Oct 8, 2015 - Global Broadcast Service (US). â» Joint Broadcast System ... Mailing list encryption: [BGW05] OpenPGP fun
“Tree-Based Symmetric Key Broadcast Encryption” (Thesis Defense)
Sanjay Bhattacherjee ISI, Kolkata; ENS-Lyon
Supervisor: Prof. Palash Sarkar ISI, Kolkata
Date: 8th October, 2015
Outline
Preliminaries Background Our Contributions Conclusion
Symmetric Key Encryption
Alice
Bob
Symmetric Key Encryption
Alice
Bob
M = “Nandan, 6:30pm”
Insecure Communication Channel
Symmetric Key Encryption
Alice
Oscar
M = “Nandan, 6:30pm”
Insecure Communication Channel
Bob
Symmetric Key Encryption
Alice
Bob
Oscar
M = “Nandan, 6:30pm”
Insecure Communication Channel
K
K Enc
Dec
Symmetric Key Encryption
Alice
Bob
Oscar
M = “Nandan, 6:30pm”
M = “Nandan, 6:30pm”
Insecure Communication Channel
K
K Enc
Dec
Symmetric Key Encryption
Alice
Bob
Oscar
M = “Nandan, 6:30pm”
M = “Nandan, 6:30pm”
K
Insecure Communication Channel
K
C ← E(M, K )
Enc
Dec
Symmetric Key Encryption
Alice
Bob
Oscar
M = “Nandan, 6:30pm”
M = “Nandan, 6:30pm”
K
C ← E(M, K )
Enc
Insecure Communication Channel
C = “KNQXGAQWJGJFOI”
K Dec
Symmetric Key Encryption
Alice
Bob
Oscar
M = “Nandan, 6:30pm”
M = “Nandan, 6:30pm”
K
C ← E(M, K )
Enc
Insecure Communication Channel
C = “KNQXGAQWJGJFOI”
M ← E −1 (C, K )
Dec
K
Symmetric Key Encryption
Alice
Bob
Oscar
M = “Nandan, 6:30pm”
M = “Nandan, 6:30pm”
K
C ← E(M, K )
Enc
Insecure Communication Channel
C = “KNQXGAQWJGJFOI”
M = “Nandan, 6:30pm”
M ← E −1 (C, K )
Dec
K
Symmetric Key Encryption
Alice
Bob
Oscar
M = “Nandan, 6:30pm”
M = “Nandan, 6:30pm”
K
C ← E(M, K )
Enc
Insecure Communication Channel
C = “KNQXGAQWJGJFOI”
M = “Nandan, 6:30pm”
M ← E −1 (C, K )
Dec
K
One Alice → Many Bobs?
Alice
One Alice → Many Bobs?
Alice
n (Bobs and Oscars)
One Alice → Many Bobs?
privileged
Alice
n (Bobs and Oscars)
One Alice → Many Bobs?
privileged
Alice
revoked
n (Bobs and Oscars)
Pay-TV center → Subscribers
Broadcasting Center (Tata Sky, Dish TV, etc.)
Pay-TV center → Subscribers
Broadcasting Center (Tata Sky, Dish TV, etc.)
n Users
Pay-TV center → Subscribers
privileged users
Broadcasting Center (Tata Sky, Dish TV, etc.)
n Users
Pay-TV center → Subscribers
privileged users
Broadcasting Center (Tata Sky, Dish TV, etc.) revoked users
n Users
DRM in Blu-ray/DVD discs
(Copyrighted) Content Production House
DRM in Blu-ray/DVD discs
(Copyrighted) Content Production House
n Users
DRM in Blu-ray/DVD discs
legitimate player
(Copyrighted) Content Production House
n Users
DRM in Blu-ray/DVD discs
legitimate player
pirated player
(Copyrighted) Content Production House
n Users
Basic Schemes N : set of all users u1 , . . . , un ; R: set of revoked users;
n = |N | r = |R|
Basic Schemes N : set of all users u1 , . . . , un ; R: set of revoked users;
S = {Si : Si ⊆ N }
n = |N | r = |R|
Basic Schemes N : set of all users u1 , . . . , un ; R: set of revoked users;
n = |N | r = |R|
S = {Si : Si ⊆ N } Singleton Set Scheme S = {{u1 }, . . . , {un }} I
Each user is assigned a unique key.
O(1)
I
M has to be encrypted for each user in N \ R.
O(n − r )
Basic Schemes N : set of all users u1 , . . . , un ; R: set of revoked users;
n = |N | r = |R|
S = {Si : Si ⊆ N } Singleton Set Scheme S = {{u1 }, . . . , {un }} I
Each user is assigned a unique key.
O(1)
I
M has to be encrypted for each user in N \ R.
O(n − r )
Power Set Scheme S = {{u1 }, . . . , {u1 , u2 }, . . . , {u1 , . . . , un−1 }, . . . , N } I
Each subset of users is assigned a unique key.
O(2n )
I
M is encrypted only once for the set N \ R ∈ S.
O(1)
Subset Cover Framework [NNL01] 1. Initiation I
Choose the collection
S = {S1 , . . . , Sw }; Si ⊆ N .
Subset Cover Framework [NNL01] 1. Initiation I
Choose the collection
S = {S1 , . . . , Sw }; Si ⊆ N . I
Assign key Li to each Si ∈ S I
Only u ∈ Si gets Li
Subset Cover Framework [NNL01] 1. Initiation I
Choose the collection
S = {S1 , . . . , Sw }; Si ⊆ N . I
Assign key Li to each Si ∈ S I
Only u ∈ Si gets Li
2. Encryption Broadcast Message
(sent in sessions)
Message Block M
Subset Cover Framework [NNL01] 2. Encryption (M, R) For each session (with privileged users N \ R):
Subset Cover Framework [NNL01] 2. Encryption (M, R) For each session (with privileged users N \ R): I
Find the Subset Cover Sc = {Si1 , . . . , Sih }
Subset Cover Framework [NNL01] 2. Encryption (M, R) For each session (with privileged users N \ R): I
Find the Subset Cover Sc = {Si1 , . . . , Sih } ⊂ S such that
N \ R = Si1 ∪ · · · ∪ Sih I
Encrypt:
Subset Cover Framework [NNL01] 2. Encryption (M, R) For each session (with privileged users N \ R): I
Find the Subset Cover Sc = {Si1 , . . . , Sih } ⊂ S such that
N \ R = Si1 ∪ · · · ∪ Sih I
Encrypt: I
M with random Ks ;
Subset Cover Framework [NNL01] 2. Encryption (M, R) For each session (with privileged users N \ R): I
Find the Subset Cover Sc = {Si1 , . . . , Sih } ⊂ S such that
N \ R = Si1 ∪ · · · ∪ Sih I
Encrypt: I I
M with random Ks ; Ks with Lij of each Sij ∈ Sc
Subset Cover Framework [NNL01] 2. Encryption (M, R) For each session (with privileged users N \ R): I
Find the Subset Cover Sc = {Si1 , . . . , Sih } ⊂ S such that
N \ R = Si1 ∪ · · · ∪ Sih I
Encrypt: I I
M with random Ks ; Ks with Lij of each Sij ∈ Sc FKs (M)
Subset Cover Framework [NNL01] 2. Encryption (M, R) For each session (with privileged users N \ R): I
Find the Subset Cover Sc = {Si1 , . . . , Sih } ⊂ S such that
N \ R = Si1 ∪ · · · ∪ Sih I
Encrypt: I I
M with random Ks ; Ks with Lij of each Sij ∈ Sc FKs (M)
ELi1 (Ks )
···
ELih (Ks )
Subset Cover Framework [NNL01] 2. Encryption (M, R) For each session (with privileged users N \ R): I
Find the Subset Cover Sc = {Si1 , . . . , Sih } ⊂ S such that
N \ R = Si1 ∪ · · · ∪ Sih I
Encrypt: I I
M with random Ks ; Ks with Lij of each Sij ∈ Sc FKs (M) body
ELi1 (Ks )
··· header
ELih (Ks )
Subset Cover Framework [NNL01]
3. Decryption FKs (M)
For u ∈ Sij where Si,j ∈ Sc I
Find ELi (Ks ) in the header j
ELi1 (Ks )
···
ELih (Ks )
Subset Cover Framework [NNL01]
3. Decryption FKs (M)
For u ∈ Sij where Si,j ∈ Sc I
Find ELi (Ks ) in the header
I
EL−1 (ELi (Ks )) ij j
j
Ks ←
ELi1 (Ks )
···
ELih (Ks )
Subset Cover Framework [NNL01]
3. Decryption FKs (M)
For u ∈ Sij where Si,j ∈ Sc I
Find ELi (Ks ) in the header
I
Ks ←
EL−1 (ELi (Ks )) ij j
I
M ← FK−1 (FKs (M)) s
j
ELi1 (Ks )
···
ELih (Ks )
Parameters of Interest I
|Sc | = h: header length (costliest parameter) Example: Pay-TV bandwidth cost
Parameters of Interest I
|Sc | = h: header length (costliest parameter) Example: Pay-TV bandwidth cost
I
|Iu |: user storage (may be costly) Example: High-end military receivers
Parameters of Interest I
|Sc | = h: header length (costliest parameter) Example: Pay-TV bandwidth cost
I
|Iu |: user storage (may be costly) Example: High-end military receivers
I I
Encryption time Decryption time Example: TV set-top box booting time
Applications of BE I I
Pay-TV, CableLabs standard. AACS: Disney, Intel, Microsoft, Panasonic, Warner Bros., IBM, Toshiba and Sony.
