7. Symmetric Key Encryption
Alice Bob
M = “Nandan, 6:30pm”
Insecure Communication Channel
Oscar
Enc Dec
K K
M = “Nandan, 6:30pm”
8. Symmetric Key Encryption
Alice Bob
M = “Nandan, 6:30pm”
Insecure Communication Channel
Oscar
Enc Dec
K K
M = “Nandan, 6:30pm”
C ← E(M, K)
9. Symmetric Key Encryption
Alice Bob
M = “Nandan, 6:30pm”
Insecure Communication Channel
Oscar
Enc Dec
K K
M = “Nandan, 6:30pm”
C ← E(M, K)
C = “KNQXGAQWJGJFOI”
10. Symmetric Key Encryption
Alice Bob
M = “Nandan, 6:30pm”
Insecure Communication Channel
Oscar
Enc Dec
K K
M = “Nandan, 6:30pm”
C ← E(M, K)
C = “KNQXGAQWJGJFOI”
M ← E−1
(C, K)
11. Symmetric Key Encryption
Alice Bob
M = “Nandan, 6:30pm”
Insecure Communication Channel
Oscar
Enc Dec
K K
M = “Nandan, 6:30pm”
C ← E(M, K)
C = “KNQXGAQWJGJFOI”
M ← E−1
(C, K)
M = “Nandan, 6:30pm”
12. Symmetric Key Encryption
Alice Bob
M = “Nandan, 6:30pm”
Insecure Communication Channel
Oscar
Enc Dec
K K
M = “Nandan, 6:30pm”
C ← E(M, K)
C = “KNQXGAQWJGJFOI”
M ← E−1
(C, K)
M = “Nandan, 6:30pm”
23. DRM in Blu-ray/DVD discs
(Copyrighted) Content Production House
n Users
legitimate player
24. DRM in Blu-ray/DVD discs
(Copyrighted) Content Production House
n Users
legitimate player
pirated player
25. Basic Schemes
N: set of all users u1, . . . , un; n = |N|
R: set of revoked users; r = |R|
26. Basic Schemes
N: set of all users u1, . . . , un; n = |N|
R: set of revoked users; r = |R|
S = {Si : Si ⊆ N}
27. Basic Schemes
N: set of all users u1, . . . , un; n = |N|
R: set of revoked users; r = |R|
S = {Si : Si ⊆ N}
Singleton Set Scheme
S = {{u1}, . . . , {un}}
Each user is assigned a unique key. O(1)
M has to be encrypted for each user in N R. O(n − r)
28. Basic Schemes
N: set of all users u1, . . . , un; n = |N|
R: set of revoked users; r = |R|
S = {Si : Si ⊆ N}
Singleton Set Scheme
S = {{u1}, . . . , {un}}
Each user is assigned a unique key. O(1)
M has to be encrypted for each user in N R. O(n − r)
Power Set Scheme
S = {{u1}, . . . , {u1, u2}, . . . , {u1, . . . , un−1}, . . . , N}
Each subset of users is assigned a unique key. O(2n)
M is encrypted only once for the set N R ∈ S. O(1)
29. Subset Cover Framework [NNL01]
1. Initiation
Choose the collection
S = {S1, . . . , Sw }; Si ⊆ N.
30. Subset Cover Framework [NNL01]
1. Initiation
Choose the collection
S = {S1, . . . , Sw }; Si ⊆ N.
Assign key Li to each Si ∈ S
Only u ∈ Si gets Li
31. Subset Cover Framework [NNL01]
1. Initiation
Choose the collection
S = {S1, . . . , Sw }; Si ⊆ N.
Assign key Li to each Si ∈ S
Only u ∈ Si gets Li
2. Encryption
Broadcast Message
(sent in sessions)
Message Block M
32. Subset Cover Framework [NNL01]
2. Encryption (M, R)
For each session (with privileged users N R):
33. Subset Cover Framework [NNL01]
2. Encryption (M, R)
For each session (with privileged users N R):
Find the Subset Cover Sc = {Si1
, . . . , Sih
}
34. Subset Cover Framework [NNL01]
2. Encryption (M, R)
For each session (with privileged users N R):
Find the Subset Cover Sc = {Si1
, . . . , Sih
} ⊂ S such that
N R = Si1
∪ · · · ∪ Sih
Encrypt:
35. Subset Cover Framework [NNL01]
2. Encryption (M, R)
For each session (with privileged users N R):
Find the Subset Cover Sc = {Si1
, . . . , Sih
} ⊂ S such that
N R = Si1
∪ · · · ∪ Sih
Encrypt:
M with random Ks;
36. Subset Cover Framework [NNL01]
2. Encryption (M, R)
For each session (with privileged users N R):
Find the Subset Cover Sc = {Si1
, . . . , Sih
} ⊂ S such that
N R = Si1
∪ · · · ∪ Sih
Encrypt:
M with random Ks;
Ks with Lij
of each Sij
∈ Sc
37. Subset Cover Framework [NNL01]
2. Encryption (M, R)
For each session (with privileged users N R):
Find the Subset Cover Sc = {Si1
, . . . , Sih
} ⊂ S such that
N R = Si1
∪ · · · ∪ Sih
Encrypt:
M with random Ks;
Ks with Lij
of each Sij
∈ Sc
FKs
(M)
38. Subset Cover Framework [NNL01]
2. Encryption (M, R)
