1 / 33

Explicit Exclusive Set Systems with Applications

Explicit Exclusive Set Systems with Applications. David P. Woodruff. Joint work with Craig Gentry and Zulfikar Ramzan. Outline. The Combinatorics Problem Our Techniques Applications Broadcast encryption Certificate revocation Group testing. The Combinatorics Problem.

kvoigt
Download Presentation

Explicit Exclusive Set Systems with Applications

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Explicit Exclusive Set Systems with Applications David P. Woodruff Joint work with Craig Gentry and Zulfikar Ramzan

  2. Outline • The Combinatorics Problem • Our Techniques • Applications • Broadcast encryption • Certificate revocation • Group testing

  3. The Combinatorics Problem • Find a family C of subsets of {1, 2, …., n} such that any large set S µ {1, 2, …, n} is the union of a small number of sets in C S = S1[ S2[[ St • Parameters: • Universe is [n] = {1, …, n} • |S| >= n-r • Write S as a union of · t sets in C • Goal: • Minimize |C|

  4. The Combinatorics Problem • Find a family C of subsets of [n] such that any set S µ [n] with |S| ¸ n-r is union of t sets in C: S = S1[ S2[[ St • Example: t = 1 • C = all sets of size ¸ n-r • |C| = • Example: t = n • C = all sets of size 1 • |C| = n • C excludes sets of size · r • C is an exclusive set system

  5. Another Example • Example: r = 1, t = 2 • Write each i 2 [n] as (i1, i2) 2 [n1/2]2 … x S: 1 i n excludes 1st coordinate i1 = excludes 2nd coordinate i2 • |C| = 2n1/2

  6. Another Example (Generalized) • r = 1, t · log n • Write each i 2 [n] as (i1, i2 , …, it) 2 [n1/t]t • Sets in C are named (x, y) 2 [t] x [n1/t] • i 2 (x,y) iff ix y • |C| = tn1/t • If S = [n] n i, • S = (1, i1) [ (2, i2) [ … [ (t, it)

  7. Example Summary • r arbitrary • t = 1: |C| = • t = n: |C| = n • t · log n • r = 1: |C| = tn1/t How does |C| grow given n, r, and t?

  8. A Lower Bound • At least sets of size ¸ n-r • Only different unions • Thus, • Solve for |C| Claim: Proof:

  9. Example Summary • r arbitrary • t = 1: |C| = • t = n: |C| = n • t · log n • r = 1: |C| = tn1/t tight tight tight What happens for arbitrary n, r, and t?

  10. Known Results Bad: once n and r are chosen, t and |C| are fixed

  11. Known Results • Only known general result: • If r · t, then |C| = O(t3(nt)r/t log n) [KR] • Drawbacks: • Probabilistic method • To write S = S1[ S2[ … [ St , solve Set-Cover • C has large description • Bad for applications • Suboptimal size:

  12. Our Results • Main result: |C| = poly(r,t) • n, r, t all arbitrary • Match lower bound up to poly(r,t) • In applications r, t << n • When r,t << n, get |C| = O(rt ) • Our construction is explicit • Find sets S = S1[ … [ St in poly(r, t, log n) time • Improved cryptographic applications

  13. Outline • The Combinatorics Problem • Our Techniques • Applications • Broadcast encryption • Certificate revocation • Group testing

  14. Techniques • Case analysis: • r, t << n: algebraic solution • general r, t: use divide-and-conquer approach to reduce to previous case

  15. Case: r,t << n • Find a prime p = n1/t +  • Integers [n] are points in (Fp)t • Consider the ring Fp[X1, …, Xt] • Goal: find set of polynomials C such that for any R ½ [n] with |R| · r, there exist p1, …, pt2 C such that R = Variety(p1, …, pt)

  16. The Polynomial Collection • Consider the following collection: and

  17. The Polynomial Collection (Con’d) and Proof: choose j=1|R| (X1 – uj1) let ui1, ui2, …, ui|R| be the ith coordinates and ui+11, ui+12, …, ui+1|R| be the (i+1)st coordinates choose pi+1 = f(Xi) – Xi+1 by interpolating from f(uij) = ui+1j for all j Claim: If no two points in R have the same ith coordinate for any i, then we can find p1, …, pt with Variety(p1, …, pt) = R

