
Fast Algorithms for the Free Riders Problem in Broadcast Encryption

Fast Algorithms for the Free Riders Problem in Broadcast Encryption. Zulfikar Ramzan, David P. Woodruff. Crypto 2006. Broadcast encryption: users and a server. Offline phase: the server distributes keys. Online phase: encrypt a session key for privileged users.


Presentation Transcript


  1. Fast Algorithms for the Free Riders Problem in Broadcast Encryption • Zulfikar Ramzan, David P. Woodruff • Crypto 2006

  2. Broadcast Encryption • Diagram: users and a server • Offline phase: server distributes keys • Online phase: encrypt a session key for privileged users • Many applications: pay-per-view TV, music, videos

  3. Broadcast Encryption • Parameters • Storage per user (# keys) • Server storage • Communication vs. computation • Sets of privileged users it can support • Security • Computational vs. Information-theoretic

  4. Free Riders • [ASW] If we allow a small fraction of non-privileged (revoked) users to decrypt the broadcast, can we significantly save resources? • A revoked user decrypting the broadcast is a free rider • Commercial view: these savings might be worth more than the loss from allowing a few free riders • [ASW] Consider the subset-cover framework

  5. Subset Cover Framework [NNL] • $[n] = \{1, \ldots, n\}$ is the set of users • Offline: for some $S \subset [n]$, the server distributes a key $K_S$ to all users in $S$. Let $C$ be the collection of such $S$ • Online: $R \subset [n]$ are the revoked users • Server finds subsets $S_1, S_2, \ldots, S_t$ in $C$ such that $S_1 \cup S_2 \cup \cdots \cup S_t = [n] \setminus R$ • Broadcast $E_{S_1}(M), E_{S_2}(M), \ldots, E_{S_t}(M)$

  6. Free Riders • [ASW] Hardness • Given a worst-case $C$, a revoked set $R$, and a bound $f$ on the number of free riders • NP-hard to find the smallest $t$ and $S_1, S_2, \ldots, S_t \in C$ such that • $S_1 \cup S_2 \cup \cdots \cup S_t$ contains $[n] \setminus R$ • $S_1 \cup S_2 \cup \cdots \cup S_t$ contains $\le f$ elements of $R$ • Finding $t'$ with $t' \le (1+)t$ is also hard • Leave open the complexity for specific $C$

  7. Our Contribution • For a popular, information-theoretically secure scheme in the subset-cover framework, known as the Complete Subtree Scheme, we find the optimal $t$ and $S_1, \ldots, S_t$ in $O(rf)$ time • Can find $t' \le (1+)t$ and $S_1, \ldots, S_{t'}$ for uniform $R$ of size $r$ in $\tilde{O}(r f^{1/3})$ time • Techniques useful for other schemes in the subset-cover framework

  8. Complete Subtree Scheme [NNL] • Complete binary tree on $n$ leaves • Key at each node $v$ given to users in subtree($v$) • Diagram labels: v, u1, u2, u3, u4

  9. Complete Subtree Scheme [NNL] • $n$ users/leaves • # keys = # nodes = $2n-1$ • # keys per user = $\log n + 1$ • Communication = $O(r \log(n/r))$ • Information-theoretic security • Supports any revoked set of any size $r$ • Diagram labels: u1 u2 u u4 u6 u7 u8 u5

  10. Benefits of Free Riders • Can reduce communication from $O(n^{1/2})$ to $O(\log n)$ in the Complete Subtree Scheme • Need an algorithm to find free riders: random assignment is bad with overwhelming probability • Preserve computation, storage, etc.

  11. Benefits of Free Riders • Diagram shows revoked users • Optimal to make all singletons free riders

  12. Algorithm Overview • Given a set $R$ of leaves and a bound $f$ on free riders, find the smallest $t$ and nodes $v_1, v_2, \ldots, v_t$ such that privileged users are covered by some subtree($v_i$) and at most $f$ revoked users are covered • Dynamic programming algorithm: for each $v$ with children $L(v)$, $R(v)$ • $A_{L(v)}[i]$ = optimal cost of assigning at most $i$ free riders to subtree($L(v)$) • $A_v[i] = \min_j \left( A_{L(v)}[j] + A_{R(v)}[i-j] \right)$ • Backtrack from the root to find the assignment

  13. Algorithm Overview • Algorithm runs in $O(nf)$ time, which is bad for large $n$ • In practice, $r$ is very small • For the CS scheme, can achieve $O(rf)$ by only computing arrays $A_v$ at joining nodes

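  14. Diagram: tree with nodes q, p, x, y, z • $p$ and $q$ are the only joining nodes • Initialize $A_x = [0\ 0]$, $A_y = [0\ 0]$, $A_z = [0\ 0]$ • Compute $A_p[i] = \min_j \left( A_x[j] + A_y[i-j] \right)$, $A_p = [0\ 0\ 0]$ • Lift $A_p = [0\ 0\ 0]$ to $A_{p'} = [1\ 1\ 1]$ • Lift $A_z = [0\ 0]$ to $A_{z'} = [2\ 1]$ • Compute $A_q[i] = \min_j \left( A_{p'}[j] + A_{z'}[i-j] \right)$, $A_q = [3\ 2\ 2]$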

  15. Algorithm Overview • Compute joining nodes $v$ • For each $v$, let $L(v)$ and $R(v)$ be the nearest joining nodes in the left and right subtree of $v$ • “Lift” $A_{L(v)}$ and $A_{R(v)}$ • $A_v[i] = \min_j \left( A_{L(v)}[j] + A_{R(v)}[i-j] \right)$ • Backtrack using DFS to find the optimal assignment

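  16. Step 2: MinSum Problem • $A_v[i] = \min_j \left( A_{L(v)}[j] + A_{R(v)}[i-j] \right)$ for all $i$ • Given $a_1 \ge a_2 \ge \cdots \ge a_{m_1}$ and $b_1 \ge b_2 \ge \cdots \ge b_{m_2}$, output, $\forall i$, $\min_j \left( a[j] + b[i-j] \right)$ • Easy: $O(m_1 m_2)$ time • Computational geometry: $O(m_1 m_2 / \log(m_1 m_2))$ • Implies overall algorithm is $O(rf)$ time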

  17. Step 2: MinSum Problem • Given $a_1 \ge a_2 \ge \cdots \ge a_{m_1}$ and $b_1 \ge b_2 \ge \cdots \ge b_{m_2}$, output, $\forall i$, $\min_j \left( a[j] + b[i-j] \right)$ • Relaxations • $\forall i$, output $j'$ for which $a[j'] + b[i-j'] \le (1+) \min_j \left( a[j] + b[i-j] \right)$ • Bounded differences for the CS scheme: $a[j] - a[j+1] = O(\log n)$ and $b[j] - b[j+1] = O(\log n)$ • Our result: $\tilde{O}(m_1 m_2^{1/3})$ time • If $R$ is uniformly chosen from sets of size $r$, time is $\tilde{O}(r f^{1/3})$

  18. Summary of Results • $O(rf)$ time to optimally find a set of $f$ free riders given a revoked set $R$ of size $r$ • For every  > 0, given $a_1 \ge \cdots \ge a_{m_1}$ and $b_1 \ge \cdots \ge b_{m_2}$ with $a_j - a_{j+1}$ and $b_j - b_{j+1}$ small, for all $i$ output $j'$ such that $a_{j'} + b_{i-j'} \le (1+) \min_j \left( a_j + b_{i-j} \right)$ in $\tilde{O}(m_1 m_2^{1/3})$ time • Yields an $\tilde{O}(r f^{1/3})$-time algorithm

  19. Open Questions • Extend to other broadcast schemes • Develop a better understanding of the benefits of free riders - computation and storage savings? • Faster algorithms for the MinSum problem

  20. MinSum Observations • If $a[j] + b[i-j]$ is the minimum for level $i$, then $a[j] + b[i+-j]$ is the approximate minimum for level $i +$  • To approximately solve level $i$, only try a few indices $j$ because $a[j] + b[i-j] \approx a[j+1] + b[i-j-1]$ • If $a_{j'} = a_{j'+1} = \cdots = a_{j'+r}$, then for level $i$, $a[j'] + b[i-j'] \ge a[j'+1] + b[i-j'-1] \ge \ldots \ge a[j'+r] + b[i-j'-r]$, so we need only consider $a_{i'}$
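
The dynamic program of slides 12 and 13 in its basic form, which visits every node of the tree, as an added Python example (not code from the presentation or the paper). The function name, the leaf numbering 0..n-1, the (lo, hi) encoding of a node and the explicit "one key at this node" case are assumptions of this example; the inner loop is the easy MinSum of slide 16, and the joining-node speedup is not implemented.

```python
def free_rider_cover(n, revoked, f):
    """Return (t, cover): the fewest subtree keys that reach every privileged
    user while at most f revoked users (free riders) can also decrypt.

    Users are leaves 0..n-1 of a complete binary tree (n a power of two);
    a cover entry (lo, hi) is the node whose subtree spans leaves lo..hi-1.
    """
    if n < 1 or n & (n - 1):
        raise ValueError("n must be a power of two")
    if f < 0:
        raise ValueError("f must be non-negative")
    revoked = set(revoked)

    def solve(lo, hi):
        # Returns (r_v, A_v): r_v counts revoked leaves under this node and
        # A_v[i] = (cost, cover) with at most i free riders, i = 0..min(f, r_v).
        if hi - lo == 1:
            if lo in revoked:
                return 1, [(0, [])] * (min(f, 1) + 1)   # nothing to cover
            return 0, [(1, [(lo, hi)])]                  # the leaf's own key
        mid = (lo + hi) // 2
        r_left, a_left = solve(lo, mid)
        r_right, a_right = solve(mid, hi)
        r_v = r_left + r_right
        table = []
        for i in range(min(f, r_v) + 1):
            # MinSum step: A_v[i] = min_j A_L(v)[j] + A_R(v)[i-j].
            # Costs never increase with the budget, so indices are clamped.
            best = None
            for j in range(i + 1):
                a = a_left[min(j, len(a_left) - 1)]
                b = a_right[min(i - j, len(a_right) - 1)]
                if best is None or a[0] + b[0] < best[0]:
                    best = (a[0] + b[0], a[1] + b[1])
            # One key at this node covers the whole subtree; allowed only if
            # all r_v revoked leaves below it fit in the budget i.
            if r_v <= i and best[0] > 1:
                best = (1, [(lo, hi)])
            table.append(best)
        return r_v, table

    _, root_table = solve(0, n)
    return root_table[-1]


# Constructed sample: 16 users, revoked users spread out as isolated singletons.
if __name__ == "__main__":
    for budget in (0, 1, 2, 3, 4):
        print(budget, free_rider_cover(16, {0, 4, 8, 12}, budget))
```

On the constructed sample the broadcast shrinks from 8 ciphertexts with no free riders to 1 once all four isolated revoked users are allowed to decrypt, the effect slide 11 describes.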