For each session (with privileged users N R):
Find the Subset Cover Sc = {Si1
, . . . , Sih
} ⊂ S such that
N R = Si1
∪ · · · ∪ Sih
Encrypt:
M with random Ks;
Ks with Lij
of each Sij
∈ Sc
FKs
(M) ELi1
(Ks) · · · ELih
(Ks)
39. Subset Cover Framework [NNL01]
2. Encryption (M, R)
For each session (with privileged users N R):
Find the Subset Cover Sc = {Si1
, . . . , Sih
} ⊂ S such that
N R = Si1
∪ · · · ∪ Sih
Encrypt:
M with random Ks;
Ks with Lij
of each Sij
∈ Sc
FKs
(M) ELi1
(Ks) · · · ELih
(Ks)
body header
40. Subset Cover Framework [NNL01]
3. Decryption
FKs
(M) ELi1
(Ks) · · · ELih
(Ks)
For u ∈ Sij
where Si,j ∈ Sc
Find ELij
(Ks) in the header
41. Subset Cover Framework [NNL01]
3. Decryption
FKs
(M) ELi1
(Ks) · · · ELih
(Ks)
For u ∈ Sij
where Si,j ∈ Sc
Find ELij
(Ks) in the header
Ks ← E−1
Lij
(ELij
(Ks))
42. Subset Cover Framework [NNL01]
3. Decryption
FKs
(M) ELi1
(Ks) · · · ELih
(Ks)
For u ∈ Sij
where Si,j ∈ Sc
Find ELij
(Ks) in the header
Ks ← E−1
Lij
(ELij
(Ks))
M ← F−1
Ks
(FKs (M))
44. Parameters of Interest
|Sc| = h: header length (costliest parameter)
Example: Pay-TV bandwidth cost
|Iu|: user storage (may be costly)
Example: High-end military receivers
45. Parameters of Interest
|Sc| = h: header length (costliest parameter)
Example: Pay-TV bandwidth cost
|Iu|: user storage (may be costly)
Example: High-end military receivers
Encryption time
Decryption time
Example: TV set-top box booting time
46. Applications of BE
Pay-TV, CableLabs standard.
AACS: Disney, Intel, Microsoft, Panasonic, Warner Bros.,
IBM, Toshiba and Sony.
Blu-ray Disc Manufacturer Player Manufacturer
47. Applications of BE
Pay-TV, CableLabs standard.
AACS: Disney, Intel, Microsoft, Panasonic, Warner Bros.,
IBM, Toshiba and Sony.
Blu-ray Disc Manufacturer Player Manufacturer
Military Broadcasts
Global Broadcast Service (US)
Joint Broadcast System (Europe)
48. Applications of BE
Pay-TV, CableLabs standard.
AACS: Disney, Intel, Microsoft, Panasonic, Warner Bros.,
IBM, Toshiba and Sony.
Blu-ray Disc Manufacturer Player Manufacturer
Military Broadcasts
Global Broadcast Service (US)
Joint Broadcast System (Europe)
File Sharing in Encrypted File Systems.
Mailing list encryption: [BGW05] OpenPGP functions as a
BE system
Online content sharing and distribution [BBW06]
eCommerce: trade secret broadcasts
. . .
49. Why NOT use Public-Key BE?
Efficiency!!!
(decryption time, hence cost)
52. The collection S
S = {S1, . . . , Sw}; Si ⊆ N
determines the header length h
(through the cover generation algorithm)
Subset Cover Sc = {Si1
, . . . , Sih
} ⊂ S such that
N R = Si1
∪ · · · ∪ Sih
53. The collection S
S = {S1, . . . , Sw}; Si ⊆ N
determines the header length h
(through the cover generation algorithm)
Subset Cover Sc = {Si1
, . . . , Sih
} ⊂ S such that
N R = Si1
∪ · · · ∪ Sih
determines the user storage |Iu|
(through the key assignment and distribution algorithm)
54. The collection S
S = {S1, . . . , Sw}; Si ⊆ N
determines the header length h
(through the cover generation algorithm)
Subset Cover Sc = {Si1
, . . . , Sih
} ⊂ S such that
N R = Si1
∪ · · · ∪ Sih
determines the user storage |Iu|
(through the key assignment and distribution algorithm)
determines the encryption and decryption time
(through the key assignment and distribution algorithm)
55. Two types of S
Subset Difference {1}, {3}, {6, 7, 8}
Punctured Interval {1, 3, 6}, {7, 8}
Dalit Naor, Moni Naor, and Jeffery Lotspiech.
Revocation and tracing schemes for stateless receivers.
In Joe Kilian, editor, CRYPTO, volume 2139 of Lecture Notes in Computer
Science, pages 41–62. Springer, 2001.
Nam-Su Jho and Jung Yeon Hwang and Jung Hee Cheon and Myung-Hwan Kim
and Dong Hoon Lee and Eun Sun Yoo.
One-Way Chain Based Broadcast Encryption Schemes.
In Ronald Cramer, editor, EUROCRYPT, volume 3494 of Lecture Notes in
Computer Science, pages 559–574. Springer, 2005.
