Download
1 / 37
370 likes | 553 Vues
Efficient Communication-Storage Tradeoffs for Broadcast Encryption Schemes ( will be published in Eurocrypt’05 ). Dong Hoon Lee CIST Korea University http://cist.korea.ac.kr. Contents. Broadcast Encryption Concept / Applications Related Works Our Construction ( Trans. Efficient )
E N D
Efficient Communication-Storage Tradeoffs for Broadcast Encryption Schemes( will be published in Eurocrypt’05 ) Dong Hoon LeeCIST Korea Universityhttp://cist.korea.ac.kr
Contents • Broadcast Encryption • Concept / Applications • Related Works • Our Construction (Trans. Efficient ) • Basic scheme • Extension 1, Extension 2, Extension 3 • Efficiency & Security • Conclusion
Contents Subscribers Key management Cipher Block Broadcast Encryption : Concept Broadcast Data Supplier Contents Broadcast Encryption Message s : session key , m :contents Es(m) Esk(s)
3 5 3 1 3 5 7 6 3 5 2 3 4 8 1 5 9 5 6 7 1 DATA BE : Basic Security = Revocation • Adversarial Coalition Group ? 2 2 4 4 Revoked Members
BE : Applications • Satellite-based Business • Group Communication (multicast) • Digital Rights Management • xCP (Extensible Content Protection), IBM • 2003. 4. Home network content protection (MP3 players, DVD players, Cellular phones, PDAs, TV ) • AACS (Advanced Access Content System) group • 2004. 7. IBM, Intel, Microsoft, Panasonic, Sony, Toshiba, Disney, Warner Bros. Studios • Copy protection scheme : pirated DVDs
BE : Related Works • Combinatorial Approaches • Combinatorial design • Algebraic Approaches • Secret Sharing Method • Tree-based structure • LKH (Logical Key Hierarchy) • SD (Subset Difference)Naor, Naor, Lotspiech, Crypto’01 • IBM xCP, AACS • LSD (Layered SD) Halevy and Shamir, Crypto’02 • SSD (Stratified SD) Goodrich et. al, Crypto’04
BE : Measures • Transmission Length • Storage for keys at user device • Computation overhead • One-to-many communication TL is the most important factor • GOAL: Transmission-efficient scheme with Storage and Computation overhead within reasonable bounds
BE : Basic Approaches GC (Group Center) GC Unicast Single-Message U3 U1 U2 U4 U8 U5 U6 U7 U3 U1 U2 U4 U8 U5 U6 U7 One key for all cases of revocation : {1},{12},…,{145},…,{124578},… Transmission User storage User storage Transmission
Broadcast Encryption –Tree-based • LKH • SD Key storage per user : log-key restriction # of transmitted messages : 2 r (r:# of revoked users)
Challenging Problem ? > The number of revoked users The number of trans. messages
Our Scheme : One-way chain nodes Chain-value Sdi F(Sdi) F2(Sdi) Fj-i(Sdi) Pseudo-Random number sequence from F : {0,1}κ→{0,1}mκ
Our Scheme : User Structure Users Chain-value Sdi F(Sdi) F2(Sdi) Fj-i(Sdi) Circular structure Linear structure
Our Scheme : Basic Scheme • Key assignment u1 u12 u2 Key set u11 u3 u8 u5 u6 u7 u10 s8 u4 s7 F1(s7) u9 u5 s6 F(s6) F2(s6) u6 u8 s5 … F(s5) F3(s5) u7 … n keys per user n different labels
Our Scheme : Basic Scheme • Revocation Method u1 s1 u12 u2 SK2= F5(s6) F(s1) u3 u11 F2(s1) F5(s6) u10 F4(s6) u4 F3(s1) u9 SK1=F3(s1) F3(s6) u5 u8 u6 F2(s6) s6 u7 F(s6) r (=2) subsets r (=2) revoked users r (=2) trans. messages
Our Scheme : Basic Scheme • Key computation SK=F10(s1) u1 s1 u12 u2 F(s1) u3 u11 F2(s1) F10(s1) u10 F9(s1) u4 F3(s1) u9 F4(s1) F8(s1) u5 u8 u6 F7(s1) F5(s1) u7 F6(s1) Maximum n computations of F per user
Our Scheme : Extension 1 • Further reduction of Trans. length in basic scheme Coveringseveral subsetsbyone key !! user SO ↑ subset TL ↓