Blu-ray Disc Manufacturer
Player Manufacturer
Applications of BE I I
Pay-TV, CableLabs standard. AACS: Disney, Intel, Microsoft, Panasonic, Warner Bros., IBM, Toshiba and Sony.
Blu-ray Disc Manufacturer
I
Player Manufacturer
Military Broadcasts I I
Global Broadcast Service (US) Joint Broadcast System (Europe)
Applications of BE I I
Pay-TV, CableLabs standard. AACS: Disney, Intel, Microsoft, Panasonic, Warner Bros., IBM, Toshiba and Sony.
Blu-ray Disc Manufacturer
I
Military Broadcasts I I
I I
I I I
Player Manufacturer
Global Broadcast Service (US) Joint Broadcast System (Europe)
File Sharing in Encrypted File Systems. Mailing list encryption: [BGW05] OpenPGP functions as a BE system Online content sharing and distribution [BBW06] eCommerce: trade secret broadcasts ...
Why NOT use Public-Key BE?
Efficiency!!! (decryption time, hence cost)
Preliminaries Background Our Contributions Conclusion
The collection S
S = {S1, . . . , Sw }; Si ⊆ N
The collection S
S = {S1, . . . , Sw }; Si ⊆ N I
determines the header length h (through the cover generation algorithm) Subset Cover Sc = {Si1 , . . . , Sih } ⊂ S such that N \ R = Si1 ∪ · · · ∪ Sih
The collection S
S = {S1, . . . , Sw }; Si ⊆ N I
determines the header length h (through the cover generation algorithm) Subset Cover Sc = {Si1 , . . . , Sih } ⊂ S such that N \ R = Si1 ∪ · · · ∪ Sih
I
determines the user storage |Iu | (through the key assignment and distribution algorithm)
The collection S
S = {S1, . . . , Sw }; Si ⊆ N I
determines the header length h (through the cover generation algorithm) Subset Cover Sc = {Si1 , . . . , Sih } ⊂ S such that N \ R = Si1 ∪ · · · ∪ Sih
I
determines the user storage |Iu | (through the key assignment and distribution algorithm)
I
determines the encryption and decryption time (through the key assignment and distribution algorithm)
Two types of S
I
Subset Difference {1}, {3}, {6, 7, 8}
I
Punctured Interval {1, 3, 6}, {7, 8} Dalit Naor, Moni Naor, and Jeffery Lotspiech. Revocation and tracing schemes for stateless receivers. In Joe Kilian, editor, CRYPTO, volume 2139 of Lecture Notes in Computer Science, pages 41–62. Springer, 2001. Nam-Su Jho and Jung Yeon Hwang and Jung Hee Cheon and Myung-Hwan Kim and Dong Hoon Lee and Eun Sun Yoo. One-Way Chain Based Broadcast Encryption Schemes. In Ronald Cramer, editor, EUROCRYPT, volume 3494 of Lecture Notes in Computer Science, pages 559–574. Springer, 2005.
Outline Preliminaries Background NNL-SD: Initiation Define SNNL−SD Key Assignment Key Distribution
NNL-SD: Encryption Halevy-Shamir Layered SD Other Related Works Our Contributions Paper 1: Arbitrary n; Detailed Analysis Paper 2: Layering; Minimizing Storage Paper 3: k -ary Generalization Paper 4: Assured Savings on Communication Conclusion
Preliminaries Background NNL-SD: Initiation Define SNNL−SD Key Assignment Key Distribution
NNL-SD: Encryption Halevy-Shamir Layered SD Other Related Works Our Contributions Paper 1: Arbitrary n; Detailed Analysis Paper 2: Layering; Minimizing Storage Paper 3: k -ary Generalization Paper 4: Assured Savings on Communication Conclusion
Subset Difference (SD) Scheme [NNL01] Naor-Naor-Lotspiech (2001) I
Patented
I
Used in the AACS standard
Subset Difference (SD) Scheme [NNL01] Naor-Naor-Lotspiech (2001) I
Patented
I
Used in the AACS standard 0 1
2
3 7 15
8 16
5
4
17
9 18
19
10 20
21
6
11 22
23
13
12 24
25
Assumed n = 2`0
26
27
14 28
29
30
Collection SNNL−SD has:
Collection SNNL−SD has: I
For all internal nodes i
Collection SNNL−SD has: I
For all internal nodes i
I
For all corresponding nodes j(6= i) in the subtree Ti
Collection SNNL−SD has: I
For all internal nodes i
I
For all corresponding nodes j(6= i) in the subtree Ti Si,j = Ti \ Tj
Collection SNNL−SD has: I
For all internal nodes i
I
For all corresponding nodes j(6= i) in the subtree Ti Si,j = Ti \ Tj
Ti
Tj
All users that are in Ti but not in Tj
Preliminaries Background NNL-SD: Initiation Define SNNL−SD Key Assignment Key Distribution
NNL-SD: Encryption Halevy-Shamir Layered SD Other Related Works Our Contributions Paper 1: Arbitrary n; Detailed Analysis Paper 2: Layering; Minimizing Storage Paper 3: k -ary Generalization Paper 4: Assured Savings on Communication Conclusion
Key Assignment Key for Si,j :
Key Assignment Key for Si,j : I
Assign random seedi to each internal node i
I
Pseudo-random generator (PRG): G : {0, 1}k → {0, 1}3k G(seed) = GL (seed)||GM (seed)||GR (seed)
Key Assignment Key for Si,j : I
Assign random seedi to each internal node i
I
Pseudo-random generator (PRG): G : {0, 1}k → {0, 1}3k G(seed) = GL (seed)||GM (seed)||GR (seed)
Key Assignment Key for Si,j : I
Assign random seedi to each internal node i
I
Pseudo-random generator (PRG): G : {0, 1}k → {0, 1}3k G(seed) = GL (seed)||GM (seed)||GR (seed) seedi
Key Assignment Key for Si,j : I
Assign random seedi to each internal node i
I
Pseudo-random generator (PRG): G : {0, 1}k → {0, 1}3k G(seed) = GL (seed)||GM (seed)||GR (seed) seedi
j
Key Assignment Key for Si,j : I
Assign random seedi to each internal node i
I
Pseudo-random generator (PRG): G : {0, 1}k → {0, 1}3k G(seed) = GL (seed)||GM (seed)||GR (seed) seedi GL (seedi )