56. Outline
Preliminaries
Background
NNL-SD: Initiation
Define SNNL−SD
Key Assignment
Key Distribution
NNL-SD: Encryption
Halevy-Shamir Layered SD
Other Related Works
Our Contributions
Paper 1: Arbitrary n; Detailed Analysis
Paper 2: Layering; Minimizing Storage
Paper 3: k-ary Generalization
Paper 4: Assured Savings on Communication
Conclusion
57. Preliminaries
Background
NNL-SD: Initiation
Define SNNL−SD
Key Assignment
Key Distribution
NNL-SD: Encryption
Halevy-Shamir Layered SD
Other Related Works
Our Contributions
Paper 1: Arbitrary n; Detailed Analysis
Paper 2: Layering; Minimizing Storage
Paper 3: k-ary Generalization
Paper 4: Assured Savings on Communication
Conclusion
58. Subset Difference (SD) Scheme [NNL01]
Naor-Naor-Lotspiech (2001)
Patented
Used in the AACS standard
59. Subset Difference (SD) Scheme [NNL01]
Naor-Naor-Lotspiech (2001)
Patented
Used in the AACS standard
0
1 2
3 4 5 6
7 8 9 10 11 12 13 14
15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30
Assumed n = 2 0
63. Collection SNNL−SD has:
For all internal nodes i
For all corresponding nodes j(= i) in the subtree Ti
Si,j = Ti Tj
64. Collection SNNL−SD has:
For all internal nodes i
For all corresponding nodes j(= i) in the subtree Ti
Si,j = Ti Tj
T i
T j
All users that are in Ti but not in Tj
65. Preliminaries
Background
NNL-SD: Initiation
Define SNNL−SD
Key Assignment
Key Distribution
NNL-SD: Encryption
Halevy-Shamir Layered SD
Other Related Works
Our Contributions
Paper 1: Arbitrary n; Detailed Analysis
Paper 2: Layering; Minimizing Storage
Paper 3: k-ary Generalization
Paper 4: Assured Savings on Communication
Conclusion
67. Key Assignment
Key for Si,j:
Assign random seedi to each internal node i
Pseudo-random generator (PRG): G : {0, 1}k → {0, 1}3k
G(seed) = GL(seed)||GM(seed)||GR(seed)
68. Key Assignment
Key for Si,j:
Assign random seedi to each internal node i
Pseudo-random generator (PRG): G : {0, 1}k → {0, 1}3k
G(seed) = GL(seed)||GM(seed)||GR(seed)
69. Key Assignment
Key for Si,j:
Assign random seedi to each internal node i
Pseudo-random generator (PRG): G : {0, 1}k → {0, 1}3k
G(seed) = GL(seed)||GM(seed)||GR(seed)
seedi
70. Key Assignment
Key for Si,j:
Assign random seedi to each internal node i
Pseudo-random generator (PRG): G : {0, 1}k → {0, 1}3k
G(seed) = GL(seed)||GM(seed)||GR(seed)
seedi
j
71. Key Assignment
Key for Si,j:
Assign random seedi to each internal node i
Pseudo-random generator (PRG): G : {0, 1}k → {0, 1}3k
G(seed) = GL(seed)||GM(seed)||GR(seed)
seedi
j
GL(seedi ) GR (seedi )
72. Key Assignment
Key for Si,j:
Assign random seedi to each internal node i
Pseudo-random generator (PRG): G : {0, 1}k → {0, 1}3k
G(seed) = GL(seed)||GM(seed)||GR(seed)
seedi
j
GL(seedi ) GR (seedi )
GL(GL(seedi )) GR (GL(seedi ))
73. Key Assignment
Key for Si,j:
Assign random seedi to each internal node i
Pseudo-random generator (PRG): G : {0, 1}k → {0, 1}3k
G(seed) = GL(seed)||GM(seed)||GR(seed)
seedi
j
GL(seedi ) GR (seedi )
GL(GL(seedi )) GR (GL(seedi ))
seedi,j = GR (GL(GL(seedi )))
74. Key Assignment
Key for Si,j:
Assign random seedi to each internal node i
Pseudo-random generator (PRG): G : {0, 1}k → {0, 1}3k
G(seed) = GL(seed)||GM(seed)||GR(seed)
seedi
j
GL(seedi ) GR (seedi )
GL(GL(seedi )) GR (GL(seedi ))
seedi,j = GR (GL(GL(seedi )))
75. Key Assignment
Key for Si,j:
Assign random seedi to each internal node i
Pseudo-random generator (PRG): G : {0, 1}k → {0, 1}3k
G(seed) = GL(seed)||GM(seed)||GR(seed)
seedi
j
GL(seedi ) GR (seedi )
GL(GL(seedi )) GR (GL(seedi ))
seedi,j = GR (GL(GL(seedi )))
Li,j = GM (seedi,j )
76. Key Assignment
Key for Si,j:
Assign random seedi to each internal node i
Pseudo-random generator (PRG): G : {0, 1}k → {0, 1}3k
G(seed) = GL(seed)||GM(seed)||GR(seed)
seedi
j
GL(seedi ) GR (seedi )
GL(GL(seedi )) GR (GL(seedi ))
seedi,j = GR (GL(GL(seedi )))
Li,j = GM (seedi,j )
Key of Si,j: Li,j = GM(seedi,j)
77. Preliminaries
Background
NNL-SD: Initiation
Define SNNL−SD
Key Assignment
Key Distribution
NNL-SD: Encryption
Halevy-Shamir Layered SD
Other Related Works
Our Contributions
Paper 1: Arbitrary n; Detailed Analysis
Paper 2: Layering; Minimizing Storage
Paper 3: k-ary Generalization
Paper 4: Assured Savings on Communication
Conclusion
78. User Storage
User u stores: for every ancestor i (at level ), the derived
seeds of nodes “falling-off” from the path between i and u,
derived from seedi.
