 U1.6

U1.3

U1.4

U1.7

U1.8

U1.9

Our Scheme : Extension 3

User structure : layered 2-dimnsional ring

U2.1

U2.2

U2.5 U2.6

U2.3

U2.4

U2.7

U2.8

U2.9

Page 28: Dong Hoon Lee CIST  Korea University cist.korea.ac.kr

28

u1.1

u1.2

u1.5 u1.6

u1.3

u1.4

u1.7

u1.8

u1.9

Our Scheme : Extension 3

Revocation method

u2.1

u2.2

u2.5 u2.6

u2.3

u2.4

u2.7

u2.8

u2.9

r (=3) revoked usersr/2+1 (=2) Trans. messages

r/2+1 (=2) subsets

Page 29: Dong Hoon Lee CIST  Korea University cist.korea.ac.kr

29

Our Scheme : Extension 3

Key assignment

u1.1

u1.2

u1.5 u1.6

u1.3

u1.4

u1.7

u1.8

u1.9

u2.1

u2.2

u2.5 u2.6

u2.3

u2.4

u2.7

u2.8

u2.9

n keys for 1 revoked userkeys for 2 revoked usersm=n/2

2( )

Page 30: Dong Hoon Lee CIST  Korea University cist.korea.ac.kr

30

Our Scheme : Extension 3

Key computation

u1.1

u1.2

u1.5 u1.6

u1.3

u1.4

u1.7

u1.8

u1.9

u2.1

u2.2

u2.5 u2.6

u2.3

u2.4

u2.7

u2.8

u2.9

Maximum m=n/2 com. of F and 1 com. of G per user

Page 31: Dong Hoon Lee CIST  Korea University cist.korea.ac.kr

31

Our Scheme : Extension 3

For a large number users : partition

...

...

Page 32: Dong Hoon Lee CIST  Korea University cist.korea.ac.kr

32

Our Scheme : Extension 3

3 instances

OWC(2,[50,2])

OWC(4,[50,2])

OWC((2:2),[50,2])

Page 33: Dong Hoon Lee CIST  Korea University cist.korea.ac.kr

33

Our Construction : SecurityStandard hybrid argument

Pseudo-Random number sequence from F : {0,1}κ →{0,1}mκ

Truly Random number sequence

Ri+1 Ri+2 Ri+3 Rj Rj ←R {0,1}mκ

Computational Indistinguishability

F(sdi) F2(sdi) F3(sdi) Fj- 1+1(sdi)

ui ui+1 ui+2 ujnodes

Chain-valueSdi F(Sdi) F2(Sdi) Fj-i(Sdi)

Page 34: Dong Hoon Lee CIST  Korea University cist.korea.ac.kr

34

Our schemes : Efficiency

50546.9 (0.7r)Fig.19.950OWC((2:2),[w,2])

50546.9 (0.7r)Fig.20.950 OWC(4,[w,2])

50546.9 (0.7r)19.250OWC(2,[w,2])

r=50,000(5%)

# of Comp.

Trans. Length (Kbyte)Keys Storage (Kbyte)m

n = 106 users

3.2SD (Naor et. al) Fig. 201562.5 (2r)

Page 35: Dong Hoon Lee CIST  Korea University cist.korea.ac.kr

35

Comparison : Transmission Length

5 %

546.9

1 %

234.4

156.3

0.5%

SD

OWC(2,[50,2])

2 %

312.5

78.1

(w=50)

178.1

OWC(4,[50,2])

OWC((2:2),[50,2])

n = 106 usersKbyte

# of revoked users

Page 36: Dong Hoon Lee CIST  Korea University cist.korea.ac.kr

36

Further Research

Further reduction in user storage

Reduction for initial transmission length

Other structure for Trade-off

: Transmission length & User keys storage

Page 37: Dong Hoon Lee CIST  Korea University cist.korea.ac.kr

37

Q & A

Thank you


Recommended