j
GR (seedi )
Key Assignment Key for Si,j : I
Assign random seedi to each internal node i
I
Pseudo-random generator (PRG): G : {0, 1}k → {0, 1}3k G(seed) = GL (seed)||GM (seed)||GR (seed) seedi GL (seedi ) GL (GL (seedi ))
GR (seedi ) GR (GL (seedi ))
j
Key Assignment Key for Si,j : I
Assign random seedi to each internal node i
I
Pseudo-random generator (PRG): G : {0, 1}k → {0, 1}3k G(seed) = GL (seed)||GM (seed)||GR (seed) seedi GL (seedi ) GL (GL (seedi ))
GR (seedi ) GR (GL (seedi ))
j
seedi,j = GR (GL (GL (seedi )))
Key Assignment Key for Si,j : I
Assign random seedi to each internal node i
I
Pseudo-random generator (PRG): G : {0, 1}k → {0, 1}3k G(seed) = GL (seed)||GM (seed)||GR (seed) seedi GL (seedi ) GL (GL (seedi ))
GR (seedi ) GR (GL (seedi ))
j
seedi,j = GR (GL (GL (seedi )))
Key Assignment Key for Si,j : I
Assign random seedi to each internal node i
I
Pseudo-random generator (PRG): G : {0, 1}k → {0, 1}3k G(seed) = GL (seed)||GM (seed)||GR (seed) seedi GL (seedi ) GL (GL (seedi ))
GR (seedi ) GR (GL (seedi ))
j
seedi,j = GR (GL (GL (seedi )))
Li,j = GM (seedi,j )
Key Assignment Key for Si,j : I
Assign random seedi to each internal node i
I
Pseudo-random generator (PRG): G : {0, 1}k → {0, 1}3k G(seed) = GL (seed)||GM (seed)||GR (seed) seedi GL (seedi ) GL (GL (seedi ))
GR (seedi ) GR (GL (seedi ))
j
seedi,j = GR (GL (GL (seedi )))
Li,j = GM (seedi,j )
Key of Si,j : Li,j = GM (seedi,j )
Preliminaries Background NNL-SD: Initiation Define SNNL−SD Key Assignment Key Distribution
NNL-SD: Encryption Halevy-Shamir Layered SD Other Related Works Our Contributions Paper 1: Arbitrary n; Detailed Analysis Paper 2: Layering; Minimizing Storage Paper 3: k -ary Generalization Paper 4: Assured Savings on Communication Conclusion
User Storage User u stores: for every ancestor i (at level `), the derived seeds of nodes “falling-off” from the path between i and u, derived from seedi .
Figure: Secrets stored by u
User Storage User u stores: for every ancestor i (at level `), the derived seeds of nodes “falling-off” from the path between i and u, derived from seedi . seedi
u
Figure: Secrets stored by u
User Storage User u stores: for every ancestor i (at level `), the derived seeds of nodes “falling-off” from the path between i and u, derived from seedi . seedi GR (seedi )
u
Figure: Secrets stored by u
User Storage User u stores: for every ancestor i (at level `), the derived seeds of nodes “falling-off” from the path between i and u, derived from seedi . seedi GR (seedi ) GR (GL (seedi ))
u
Figure: Secrets stored by u
User Storage User u stores: for every ancestor i (at level `), the derived seeds of nodes “falling-off” from the path between i and u, derived from seedi . seedi GR (seedi ) GR (GL (seedi )) GR (GL (GL (seedi )))
u
Figure: Secrets stored by u
User Storage User u stores: for every ancestor i (at level `), the derived seeds of nodes “falling-off” from the path between i and u, derived from seedi . seedi GR (seedi ) GR (GL (seedi ))
`
GR (GL (GL (seedi )))
u
GR (GL (GL (GL (seedi ))))
Figure: Secrets stored by u
User Storage User u stores: for every ancestor i (at level `), the derived seeds of nodes “falling-off” from the path between i and u, derived from seedi . seedi GR (seedi ) GR (GL (seedi ))
`
GR (GL (GL (seedi )))
u
GR (GL (GL (GL (seedi ))))
1+ Figure: Secrets stored by u
User Storage User u stores: for every ancestor i (at level `), the derived seeds of nodes “falling-off” from the path between i and u, derived from seedi . seedi GR (seedi ) GR (GL (seedi ))
`
GR (GL (GL (seedi )))
u
GR (GL (GL (GL (seedi ))))
1+2+ Figure: Secrets stored by u
User Storage User u stores: for every ancestor i (at level `), the derived seeds of nodes “falling-off” from the path between i and u, derived from seedi . seedi GR (seedi ) GR (GL (seedi ))
`
GR (GL (GL (seedi )))
u
GR (GL (GL (GL (seedi ))))
1 + 2 + · · · + `0 = Figure: Secrets stored by u
User Storage User u stores: for every ancestor i (at level `), the derived seeds of nodes “falling-off” from the path between i and u, derived from seedi . seedi GR (seedi ) GR (GL (seedi ))
`
GR (GL (GL (seedi )))
u
GR (GL (GL (GL (seedi ))))
1 + 2 + · · · + `0 = Figure: Secrets stored by u
`0 (`0 +1) 2
Outline Preliminaries Background NNL-SD: Initiation Define SNNL−SD Key Assignment Key Distribution
NNL-SD: Encryption Halevy-Shamir Layered SD Other Related Works Our Contributions Paper 1: Arbitrary n; Detailed Analysis Paper 2: Layering; Minimizing Storage Paper 3: k -ary Generalization Paper 4: Assured Savings on Communication Conclusion
Subset Cover Finding Algorithm Given R, find Sc = {Si1 ,j1 , . . . , Sih ,jh }
Subset Cover Finding Algorithm Given R, find Sc = {Si1 ,j1 , . . . , Sih ,jh } such that Si1 ,j1 ∪ . . . ∪ Sih ,jh = N \ R
Subset Cover Finding Algorithm Given R, find Sc = {Si1 ,j1 , . . . , Sih ,jh } such that Si1 ,j1 ∪ . . . ∪ Sih ,jh = N \ R
Sc = {
Subset Cover Finding Algorithm Given R, find Sc = {Si1 ,j1 , . . . , Sih ,jh } such that Si1 ,j1 ∪ . . . ∪ Sih ,jh = N \ R
Sc = {