Figure: Secrets stored by u
79. User Storage
User u stores: for every ancestor i (at level ), the derived
seeds of nodes “falling-off” from the path between i and u,
derived from seedi.
u
seedi
Figure: Secrets stored by u
80. User Storage
User u stores: for every ancestor i (at level ), the derived
seeds of nodes “falling-off” from the path between i and u,
derived from seedi.
u
seedi
GR (seedi )
Figure: Secrets stored by u
81. User Storage
User u stores: for every ancestor i (at level ), the derived
seeds of nodes “falling-off” from the path between i and u,
derived from seedi.
u
seedi
GR (seedi )
GR (GL(seedi ))
Figure: Secrets stored by u
82. User Storage
User u stores: for every ancestor i (at level ), the derived
seeds of nodes “falling-off” from the path between i and u,
derived from seedi.
u
seedi
GR (seedi )
GR (GL(seedi ))
GR (GL(GL(seedi )))
Figure: Secrets stored by u
83. User Storage
User u stores: for every ancestor i (at level ), the derived
seeds of nodes “falling-off” from the path between i and u,
derived from seedi.
u
seedi
GR (seedi )
GR (GL(seedi ))
GR (GL(GL(seedi )))
GR (GL(GL(GL(seedi ))))
Figure: Secrets stored by u
84. User Storage
User u stores: for every ancestor i (at level ), the derived
seeds of nodes “falling-off” from the path between i and u,
derived from seedi.
u
seedi
GR (seedi )
GR (GL(seedi ))
GR (GL(GL(seedi )))
GR (GL(GL(GL(seedi ))))
1 +
Figure: Secrets stored by u
85. User Storage
User u stores: for every ancestor i (at level ), the derived
seeds of nodes “falling-off” from the path between i and u,
derived from seedi.
u
seedi
GR (seedi )
GR (GL(seedi ))
GR (GL(GL(seedi )))
GR (GL(GL(GL(seedi ))))
1 + 2 +
Figure: Secrets stored by u
86. User Storage
User u stores: for every ancestor i (at level ), the derived
seeds of nodes “falling-off” from the path between i and u,
derived from seedi.
u
seedi
GR (seedi )
GR (GL(seedi ))
GR (GL(GL(seedi )))
GR (GL(GL(GL(seedi ))))
1 + 2 + · · · + 0 =
Figure: Secrets stored by u
87. User Storage
User u stores: for every ancestor i (at level ), the derived
seeds of nodes “falling-off” from the path between i and u,
derived from seedi.
u
seedi
GR (seedi )
GR (GL(seedi ))
GR (GL(GL(seedi )))
GR (GL(GL(GL(seedi ))))
1 + 2 + · · · + 0 = 0( 0+1)
2
Figure: Secrets stored by u
88. Outline
Preliminaries
Background
NNL-SD: Initiation
Define SNNL−SD
Key Assignment
Key Distribution
NNL-SD: Encryption
Halevy-Shamir Layered SD
Other Related Works
Our Contributions
Paper 1: Arbitrary n; Detailed Analysis
Paper 2: Layering; Minimizing Storage
Paper 3: k-ary Generalization
Paper 4: Assured Savings on Communication
Conclusion
105. NNL-SD Parameters
For n users out of which r are revoked:
User storage: O(log2
(n)).
Maximum header length: 2r − 1.
Maximum decryption time: O(log n).
106. Outline
Preliminaries
Background
NNL-SD: Initiation
Define SNNL−SD
Key Assignment
Key Distribution
NNL-SD: Encryption
Halevy-Shamir Layered SD
Other Related Works
Our Contributions
Paper 1: Arbitrary n; Detailed Analysis
Paper 2: Layering; Minimizing Storage
Paper 3: k-ary Generalization
Paper 4: Assured Savings on Communication
Conclusion
109. Layered SD subsets
Which Si,j ∈ SHS−LSD?
If i is at a special level:
for all j in T i, Si,j ∈ SHS−LSD
If i is not at a special level:
for all j in T i that are in the same layer as i, Si,j ∈ SHS−LSD
110. Layered SD subsets
Which Si,j ∈ SHS−LSD?
If i is at a special level:
for all j in T i, Si,j ∈ SHS−LSD
If i is not at a special level:
for all j in T i that are in the same layer as i, Si,j ∈ SHS−LSD
T i
T j
111. Layered SD subsets
Which Si,j ∈ SHS−LSD?
If i is at a special level:
for all j in T i, Si,j ∈ SHS−LSD
If i is not at a special level:
for all j in T i that are in the same layer as i, Si,j ∈ SHS−LSD
T i
T j
special level
112. Layered SD subsets
Si,j ∈ SNNL−SD SHS−LSD if
i is not at a special level
and i and j are not in the same layer
113. Layered SD subsets
Si,j ∈ SNNL−SD SHS−LSD if
i is not at a special level
and i and j are not in the same layer
How to cover these subsets?
114. Layered SD subsets
Si,j ∈ SNNL−SD SHS−LSD if
i is not at a special level
and i and j are not in the same layer
How to cover these subsets? SPLIT!!!
special level
T i
T k
T j
Subsets in SSD SLSD are split into: Si,j = Si,k ∪ Sk,j .
115. Layered SD Scheme
Key for Si,k is Li,k = GM(GL(seedi))
Key for Sk,j is Lk,j = GM(GR(GL(seedk )))
Li,k = GM (seedi,k )
k
seedi
seedi,k = GL(seedi )
GR (seedi )special level
k
j
seedk
GL(seedk ) GR (seedk )
seedk,j = GR (GL(seedk ))
Lk,j = GM (seedk,j )
116. LSD Parameters
NNL-SD scheme:
User storage needed: O(log2
(n)).
Maximum Header Length: 2r − 1.
Decryption Time: O(log n).
HS-LSD scheme:
User Storage needed: O(log3/2
n).
Maximum header length: 4r − 2.
Decryption Time: O(log n).
