What 1.25 turned out to be or Complex poles and DVDs

1
What 1.25 turned out to beorComplex poles and
DVDs

• Ilya Mironov
• Microsoft Research, SVC
• October 3rd, 2003

2
One-to-One Communications
Alice
Bob
3
One-to-Many Communications
Alice
Bob
Carl
Zing
4
One-to-Many Communications
Alice
Bob
Carl
Zing
5
One-to-Many Communications
Alice
Bob
Carl
Zing
6
One-to-Many Communications
Alice
Bob
Carl
Zing
7
Broadcast
Alice
Bob
Carl
Zing
8
Broadcast
Alice
Bob
Carl
Zing
9
Real Life Examples of Broadcast

• Pay-per-view
• Satellite radio, TV (dishes)
• DVD players

Stateless receivers
10
Broadcast encryption
source
k
k
k
k
k
k
k
k
k
k
receivers
? Very little overhead
? One rogue user compromises the whole system
11
Broadcast encryption
source
k1, k2, k3, k4, k5,, kn
k1
k2
k3
k4
k5
k6
k7
kn

receivers
broadcast Ek1,k, Ek2,k,, Ekn,k, Ek,M
12
Broadcast encryption
source
k1, k2, k3, k4, k5,, kn
k1
k2
k3
k4
k5
k6
k7
kn

receivers
? Simple user revocation
? Too many keys
13
Botched attempts

• CSS (most famous for the DeCSS crack)
• CPRM (IBM, Intel, Matsushita, Toshiba) Can revoke
  only 10,000 devices in 3Mb

14
Subset-cover framework (Naor-Naor-Lotspiech01)
S1
S7
S8
S6
S2
15
Subset-cover framework (Naor-Naor-Lotspiech01)
k3
k5
receiver u knows keys
k4
S1
S7
S8
S6
S2
16
Key distribution

• Based on some formal characteristic e.g., DVD
  players serial number
• Using some real-life descriptors
• CMU students/faculty
• researchers
• Pennsylvania state residents
• college-educated

17
Broadcast using subset cover
S10
S1
S8
S6
S3
S5
header uses k1, k3, k5, k6, k8, k10
18
Subtree difference
All receivers are associated with the leaves of a
full binary tree
k0
k00
k01
k00
k01
k11
19
Subtree differences
special set Si,j
i
j
20
Subtree difference
21
Subtree difference
22
Subtree difference
23
Subtree difference
24
Subtree difference
25
Subtree difference
26
Subtree difference
27
Subtree difference
28
Greedy algorithm

• Easy greedy algorithm for constructing a subtree
  cover for any set of revoked users

29
Greedy algorithm

• Find a node such that both of its children have
  exactly one revoked descendant

30
Greedy algorithm

• Add (at most) two sets to the cover

31
Greedy algorithm

• Revoke the entire subtree

32
Greedy algorithm

• Could be less than two sets

33
Average-case analysis

• R - number of revoked users
• C number of sets in the cover
• C 2R-1
• averaged over sets of fixed size NNL01
• EC 1.38R
• simulation experiments give NNL01
• EC R

1.25
34
Hypothesis

• 1.25 5/4

35
Different Model

• Revoke each user independently at random with
  probability p

36
Exact formula
If a user is revoked with probability p1
where
37
Exact formula
If a user is revoked with probability p1
where
38
Asymptotic
EC/ER
1.24511
p
39
Asymptotic
EC/ER
1.2451134
1.2451114
p
40
Exact formula
If a user is revoked with probability p1
where
41
Singularities of f
Function f cannot be analytically continued
beyond the unit disk
42
One approach

• 5 pages of dense computations series, o, O,
  lim, etc.
• produce only the constant term

43
Mellin transform
44
Approximation
For small q
where
45
The Mellin Transform
Poles at 0, -1, -2, -3, and
46
Complex poles

0
-1
-2
-3
47
Mellin transform
48
Approximation
where p 1-q
49
Asymptotic
EC/ER
1.2451134
3log2 4/3
1.2451114
p
50
Average-case analysis

• R - number of revoked users
• C number of sets in the cover
• If a user is revoked with probability p1
• EC 1.24511 ER

51
Knuth and de Bruijn

• Solution communicated by de Bruijn to Knuth for
  analysis of the radix-exchange sort algorithm
  (vol. 3, 1st ed, p. 131)
• De Bruijn, Knuth, Rice, The average height of
  planted plane trees, 1972

52
Further reading

• Flajolet, Gourdon, Dumas, Mellin transform and
  asymptotics Harmonics sums, Theor. Comp. Sc.,
  123(2), 1994

53
Back-up slides
54
Halevy-Shamir scheme

• Noticed that subtree differences are decomposable

55
Halevy-Shamir scheme

• Fewer special sets reduce memory requirement on
  receivers

56
Improvement

• For practical parameters save additionally 20
  compared to the Halevy-Shamir scheme