Subset Cover Finding Algorithm Given R, find Sc = {Si1 ,j1 , . . . , Sih ,jh } such that Si1 ,j1 ∪ . . . ∪ Sih ,jh = N \ R
Sc = {
Subset Cover Finding Algorithm Given R, find Sc = {Si1 ,j1 , . . . , Sih ,jh } such that Si1 ,j1 ∪ . . . ∪ Sih ,jh = N \ R
Sc = {
Subset Cover Finding Algorithm Given R, find Sc = {Si1 ,j1 , . . . , Sih ,jh } such that Si1 ,j1 ∪ . . . ∪ Sih ,jh = N \ R
i1
j1
Sc = {
Si ,j 1 1
i2
Si ,j 2 2
j2
Subset Cover Finding Algorithm Given R, find Sc = {Si1 ,j1 , . . . , Sih ,jh } such that Si1 ,j1 ∪ . . . ∪ Sih ,jh = N \ R
i1
j1
Sc = S{S , Si2 ,j2 , i1 ,j1{ c =
Si ,j 1 1
i2
Si ,j 2 2
j2
Subset Cover Finding Algorithm Given R, find Sc = {Si1 ,j1 , . . . , Sih ,jh } such that Si1 ,j1 ∪ . . . ∪ Sih ,jh = N \ R
i1
j1
Sc = S{S , Si2 ,j2 , i1 ,j1{ c =
Covered
Si ,j 1 1
i2
Si ,j 2 2
j2
Subset Cover Finding Algorithm Given R, find Sc = {Si1 ,j1 , . . . , Sih ,jh } such that Si1 ,j1 ∪ . . . ∪ Sih ,jh = N \ R
i1
j1
Sc = S{S , Si2 ,j2 , i1 ,j1{ c =
Covered
Si ,j 1 1
i2
Si ,j 2 2
j2
Subset Cover Finding Algorithm Given R, find Sc = {Si1 ,j1 , . . . , Sih ,jh } such that Si1 ,j1 ∪ . . . ∪ Sih ,jh = N \ R
i1
j1
Sc = S{S , Si2 ,j2 , i1 ,j1{ c =
Covered
Si ,j 1 1
i2
Si ,j 2 2
j2
Subset Cover Finding Algorithm Given R, find Sc = {Si1 ,j1 , . . . , Sih ,jh } such that Si1 ,j1 ∪ . . . ∪ Sih ,jh = N \ R
i3 i4 i1
j3
Si ,j 4 3
j1
Sc = S{S , Si2 ,j2 , i1 ,j1{ c =
Covered
Si ,j 1 1
i2
Si ,j 2 2
j2
Subset Cover Finding Algorithm Given R, find Sc = {Si1 ,j1 , . . . , Sih ,jh } such that Si1 ,j1 ∪ . . . ∪ Sih ,jh = N \ R
i3 i4 i1
j3
Si ,j 4 3
j1
Covered
Si ,j 1 1
Sc S=c {S = S{S S1{i,2 ,jS2 i,2 ,jS2 i,4 ,j3 , i1c,j1 = i,1 ,j
i2
Si ,j 2 2
j2
Subset Cover Finding Algorithm Given R, find Sc = {Si1 ,j1 , . . . , Sih ,jh } such that Si1 ,j1 ∪ . . . ∪ Sih ,jh = N \ R
i3 i4
j3
Si ,j 4 3
Covered j1
i1
Covered
Si ,j 1 1
Sc S=c {S = S{S S1{i,2 ,jS2 i,2 ,jS2 i,4 ,j3 , i1c,j1 = i,1 ,j
i2
Si ,j 2 2
j2
Subset Cover Finding Algorithm Given R, find Sc = {Si1 ,j1 , . . . , Sih ,jh } such that Si1 ,j1 ∪ . . . ∪ Sih ,jh = N \ R
i5 i3 i4
j3
Si ,j 4 3
Covered j1
i1
Covered
Si ,j 1 1
Sc S=c {S = S{S S1{i,2 ,jS2 i,2 ,jS2 i,4 ,j3 , i1c,j1 = i,1 ,j
i2
Si ,j 2 2
j2
Subset Cover Finding Algorithm Given R, find Sc = {Si1 ,j1 , . . . , Sih ,jh } such that Si1 ,j1 ∪ . . . ∪ Sih ,jh = N \ R
i5 i3 i4
j3
Si ,j 4 3
Covered j1
i1
Covered
Si ,j 1 1
ScS= = {S = {S ,,jS , S{,,SS, S ,, . ., .} = cS c {S i1 ,jS 1i1 c 1 i1i2,j,j12i2 ,j2 i2i4,j,j23i4 ,j3
i2
Si ,j 2 2
j2
NNL-SD Parameters
For n users out of which r are revoked: I
User storage: O(log2 (n)).
I
Maximum header length: 2r − 1.
I
Maximum decryption time: O(log n).
Outline Preliminaries Background NNL-SD: Initiation Define SNNL−SD Key Assignment Key Distribution
NNL-SD: Encryption Halevy-Shamir Layered SD Other Related Works Our Contributions Paper 1: Arbitrary n; Detailed Analysis Paper 2: Layering; Minimizing Storage Paper 3: k -ary Generalization Paper 4: Assured Savings on Communication Conclusion
Layered Subset Difference Scheme [HS02]
Halevy-Shamir (CRYPTO, 2002): “special levels” Special Levels 0
4 1
15
8 16
5
4
7 0
2
3
2
17
9 18
19
10 20
21
6
11 22
23
13
12 24
25
26
27
14 28
29
30
Using layering (with special levels), SHS−LSD ⊂ SNNL−SD .
Layered Subset Difference Scheme [HS02]
Halevy-Shamir (CRYPTO, 2002): “special levels” Special Levels 0
4 Layer 2
1
Layer 1 15
8 16
5
4
7 0
2
3
2
17
9 18
19
10 20
21
6
11 22
23
13
12 24
25
26
27
14 28
29
30
Using layering (with special levels), SHS−LSD ⊂ SNNL−SD .
Layered SD subsets Which Si,j ∈ SHS−LSD ? I
If i is at a special level: for all j in T i , Si,j ∈ SHS−LSD
I
If i is not at a special level: for all j in T i that are in the same layer as i, Si,j ∈ SHS−LSD
Layered SD subsets Which Si,j ∈ SHS−LSD ? I
If i is at a special level: for all j in T i , Si,j ∈ SHS−LSD
I
If i is not at a special level: for all j in T i that are in the same layer as i, Si,j ∈ SHS−LSD Ti
Tj
Layered SD subsets Which Si,j ∈ SHS−LSD ? I
If i is at a special level: for all j in T i , Si,j ∈ SHS−LSD
I
If i is not at a special level: for all j in T i that are in the same layer as i, Si,j ∈ SHS−LSD Ti special level
Tj
Layered SD subsets Si,j ∈ SNNL−SD \ SHS−LSD if I
i is not at a special level
I
and i and j are not in the same layer
Layered SD subsets Si,j ∈ SNNL−SD \ SHS−LSD if I
i is not at a special level
I
and i and j are not in the same layer
How to cover these subsets?
Layered SD subsets Si,j ∈ SNNL−SD \ SHS−LSD if I
i is not at a special level
I
and i and j are not in the same layer
How to cover these subsets? SPLIT!!! Ti special level Tk
Tj
Subsets in SSD \ SLSD are split into: Si,j = Si,k ∪ Sk ,j .
Layered SD Scheme I
Key for Si,k is Li,k = GM (GL (seedi ))
I
Key for Sk ,j is Lk ,j = GM (GR (GL (seedk ))) seedi k
special level
GR (seedi )
seedi,k = GL (seedi ) Li,k = GM (seedi,k ) seedk k GL (seedk )
GR (seedk ) j
seedk ,j = GR (GL (seedk ))
Lk ,j = GM (seedk ,j )
LSD Parameters
NNL-SD scheme: I
User storage needed: O(log2 (n)).
I
Maximum Header Length: 2r − 1.
I
Decryption Time: O(log n).
HS-LSD scheme: I
User Storage needed: O(log3/2 n).
I
Maximum header length: 4r − 2.
I
Decryption Time: O(log n).