117. Outline
Preliminaries
Background
NNL-SD: Initiation
Define SNNL−SD
Key Assignment
Key Distribution
NNL-SD: Encryption
Halevy-Shamir Layered SD
Other Related Works
Our Contributions
Paper 1: Arbitrary n; Detailed Analysis
Paper 2: Layering; Minimizing Storage
Paper 3: k-ary Generalization
Paper 4: Assured Savings on Communication
Conclusion
118. Other SD-based Schemes
[GoodrichST04] Stratified SD
Key assignment: Left and right preorder tree traversals
O(log n) storage; O(n) decryption time
Double header length
[FukushimaKTS08] 3-ary tree SD
“However, in a general a-ary tree with a ≥ 4,... our hash chain
approach fails... Thus, the construction of a coalition resistant
a-ary SD method with reasonable communication, computation,
and storage overhead is an open issue.”
[WangYL14] Balanced Double SD
Published after I submitted my thesis
We have better results now
119. Analysis of SD scheme
[ParkB06]
Generating function for N(n, r, h)
Mean header length: “complex to compute and difficult to
gain insight from”
[EagleOPR08]
Small standard deviations
[MartinMW09]
Maximum header length
120. Outline
Preliminaries
Background
NNL-SD: Initiation
Define SNNL−SD
Key Assignment
Key Distribution
NNL-SD: Encryption
Halevy-Shamir Layered SD
Other Related Works
Our Contributions
Paper 1: Arbitrary n; Detailed Analysis
Paper 2: Layering; Minimizing Storage
Paper 3: k-ary Generalization
Paper 4: Assured Savings on Communication
Conclusion
121. Complete Tree SD (CTSD) Scheme
Question: What happens when n = 2 0 ?
Answer: Add dummy users to get to the next power of two.
If the dummy users are considered revoked, then the effect
on the header length is disastrous.
If the dummy users are privileged, the situation is better
but, there is still a measurable effect on the header length.
Solution: Use a complete binary tree.
“Completes” (and also subsumes) the NNL-SD scheme to
work for any number of users.
Conceptually simple; working out the details is a bit
involved.
122. CTSD Scheme: Header Length Analysis
(n, r)-revocation
A choice of r revoked users out of total n users
For each (n, r)-revocation,
h ∈ {1, . . . , hmax }
N(n, r, h)
#(n, r)-revocations for which the the header length is h.
123. CTSD Scheme: Header Length Analysis
(n, r)-revocation
A choice of r revoked users out of total n users
For each (n, r)-revocation,
h ∈ {1, . . . , hmax }
N(n, r, h)
#(n, r)-revocations for which the the header length is h.
How to compute N(n, r, h)?
The only known method would
enumerate all possible n
r (n, r)-revocations
run the cover finding algorithm for each
count the number of (n, r)-revocations leading to a header
of size h.
124. Recurrence relation for N(n, r, h)
N(λi, r1, h1) = T(λi, r1, h1) + j∈IN(i) T(λj, r1, h1 − 1)
where IN(i) is the set of all internal nodes in the subtree T i
excluding the node i.
T(λi, r1, h1) =
r1−1
r =1
h1
h =0 N(λ2i+1, r , h ) × N(λ2i+2, r1 − r , h1 − h )
where λ2i+1 (respectively λ2i+2) is the number of leaves in
the left (respectively right) subtree of T i.
T(λi , r1, h1) r1 < 0 r1 = 0 r1 = 1 2 ≤ r1 < n r1 = n r1 > n
h1 = 0 0 0 0 0 1 0
h1 ≥ 1 0 0 0 from rec. 0 0
N(λi , r1, h1) r1 < 0 r1 = 0 r1 = 1 2 ≤ r1 < n r1 = n r1 > n
h1 = 0 0 0 0 0 1 0
h1 = 1 0 1 n from rec. 0 0
h1 > 1 0 0 0 from rec. 0 0
Table: Boundary conditions on T(n, r, h) and N(n, r, h).
125. Computing N(n, r, h)
Dynamic Programming:
N(n, r, h) can be computed in O(r2h2 log n + rh log2
n) time
and O(rh log n) space.
N(n, r, h) for all possible h can be computed in
O(r4 log n + r2 log n) time and O(r2 log2
n) space.
N(n, r, h) for all possible r and h can be computed in
O(n4 log n + n2 log2
n) time and O(n2 log n) space.
N(i, r, h) for 2 ≤ i ≤ n and all possible r and h can be
computed in O(n5 + n3 log n) time and O(n3) space.
The combinatorics behind the cover generation algorithm was
well captured!
(for n ~125)
126. Using N(n, r, h): Maximum Header Length
Theorem
The maximum header length in the CTSD method for n users is
hmax = min(2r − 1, n
2 , n − r).
For the NNL-SD scheme, the bound of 2r − 1 was known.
Complete (refined) picture:
if r ≤ n/4, hmax = 2r − 1;
if n/4 < r ≤ n/2, hmax = n/2; and
for r > n/2, hmax = n − r.
127. Using N(n, r, h): More analysis
nr
The value of n for which the header length of 2r − 1 is achieved
with r revoked users.
Obtained a complete characterization of nr .
Generating Function
Similar to that of [PB06]
Probabilities and Expectation
For n ~125
Compute probabilities of h ∈ {1, . . . , hmax }
Compute expected value Hn,r
128. Expected Header Length
Random experiment
Select a random subset of revoked users R from N
(Select a random (n, r)-revocation).
Event: Node i generates a subset Si,j
Xi
n,r = 1 if Si,j ∈ Sc for some j;
Xi
n,r = 0 otherwise.
h = X0
n,r + X1
n,r + · · · Xn−1
n,r =
n−1
i=0
Xi
n,r
Hn,r : expected header length for (n, r)-revocations.
Hn,r =
n−1
i=0
E[Xi
n,r ] =
n−1
i=0
Pr[Xi
n,r = 1]
129. Hn,r for all SD based schemes
This technique has been useful for other SD-based schemes:
Hn,r =
n−1
i=0
Pr[Xi
n,r = 1]
For the NNL-SD scheme:
Computing Hn,r requires O(r log n) time and O(1) space.
