symmetric key broadcast encryption: state-of-the-artpalash/talks/samsungirn.pdf · goal:gestation...
TRANSCRIPT
isilogo
Symmetric Key Broadcast Encryption:State-of-the-Art
Palash Sarkar(Based on joint work with Sanjay Bhattacherjee)
Indian Statistical [email protected]
India Research Network Meeting on Mobile Security2015
Samsung R&D Institute India, Bangalore
Palash Sarkar Symmetric Key BE 4th Dec, 2015 1 / 49
isilogo
Research in Cryptology: A Personal Perspective
Cryptographically useful Boolean functions.Design & analysis of block and stream ciphers and hash functions.Modes of operations for block and stream ciphers:
Low-level, in-place, disk encryption.Schemes for authentication and encryption.
Symmetric key broadcast encryption.Identity-based cryptography, digital signatures.Discrete log problem on finite fields and hyperelliptic curves.Secure and efficient implementations.Information security law and practical aspects of security.
http://www.isical.ac.in/~palash/or,
Google “Palash Sarkar”
Palash Sarkar Symmetric Key BE 4th Dec, 2015 2 / 49
isilogo
A Fledgling “Start-Up”
Turing Laboratory:Structure: A project at the Applied Statistics Unit presently (i.e., upto March 2016) funded by the Indian Statistical Institute.People (current): One faculty member; two post-docs; three PhDstudents.
Number of PhD students likely to increase.Number of post-docs/visitors depend on funding.
Scope:Cryptology and related areas in a broad sense.Topics at the intersection of Math, Stat, CS and Engg.
Goal: Gestation of ideas.To advance the current state-of-the-art.To formulate and investigate questions of foundational nature.
Palash Sarkar Symmetric Key BE 4th Dec, 2015 3 / 49
isilogo
Symmetric Key Broadcast Encryption: Background
Palash Sarkar Symmetric Key BE 4th Dec, 2015 4 / 49
isilogo
Conventional Symmetric Key Encryption
Receiver
message M
DecryptEncrypt ciphertext
public channel
secret key K secret key Kadversary
Sender
Palash Sarkar Symmetric Key BE 4th Dec, 2015 5 / 49
isilogo
Symmetric Key Broadcast Encryption
Centre
Users
Users
Users
Broadcast
Palash Sarkar Symmetric Key BE 4th Dec, 2015 6 / 49
isilogo
Symmetric Key BE Functionality
The centre pre-distributes secret information to the users.A broadcast takes place in a session.For each session:
Some users are privileged and the rest are revoked.The actual message is encrypted once using a session key.The session key undergoes a number of separate encryptions; thisdetermines the header.
FKs(M) Ek1(Ks) · · · Ekh(Ks)
body header
Correctness: The privileged users are able to decrypt.Security: The coalition of all the revoked users get no informationabout the message.
Palash Sarkar Symmetric Key BE 4th Dec, 2015 7 / 49
isilogo
Parameters of Interest
Size of the header.User storage: size of the secret information required to be storedby the users.Time required by the centre to encrypt.Time required by a user to decrypt.Simplicity of implementation.
Hdr sz and enc time are proportional to # enc of the session key.
Requirement: Reduce header size, user storage and decryption time.Calls for trade-offs.
Palash Sarkar Symmetric Key BE 4th Dec, 2015 8 / 49
isilogo
Applications of BE
AACS standard: content protection in optical discs: Disney, Intel,Microsoft, Panasonic, Warner Bros., IBM, Toshiba and Sony.
Samsung is an AACS Authorised Certification Entity.
Pay-TV: BSkyB in UK and Ireland has more than 10 million users;Cable TV Networks (Regulation) Amendment Act, 2011 (India).File Sharing in Encrypted File Systems.Encrypted Email to Mailing Lists.Military Broadcasts: Global Broadcast Service (US), JointBroadcast System (Europe).. . .
Real-life parameters of interest: Pay-TV bandwidth cost, set-top boxbooting time, high-end military receiver storage, resource-constraineddevices.
Palash Sarkar Symmetric Key BE 4th Dec, 2015 9 / 49
isilogo
Subset Cover Schemes
Identify a collection S consisting of subsets of users.Eg. S = {{u1,u2}, {u12,u51,u73}, {u2,u11}, . . .}.Assign keys to each subset in S.To each user, assign secret information such that it is able togenerate secret keys for each subset in S to which it belongs; andno more.During a broadcast, form a partition {S1, . . . ,Sh} of the set ofprivileged users with Si ∈ S.The session key is encrypted using the keys for S1, . . . ,Sh.Each privileged user can decrypt; no coalition of revoked usersgains any information about the session key (or the message).