Outline Preliminaries Background NNL-SD: Initiation Define SNNL−SD Key Assignment Key Distribution
NNL-SD: Encryption Halevy-Shamir Layered SD Other Related Works Our Contributions Paper 1: Arbitrary n; Detailed Analysis Paper 2: Layering; Minimizing Storage Paper 3: k -ary Generalization Paper 4: Assured Savings on Communication Conclusion
Other SD-based Schemes [GoodrichST04] Stratified SD I
Key assignment: Left and right preorder tree traversals
I
O(log n) storage; O(n) decryption time
I
Double header length
[FukushimaKTS08] 3-ary tree SD “However, in a general a-ary tree with a ≥ 4,... our hash chain approach fails... Thus, the construction of a coalition resistant a-ary SD method with reasonable communication, computation, and storage overhead is an open issue.”
[WangYL14] Balanced Double SD I
Published after I submitted my thesis
I
We have better results now
Analysis of SD scheme [ParkB06] I
Generating function for N(n, r , h)
I
Mean header length: “complex to compute and difficult to gain insight from”
[EagleOPR08] I
Small standard deviations
[MartinMW09] I
Maximum header length
Outline Preliminaries Background NNL-SD: Initiation Define SNNL−SD Key Assignment Key Distribution
NNL-SD: Encryption Halevy-Shamir Layered SD Other Related Works Our Contributions Paper 1: Arbitrary n; Detailed Analysis Paper 2: Layering; Minimizing Storage Paper 3: k -ary Generalization Paper 4: Assured Savings on Communication Conclusion
Complete Tree SD (CTSD) Scheme
Question: What happens when n 6= 2`0 ? Answer: Add dummy users to get to the next power of two. I
If the dummy users are considered revoked, then the effect on the header length is disastrous.
I
If the dummy users are privileged, the situation is better but, there is still a measurable effect on the header length.
Solution: Use a complete binary tree. I
“Completes” (and also subsumes) the NNL-SD scheme to work for any number of users.
I
Conceptually simple; working out the details is a bit involved.
CTSD Scheme: Header Length Analysis (n, r )-revocation A choice of r revoked users out of total n users For each (n, r )-revocation, h ∈ {1, . . . , hmax }
N(n, r , h) #(n, r )-revocations for which the the header length is h.
CTSD Scheme: Header Length Analysis (n, r )-revocation A choice of r revoked users out of total n users For each (n, r )-revocation, h ∈ {1, . . . , hmax }
N(n, r , h) #(n, r )-revocations for which the the header length is h. How to compute N(n, r , h)? The only known method would � I enumerate all possible n (n, r )-revocations r I
run the cover finding algorithm for each
I
count the number of (n, r )-revocations leading to a header of size h.
Recurrence relation for N(n, r , h) I
P N(λi , r1 , h1 ) = T (λi , r1 , h1 ) + j∈IN(i) T (λj , r1 , h1 − 1) where IN(i) is the set of all internal nodes in the subtree T i excluding the node i.
I
T (λi , r1 , h1 ) = Ph1 Pr1 −1 0 0 0 0 r 0 =1 h0 =0 N(λ2i+1 , r , h ) × N(λ2i+2 , r1 − r , h1 − h ) where λ2i+1 (respectively λ2i+2 ) is the number of leaves in the left (respectively right) subtree of T i .
T (λi , r1 , h1 )
r1 < 0
r1 = 0
r1 = 1
r1 > n
0 0
0 0
0 0
2 ≤ r1 < n 0 from rec.
r1 = n
h1 = 0 h1 ≥ 1
1 0
0 0
N(λi , r1 , h1 )
r1 < 0
r1 = 0
r1 = 1
2 ≤ r1 < n
r1 = n
r1 > n
h1 = 0 h1 = 1 h1 > 1
0 0 0
0 1 0
0 n 0
0 from rec. from rec.
1 0 0
0 0 0
Table: Boundary conditions on T (n, r , h) and N(n, r , h).
Computing N(n, r , h) Dynamic Programming: I
N(n, r , h) can be computed in O(r 2 h2 log n + rh log2 n) time and O(rh log n) space.
I
N(n, r , h) for all possible h can be computed in O(r 4 log n + r 2 log n) time and O(r 2 log2 n) space.
I
N(n, r , h) for all possible r and h can be computed in O(n4 log n + n2 log2 n) time and O(n2 log n) space.
I
N(i, r , h) for 2 ≤ i ≤ n and all possible r and h can be computed in O(n5 + n3 log n) time and O(n3 ) space.
The combinatorics behind the cover generation algorithm was well captured! (for n ~125)
Using N(n, r , h): Maximum Header Length
Theorem The maximum header � �length in the CTSD method for n users is hmax = min(2r − 1, n2 , n − r ). I I
For the NNL-SD scheme, the bound of 2r − 1 was known. Complete (refined) picture: I I I
if r ≤ n/4, hmax = 2r − 1; if n/4 < r ≤ n/2, hmax = n/2; and for r > n/2, hmax = n − r .
Using N(n, r , h): More analysis nr The value of n for which the header length of 2r − 1 is achieved with r revoked users. I
Obtained a complete characterization of nr .
Generating Function I
Similar to that of [PB06]
Probabilities and Expectation I
For n ~125
I
Compute probabilities of h ∈ {1, . . . , hmax }
I
Compute expected value Hn,r
Expected Header Length Random experiment Select a random subset of revoked users R from N (Select a random (n, r )-revocation).
Event: Node i generates a subset Si,j I
i = 1 if S ∈ S for some j; Xn,r c i,j
I
i = 0 otherwise. Xn,r 0 1 n−1 h = Xn,r + Xn,r + · · · Xn,r =
n−1 X
i Xn,r
i=0
Hn,r : expected header length for (n, r )-revocations. Hn,r =
n−1 X i=0
i ]= E[Xn,r
n−1 X i=0
i = 1] Pr[Xn,r
Hn,r for all SD based schemes
This technique has been useful for other SD-based schemes:
Hn,r =
n−1 X
i Pr[Xn,r = 1]
i=0
For the NNL-SD scheme: Computing Hn,r requires O(r log n) time and O(1) space.
Hn,r for the NNL-SD Scheme
Theorem: For all n ≥ 1, r ≥ 1, the expected header length Hn,r ↑ Hr , as n increases through powers of two, where Hr = 3r − 2 − 3 ×
r −1 � X i=1
r Hr /r
2 1.25
3 1.25
! � � k i k) i (2 − 3 1 �i X + (−1)k − . k (2k − 1) 2 k =1
4 1.2455
5 1.2446
6 1.2448
Outline Preliminaries Background NNL-SD: Initiation Define SNNL−SD Key Assignment Key Distribution
NNL-SD: Encryption Halevy-Shamir Layered SD Other Related Works Our Contributions Paper 1: Arbitrary n; Detailed Analysis Paper 2: Layering; Minimizing Storage Paper 3: k -ary Generalization Paper 4: Assured Savings on Communication Conclusion
Halevy-Shamir LSD Scheme Special Levels `0 = 4
0
d1 = 2
1 `1 = 2
d2 = 2 15
9
8 16
5
4
7 `2 = 0
2
3
17
18
19
10 20
21
6
11 22
23
13
12 24
25
26
27
14 28
29
[HS02]: “The root is considered to be at a special level, p and in addition we consider every level of depth k · log (n) for k = 1 . . . log (n) as special (wlog, we assume that these numbers are integers).” n = 2`0 with `0 = 4, 9, 16, 25 only?
30
Layering Strategy
A choice of special levels is called a layering strategy.
General layering strategy ` I
Layering strategy ` = (`0 , . . . , `e ): I I
I
has e + 1 special levels `0 > `1 > . . . > `e−1 > `e = 0.
Layering strategy d = (d1 , . . . , de ) I I
di = `i − `i−1 is a layer length In general, the layer lengths need not be (almost) equal.