130. Hn,r for the NNL-SD Scheme
Theorem: For all n ≥ 1, r ≥ 1, the expected header length
Hn,r ↑ Hr , as n increases through powers of two, where
Hr = 3r − 2 − 3 ×
r−1
i=1
−
1
2
i
+
i
k=1
(−1)k i
k
(2k − 3k )
(2k − 1)
.
r 2 3 4 5 6
Hr /r 1.25 1.25 1.2455 1.2446 1.2448
131. Outline
Preliminaries
Background
NNL-SD: Initiation
Define SNNL−SD
Key Assignment
Key Distribution
NNL-SD: Encryption
Halevy-Shamir Layered SD
Other Related Works
Our Contributions
Paper 1: Arbitrary n; Detailed Analysis
Paper 2: Layering; Minimizing Storage
Paper 3: k-ary Generalization
Paper 4: Assured Savings on Communication
Conclusion
132. Halevy-Shamir LSD Scheme
0
1 2
3 4 5 6
7 8 9 10 11 12 13 14
15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30
Special Levels
0 = 4
1 = 2
2 = 0
d1 = 2
d2 = 2
[HS02]: “The root is considered to be at a special
level, and in addition we consider every level of depth
k · log (n) for k = 1 . . . log (n) as special (wlog, we
assume that these numbers are integers).”
n = 2 0 with 0 = 4, 9, 16, 25 only?
133. Layering Strategy
A choice of special levels is called a layering strategy.
General layering strategy
Layering strategy = ( 0, . . . , e):
has e + 1 special levels
0 > 1 > . . . > e−1 > e = 0.
Layering strategy d = (d1, . . . , de)
di = i − i−1 is a layer length
In general, the layer lengths need not be (almost) equal.
134. Extending the HS Scheme
Residual bottom layer
Write 0 = d(e − 1) + p where 1 ≤ p ≤ d. Then the special
levels are
0, 0 − d, 0 − 2d, . . ., − d(e − 1), 0.
Balanced layering or extended-HS (eHS)
Write 0 = d(e − 1) + p = (e − d + p)d + (d − p)(d − 1).
Define the layer lengths from the top to be
(d, . . . , d
e−d+p
, d − 1, . . . , d − 1
d−p
).
136. Storage Minimal Layering
SML0( 0)
A layering strategy which minimizes the user storage among all
layering strategies.
#SML0( 0)
User storage required by SML0( 0).
#SML0( 0) = min
1≤e≤ 0
#SML0(e, 0);
#SML0(e, 0) = min
( 0,..., e)
storage0( 0, 1, . . . , e)
Dynamic programming algorithm to compute #SML0( 0):
O( 3
0) time and O( 2
0) space.
137. Root at a Non-Special Level
[HS02]: “The root is considered to be at a special
level, and ...”
Making root level 0 non-special:
storage1( ) = storage0( ) − 1.
Hence, user storage decreases.
Pr[X0
n,r = 1] is small.
Hence, negligible increase in the expected header size.
SML1( 0): SML with non-special root.
#SML1( 0): corresponding user storage.
138. Examples of SML
Suppose there are 228 users, i.e., 0 = 28
(a good estimate as per the CableLabs website)
Scheme Name Layering Storage |Iu|
NNL-SD: (28,0) 406
eHS: (28,22,16,10,5,0) 146
SML0: (28,21,15,10,6,3,1,0) 140
SML1: (22,16,11,7,4,2,0) 119
139. Other Results
Complete Tree LSD scheme
Maximum Header Length
hmax = min (4r − 2, n
2 , n − r) if root is non-special.
hmax = min (4r − 3, n
2 , n − r) if root is special.
Expected Header Length:
The splitting of subsets complicates the analysis.
O(r log2
n) time and O(1) space.
140. Constrained Minimization
For a given r, the contribution of level max = 0 − log2 r to
the header is maximum.
As r ↑, max ↓. Hence,
Depending on the application, fix a value of rmin and set
max = 0 − log2 rmin.
Let = { max , 0}.
141. Constrained Minimization
For a given r, the contribution of level max = 0 − log2 r to
the header is maximum.
As r ↑, max ↓. Hence,
Depending on the application, fix a value of rmin and set
max = 0 − log2 rmin.
Let = { max , 0}.
Result: Hn,r close to that of NNL-SD, but, with lower user
storage.
142. Constrained Minimization
For a given r, the contribution of level max = 0 − log2 r to
the header is maximum.
As r ↑, max ↓. Hence,
Depending on the application, fix a value of rmin and set
max = 0 − log2 rmin.
Let = { max , 0}.
max = 0 − log2 r
Result: Hn,r close to that of NNL-SD, but, with lower user
storage.
143. Constrained Minimization
For a given r, the contribution of level max = 0 − log2 r to
the header is maximum.
As r ↑, max ↓. Hence,
Depending on the application, fix a value of rmin and set
max = 0 − log2 rmin.
Let = { max , 0}.
max = 0 − log2 r
Result: Hn,r close to that of NNL-SD, but, with lower user
storage.
144. A CML Example
n = 228 and rmin = 210.
Scheme Layering |Iu| Hn,r (normalized with NNL-SD)
NNL-SD: (28,0) 406 (1.00, 1.00, 1.00, 1.00, 1.00, 1.00, 1.00, 1.00, 1.00, 1.00)
eHS: (28,22,16,10,5,0) 146 (1.69, 1.63, 1.64, 1.67, 1.69, 1.72, 1.73, 1.74, 1.75, 1.75)
CML: (23, 18,0) 219 (1.14, 1.08, 1.04, 1.03, 1.01, 1.01, 1.00, 1.00, 1.00, 1.00)
Header lengths for 10 equispaced values of r from 210 to 214
normalized by the header length of the NNL-SD scheme.