Our Scheme : Extension 1 (OWC([n,2])) • Revocation Method (Jumping one-way chain) SK1=F10(s12,5) s12,5 u1 u12 u2 F1(s12,5) u3 u11 F2(s12,5) F10(s12,5) u10 F9(s12,5) u4 F3(s12,5) u9 F8(s12,5) u5 F4(s12,5) u8 u6 F7(s12,5) F5(s12,5) u7 F6(s12,5) r/2 (=1) subsets r (=2) revoked users r/2 (=1) Trans. messages
Our Scheme : Extension 1 (OWC([n,3])) • Revocation Method (Jumping one-way chain) SK1=F10(s12,5,8) s12,5,8 u12 F1(s12,5,8) F2(s12,5,8) F10(s12,5,8) F9(s12,5,8) F3(s12,5,8) F8(s12,5,8) u5 F4(s12,5,8) u8 F5(s12,5,8) F7(s12,5,8) F6(s12,5,8) r/3 (=1) subsets r (=3) revoked users r/3 (=1) Trans. messages
( ( ) ) n n k 2 Our Scheme : Extension 1 • Key assignment u1 u12 u2 u3 u11 keys per user u10 u4 u9 u5 u8 u6 u7 keys per user Choice of different labels for k revoked users SO : O(nk)
Our Scheme : Extension 1 • Key computation SK=F10(sw)) u1 sw u12 u2 F(sw) u3 u11 F2(sw) F10(sw) u10 F9(sw) u4 F3(sw) u9 F4(sw) F8(sw) u5 u8 u6 F7(sw) F5(sw) u7 F6(sw) Maximum n computations of F per user
Our Scheme : Extension 2 • Trade-off between SO and TL …. …. Basic Extension 1 Power-set BE Trans. Length r r / k 0 O(nk) n Keys Storage 2n-1 ( k is a natural number )
Our Scheme : Extension 2 • Reduction in keys storage per user in Basic Scheme Constructinghierarchical chain so thatseveral keys of a user cover one subset !! user SO ↓ subset TO ↑
Our Scheme : Extension 2 (OWC(p,[w,k])) • Revocation method (hierarchical chain : 2-dim Ring)
Our Scheme : Extension 2 • Revocation method (structurally equivalent with SD) Complete binary ring Complete binary tree
Our Scheme : Extension 2 • Trade-off between SO and TL …. …. Basic Extension 2 SD Trans. Length r rw/(w-1) 2 r n Keys Storage (log2n+log n)/2 + 1 g(n) - k is a natural number - g(n) = (w-1)log n + (w-1)(log2n+log n)/2 + 1 (w-ary ring)
Our Scheme : Extension 3 • Toward Practical Scheme Reduce ( User keys storage + Trans. Length ) Combination of two extension methods : Layered 2-dimensional Ring
Our Scheme : Extension 3 • User structure: layered 2-dimnsional ring U1.1 U2.1 U1.2 U2.2 U1.9 U2.9 U1.3 U2.3 U1.8 U2.8 U1.4 U2.4 U1.7 U2.7 U1.5 U2.5 U1.6 U2.6
Our Scheme : Extension 3 • Revocation method u1.1 u2.1 u1.2 u2.2 u1.9 u2.9 u1.3 u2.3 u1.8 u2.8 u1.4 u2.4 u1.7 u2.7 u1.5 u2.5 u1.6 u2.6 r/2+1 (=2) subsets r (=3) revoked users r/2+1 (=2) Trans. messages
( ) m=n/2 2 Our Scheme : Extension 3 • Key assignment u1.1 u2.1 u1.2 u2.2 u1.9 u2.9 u1.3 u2.3 u1.8 u2.8 u1.4 u2.4 u1.7 u2.7 u1.5 u2.5 u1.6 u2.6 n keys for 1 revoked user keys for 2 revoked users
Our Scheme : Extension 3 • Key computation u1.1 u2.1 u1.2 u2.2 u1.9 u2.9 u1.3 u2.3 u1.8 u2.8 u1.4 u2.4 u1.7 u2.7 u1.5 u2.5 u1.6 u2.6 Maximum m=n/2 com. of F and 1 com. of G per user
Our Scheme : Extension 3 • For a large number users : partition ... ...
Our Scheme : Extension 3 • 3 instances OWC(2,[50,2]) OWC(4,[50,2]) OWC((2:2),[50,2])
Our Construction : Security • Standard hybrid argument nodes Chain-value Sdi F(Sdi) F2(Sdi) Fj-i(Sdi) Pseudo-Random number sequence from F : {0,1}κ→{0,1}mκ Computational Indistinguishability Truly Random number sequence Ri+1 Ri+2 Ri+3 Rj Rj ←R {0,1}mκ
Our schemes : Efficiency n = 106 users m Keys Storage(Kbyte) Trans. Length (Kbyte) # of Comp. r=50,000(5%) OWC(2,[w,2]) 50 19.2 546.9 (0.7r) 50 OWC(4,[w,2]) 50 20.9 Fig. 546.9 (0.7r) 50 OWC((2:2),[w,2]) 50 19.9 Fig. 546.9 (0.7r) 50 SD (Naor et. al) 3.2 Fig. 1562.5 (2r) 20
Comparison : Transmission Length n = 106 users Kbyte SD 546.9 312.5 OWC(2,[50,2]) (w=50) 234.4 OWC(4,[50,2]) 178.1 OWC((2:2),[50,2]) 156.3 78.1 5 % 1 % 0.5% 2 % # of revoked users
Further Research • Further reduction in user storage • Reduction for initial transmission length • Other structure for Trade-off : Transmission length & User keys storage
Q & A Thank you