Extending the HS Scheme Residual bottom layer Write `0 = d(e − 1) + p where 1 ≤ p ≤ d. Then the special levels are `0 , `0 − d, `0 − 2d, . . ., ` − d(e − 1), 0.
Balanced layering or extended-HS (eHS) Write `0 = d(e − 1) + p = (e − d + p)d + (d − p)(d − 1). Define the layer lengths from the top to be (d, . . . , d , d − 1, . . . , d − 1). | {z } | {z } e−d+p
d−p
Layering Strategy and User Storage
Layering strategy: ` = (`0 , . . . , `e )
storage0 (`) =
e−1 X i=0
e−1
`i +
1X (`i − `i+1 )(`i − `i+1 − 1). 2 i=0
storage0 (`0 , `1 , . . . , `e ) (`0 − `1 )(`0 − `1 − 1) = `0 + + storage0 (`1 , . . . , `e ). 2
Storage Minimal Layering SML0 (`0 ) A layering strategy which minimizes the user storage among all layering strategies.
#SML0 (`0 ) User storage required by SML0 (`0 ).
#SML0 (`0 ) = #SML0 (e, `0 ) =
min #SML0 (e, `0 );
1≤e≤`0
min storage0 (`0 , `1 , . . . , `e )
(`0 ,...,`e )
Dynamic programming algorithm to compute #SML0 (`0 ): O(`30 ) time and O(`20 ) space.
Root at a Non-Special Level [HS02]: “The root is considered to be at a special level, and ...”
Making root level `0 non-special: I
storage1 (`) = storage0 (`) − `1 . Hence, user storage decreases.
I
0 = 1] is small. Pr[Xn,r Hence, negligible increase in the expected header size.
SML1 (`0 ): SML with non-special root. #SML1 (`0 ): corresponding user storage.
Examples of SML
Suppose there are 228 users, i.e., `0 = 28 (a good estimate as per the CableLabs website) Scheme Name NNL-SD: eHS: SML0 : SML1 :
Layering ` (28,0) (28,22,16,10,5,0) (28,21,15,10,6,3,1,0) (22,16,11,7,4,2,0)
Storage |Iu | 406 146 140 119
Other Results
Complete Tree LSD scheme Maximum Header Length I
hmax = min (4r − 2,
I
hmax = min (4r − 3,
�n� � n2 � 2
, n − r ) if root is non-special. , n − r ) if root is special.
Expected Header Length: I
The splitting of subsets complicates the analysis.
I
O(r log2 n) time and O(1) space.
Constrained Minimization I
I
For a given r , the contribution of level `max = `0 − log2 r to the header is maximum. As r ↑, `max ↓. Hence, I
I
Depending on the application, fix a value of rmin and set `max = `0 − log2 rmin . Let ` = {`max , 0}.
Constrained Minimization I
I
For a given r , the contribution of level `max = `0 − log2 r to the header is maximum. As r ↑, `max ↓. Hence, I
I
Depending on the application, fix a value of rmin and set `max = `0 − log2 rmin . Let ` = {`max , 0}.
Result: Hn,r close to that of NNL-SD, but, with lower user storage.
Constrained Minimization I
I
For a given r , the contribution of level `max = `0 − log2 r to the header is maximum. As r ↑, `max ↓. Hence, I
I
Depending on the application, fix a value of rmin and set `max = `0 − log2 rmin . Let ` = {`max , 0}.
`max = `0 − log2 r
Result: Hn,r close to that of NNL-SD, but, with lower user storage.
Constrained Minimization I
I
For a given r , the contribution of level `max = `0 − log2 r to the header is maximum. As r ↑, `max ↓. Hence, I
I
Depending on the application, fix a value of rmin and set `max = `0 − log2 rmin . Let ` = {`max , 0}.
`max = `0 − log2 r
Result: Hn,r close to that of NNL-SD, but, with lower user storage.
A CML Example
n = 228 and rmin = 210 . Scheme NNL-SD: eHS: CML:
Layering ` (28,0) (28,22,16,10,5,0) (23, 18,0)
|Iu | 406 146 219
Hn,r (normalized with NNL-SD) (1.00, 1.00, 1.00, 1.00, 1.00, 1.00, 1.00, 1.00, 1.00, 1.00) (1.69, 1.63, 1.64, 1.67, 1.69, 1.72, 1.73, 1.74, 1.75, 1.75) (1.14, 1.08, 1.04, 1.03, 1.01, 1.01, 1.00, 1.00, 1.00, 1.00)
Header lengths for 10 equispaced values of r from 210 to 214 normalized by the header length of the NNL-SD scheme.
Outline Preliminaries Background NNL-SD: Initiation Define SNNL−SD Key Assignment Key Distribution
NNL-SD: Encryption Halevy-Shamir Layered SD Other Related Works Our Contributions Paper 1: Arbitrary n; Detailed Analysis Paper 2: Layering; Minimizing Storage Paper 3: k -ary Generalization Paper 4: Assured Savings on Communication Conclusion
k -ary tree SD seedi i
Li,{j} = G100 (seedi )
G010 (seedi )
j j1
G001 (seedi )
j2
Li,{j ,j } = G011 (Li,{j} ) 1 2
Figure: Key of Si,{j1 ,j2 } is G000 (Li,{j1 ,j2 } ) = G000 (G011 (G100 (seedi ))).
User storage 1 + (2
k −1
− 1)
`0 X `=1
`=1+
`0 (`0 + 1) k −1 (2 − 1) 2
... reduced using additional tree structure (constructed using cyclotomic cosets mod 2k − 1)
k -ary tree SD: Results I
Why k -ary trees? I
|S| ↑ =⇒ (Hn,r ↓, |Iu | ↑)
k -ary tree SD: Results I
Why k -ary trees? I
|S| ↑ =⇒ (Hn,r ↓, |Iu | ↑)
always?
k -ary tree SD: Results I
Why k -ary trees? I I
|S| ↑ =⇒ (Hn,r ↓, |Iu | ↑) Hierarchy of Optimization
always?
k -ary tree SD: Results I
Why k -ary trees? I I
I
always?
Header length analysis I I
I
|S| ↑ =⇒ (Hn,r ↓, |Iu | ↑) Hierarchy of Optimization
hmax = min (2r − 1, dn/k e, n − r ) Algorithm to compute Hn,r (for n = k `0 ) O(r log n) space; O(1) time
Reducing user storage I I
Using cyclotomic cosets modulo 2k − 1 An additional tree structure T (k )
k -ary tree SD: Results I
Why k -ary trees? I I
I
I
I
I
Using cyclotomic cosets modulo 2k − 1 An additional tree structure T (k )
Complete Tree for arbitrary number of users Layering I
I
hmax = min (2r − 1, dn/k e, n − r ) Algorithm to compute Hn,r (for n = k `0 ) O(r log n) space; O(1) time
Reducing user storage I
I
always?