145. Outline
Preliminaries
Background
NNL-SD: Initiation
Define SNNL−SD
Key Assignment
Key Distribution
NNL-SD: Encryption
Halevy-Shamir Layered SD
Other Related Works
Our Contributions
Paper 1: Arbitrary n; Detailed Analysis
Paper 2: Layering; Minimizing Storage
Paper 3: k-ary Generalization
Paper 4: Assured Savings on Communication
Conclusion
146. k-ary tree SD
seedi
i
j1 j2
Li,{j} = G100(seedi )
j G010(seedi ) G001(seedi )
Li,{j1,j2} = G011(Li,{j})
Figure: Key of Si,{j1,j2} is G000(Li,{j1,j2}) = G000(G011(G100(seedi ))).
User storage
1 + (2k−1
− 1)
0
=1
= 1 +
0( 0 + 1)
2
(2k−1
− 1)
... reduced using additional tree structure
(constructed using cyclotomic cosets mod 2k − 1)
149. k-ary tree SD: Results
Why k-ary trees?
|S| ↑ =⇒ (Hn,r ↓, |Iu| ↑) always?
Hierarchy of Optimization
150. k-ary tree SD: Results
Why k-ary trees?
|S| ↑ =⇒ (Hn,r ↓, |Iu| ↑) always?
Hierarchy of Optimization
Header length analysis
hmax = min (2r − 1, n/k , n − r)
Algorithm to compute Hn,r (for n = k 0 )
O(r log n) space; O(1) time
Reducing user storage
Using cyclotomic cosets modulo 2k
− 1
An additional tree structure T(k)
151. k-ary tree SD: Results
Why k-ary trees?
|S| ↑ =⇒ (Hn,r ↓, |Iu| ↑) always?
Hierarchy of Optimization
Header length analysis
hmax = min (2r − 1, n/k , n − r)
Algorithm to compute Hn,r (for n = k 0 )
O(r log n) space; O(1) time
Reducing user storage
Using cyclotomic cosets modulo 2k
− 1
An additional tree structure T(k)
Complete Tree for arbitrary number of users
Layering
Storage Minimal Layering
Header length simulation study (for n = k 0 )
153. k-ary tree SD
k 3 4 5 6 7 8 16
δk 0.44 0.19 0.11 0.07 0.05 0.04 < 0.01
Table: Values of the threshold δk .
154. Outline
Preliminaries
Background
NNL-SD: Initiation
Define SNNL−SD
Key Assignment
Key Distribution
NNL-SD: Encryption
Halevy-Shamir Layered SD
Other Related Works
Our Contributions
Paper 1: Arbitrary n; Detailed Analysis
Paper 2: Layering; Minimizing Storage
Paper 3: k-ary Generalization
Paper 4: Assured Savings on Communication
Conclusion
156. a-ABTSD scheme
SNNL−SD ⊂ Sa−ABTSD
Augment trees of height a (with k = 2a
leaf nodes)
(Better?) Hierarchy of Optimization
157. a-ABTSD scheme
SNNL−SD ⊂ Sa−ABTSD
Augment trees of height a (with k = 2a
leaf nodes)
(Better?) Hierarchy of Optimization
Header length analysis
hmax = min (2r − 1, n/k , n − r)
Reducing user storage
Using cyclotomic cosets modulo 2k
− 1
An additional tree structure T(k)
Complete Tree for arbitrary number of users
Header length simulation study
168. Summary of Contributions
What if n = 2 0 ?
1, 2, 3, 4 Use dummy users or complete trees?
Analysis of SD-based schemes?
169. Summary of Contributions
What if n = 2 0 ?
1, 2, 3, 4 Use dummy users or complete trees?
Analysis of SD-based schemes?
1 N(n, r, h)
170. Summary of Contributions
What if n = 2 0 ?
1, 2, 3, 4 Use dummy users or complete trees?
Analysis of SD-based schemes?
1 N(n, r, h)
1 Generating function [PB06]
171. Summary of Contributions
What if n = 2 0 ?
1, 2, 3, 4 Use dummy users or complete trees?
Analysis of SD-based schemes?
1 N(n, r, h)
1 Generating function [PB06]
1, 2, 3, 4 Maximum and Mean Header Lengths (Hn,r )?
In [PB06]: too complicated!!! (approximations)
172. Summary of Contributions
What if n = 2 0 ?
1, 2, 3, 4 Use dummy users or complete trees?
Analysis of SD-based schemes?
1 N(n, r, h)
1 Generating function [PB06]
1, 2, 3, 4 Maximum and Mean Header Lengths (Hn,r )?
In [PB06]: too complicated!!! (approximations)
1 Upper bound on Hn,r ?
173. Summary of Contributions
What if n = 2 0 ?
1, 2, 3, 4 Use dummy users or complete trees?
Analysis of SD-based schemes?
1 N(n, r, h)
1 Generating function [PB06]
1, 2, 3, 4 Maximum and Mean Header Lengths (Hn,r )?
In [PB06]: too complicated!!! (approximations)
1 Upper bound on Hn,r ?
1.38r (sketchy proof [NNL01])
1.25r (empirical [NNL01]) - theoretical analysis?
174. Summary of Contributions
What if n = 2 0 ?
1, 2, 3, 4 Use dummy users or complete trees?
Analysis of SD-based schemes?
1 N(n, r, h)
1 Generating function [PB06]
1, 2, 3, 4 Maximum and Mean Header Lengths (Hn,r )?
