On The Algebraic Structure of Combinatorial Broadcast Encryption Schemes and Applications

1
On The Algebraic Structure of Combinatorial Broadcast Encryption Schemes and Applications
  • Serdar Pehlivanoglu (pay-live-a-no-glue)
  • Joint work with Aggelos Kiayias
  • aggelos_at_cse.uconn.edu

2
Digital Content Distribution
  • What is digital content distribution?
  • It is multi-recipient transmission
  • Access Control
  • Multi-recipient encryption

Diagram: a Transmission Center sends over an Insecure Channel to the recipient population U1, U2, U3, ..., Un.
3
Multi-Recipient Encryption
Diagram: a Licensing Agency issues keys to a number of Distributors; each Distributor's Transmission Center sends over an Insecure Channel to its own recipient population U1, U2, U3, ..., Un.
4
Applications
  • Encryption for DVDs and other Media content
    distribution systems.
  • Regular DVDs and Blu-ray discs.
  • Filesystem Access Permissions.
  • Etc.

5
Challenges
  • Minimizing:
  • Transmission overhead.
  • Key storage for receivers.
  • Key derivation time for receivers.

6
Example: Linear Trace & Revoke Scheme
Diagram: the Licensing Agency issues a secret key si to each user Ui (s1 to U1, s2 to U2, s3 to U3, ..., sn to Un); the Content Distributor broadcasts Es1(k), Es2(k), Es3(k), ..., Esn(k) together with Ek(m).
Transmission overhead: n. Key storage: 1. Key derivation: 1.
7
Subset Cover Framework (SCF)
  • Subset Cover Framework [NNL01]
  • General combinatorial framework. Can describe many schemes.
  • Tracing and revoking an unlimited number of users.
  • Seamless integration of tracing and revoking.
  • N is the set of all recipients, R is the set of excluded recipients.
  • Define a set system Φ = {S1, S2, ..., Sw} ⊆ 2^N.
  • Revocation property (fully exclusive): any subset S of N can be partitioned into disjoint subsets from Φ.

8
Encryption in SCF
  • Each subset Si ∈ Φ is associated with a long-lived key Li.
  • Key Assignment: any user u has access to Li through its private information if and only if u ∈ Si.
  • Revocation algorithm: given R, find a partition of N \ R s.t. N \ R = ∪_{i=1}^{m} Si, with associated keys L1, L2, ..., Lm.
  • The ciphertext is

9
A series of works

Subset Cover Scheme                        Transmission   Computation   Key Storage         Venue
CS                                         r log(N/r)     1             log N               Crypto 2001
SD                                         2r - 1         log N         log^2 N             Crypto 2001
Basic LSD                                  4r - 1         log N         log^{3/2} N         Crypto 2002
SSD                                        4kr            N^{1/k}       2k log N            Crypto 2004
Basic Key Chain Tree                       2r             N             2 log N             ISC 2004
Subset Incremental Chain System (SIC)      2kr            N^{1/k}       2 log N             Asiacrypt 2005
One-Way Chain                              r/k            N - r         N^k                 Eurocrypt 2005
w-Complete Tree SIC                        2r             k N^{1/k}     k((log N)/2 + 1)    Financial Crypto 2006
10
Our Focus
  • Study the algebraic structure of SCF.
  • Based on the observation that the underlying set system constitutes a partially ordered set (key poset).
  • Generic revocation and tracing algorithms.
  • What are sufficient conditions for optimal revocation and tracing?
  • How to design new schemes tailored to specific scenarios, or improve aspects of existing ones?

A poset is a set P with a relation ≤ that is reflexive, antisymmetric, and transitive.
11
The Key Poset
  • Given any SCF instance we define the key poset:
  • Nodes ↔ Subsets ↔ Keys; Leaves ↔ Users.
  • Edges represent the subset relation.
  • The set system is represented by the nodes in the Hasse diagram of the key poset.
  • Revocation: finding the nodes that cover the enabled set of leaves.
  • Tracing: finding the nodes that cover the nodes not used by the pirate decoder.
  • Key Assignment: all keys of the nodes above a leaf are known to (or derived by) that leaf.

Diagram: Hasse diagram of a key poset over four users U1, U2, U3, U4. In this example: transmission overhead 1, key storage 2n-1, key derivation 1.
12
Subset Difference Method [NNL01]
Diagram: a node vi with a descendant vj; Si,j is the set of all leaves in the subtree of vi but not in the subtree of vj.
13
The Key Poset of NNL
14
A Basic Question
  • What makes a key poset "good"?
  • Is it possible to describe "good" in algebraic terms?
  • Observe: to revoke we need to efficiently solve some instance of set cover.

15
Short Primer on Partial Orders
  • A nonempty subset I of a poset (P, ≤) is called an ideal if I is lower and directed.
  • A nonempty subset A of a poset (P, ≤) is called a directed set if for any two elements a, b ∈ A there exists c ∈ A such that a ≤ c and b ≤ c.
  • It is called a lower set if for every x ∈ A, y ≤ x implies that y ∈ A.

16
An ideal in the SD key poset
17
Our Objective
  • We need to solve a set cover efficiently.
  • Basic observation: if the set system is an ideal, we can do this efficiently.
  • IdealCover(u): starting from u, grow up until you hit the top.
  • Basic operation: grow.

18
Short Primer on Partial Orders
  • An atom in a poset P is an element that is minimal among all elements.
  • The dual notion of an ideal, the one obtained in the reverse partial order, is called a filter.
  • We call F(x) an atomic filter if x is an atom.
  • We denote by Px the complement of F(x) in (P, ≤).

19
Filter
20
The Complement of a Filter
21
The Complement of a Filter
In general, the complement of a filter is a lower set (not necessarily an ideal).
22
Lower Maximal Partitions
  • Given a nonempty subset A of a poset (P, ≤) that is a lower set, we say ⟨M1, M2, ..., Mk⟩ is a lower-maximal partition of A if:
  • Mi is a lower set for i = 1, ..., k.
  • The atoms of Mi and Mj are different provided that i ≠ j.
  • Mi is maximal with respect to A, i.e. if a ∈ Mi and ∃ b ∈ A s.t. a ≤ b, then b ∈ Mi.
  • k is the largest integer such that all of the above hold.
  • The order of a lower set A is defined as the size of its lower-maximal partition. We denote the order by ord(A).
  • Proposition. Any lower set A of a poset (P, ≤) has a unique lower-maximal partition.

23
Separable Families
  • We say a set system Φ is separable if, in the lower-maximal partition ⟨M1, M2, ..., Mk⟩ of Φ, it holds that Mi is an ideal of Φ for i = 1, ..., k.

24
Set Covering Separable Families
  • Given a separable family we can easily solve set cover:
  • Pick a user and grow along a chain until you hit the top.
  • Repeat with a user outside the ideals selected so far.
  • Needs grow and select-outside-subset as basic operations.
  • Complexity: the sum of the chain lengths over the ideals, each chain being of poly-logarithmic length.

25
Factorizable Families
  • A fully-exclusive set system Φ is called factorizable if it is an ideal and, for any ideal I ⊆ Φ and any atom u, it holds that I ∩ Pu is separable.
  • Hint: being factorizable implies good behavior w.r.t. revocation.

26
Basic Theorem
  • Definition. Φ_R = Revoke(Φ, R) is the family Pu1 ∩ ... ∩ Pur, where R = {u1, ..., ur}.
  • Theorem. If Φ is factorizable, then Φ_R = Revoke(Φ, R) is separable.

27
Revocation Algorithm
  • The theorem implies the revocation algorithm Cover(N, R):
  • Given Φ and R,
  • determine Φ_R = Revoke(Φ, R);
  • set-cover Φ_R.
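The Cover(N, R) algorithm above, worked through on the Complete Subtree (CS) scheme of [NNL01] from the table of prior work, as an added example that is not code from the presentation or its authors. It assumes N = 2^h users at the leaves of a full binary tree, each tree node standing for the subset of leaves below it; the (level, index) node labelling and user numbering are my own conventions.

```python
"""Complete Subtree (CS) scheme of [NNL01] viewed as a key poset.

Added example, not code from the presentation. Tree nodes are labelled
(level, index): level 0 is the root, level h holds the N = 2^h leaves
(users). A node stands for the subset of leaves below it, so the tree is
the Hasse diagram of the key poset and every node carries one key."""
from typing import FrozenSet, List, Set, Tuple

Node = Tuple[int, int]  # (level, index within that level)

def leaves(node: Node, h: int) -> FrozenSet[int]:
    """The subset S of users represented by a node: all leaves under it."""
    level, idx = node
    width = 1 << (h - level)
    return frozenset(range(idx * width, (idx + 1) * width))

def parent(node: Node) -> Node:
    level, idx = node
    return (level - 1, idx // 2)

def grow(node: Node, h: int, revoked: Set[int]) -> Node:
    """Basic 'grow' operation: climb from a user's leaf while the parent is
    still in Revoke(Phi, R), i.e. its subset contains no revoked user."""
    while node[0] > 0 and not (leaves(parent(node), h) & revoked):
        node = parent(node)
    return node

def cover(h: int, revoked: Set[int]) -> List[FrozenSet[int]]:
    """Cover(N, R): partition the enabled users (N minus R) into subsets of
    Revoke(Phi, R), growing one chain per cover element."""
    uncovered = set(range(1 << h)) - revoked
    chosen: List[FrozenSet[int]] = []
    while uncovered:
        u = min(uncovered)  # a user outside the ideals selected so far
        subset = leaves(grow((h, u), h, revoked), h)
        chosen.append(subset)
        uncovered -= subset
    return chosen

def keys_of_user(u: int, h: int) -> List[Node]:
    """Key assignment: user u holds the keys of all nodes above its leaf,
    i.e. the filter F(u), which has log N + 1 elements in CS."""
    node = (h, u)
    path = [node]
    while node[0] > 0:
        node = parent(node)
        path.append(node)
    return path
```

With h = 3 and R = {2, 5} the cover is {0,1}, {3}, {4}, {6,7}: four subsets, matching the r log(N/r) bound of the table.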

28
Transmission Overhead
  • Given a factorizable set system Φ, Cover(N, R) outputs an optimal solution and the communication overhead is ord(∩_{i=1}^{r} Pui), where R = {u1, ..., ur}.
  • Given a factorizable set system Φ:
  • If for any ideal I and atom u it holds that ord(I ∩ Pu) ≤ log|I|, then the communication overhead for revoking r users is O(r log N).
  • If, on the other hand, ord(I ∩ Pu) ≤ c, then the communication overhead for revoking r users is at most r(c - 1).

29
Alternative Characterization
  • Theorem. A set system is factorizable iff the following holds:
  • S1 ∪ S2 is in the collection whenever S1 ∩ S2 ≠ ∅. (*)
  • Proof. (⇐) Suppose that the set system is not factorizable due to an ideal I and an atom u, even though (*) holds. Consider the lower-maximal partition ⟨M1, M2, ..., Mk⟩ of I ∩ Pu and suppose that Mi is not an ideal; then it has more than one maximal element. Since k = ord(I ∩ Pu) is maximal, these maximal elements are intersecting. Then (*) implies that their union is in the set system and hence also in I ∩ Pu.
  • (⇒) Suppose that the set system is factorizable but S = S1 ∪ S2 is not in the collection. Consider the minimal ideal I in the set system that contains S (this exists due to the factorizable property). There exists an atom u in I that is not in S. Since I ∩ Pu is separable, there exists an ideal in its lower-maximal partition that contains both S1 and S2, which contradicts the minimality of I.

30
Alternative Characterization
  • Theorem. The set systems corresponding to the
  • Complete Subtree [NNL01],
  • Subset Difference [NNL01],
  • Layered Subset Difference [HaSh02],
  • Stratified Subset Difference [GoSuTa04],
  • Subset Incremental Chain [AtIm05],
  • Key-Chain Tree [WNR04],
  • Complete Key-Chain Tree [HwLeLi05]
  • are all factorizable.

31
Extended Results to the Tracing
  • We can extend our results to the tracing problem.
  • A pirate decoder uses some keys, i.e. subsets.
  • Tracing is equivalent to revoking in a modified set system that chops off the subsets that are used by the pirate decoder.
  • Suppose that S is used by the pirate decoder; then Φ' = Φ \ F(S).
  • The cover is Revoke(Φ', ).
  • Φ' doesn't have to be separable.
  • Improvement on the communication overhead compared to the only known tracing algorithm.
  • Linear in the number of traitors.

32
Our Key Derivation Method
  • Each user should be able to derive all the keys for subsets in F(u).
  • Approach:
  • Split the key poset into a forest T of upward-looking trees.
  • Keys in each tree of T are derivable from the root by one-way transformations.
  • User u gets the key of the root of every tree in the forest T ∩ F(u).

33
A new class of Broadcast Encryption Schemes
  • Applications
  • We demonstrate the power of working directly with
    the key poset.

34
X-Property
  • The root has as many children as the number of leaves.
  • Cu ∈ Φ for any u ∈ N, where Cu = N \ {u}.
  • There are two elements S1, S2 ∈ Φ such that F(S1) and F(S2) are disjoint and both are complete binary trees of height log N - 1, excluding the root.
  • Any Cu is a leaf of one of the binary trees F(S1) or F(S2).

35
A Transformation that Preserves the X-property
Diagram: one-to-one mapping from the filters below to the trees above.
36
Some Facts on Transformation
  • Squares the number of users.
  • Theorem. If the underlying set system is factorizable, then the resulting set system is also factorizable.
  • Let Φ be a factorizable set system defined over a set of size 2^m. If for any ideal I ⊆ Φ and atom u it holds that ord(I ∩ Pu) ≤ c(m), then ord(I ∩ Pu) ≤ c(m) + 2 for any ideal I ⊆ Transform(Φ) and atom u in a set of size 2^{2m}.

37
Transmission overhead
  • Let Φ' be constructed after k transformations of a set system Φ defined over a set of size d with transmission overhead c(d)·r to disable a set of r users.
  • If d is a constant, then the transmission overhead of Φ' is O(r log log N).
  • If k is a constant, then the transmission overhead of Φ' is O(r·c(d)).

38
Key-Derivation Procedures
  • Path property:
  • There exist two elements S1, S2 ∈ Φ such that F(S1) and F(S2) are disjoint and both filters are complete binary trees of height log N - 1, excluding the root.
  • For any u, Pu intersects the binary trees F(S1) or F(S2) in a single path of length log N - 1.
  • The path property implies the X-property.
  • The transformation preserves the path property.

39
Key Assignment / Derivation for the path-property
Diagram: the root of the tree carries LABEL S; its children carry GL(S) and GR(S), the next level GL(GL(S)), GR(GL(S)), GL(GR(S)), GR(GR(S)), and so on down to GR(GR(GR(S))) and the leaf Cu, inside the filters F(S1) and F(S2). Pu intersects the binary trees in the red nodes.
User u is given GL(S), GR(GR(S)), GR(GL(GR(S))) and will be able to derive any key of the nodes hanging off the path by at most log N function evaluations.
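The label derivation for the path property (the forest of upward-looking trees, the path in Pu, and the GL/GR labels of the figure above), as an added example that is not code from the presentation. It assumes GL and GR are instantiated as SHA-256 under distinct domain-separation bytes, that a node's key is a further hash of its label, and that tree nodes are named by their root-to-node path over {'L','R'}; these choices are mine, not the authors'.

```python
"""Path-property key derivation: user u holds the labels of the subtree
roots hanging off the path of nodes that do not contain u (P_u in the tree)
and derives every key below them with one-way transformations GL/GR.
Added example; GL, GR and node_key are assumed SHA-256 instantiations."""
import hashlib
from typing import Dict, Optional, Tuple

def GL(label: bytes) -> bytes:
    return hashlib.sha256(b"L" + label).digest()

def GR(label: bytes) -> bytes:
    return hashlib.sha256(b"R" + label).digest()

def node_key(label: bytes) -> bytes:
    """The encryption key of a node is a one-way image of its label."""
    return hashlib.sha256(b"K" + label).digest()

def label_of(start: bytes, path: str) -> bytes:
    """Walk down from a label applying GL for 'L' and GR for 'R'."""
    lab = start
    for step in path:
        lab = GL(lab) if step == "L" else GR(lab)
    return lab

def user_labels(root: bytes, excluded_path: str) -> Dict[str, bytes]:
    """Centre side: give user u the labels of the siblings of the nodes on
    its excluded path, i.e. the roots of the subtrees in F(u); that is one
    label per path node (log N - 1 labels for a full-height path)."""
    given: Dict[str, bytes] = {}
    for depth, step in enumerate(excluded_path):
        sibling = excluded_path[:depth] + ("R" if step == "L" else "L")
        given[sibling] = label_of(root, sibling)
    return given

def derive(given: Dict[str, bytes], target: str) -> Tuple[Optional[bytes], int]:
    """User side: derive the key of `target` from a held label, returning
    the key and the number of one-way evaluations spent, or (None, 0) when
    the target lies on the excluded path (a subset that does not contain u)."""
    for held, lab in given.items():
        if target.startswith(held):
            rest = target[len(held):]
            return node_key(label_of(lab, rest)), len(rest) + 1
    return None, 0
```

For the excluded path "RLL" the user receives exactly GL(S), GR(GR(S)) and GR(GL(GR(S))) as in the figure, and cannot derive the key of S, GR(S), GL(GR(S)) or Cu.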
40
Key Storage Derivation for the Transformation
  • Let Φ be a factorizable set system defined over a set of size 2^m. If the key storage (derivation) for the set system Φ is K(m) (D(m)), then the key storage K'(m) (derivation D'(m)) for the new set system Transform(Φ) would be:
  • K'(m) = 2 + K(m) + m.
  • D'(m) = max(D(m), m).

41
A Construction
which satisfies the path-property.
Start with: [figure]
Applying the transformation two times yields: [figure]
42
Scheme Parameters (1)
  • Start with the basic set system for 2 users.
  • Apply the transformation k times to get a set system for N = 2^{2^k} users.
  • Storage: 2k + log N
  • Computation time: log N
  • Transmission overhead: 2r log log N

43
Another Basic Scheme with path-property
44
Scheme Parameters (2)
  • Start with the set system for d users:
  • Storage: 3(log d - 1)
  • Computation time: max(d, log d)
  • Transmission overhead: 2r
  • Apply the transformation k times to get a set system for N = d^{2^k} users, say for k a constant:
  • Storage: 2k + log N
  • Computation time: max(N^{1/2^k}, log N)
  • Transmission overhead: 2rk
  • Compare this with the k-complete tree and the Layered Subset Incremental Chain System.

45
Thank You