Header length analysis I
I
|S| ↑ =⇒ (Hn,r ↓, |Iu | ↑) Hierarchy of Optimization
Storage Minimal Layering
Header length simulation study (for n 6= k `0 )
k -ary tree SD: Header length and user storage n
103
105
107
k
usk
2 3 4 5 6 7 8 2 3 4 5 6 7 8 2 3 4 5 6 7 8
55 56 60 90 120 180 340 153 132 180 216 336 378 714 300 240 312 396 540 810 1224
MHLk /r (1.10, 0.98, 0.72) (1.27, 1.06, 0.72) (1.21, 0.96, 0.59) (1.11, 0.84, 0.50) (1.03, 0.73, 0.42) (0.95, 0.65, 0.36) (0.86, 0.58, 0.32) (1.11, 0.97, 0.71) (1.27, 1.06, 0.72) (1.20, 0.96, 0.59) (1.11, 0.84, 0.49) (1.02, 0.73, 0.41) (0.94, 0.65, 0.36) (0.87, 0.58, 0.31) (1.11, 0.97, 0.71) (1.27, 1.06, 0.72) (1.20, 0.96, 0.59) (1.11, 0.84, 0.49) (1.02, 0.73, 0.41) (0.94, 0.65, 0.36) (0.87, 0.58, 0.31)
n
104
106
108
k
usk
2 3 4 5 6 7 8 2 3 4 5 6 7 8 2 3 4 5 6 7 8
105 90 112 126 252 270 510 210 182 220 270 432 648 952 378 306 420 468 792 990 1530
MHLk /r (1.11, 0.97, 0.71) (1.26, 1.07, 0.72) (1.20, 0.96, 0.59) (1.11, 0.84, 0.49) (1.02, 0.73, 0.41) (0.94, 0.65, 0.36) (0.86, 0.58, 0.31) (1.11, 0.97, 0.71) (1.27, 1.07, 0.72) (1.20, 0.96, 0.59) (1.11, 0.84, 0.49) (1.02, 0.73, 0.41) (0.94, 0.65, 0.36) (0.87, 0.58, 0.31) (1.11, 0.97, 0.71) (1.27, 1.06, 0.72) (1.20, 0.96, 0.59) (1.11, 0.84, 0.49) (1.02, 0.73, 0.41) (0.94, 0.65, 0.36) (0.87, 0.58, 0.31)
Table: MHLk /r for r = (0.1n, 0.2n, 0.4n).
k -ary tree SD
k δk
3 0.44
4 0.19
5 0.11
6 0.07
7 0.05
8 0.04
Table: Values of the threshold δk .
16 < 0.01
Outline Preliminaries Background NNL-SD: Initiation Define SNNL−SD Key Assignment Key Distribution
NNL-SD: Encryption Halevy-Shamir Layered SD Other Related Works Our Contributions Paper 1: Arbitrary n; Detailed Analysis Paper 2: Layering; Minimizing Storage Paper 3: k -ary Generalization Paper 4: Assured Savings on Communication Conclusion
a-ABTSD scheme
I
SNNL−SD ⊂ Sa−ABTSD I
Augment trees of height a (with k = 2a leaf nodes)
a-ABTSD scheme
I
SNNL−SD ⊂ Sa−ABTSD I I
Augment trees of height a (with k = 2a leaf nodes) (Better?) Hierarchy of Optimization
a-ABTSD scheme
I
SNNL−SD ⊂ Sa−ABTSD I I
I
Header length analysis I
I
Augment trees of height a (with k = 2a leaf nodes) (Better?) Hierarchy of Optimization hmax = min (2r − 1, dn/k e, n − r )
Reducing user storage I I
Using cyclotomic cosets modulo 2k − 1 An additional tree structure T (k )
I
Complete Tree for arbitrary number of users
I
Header length simulation study
a-ABTSD: Header length and user storage
n 103
105
107
a
usa (n)
MHLa /r
1 2 3 4 1 2 3 4 1 2 3 4
55 145 1279 115247 153 425 4233 432123 300 852 8902 950634
(1.11, 0.97, 0.71) (0.96, 0.78, 0.53) (0.75, 0.53, 0.31) (0.52, 0.31, 0.16) (1.11, 0.97, 0.71) (0.96, 0.78, 0.53) (0.75, 0.53, 0.31) (0.52, 0.30, 0.16) (1.11, 0.97, 0.71) (0.96, 0.78, 0.53) (0.75, 0.53, 0.31) (0.52, 0.30, 0.16)
n 104
106
108
a
usa (n)
1 2 3 4 1 2 3 4 1 2 3 4
105 287 2757 271629 210 590 6024 629652 378 1080 11428 1234578
MHLa /r (1.11, 0.97, 0.71) (0.96, 0.78, 0.53) (0.75, 0.53, 0.31) (0.52, 0.30, 0.16) (1.11, 0.97, 0.71) (0.96, 0.78, 0.53) (0.75, 0.53, 0.31) (0.52, 0.30, 0.16) (1.11, 0.97, 0.71) (0.96, 0.78, 0.53) (0.75, 0.53, 0.31) (0.52, 0.30, 0.16)
Table: MHLa /r for three different choices of r namely, r = (0.1n, 0.2n, 0.4n).
a-ABTSD performance
with b = 2a − 1 and c = `0 .
(a, b, c)-ABTSD
with a = 5 and c = `0 .
(a, b, c)-ABTSD
with b = 2a − 1.
Preliminaries Background Our Contributions Conclusion
Implementations
Schemes: I
NNL-SD, HS-LSD and all new schemes
Analysis: I
Header length algorithms
I
User storage algorithms
I
...
What this thesis is NOT about
Asymptotic Improvements
What this thesis is ALL about
Combinatorial and Probabilistic Analysis
What this thesis is ALL about
Combinatorial and Probabilistic Analysis Obtaining Hierarchies of Optimization
Summary of Contributions I
What if n 6= 2`0 ?
1, 2, 3, 4 Use dummy users or complete trees?
Summary of Contributions I
What if n 6= 2`0 ?
1, 2, 3, 4 Use dummy users or complete trees? I
Analysis of SD-based schemes?
Summary of Contributions I
What if n 6= 2`0 ?
1, 2, 3, 4 Use dummy users or complete trees? I
Analysis of SD-based schemes? 1 N(n, r , h)
Summary of Contributions I
What if n 6= 2`0 ?
1, 2, 3, 4 Use dummy users or complete trees? I
Analysis of SD-based schemes? 1 N(n, r , h) 1 Generating function [PB06]
Summary of Contributions I
What if n 6= 2`0 ?
1, 2, 3, 4 Use dummy users or complete trees? I
Analysis of SD-based schemes?
1 N(n, r , h) 1 Generating function [PB06] 1, 2, 3, 4 Maximum and Mean Header Lengths (Hn,r )? I
In [PB06]: too complicated!!! (approximations)
Summary of Contributions I
What if n 6= 2`0 ?
1, 2, 3, 4 Use dummy users or complete trees? I
Analysis of SD-based schemes?
1 N(n, r , h) 1 Generating function [PB06] 1, 2, 3, 4 Maximum and Mean Header Lengths (Hn,r )? I
In [PB06]: too complicated!!! (approximations)
1 Upper bound on Hn,r ?
Summary of Contributions I
What if n 6= 2`0 ?
1, 2, 3, 4 Use dummy users or complete trees? I
Analysis of SD-based schemes?
1 N(n, r , h) 1 Generating function [PB06] 1, 2, 3, 4 Maximum and Mean Header Lengths (Hn,r )? I
In [PB06]: too complicated!!! (approximations)
1 Upper bound on Hn,r ? I I
1.38r (sketchy proof [NNL01]) 1.25r (empirical [NNL01]) - theoretical analysis?
Summary of Contributions I
What if n 6= 2`0 ?
1, 2, 3, 4 Use dummy users or complete trees? I
Analysis of SD-based schemes?
1 N(n, r , h) 1 Generating function [PB06] 1, 2, 3, 4 Maximum and Mean Header Lengths (Hn,r )? I
In [PB06]: too complicated!!! (approximations)
1 Upper bound on Hn,r ? I I
I
1.38r (sketchy proof [NNL01]) 1.25r (empirical [NNL01]) - theoretical analysis?
Choice of S: |S| ↑ or |S| ↓?
Summary of Contributions I
What if n 6= 2`0 ?
1, 2, 3, 4 Use dummy users or complete trees? I
Analysis of SD-based schemes?