In [PB06]: too complicated!!! (approximations)
1 Upper bound on Hn,r ?
1.38r (sketchy proof [NNL01])
1.25r (empirical [NNL01]) - theoretical analysis?
Choice of S: |S| ↑ or |S| ↓?
175. Summary of Contributions
What if n = 2 0 ?
1, 2, 3, 4 Use dummy users or complete trees?
Analysis of SD-based schemes?
1 N(n, r, h)
1 Generating function [PB06]
1, 2, 3, 4 Maximum and Mean Header Lengths (Hn,r )?
In [PB06]: too complicated!!! (approximations)
1 Upper bound on Hn,r ?
1.38r (sketchy proof [NNL01])
1.25r (empirical [NNL01]) - theoretical analysis?
Choice of S: |S| ↑ or |S| ↓?
2 Storage minimal layering
176. Summary of Contributions
What if n = 2 0 ?
1, 2, 3, 4 Use dummy users or complete trees?
Analysis of SD-based schemes?
1 N(n, r, h)
1 Generating function [PB06]
1, 2, 3, 4 Maximum and Mean Header Lengths (Hn,r )?
In [PB06]: too complicated!!! (approximations)
1 Upper bound on Hn,r ?
1.38r (sketchy proof [NNL01])
1.25r (empirical [NNL01]) - theoretical analysis?
Choice of S: |S| ↑ or |S| ↓?
2 Storage minimal layering
2 Constrained minimization layering
177. Summary of Contributions
What if n = 2 0 ?
1, 2, 3, 4 Use dummy users or complete trees?
Analysis of SD-based schemes?
1 N(n, r, h)
1 Generating function [PB06]
1, 2, 3, 4 Maximum and Mean Header Lengths (Hn,r )?
In [PB06]: too complicated!!! (approximations)
1 Upper bound on Hn,r ?
1.38r (sketchy proof [NNL01])
1.25r (empirical [NNL01]) - theoretical analysis?
Choice of S: |S| ↑ or |S| ↓?
2 Storage minimal layering
2 Constrained minimization layering
3 k-ary tree SD scheme
178. Summary of Contributions
What if n = 2 0 ?
1, 2, 3, 4 Use dummy users or complete trees?
Analysis of SD-based schemes?
1 N(n, r, h)
1 Generating function [PB06]
1, 2, 3, 4 Maximum and Mean Header Lengths (Hn,r )?
In [PB06]: too complicated!!! (approximations)
1 Upper bound on Hn,r ?
1.38r (sketchy proof [NNL01])
1.25r (empirical [NNL01]) - theoretical analysis?
Choice of S: |S| ↑ or |S| ↓?
2 Storage minimal layering
2 Constrained minimization layering
3 k-ary tree SD scheme
4 (a, b, c)-ABTSD scheme
183. |S|
Intuition:
Choice of S: |S| ↑ or |S| ↓
Singleton Set scheme
Power Set scheme
NNL-SD scheme
HS-LSD scheme
184. |S|
Intuition:
Choice of S: |S| ↑ or |S| ↓
Singleton Set scheme
Power Set scheme
NNL-SD scheme
HS-LSD scheme
185. |S|
Intuition:
Choice of S: |S| ↑ or |S| ↓
Singleton Set scheme
Power Set scheme
NNL-SD scheme
HS-LSD scheme
186. |S|
Intuition:
Choice of S: |S| ↑ or |S| ↓
Singleton Set scheme
Power Set scheme
NNL-SD scheme
HS-LSD scheme
187. |S|
Intuition:
Choice of S: |S| ↑ or |S| ↓
Singleton Set scheme
Power Set scheme
NNL-SD scheme
HS-LSD scheme
188. |S|
Intuition:
Choice of S: |S| ↑ or |S| ↓
Singleton Set scheme
Power Set scheme
NNL-SD scheme
HS-LSD scheme
a-ABTSD schemes
(for different values of a)
189. |S|
Intuition:
Choice of S: |S| ↑ or |S| ↓
Singleton Set scheme
Power Set scheme
NNL-SD scheme
HS-LSD scheme
a-ABTSD schemes
(for different values of a)
k-SD schemes
(for different values of k)
190. |S|
Intuition:
Choice of S: |S| ↑ or |S| ↓
Singleton Set scheme
Power Set scheme
NNL-SD scheme
HS-LSD scheme
a-ABTSD schemes
(for different values of a)
k-SD schemes
(for different values of k)
191. Publications
Sanjay Bhattacherjee and Palash Sarkar.
Complete tree subset difference broadcast encryption scheme and its analysis.
Des. Codes Cryptography, 66(1-3):335–362, 2013.
Sanjay Bhattacherjee and Palash Sarkar.
Concrete analysis and trade-offs for the (complete tree) layered subset difference
broadcast encryption scheme.
IEEE Transactions on Computers, 63(7): 1709–1722, 2014.
Sanjay Bhattacherjee and Palash Sarkar.
Tree based symmetric key broadcast encryption.
J. Discrete Algorithms, 34: 78–107, 2015.
Sanjay Bhattacherjee and Palash Sarkar.
Reducing communication overhead of the subset difference scheme.
IEEE Transactions on Computers, to appear.
Sanjay Bhattacherjee and Palash Sarkar.
Implementations related to the above papers, https://drive.google.com/
folderview?id=0B7azs7qqqdS0UnB5aHp3WmJwcDQ&usp=sharing_eil.
Uploaded on 13th August, 2014.
196. Open Questions
Schemes:
More hierarchies of optimization?
Practical scheme with hmax < r
Stateless as well as forward secure?
...
Analysis:
Non-uniform distribution of revoked users?
...