390 likes | 407 Views
Explore a novel broadcast encryption paradigm based on time-varying key hierarchy, ensuring secure distribution to all valid members. Learn about reconfigurable key management schemes for stateless receivers.
E N D
Key Management Schemes for Stateless Receivers Based on Time Varying Heterogeneous Logical Key Hierarchy Miodrag Mihaljevic ASIACRYPT 2003 December 1, 2003
Reconfigurable Key Management for Broadcast Encryption or Secret Bits with Multiple Roles: A Novel Paradigm for Broadcast Encryption Schemes two alternative titles of this talk -
Broadcast Encryption – A Brief Introduction • Broadcast encryption (BE) schemes define methods for encrypting content so that only privileged users are able to recover the content from the broadcast which is a ciphertext obtained based on a Session Encryption Key (SEK). • Ensuring that only the valid members of the selected group have SEK at any given time instance is the key management problem in BE. • On the other hand, for the SEK updating, a system needs another set of keys called the Key-Encrypting Keys (KEKs) that can be used to encrypt and transmit the updated SEK to the valid members of the group. • Hence, the key management problem reduces to the problem of distributing the KEKs to the members such that at any given time instant all the valid members can be securely reached and updated with the new SEK.
Abstract of the Talk Scenario under consideration: • broadcasting encryption – stateless receivers • each receiver has a sequence of secret bits to be used during its entire life Main characteristics of the proposed key management: • it is the re-configurable key management (time varying key management scheme): it is based on a collection of the underlying structures - at each instant of time a structure from the collection is employed for updating the session key • segments of the secret bits sequence play different roles depending on employed key management scheme
Roadmap of the presentation • I. Re-configurable Key Management • II. Secret Key Bits Play Different Roles: Re-using of the Keys • III. Illustrative examples
I. Reconfigurable Key Management Main Characteristics
Reconfigurable Key Management KM 1 selection of the most appropriate KM for given revocation scenario KM 2 currently employed KM KM n Collection of Key Management (KM) schemes
Reconfigurable Key Management • “Jumping” from one underlying structure to the another • to perform the best fit to different revocation scenarios in • highly dynamical group of users.
Novel Scheme: Multiple underlying structures Multiple roles of the secret bits Time varying Local heterogeneous key management Adjustable to the revocation dynamics Existing Ones: Single underlying structure Single role of the secret bits Static Global homogeneous key management Non-adjustable to the revocation dynamics Novel Scheme Versus Existing Ones
Main Characteristics of Novel Approach • Novel and FlexibleGeneric Paradigm for developing Broadcast Encryption Key Management schemes for Stateless Receivers. • Novel technology is based on the reconfigurability concept (time varying heterogeneous logical tree hierarchy), and it yields the improved overall characteristics in comparison with the previously reported techniques.
Required Cryptographic Primitives • Reconfigurable key management requires a number of underlying structures for assigning KEKs to the receivers, and in a general case it requires the following two cryptographic primitives: • cryptographic pseudo-random number generator (keystream generator) • hash functions
Illustrative Underlying Structures forReconfigurable Key Management
. . . … … . . . A general form of the sectioned heterogeneous logical key hierarchy (SH-LKH). The triangles play roles of certain substructures, and in a particular case they are sub-trees, with the root at the triangle up and the leaves at the triangle bottom.
An illustration of the sectioned key tree (SKT). As usually, the center is associated to the tree root, a receiver is at a leaf, and the keys are related to the tree nodes.
Reconfigurable Key Management: Main Implementation Issues • Decision onstorage@receiver and processing@receiveroverheads. • According to the above decision and the expected revocation scenarios, design of a suitable collection of the underlying structures which yield minimization of the communication overload. (Note that the collection could be established in a non-optimized (ad-hock) or an optimized manner).
Certain Implementation Issues of Reconfigurable Key Management - RKM(I) • At the center side RKM implementation includes establishing RKM system. • During the establishing phase the center selects the component key management schemes so that each of them is suitable for certain class of the revocation patterns. • Accordingly, during the establishing phase the center forms a list of the following pairs: (revocation pattern class; key management scheme). • Storage requirements for this list of pairs and related information on the component schemes is usually negligible in comparison with the number of keys which should be stored at the center. • So, for each SEK updating, the current revocation patern directly determines the component key management scheme which will be employed.
Certain Implementation Issues of Reconfigurable Key Management – RKM(II) • One-to-one correspondence between the revocation pattern and the component scheme implies that RKM employment does not require any additional processing for selecting a particular key management at any time instance. • At a receiver side RKM operates in a manner very similar to a static key management scheme. • During SEK updating a legitimate (non-revoked) receiver will be able to extract information about KEK it posses which was employed for obtaining one of SEK encrypted forms delivered via broadcasting. • This information will tell the receiver which of its KEKs should be employed and how: in a general case, according to the extracted information, a mapping of a KEK should be performed. • Note that the mapping itself is not a secret operation and usually it is the cryptographic one-way hashing.