1 N(n, r , h) 1 Generating function [PB06] 1, 2, 3, 4 Maximum and Mean Header Lengths (Hn,r )? I
In [PB06]: too complicated!!! (approximations)
1 Upper bound on Hn,r ? I I
I
1.38r (sketchy proof [NNL01]) 1.25r (empirical [NNL01]) - theoretical analysis?
Choice of S: |S| ↑ or |S| ↓? 2 Storage minimal layering
Summary of Contributions I
What if n 6= 2`0 ?
1, 2, 3, 4 Use dummy users or complete trees? I
Analysis of SD-based schemes?
1 N(n, r , h) 1 Generating function [PB06] 1, 2, 3, 4 Maximum and Mean Header Lengths (Hn,r )? I
In [PB06]: too complicated!!! (approximations)
1 Upper bound on Hn,r ? I I
I
1.38r (sketchy proof [NNL01]) 1.25r (empirical [NNL01]) - theoretical analysis?
Choice of S: |S| ↑ or |S| ↓? 2 Storage minimal layering 2 Constrained minimization layering
Summary of Contributions I
What if n 6= 2`0 ?
1, 2, 3, 4 Use dummy users or complete trees? I
Analysis of SD-based schemes?
1 N(n, r , h) 1 Generating function [PB06] 1, 2, 3, 4 Maximum and Mean Header Lengths (Hn,r )? I
In [PB06]: too complicated!!! (approximations)
1 Upper bound on Hn,r ? I I
I
1.38r (sketchy proof [NNL01]) 1.25r (empirical [NNL01]) - theoretical analysis?
Choice of S: |S| ↑ or |S| ↓? 2 Storage minimal layering 2 Constrained minimization layering 3 k -ary tree SD scheme
Summary of Contributions I
What if n 6= 2`0 ?
1, 2, 3, 4 Use dummy users or complete trees? I
Analysis of SD-based schemes?
1 N(n, r , h) 1 Generating function [PB06] 1, 2, 3, 4 Maximum and Mean Header Lengths (Hn,r )? I
In [PB06]: too complicated!!! (approximations)
1 Upper bound on Hn,r ? I I
I
1.38r (sketchy proof [NNL01]) 1.25r (empirical [NNL01]) - theoretical analysis?
Choice of S: |S| ↑ or |S| ↓? 2 2 3 4
Storage minimal layering Constrained minimization layering k -ary tree SD scheme (a, b, c)-ABTSD scheme
|S|
Intuition: Choice of S: |S| ↑ or |S| ↓
|S|
Intuition: Choice of S: |S| ↑ or |S| ↓
Singleton Set scheme
|S|
Intuition: Choice of S: |S| ↑ or |S| ↓ Power Set scheme
Singleton Set scheme
|S|
Intuition: Choice of S: |S| ↑ or |S| ↓ Power Set scheme
NNL-SD scheme
Singleton Set scheme
|S|
Intuition: Choice of S: |S| ↑ or |S| ↓ Power Set scheme
NNL-SD scheme HS-LSD scheme Singleton Set scheme
|S|
Intuition: Choice of S: |S| ↑ or |S| ↓ Power Set scheme
NNL-SD scheme HS-LSD scheme Singleton Set scheme
|S|
Intuition: Choice of S: |S| ↑ or |S| ↓ Power Set scheme
NNL-SD scheme HS-LSD scheme Singleton Set scheme
|S|
Intuition: Choice of S: |S| ↑ or |S| ↓ Power Set scheme
NNL-SD scheme HS-LSD scheme Singleton Set scheme
|S|
Intuition: Choice of S: |S| ↑ or |S| ↓ Power Set scheme
NNL-SD scheme HS-LSD scheme Singleton Set scheme
|S|
Intuition: Choice of S: |S| ↑ or |S| ↓ Power Set scheme
NNL-SD scheme HS-LSD scheme Singleton Set scheme
a-ABTSD schemes (for different values of a)
|S|
Intuition: Choice of S: |S| ↑ or |S| ↓ Power Set scheme
NNL-SD scheme HS-LSD scheme Singleton Set scheme
a-ABTSD schemes (for different values of a)
k -SD schemes (for different values of k )
|S|
Intuition: Choice of S: |S| ↑ or |S| ↓ Power Set scheme
NNL-SD scheme HS-LSD scheme Singleton Set scheme
a-ABTSD schemes (for different values of a)
k -SD schemes (for different values of k )
Publications Sanjay Bhattacherjee and Palash Sarkar. Complete tree subset difference broadcast encryption scheme and its analysis. Des. Codes Cryptography, 66(1-3):335–362, 2013. Sanjay Bhattacherjee and Palash Sarkar. Concrete analysis and trade-offs for the (complete tree) layered subset difference broadcast encryption scheme. IEEE Transactions on Computers, 63(7): 1709–1722, 2014. Sanjay Bhattacherjee and Palash Sarkar. Tree based symmetric key broadcast encryption. J. Discrete Algorithms, 34: 78–107, 2015. Sanjay Bhattacherjee and Palash Sarkar. Reducing communication overhead of the subset difference scheme. IEEE Transactions on Computers, to appear. Sanjay Bhattacherjee and Palash Sarkar. Implementations related to the above papers, https://drive.google.com/ folderview?id=0B7azs7qqqdS0UnB5aHp3WmJwcDQ&usp=sharing_eil. Uploaded on 13th August, 2014.
Open Questions
Schemes:
Open Questions
Schemes: I
More hierarchies of optimization?
Open Questions
Schemes: I
More hierarchies of optimization?
I
Practical scheme with hmax < r
Open Questions
Schemes: I
More hierarchies of optimization?
I
Practical scheme with hmax < r
I
Stateless as well as forward secure?
I
...
Analysis:
Open Questions
Schemes: I
More hierarchies of optimization?
I
Practical scheme with hmax < r
I
Stateless as well as forward secure?
I
...
Analysis: I
Non-uniform distribution of revoked users?
I
...
Acknowledgement
I
Prof. Palash Sarkar
I
Friends
I
Family
Desirable Properties
Fully Collusion Resistant
Desirable Properties
Fully Collusion Resistant
Dynamic revocation
Desirable Properties
Fully Collusion Resistant
Stateless / Stateful
Dynamic revocation
Desirable Properties
Fully Collusion Resistant
Dynamic revocation
Stateless / Stateful
Traitor Tracing
Desirable Properties
Fully Collusion Resistant
Dynamic revocation
Dynamic joining / leaving of users
Stateless / Stateful
Traitor Tracing
Assigning seeds to users
Figure: From one derived seed, keys of many subsets can be generated
Assigning seeds to users Ti
u Ti
u Figure: From one derived seed, keys of many subsets can be generated
Assigning seeds to users Ti Tj
u Ti
u Figure: From one derived seed, keys of many subsets can be generated
Assigning seeds to users Ti Tj
u Ti
u Figure: From one derived seed, keys of many subsets can be generated
Assigning seeds to users Ti Tj
u Ti
Tj u Figure: From one derived seed, keys of many subsets can be generated
Assigning seeds to users Ti Tj
u Ti
Tj u Figure: From one derived seed, keys of many subsets can be generated
Assigning seeds to users Ti
u Ti
u Figure: From one derived seed, keys of many subsets can be generated
Assigning seeds to users Ti Tj u Ti
u Figure: From one derived seed, keys of many subsets can be generated
Assigning seeds to users Ti Tj u Ti
u Figure: From one derived seed, keys of many subsets can be generated
Assigning seeds to users Ti Tj u Ti
u Tj Figure: From one derived seed, keys of many subsets can be generated
Assigning seeds to users Ti Tj u Ti
u Tj Figure: From one derived seed, keys of many subsets can be generated
