1 / 19

Explicit Exclusive Set Systems with Applications to Broadcast Encryption

Explore the Subset Cover Framework for broadcast encryption using exclusive set systems, focusing on achieving optimal size and efficiency in cryptographic applications.

meachum
Download Presentation

Explicit Exclusive Set Systems with Applications to Broadcast Encryption

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Explicit Exclusive Set Systems with Applications to Broadcast Encryption David P. Woodruff MIT Craig Gentry Stanford Zulfikar Ramzan Symantec FOCS 2006

  2. Broadcast Encryption Clients Server • 1 server, n clients • Server broadcasts to all clients at once • E.g., payperview TV, music, videos • Only privileged users can understand broadcasts • E.g., those who pay their monthly bills • Need to encrypt broadcasts

  3. Subset Cover Framework [NNL] • Offline stage: • For some S ½ [n], server creates a key K(S) and distributes it to all users in S • Let C be the collection of S • Server space complexity ~ |C| • ith user space complexity ~ # S containing i

  4. Subset Cover Framework [NNL] • Online stage: • Given a set R ½ [n] of at most r revoked users • Server establishes a session key M that only users in the set [n] n R know • Finds S1, …, St2 C with [n] n R = S1[ … [ St • Encrypt M under each of K(S1), …, K(St) • Content encrypted using session key M

  5. Subset Cover Framework [NNL] • Communication complexity ~ t • Tolerate up to r revoked users • Tolerate any number of colluders • Information-theoretic security

  6. The Combinatorics Problem • Find a family C of subsets of {1, …., n} such that any large set S µ {1, …, n} is the union of a small number of sets in C S = S1[ S2[[ St • Parameters: • Universe is [n] = {1, …, n} • |S| >= n-r • Write S as a union of · t sets in C • Goal: • Minimize |C|

  7. A Lower Bound • At least sets of size ¸ n-r • Only different unions • Thus, • Solve for |C| Claim: Proof:

  8. Known Upper Bounds Bad: once n and r are chosen, t and |C| are fixed

  9. Known Upper Bounds • Only known general result: • If r · t, then |C| = O(t3(nt)r/t log n) [KR] • Drawbacks: • Probabilistic method • To write S = S1[ S2[ … [ St , solve Set-Cover • C has large description • No way to verify C is correct • Suboptimal size:

  10. Our Results • Main result: tight upper bound |C| = poly(r,t) • n, r, t all arbitrary • Match lower bound up to poly(r,t) • In applications r, t << n • When r,t << n, get |C| = O(rt ) • Our construction is explicit • Find sets S = S1[ … [ St in poly(r, t, log n) time • Improved cryptographic applications

  11. Cryptographic Implications • Our explicit exclusive set system yield almost optimal information-theoretic broadcast encryption and multi-certificate revocation schemes • General n,r,t • Contrasts with previous explicit systems • Poly(r,t, log n) time to find keys for broadcast • Contrasts with probabilistic constructions • Parameters • For poly(r, log n) server storage complexity, we can set t = r log (n/r), but previously t = (r2 log n)

  12. Techniques • Case analysis: • r, t << n: algebraic solution • general r, t: use divide-and-conquer approach to reduce to previous case

  13. Case: r,t << n • Find a prime p = n1/t +  • Users [n] are points in (Fp)t • Consider the ring Fp[X1, …, Xt] • Goal: find set of polynomials C such that for any R ½ [n] with |R| · r, there exist p1, …, pt2 C such that R = Variety(p1, …, pt)

  14. Case: r,t << n • First design a polynomial collection so that for any R ½ [n] with |R| · r such that for every coordinate i, 1 · i · t, All |R| points differ on the ith coordinate (*) • Then perform a few permutations :[n] -> [n] and construct new polynomial collections on ([n]). Take the union of these collections. • Can find the  deterministically using MDS codes

  15. Example Collection: r = 2, t = 3 For r = 2, t = 3, our collection is: • (X1 – a)(X1 – b) for all distinct a,b • aX1 + b – X2 for any a, b 2 Fp • aX2 + b – X3 for any a,b 2 Fp Revoke u = (u1, u2, u3) and v = (v1, v2, v3) u1 v1, u2 v2, and u3 v3 Let p1 = (X1 – u1)(X1-v1). Find p2 by interpolating from au1 + b – u2 = 0, av1 + b – v2 = 0 Find p3 by interpolation. Variety(p1, p2,p3) = u, v We broadcast with keys K(pi), distributed to users which don’t vanish on pi If u1 v1, u2 = v2, and u3 v3, then (u1, u2, v3) also in variety…

  16. and Our General Collection Intuition: First type of polynomials implement a “base case”. Second type of polynomials implement “AND”s.

  17. Wrapping up the r,t << n case. • Using many tricks – balancing techniques, expanders, etc., can show even without distinct coordinates, can achieve size O(rt ). • Almost matches the (t ) lower bound. • Open question: resolve this gap.

  18. i j General n, r, t x x x x x x 1 n • Problem! n2 term ?!? • Fix:- hash [n] to [r2] first • - do enough hashes so there is an injective • hash for every R • - apply construction above on [r2] • Let m be such that r/m, t/m << n • For every interval [i, j], form an exclusive set • system with n’ = j-i+1, r’ = r/m, t’ = t/m • Given a set R, find intervals which evenly • partition R.

  19. Summary and Open Questions • Main result: tight explicit upper bound |C| = poly(r,t) • n, r, t arbitrary • Cover sets in poly(r, t, log n) time • Optimal # of keys per user • Other result: Slightly improve [LS] lower bound on keys per user in any scheme using a relaxed sunflower lemma: from ( )/(rt) to ( )/r • Open question: improve poly(r,t) factors

More Related