Certain Implementation Issues of Reconfigurable Key Management – RKM (III) • Accordingly, employment of RKM requires just a slight (almost negligible) increase of required processing at the both sides, at the center and at the receiver. • On the other hand, it is true that RKM requires a moderate processing at the center side in order to establish the system, but this operation should be done just once.
II. Secret Key Bits Play Different Roles Re-using of the Keys
Reconfigurable Key Management and Secret Key Bits • Reconfigurable key management includes reusing of the same secret bits segments in different modes • An important implementation issue: methodology for reusing of the secret key bits so that they can play different roles.
Shared Mail Box Problem • Each user Ui holds just one secret key Ki. • For each i=1,2,…,k, the mail box Bican only be opened by the user Uiwho possesses the secret key Ki. • The shared mail box SB can be opened by every user in the group, but not any outsider. • Even when k-1 users conspire together, it is computationally difficult for the k-1 users to open the other user's private mail box. • Important Note: The shared mail box problem can be solved by employment of appropriate one-way hash functions.
Reusing of the Secret Bits main issues
Reusing of the Secret Key Bits • reusing of the independent keys • reusing of the dependent keys - direct reusing - indirect reusing employment of appropriate mappings of the (dependent) keys
secret key bits block for secret bits processing rules for secret bits processing specification of the secret bits subsets selected instance of re-configurable key management subset-by-subset mapping collection of the keys
One-Way Hash Desired KEK Subset of Stored Secret Key Bits Mapping of the Keys
Sharing of the Secret Bits • NOTE: Appropriate processing – mapping of the secret key bits yields a possibility for the shared use of the same secret bits even within joint framework of secret key and public key encryption techniques.
III: Illustrative Example Reconfigurable Key Management Based on Sectioned Key Tree
An illustration of the sectioned key tree (SKT). As usually, the center is associated to the tree root, a receiver is at a leaf, and the keys are related to the tree nodes.
Two Particular Key Management Schemes SKT-A and SKT-B
CST LSD LSD LSD SKT-A
CST LSD LSD SKT-B
Analysis of the Proposed Schemes Storage, Communications and Processing Overheads
Characteristics of SKT-A Proposition 1. SKT-A key management requires the following overhead for R revocations in total which affect R0 different sections: • dimension of the storage@receiver overhead: O(H01.5 - H0 + log2 N) • dimension of the communications overhead: O(R + R0 ((log2 N) - H0 ) – R0 log2 R0 ) • dimension of the processing@receiver overhead: O(H0).
Characteristics of SKT-B Proposition 2. SKT-B key management requires the following overhead for R revocations in total which affect R0 and R1 different sections in the lower two layers, the bottom (0-th) and the middle (1-st) ones, respectively: • dimension of the storage@receiver overhead: O(H01.5 + H11.5 – H0 – H1 + log2 N) • dimension of the communications overhead: O(R + R0 + R1((log2 N)-H1 –H0) – R1 log2 R1) • dimension of the processing@receiver overhead: O(max {H0, H1})
Advantages of the Novel Approach (Discussion of the previous Illustrative Example) • Storage: In a system with a million users the novel technology based key management requires only 35 keys at the receiver in comparison with 400 and 90 keys required by SD and LSD methods, respectively. • Processing: The novel technology based key management yields more than three times lower processing overhead at a receiver in comparison with SD and LSD methods. • Communication Overhead: In a large number of the revocation scenarios the novel technology based key management implies the same communications overhead as SD and LSD methods.
Instead Conclusions (1) • A novel framework for key management schemes based on reconfigurable logical key hierarchy is proposed which has a number of differences and advantages over the previously reported approaches. • Recall that the main characteristics of the up to now reported key management schemes include employment of a static underlying structure for the key management, and addressing the subset covering problem over the entire underlying structure. • Oppositely, the main underlying ideas for developing of the reconfigurable key management (RKM) include the following: • (i) employment of a reconfigurable underlying structure; and • (ii) in a general case employment of a divide-and-conquer approach over the underlying structure.
Instead Conclusions (2) • RKM appears as a very suitable approach for highly dynamic revocation scenarios. • Employment of RKM for a SEK updating requires just a slight (almost negligible) increase of required processing at the both sides, at the center and at the receiver. • On the other hand, RKM requires a moderate processing at the center side in order to establish the system, but this operation should be done just once.
Thank You Very Much for the Attention, and QUESTIONS Please!