This joint work outlines the combinatorics problem of finding families of subsets of a given universe such that any large set (one missing at most r elements of the universe) can be written as the union of a small number of subsets from the family. The techniques and applications of this problem, including broadcast encryption, certificate revocation, and group testing, are discussed in detail.
Explicit Exclusive Set Systems with Applications David P. Woodruff Joint work with Craig Gentry and Zulfikar Ramzan
Outline
• The Combinatorics Problem
• Our Techniques
• Applications
  • Broadcast encryption
  • Certificate revocation
  • Group testing
The Combinatorics Problem
• Find a family C of subsets of {1, 2, …, n} such that any large set S ⊆ {1, 2, …, n} is the union of a small number of sets in C: S = S1 ∪ S2 ∪ … ∪ St
• Parameters:
  • Universe is [n] = {1, …, n}
  • |S| ≥ n − r
  • Write S as a union of ≤ t sets in C
• Goal:
  • Minimize |C|
The Combinatorics Problem
• Find a family C of subsets of [n] such that any set S ⊆ [n] with |S| ≥ n − r is the union of t sets in C: S = S1 ∪ S2 ∪ … ∪ St
• Example: t = 1
  • C = all sets of size ≥ n − r
  • |C| =
• Example: t = n
  • C = all sets of size 1
  • |C| = n
• C excludes sets of size ≤ r: C is an exclusive set system
Another Example
• Example: r = 1, t = 2
• Write each i ∈ [n] as (i1, i2) ∈ [n^{1/2}]^2 (figure: the point i in an n^{1/2} × n^{1/2} grid)
• For S = [n] \ {i}: take the set that excludes 1st coordinate i1 and the set that excludes 2nd coordinate i2
• |C| = 2n^{1/2}
Another Example (Generalized)
• r = 1, t ≤ log n
• Write each i ∈ [n] as (i1, i2, …, it) ∈ [n^{1/t}]^t
• Sets in C are named (x, y) ∈ [t] × [n^{1/t}]
• i ∈ (x, y) iff i_x ≠ y
• |C| = t n^{1/t}
• If S = [n] \ {i}, then S = (1, i1) ∪ (2, i2) ∪ … ∪ (t, it)
Example Summary
• r arbitrary
  • t = 1: |C| =
  • t = n: |C| = n
• t ≤ log n
  • r = 1: |C| = t n^{1/t}
How does |C| grow given n, r, and t?
A Lower Bound
Claim:
Proof:
• At least  sets of size ≥ n − r
• Only  different unions
• Thus,
• Solve for |C|
Example Summary
• r arbitrary
  • t = 1: |C| =  (tight)
  • t = n: |C| = n (tight)
• t ≤ log n
  • r = 1: |C| = t n^{1/t} (tight)
What happens for arbitrary n, r, and t?
Known Results
• Bad: once n and r are chosen, t and |C| are fixed
Known Results
• Only known general result:
  • If r ≤ t, then |C| = O(t^3 (nt)^{r/t} log n) [KR]
• Drawbacks:
  • Probabilistic method
  • To write S = S1 ∪ S2 ∪ … ∪ St, solve Set-Cover
  • C has a large description: bad for applications
  • Suboptimal size:
Our Results
• Main result: |C| = poly(r,t)
  • n, r, t all arbitrary
  • Matches the lower bound up to poly(r,t)
  • In applications r, t << n
  • When r, t << n, get |C| = O(rt · n^{r/t})
• Our construction is explicit
  • Find the sets S = S1 ∪ … ∪ St in poly(r, t, log n) time
• Improved cryptographic applications
Outline
• The Combinatorics Problem
• Our Techniques
• Applications
  • Broadcast encryption
  • Certificate revocation
  • Group testing
Techniques
• Case analysis:
  • r, t << n: algebraic solution
  • general r, t: use a divide-and-conquer approach to reduce to the previous case
Case: r, t << n
• Find a prime p slightly larger than n^{1/t}
• Integers [n] are points in (F_p)^t
• Consider the ring F_p[X1, …, Xt]
• Goal: find a set of polynomials C such that for any R ⊆ [n] with |R| ≤ r, there exist p1, …, pt ∈ C such that R = Variety(p1, …, pt)
The Polynomial Collection
• Consider the following collection:
The Polynomial Collection (Cont'd)
Claim: If no two points in R have the same ith coordinate for any i, then we can find p1, …, pt with Variety(p1, …, pt) = R.
Proof: Let u_{i1}, u_{i2}, …, u_{i|R|} be the ith coordinates of the points of R (so the jth point of R is (u_{1j}, …, u_{tj})).
• Choose p1 = ∏_{j=1}^{|R|} (X1 − u_{1j}).
• For each i, let u_{i+1,1}, u_{i+1,2}, …, u_{i+1,|R|} be the (i+1)st coordinates, and choose p_{i+1} = f(X_i) − X_{i+1}, where f is obtained by interpolating from f(u_{ij}) = u_{i+1,j} for all j (possible because the u_{ij} are distinct).
Claim 1: Every point in R is in Variety(p1, …, pt).
Proof: Immediate.
Claim 2: If x ∈ [n] \ R, then x is not in Variety(p1, …, pt).
Proof: Induction. If x is in the variety, then p1(x) = 0 gives x1 = u_{1j} for some j, and p_{i+1}(x) = f(x_i) − x_{i+1} = 0 gives x_{i+1} = f(x_i) = f(u_{ij}) = u_{i+1,j}; so x is the jth point of R.
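The "distinct coordinates" construction from the claims above, as an added worked example (not code from the slides or the paper): over a small prime field F_p it builds p1 = ∏_j (X1 − u_{1j}) and p_{i+1} = f_i(X_i) − X_{i+1} by Lagrange interpolation, then checks by brute force that the common zero set is exactly R. The prime p = 7 and the points of R used in the test are constructed sample values, not the slides' p ≈ n^{1/t}.

```python
from itertools import product

def poly_mul_linear(poly, a, p):
    """Multiply poly (coefficients, lowest degree first) by (X - a) over F_p."""
    out = [0] * (len(poly) + 1)
    for m, c in enumerate(poly):
        out[m + 1] = (out[m + 1] + c) % p
        out[m] = (out[m] - a * c) % p
    return out

def poly_eval(poly, x, p):
    """Horner evaluation of poly at x over F_p."""
    acc = 0
    for c in reversed(poly):
        acc = (acc * x + c) % p
    return acc

def interpolate(xs, ys, p):
    """Lagrange interpolation over F_p: the unique f, deg f < len(xs), with f(xs[j]) = ys[j]."""
    coeffs = [0] * len(xs)
    for j, (xj, yj) in enumerate(zip(xs, ys)):
        basis, denom = [1], 1  # L_j(X) = prod_{k != j} (X - x_k) / (x_j - x_k)
        for k, xk in enumerate(xs):
            if k != j:
                basis = poly_mul_linear(basis, xk, p)
                denom = denom * (xj - xk) % p
        scale = yj * pow(denom, -1, p) % p
        for m, c in enumerate(basis):
            coeffs[m] = (coeffs[m] + scale * c) % p
    return coeffs

def exclude_polynomials(R, p):
    """Return p1, ..., pt (callables on a point of (F_p)^t) whose common zero set is R.
    R is a list of t-tuples over F_p with distinct i-th coordinates for every i."""
    t = len(R[0])
    assert all(len({u[i] for u in R}) == len(R) for i in range(t)), "coordinates not distinct"
    p1 = [1]  # p1(X) = prod_j (X1 - u_{1j}): vanishes exactly on the first coordinates of R
    for u in R:
        p1 = poly_mul_linear(p1, u[0], p)
    polys = [lambda x, c=p1: poly_eval(c, x[0], p)]
    for i in range(t - 1):  # p_{i+1}(X) = f_i(X_i) - X_{i+1} with f_i(u_{ij}) = u_{i+1,j}
        f = interpolate([u[i] for u in R], [u[i + 1] for u in R], p)
        polys.append(lambda x, c=f, i=i: (poly_eval(c, x[i], p) - x[i + 1]) % p)
    return polys

def variety(polys, p, t):
    """Brute-force common zero set of polys in (F_p)^t (fine for tiny p and t)."""
    return {x for x in product(range(p), repeat=t) if all(q(x) == 0 for q in polys)}
```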
The Polynomial Collection (Cont'd)
• |C| = O(t p^r), where p is the prime slightly larger than n^{1/t}
• Density theorems for primes ⇒ |C| = O(t n^{r/t})
• Only works if R has distinct coordinates…
Handling Non-distinct Coordinates
• Perform coordinate transformations
• Each u ∈ [n] is a degree-(t−1) polynomial p_u in F_p[x]
• Translate the polynomial representation to a point representation by evaluation: p_u → (p_u(1), p_u(2), …, p_u(t))
• p_u ≠ p_{u'} implies the translations are distinct
• Idea: choose many transformations (sets of t points in F_p), so every R has a transformation with distinct coordinates
• Apply the previous construction
Handling Non-distinct Coordinates
• Suppose R = {1, …, r}. Evaluation points, grouped in blocks of t, and the values of p1, …, pr on the first block:

points:  1  2  3  …  t | (t+1) (t+2) … 2t | (2t+1) … | …
p1:      1  2  3  …  t
p2:      2  2  3  …  t
p3:      3  2  3  …  t
…
pr:      r  2  3  …  t
Handling Non-Distinct Coordinates
• How many blocks of t points do we need to consider?
• Two distinct degree-(t−1) polynomials can agree on at most t−1 points.
• Thus, only a bounded number of blocks can have non-distinct coordinates
• So choose that many blocks, and apply the "distinct coordinate" construction for each block
• Take the union of the constructions for all blocks
Summary and Improvements
• O(r² t) blocks, each with O(t n^{r/t}) sets
• O(r² t² n^{r/t}) sets in total!
• Can improve to O(rt · n^{r/t})
Improvements
• Choose special points in F_p for the blocks
• Mix the blocks with an expander
• Balance the complexity of the two types of sets
General n, r, t
• (figure: the points of R marked along [n] = 1 … n, with an interval [i, j] highlighted)
• Let m be such that r/m, t/m << n
• For every interval [i, j], form an exclusive set system with n' = j − i + 1, r' = r/m, t' = t/m
• Given a set R, find intervals which evenly partition R
• Problem! n² term ?!?
• Fix:
  - hash [n] to [r²] first
  - do enough hashes so there is an injective hash for every R
  - apply the construction above on [r²]
Outline
• The Combinatorics Problem
• Our Techniques
• Applications
  • Broadcast encryption
  • Certificate revocation
  • Group testing
Broadcast Encryption
• 1 server, n clients
• Server broadcasts to all clients at once
  • E.g., pay-per-view TV, music, videos
• Only privileged users can understand broadcasts
  • E.g., those who pay their monthly bills
• Need to encrypt broadcasts
• Offline phase: server distributes keys
• Online phase: server encrypts a session key so only privileged users can decrypt
Subset Cover Framework [NNL]
• Offline stage:
  • For some S ⊆ [n], the server creates a key K(S) and distributes it to all users in S
  • Idea: choose the sets S from an exclusive set system C
  • Server space complexity ~ |C|
  • ith user's space complexity ~ number of S containing i
Subset Cover Framework [NNL]
• Online stage:
  • Given a set R ⊆ [n] of at most r revoked users
  • Server establishes a session key M that only users in the set [n] \ R know
  • Finds S1, …, St with [n] \ R = S1 ∪ … ∪ St
  • Encrypts M under each of K(S1), …, K(St)
    • For u ∈ [n] \ R, there is an Si with u ∈ Si
    • For u ∈ R, there is no Si with u ∈ Si
  • Content is encrypted using the session key M
Subset Cover Framework [NNL]
• Online stage:
  • Communication complexity ~ t
  • Tolerates up to r revoked users
  • Tolerates any number of colluders
  • Information-theoretic security
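The offline and online stages above, as an added example (not code from the slides or from [NNL]), driven by the r = 1 exclusive set system of the "Another Example (Generalized)" slide: sets are named (x, y), user i belongs to (x, y) iff its x-th base-n^{1/t} digit differs from y, and [n] \ {i} is covered by the t sets (x, i_x), so a single revoked user holds no key that opens the header. It assumes n = base^t, draws the keys K(S) with os.urandom, and stands in for the encryption of M under K(S) with a constructed HMAC-SHA256-derived one-time pad.

```python
import hashlib
import hmac
import os

def digits(i, base, t):
    """Write i in [0, base**t) as t base-`base` digits (i_1, ..., i_t)."""
    return tuple((i // base ** x) % base for x in range(t))

def exclusive_set_system(base, t):
    """The r = 1 system: C = {(x, y)}, with i in (x, y) iff i_x != y; |C| = t * base."""
    n = base ** t
    return {(x, y): frozenset(i for i in range(n) if digits(i, base, t)[x] != y)
            for x in range(t) for y in range(base)}

def cover_all_but(revoked, base, t):
    """[n] minus {revoked} = (1, i_1) u ... u (t, i_t): a cover by exactly t sets of C."""
    return [(x, d) for x, d in enumerate(digits(revoked, base, t))]

def offline_stage(C):
    """Server draws K(S) for every S in C and hands user u every K(S) with u in S."""
    keys = {name: os.urandom(16) for name in C}
    users = set().union(*C.values())
    user_keys = {u: {name: keys[name] for name, S in C.items() if u in S} for u in users}
    return keys, user_keys

def wrap(key, label, block):
    """Constructed stand-in for encrypting under K(S): XOR with an HMAC-derived pad.
    Applying it twice with the same key and label restores the input."""
    pad = hmac.new(key, label, hashlib.sha256).digest()[:len(block)]
    return bytes(a ^ b for a, b in zip(block, pad))

def broadcast(keys, cover, session_key, nonce):
    """Online stage: the header carries M wrapped under K(S_1), ..., K(S_t)."""
    return [(name, wrap(keys[name], nonce + repr(name).encode(), session_key))
            for name in cover]

def decrypt(user_keys_u, header, nonce):
    """A user opens the first header entry whose set contains it; a revoked user has none."""
    for name, ct in header:
        if name in user_keys_u:
            return wrap(user_keys_u[name], nonce + repr(name).encode(), ct)
    return None
```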
Our Results
• Use our explicit exclusive set system
  • General n, r, t
    • Contrasts with previous explicit systems
  • poly(r, t, log n) time to find the keys for a broadcast
    • Contrasts with probabilistic constructions
• Parameters
  • For poly(r, log n) server storage complexity, we can set t = r log(n/r), but previously t had to be on the order of r² log n
More Reasons to Study Exclusive Sets
• Other applications
  • Certificate revocation
  • Group testing
• Fun mathematical problem
Open problems
• O(rt · n^{r/t}) versus Ω(t · n^{r/t})
• Our O(rt · n^{r/t}) bound needs t = o(log n)
• Bound for general r, t is poly(r,t)
• Improve the poly(r,t) factor
• Find more applications