Title: Fast Algorithms for the Free Riders Problem in Broadcast Encryption
1Fast Algorithms for the Free Riders Problem in
Broadcast Encryption
- Zulfikar Ramzan
- David P. Woodruff
Crypto 2006
2Broadcast Encryption
Users
Server
Many applications payperview TV, music, videos
Offline phase - Server distributes keys
Online phase - Encrypt a session key for
privileged users
3Broadcast Encryption
- Parameters
- Storage per user ( keys)
- Server storage
- Communication vs. computation
- Sets of privileged users it can support
- Security
- Computational vs. Information-theoretic
4Free Riders
- ASW If we allow a small fraction of
non-privileged (revoked) users to decrypt the
broadcast, can we significantly save resources? - A revoked user decrypting the broadcast is a
free rider - Commercial view
- These savings might be worth more than the
loss from allowing a few free riders - ASW Consider the subset-cover framework
5Subset Cover Framework NNL
- n 1, , n is set of users
- Offline
- For some S ½ n, server distributes a key KS to
all users in S. Let C be the collection of S - Online
- R ½ n are the revoked users
- Server finds subsets S1, S2, , St in C such that
- S1 S2 ? St n \ R
- Broadcast ES1(M), ES2(M), , ESt(M)
6Free Riders
- ASW Hardness
- Given a worst-case C, a revoked set R, and a
bound f on the number of free riders - NP-hard to find smallest t and S1, S2, , St 2 C
- S1 S2 ? St contains n n R
- S1 S2 ? St contains f elements of R
- Finding t with t (1?)t also hard
- Leave open the complexity for specific C
7Our Contribution
- For a popular, information-theoretically
secure scheme in subset-cover framework, known as
the Complete Subtree Scheme, we find optimal t
and S1, ? St in O(rf) time - Can find t (1?)t and S1, ? St for uniform
R of size r in O(rf1/3) time - Techniques useful for other schemes in the
subset-cover framework
8Complete Subtree Scheme NNL
v
v
u1
u2
u3
u4
Complete Binary Tree on n leaves Key at each
node v given to users in subtree(v)
9Complete Subtree Scheme NNL
u
u1
u2
u5
u4
u6
u8
u7
n users/leaves keys nodes 2n-1 keys per
user log n 1
Communication O(r log n/r) Information-theoretic
security Supports any revoked set of any size r
10Benefits of Free Riders
- Can reduce communication from O(n1/2) to O(log n)
in Complete Subtree Scheme - Need an algorithm to find free riders random
assignment bad with overwhelming probability - Preserve computation, storage, etc.
11Benefits of Free Riders
Diagram shows revoked users Optimal to make all
singletons free riders
12Algorithm Overview
- Given a set R of leaves and a bound f of free
riders, find smallest t and nodes v1, v2, , vt - Privileged users covered by some subtree(vi) and
at most f revoked users covered - Dynamic programming algorithm
- For each v with children L(v), R(v)
- AL(v)i optimal cost of assigning at most i
free riders to subtree(L(v)) - Avi minj AL(v)j AR(v)i-j
- Backtrack from root to find assignment
13Algorithm Overview
- Algorithm has O(nf) time. Bad for large n
- In practice, r very small
- For CS scheme, can achieve O(rf) by only
computing arrays Av at joining nodes
14q
p
x
y
z
Initialize Ax 0 0
Az 0 0
Ay 0 0
Lift Ap 0 0 0 to Ap 1 1 1 Lift Az 0
0 to Az 2 1 Compute Aqi minj Apj
Azi-j, Aq 3 2 2
p and q are the only joining nodes
Compute Api minj Axj Ayi-j, Ap 0 0
0
15Algorithm Overview
- Compute joining nodes v
- For each v, let L(v) and R(v) be nearest joining
nodes in left and right subtree of v - Lift AL(v) and ARv
- Avi minj AL(v)j AR(v)i-j
- Backtrack using DFS to find optimal assignment
16Step 2 MinSum Problem
- Avi minj AL(v)j AR(v)i-j for all i
- Given a1 a2 ? am1 and
- b1 b2 ? bm2,
- output 8 i, minj aj bi-j
- Easy O(m1 m2) time
- Computational geometry O(m1 m2/log m1m2)
- Implies overall algorithm is O(rf) time
17Step 2 MinSum Problem
- Given a1 a2 ? am1 and
- b1 b2 ? bm2,
- output 8 i, minj aj bi-j
- Relaxations
- 8 i, output j for which
- aj bi-j (1?) minj aj bi-j
- Bounded differences for CS scheme
- aj aj1 O(log n) and bj bj1
O(log n) - Our result O(m1 m21/3) time
- If R uniformly chosen from sets of size r, time
is O(rf1/3) -
18Summary of Results
- O(rf)-time to optimally find set of f free riders
given revoked set R of size r - For every ? gt 0, given a1 ? am1 and b1 ?
bm2 with aj aj1 and bj bj1 small, for all i
output j such that - aj bi-j (1?)minj aj bi-j
- in O(m1 m21/3) time
- 3. Yields O(rf1/3)-time algorithm
19Open Questions
- Extend to other broadcast schemes
- Develop a better understanding of the benefits of
free riders - - computation and storage savings?
- Faster algorithms for the MinSum problem
20MinSum Observations
- If aj bi-j is the minimum for level i, then
aj bi?-j is the approximate minimum for
level i ? - To approximately solve level i, only try a few
indices j because aj bi-j ¼ aj1
bi-j-1 - If aj aj1 ? ajr , then for level i,
- aj bi-j aj1 bi-j-1
ajr bi-j-r, - so we need only consider ai