  18. The Polynomial Collection (Con’d) Proof: choose j=1|R| (X1 – uj1) let ui1, ui2, …, ui|R| be the ith coordinates and ui+11, ui+12, …, ui+1|R| be the (i+1)st coordinates choose pi+1 = f(Xi) – Xi+1 by interpolating from f(uij) = uij+1 for all j Claim 2: If x 2 [n] n R, then x not in Variety(p1, …, pt) Proof: Induction. If x in variety, x1 = u1j for some j pi+1(x) = f(xi) – xi+1 = 0 so: f(xi) = f(uij) = ui+1j = xi+1 Claim 1: Every point in R is in Variety(p1, …, pt) Proof: Immediate

  19. and The Polynomial Collection (Con’d) • |C| = O(tpr), where p = n1/t +  • Density theorems ! |C| = O(tnr/t) • Only works if R has distinct coordinates…

  20. Handling Non-distinct Coordinates • Perform coordinate tranformations • Each u 2 [n] is a degree-(t-1) polynomial pu in Fp[x] • Translate polynomial representation to point representation by evaluation: pu -> (pu(1), pu(2), …, pu(t)) pu pu’ implies translations are distinct • Idea: choose many transformations (sets of t points in Fp), so every R has a transformation with distinct coordinates • Apply previous construction

  21. Handling Non-distinct Coordinates Suppose R = {1, …, r} 1 2 3 … t (t+1) (t+2) … 2t (2t+1) … … p1 p2 p3 … pr 1 2 3 … t (t+1) (t+2) … 2t (2t+1) … … 2 2 3 … t 3 2 3 … t … … … … r 2 3 … t

  22. Handling Non-Distinct Coordinates • How many blocks of t points do we need to consider? • Two distinct degree-(t-1) polynomials can agree on at most t-1 points. • Thus, at most can have non-distinct coordinates • So choose blocks, apply “distinct coordinate” construction for each block • Take union of constructions for all blocks

  23. Summary and Improvements • O(r2 t) blocks, each O(t nr/t) sets • O(r2 t2 nr/t) sets in total! • Can improve to O(rt )

  24. Improvements • Choose specialpoints in Fp for blocks • Mix the blocks with an expander • Balance complexity of two types of sets

  25. i j General n, r, t x x x x x x 1 n • Problem! n2 term ?!? • Fix:- hash [n] to [r2] first • - do enough hashes so there is an injective • hash for every R • - apply construction above on [r2] • Let m be such that r/m, t/m << n • For every interval [i, j], form an exclusive set • system with n’ = j-i+1, r’ = r/m, t’ = t/m • Given a set R, find intervals which evenly • partition R.

  26. Outline • The Combinatorics Problem • Our Techniques • Applications • Broadcast encryption • Certificate revocation • Group testing

  27. Broadcast Encryption Clients Server • 1 server, n clients • Server broadcasts to all clients at once • E.g., payperview TV, music, videos • Only privileged users can understand broadcasts • E.g., those who pay their monthly bills • Need to encrypt broadcasts Online phase - Server encrypts a session key so only privileged users can decrypt Offline phase - Server distributes keys

  28. Subset Cover Framework [NNL] • Offline stage: • For some S ½ [n], server creates a key K(S) and distributes it to all users in S • Idea: choose sets S from an exclusive set system C • Server space complexity ~ |C| • ith user space complexity ~ # S containing i

  29. Subset Cover Framework [NNL] • Online stage: • Given a set R ½ [n] of at most r revoked users • Server establishes a session key M that only users in the set [n] n R know • Finds S1, …, St with [n] n R = S1[ … [ St • Encrypt M under each of K(S1), …, K(St) • For u 2 [n] n R, there is Si with u 2 Si • For u 2 R, no Si with u 2 Si • Content encrypted using session key M

  30. Subset Cover Framework [NNL] • Online stage: • Communication complexity ~ t • Tolerate up to r revoked users • Tolerate any number of colluders • Information-theoretic security

  31. Our Results • Use our explicit exclusive set system • General n,r,t • Contrasts with previous explicit systems • Poly(r,t, log n) time to find keys for broadcast • Contrasts with probabilistic constructions • Parameters • For poly(r, log n) server storage complexity, we can set t = r log (n/r), but previously t = (r2 log n)

  32. More Reasons to Study Exclusive Sets • Other applications • Certificate revocation • Group testing • Fun mathematical problem

  33. Open problems • O(rt ) versus (t ) • Our O(rt ) bound needs t = o(log n) • Bound for general r,t is poly(r,t) • Improve the poly(r,t) factor • Find more applications

More Related