Korea University

CRYPTO ‘05

Jung Yeon Hwang, Dong Hoon Lee, Jong In Lim

Generic Transformation for Scalable Broadcast Encryption Schemes

2

Contents

Broadcast Encryption (BE)

Concept / Applications

Related Works

Our Approach for Scalability

Design Principle

Generic Transformation

Compiled Examples

Concluding Remarks

3

Broadcast Encryption : Concept

Message Sender

s : session key , m :contents

Header Body

Broadcast Encryption Message

Contents

Subscribers

4

BE : Applications

Satellite-based Business

Group Communication

Digital Rights ManagementHome network content protection

AACS (Advanced Access Content System) group

2004. 7. IBM, Intel, Microsoft, Panasonic, Sony, Toshiba,

Disney, Warner Bros. Studios

5

BE : Basic Goal

How to efficiently exclude illegal users from a privileged set ?

Revoked User Privileged User

Transmission Overhead (TO)

User Storage Overhead (SO)

Computation Overhead (CO)

one-to-many communication : Transmission efficiency

6

BE : Related Works

Unicast & Power-Set Solutions

Middle Ground : Revocation-state ?

Define a collection of subsets

- Combinatorial Approach (collusion)

- Tree Structure (SD,LSD,SSD), Line Segment (PI)

Reveal Information of Revoked Users

- Secret Sharing

Accumulate Information of Privileged Users

- One-Way Accumulator

7

Problem of Scalability & Our Solution

Large Number of Users?Impractical due to

Excessive User Storage and/or Computation Overhead

Modular Approach for Scalability

Reduction in User Storage and Computation

Slight Increase in Transmission Overhead

Structure Preserving

- Security

- Type of Key Sharing : Symmetric / Public Key

- Connection State : Stateful / Stateless

8

Our Solution : Modular Approach

…

…Se

Se1

Se18

User Structure : n=ws

w-ary Tree

… …

…

Ue184

Sibling Set Sa

Users

Independent & Hierarchical Application of BE to small subsets

e

1 8

1 2 3 4 5 6 7 8

41 2 3 5 6 7 8

Height = s

9

Our Solution : Modular Approach

…

…

Independent & Hierarchical Application of BE

- Key Assignment

Se

Se1

Se18

Tree

… …

…

Ue184

10

Our Solution : Modular Approach

…

…Se

Se1

Se18

Independent & Hierarchical Application of BE

- Revocation Tree

… …

…

Revoked Users (leaves) Revoked nodes (Steiner Tree)

ue115 ue182

11

Our Solution : Modular Approach

…Se

Se1

Se18

Independent & Hierarchical Application of BE

- Revocation Tree

…

Revoked nodes

… …

…Se11

ue115 ue182

12

Our Solution : Performance Analysis

User Storage Overhead1 + sᆞ SOB(n1/s)

Preserve “log-key restriction”

(1+ s log n1/s = 1+ log n)

Computation OverheadCOB(n1/s)

Transmission Overhead≤ sᆞ TOB(n1/s)

Sibling Set

Height : s

w=n1/s

13

Examples

User Devices with Limited Resources

Transmission-Restricted/Low Bandwidth

Application

14

Example 1 : For Low Resource Environment

BE scheme B1 with

log n +1 SO, 2 r TO, n CO

Transformation

BE scheme B1 with

log n +1 SO, 2 r log n /log log n TO, log n CO

15

Example 1 : For Low Resource Environment

User Structure : Number line

U1 U2 U3 UnUn-1U4 Ui… …

Basic Tool : One-way chain

F(sdi) F2(sdi) F3(sdi) Fj- 1+1(sdi)

ui ui+1 ui+2 uj points

chain-value

F: {0,1}κ → {0,1}κ

U5 U6

F1(sdi) F2(sdi) Fj-i(sdi)sdi

sdi ←R {0,1}κ

i1 … …

16

541 2 3 6 7 8 9 10 11 1312 3214 1615

Example 1 : For Low Resource Environment

Revocation of B1 : 2r (r : number of revoked users)

54

F4(sdi)

1 2 3 6 7 8 9 10 11 1312

F3(sd8) F2(sd9) F21(sd32)

32

F3(sd1) F2(sd8) F1(sd9) F20(sd32)

Key Assignment of B1 : 1+log n (Log-Key Restriction)

chain-valuesF2(sd8)

F(sd5)

F10(sd16)

sd6

F5(sd1) F26(sd32)

…

n computations

168

17

Example 1 : Security

Subset Cover Framework (by Naor et al.)

Subset : Interval (line segment)

Existence of Pseudo-Random Sequence Number Generator

Key assignment method satisfies Key Indistinguishability

18

Example 2 : Low Bandwidth BE

Jumping One-way Chain Schemes by Jho et. al at Eurocrypt’05

Application of Different BE Schemes : B2

Performance. TO : [r/2] +1, SO : (n2+4n)/8, CO : n/2

…

… … …

19

Performance Analysis

N=108 users and w=100 for worst case

Transmission Overhead User Storage Overhead

The gap of log key restriction

SD

B1

B2

B1

B2

SD

20

Concluding Remarks

Average case analysis

Traitor Tracing & Other Properties

Multi-dimensional Cube

m2

m1

m3

u=(1,1,1)

m1

m2

u=(1,1)

x 축

y 축

z 축

x 축

y 축

u

revoked users: u=(4,6), v=(8,4)

u u

Cover= {C+[1,3],C

-[5,6],C

+[7,7],C

-[9,11],

C+4,[1,5],C

-4,[7,11],C

+8,[1,3],C

+8,[1,3],}

1 11

11

v vv

C+[1,3] C-

[5,6] C+[7,7]

C-[9,11]

C+4,[1,5]

C-4,[7,11]

C-8,[5,11]

C+8,[1,3]

21

Thank you