Palash Sarkar Symmetric Key BE 4th Dec, 2015 10 / 49
isilogo
Trivial Solutions
Singleton set scheme: S = N .Each user has an independent key; separate encryptions of themessage are made.Header size is the number of privileged users.User storage is one key per user.
Power set scheme: S = 2N .A key is assigned to each subset of users; a single encryption ofthe message is made to the key of the privileged set of users.Header size is just one encryption.Each user has to store 2n−1 keys.
Palash Sarkar Symmetric Key BE 4th Dec, 2015 11 / 49
isilogo
Pictorial Representation of |S|
IntuitionAs |S| increases, header size decreases and user storage increases.
Singleton Set scheme
Power Set scheme
Palash Sarkar Symmetric Key BE 4th Dec, 2015 12 / 49
isilogo
Schemes with Non-Trivial Trade-Offs
Palash Sarkar Symmetric Key BE 4th Dec, 2015 13 / 49
isilogo
Subset Difference Scheme
Naor-Naor-Lotspiech (2001): patented, AACS standard.Assumes an underlying full binary tree
1615 17 18 19 20 21 22
12 13 141110987
3 4 5 6
21
0
2
0
23 24 25 26 27 28 29 30
Level Numbers
1
4
3
Palash Sarkar Symmetric Key BE 4th Dec, 2015 14 / 49
isilogo
Subsets in the collection S
Si,j = Ti \ Tj : has all users that are in Ti but not in Tj
j
i
Collection S: has all subsets Si,j such that j( 6= i) is in the subtree Ti .
Palash Sarkar Symmetric Key BE 4th Dec, 2015 15 / 49
isilogo
NNL-SD Parameters
For n users out of which r are revoked:User storage needed: O(log2(n)).Header length in the worst case: 2r − 1.Decryption time in the worst case: O(log n).
Palash Sarkar Symmetric Key BE 4th Dec, 2015 16 / 49
isilogo
Layered Subset Difference Scheme
Halevy-Shamir (CRYPTO, 2002) Some levels are marked as “special”.
1615 17 18 19 20 21 22
12 13 141110987
3 4 5 6
21
0
4
2
0
Special Levels
23 24 25 26 27 28 29 30
Layer 1
Layer 2
Palash Sarkar Symmetric Key BE 4th Dec, 2015 17 / 49
isilogo
Layered SD Scheme
special level
T i
T k
T j
Figure : Subset Si,j splits into Si,k (green leaves) and Sk,j (grey leaves); i at anon-special level.
Subsets Si,j where i and j are not in the same layer are not requiredany more. This results in reduction of user storage.
Palash Sarkar Symmetric Key BE 4th Dec, 2015 18 / 49
isilogo
HS-LSD Parameters
For n users out of which r are revoked:User Storage needed: O(log3/2 n).Maximum header length: 4r − 2.Worst case decryption time: O(log n).
Palash Sarkar Symmetric Key BE 4th Dec, 2015 19 / 49
isilogo
Pictorial Representation of |S|
IntuitionAs |S| increases, header size decreases and user storage increases.
Singleton Set scheme
Power Set scheme
NNL-SD scheme
HS-LSD scheme
Palash Sarkar Symmetric Key BE 4th Dec, 2015 20 / 49
isilogo
Pictorial Representation of |S|
IntuitionAs |S| increases, header size decreases and user storage increases.
Singleton Set scheme
Power Set scheme
NNL-SD scheme
HS-LSD scheme
Palash Sarkar Symmetric Key BE 4th Dec, 2015 20 / 49
isilogo
Pictorial Representation of |S|
IntuitionAs |S| increases, header size decreases and user storage increases.
Singleton Set scheme
Power Set scheme
NNL-SD scheme
HS-LSD scheme
Palash Sarkar Symmetric Key BE 4th Dec, 2015 20 / 49
isilogo
Some Subsequent Schemes
Goodrich, Sun and Tamassia (2004):User storage: O(log n).Header length: 2r − 1.Decryption time: O(n).
Cheon, Jho, Kim and Yoo (2008):A complicated scheme with a wide range of options.Header length can be reduced to below r , but, at the cost of greatlyincreasing the user storage.The decryption time is more than log n.
Wang, Yang and Lin (2014):Header length smaller than that of the NNL-SD scheme.Increased user storage.
Palash Sarkar Symmetric Key BE 4th Dec, 2015 21 / 49
isilogo
An Overview of Recent Research
Palash Sarkar Symmetric Key BE 4th Dec, 2015 22 / 49
isilogo
Some Questions
What is the expected header length of the NNL scheme?The NNL and the HS schemes are based on full binary trees;What happens if the number of users is not a power of two?Is the user storage achieved in the HS scheme the minimumpossible?Is the (expected) header length achieved in the NNL scheme theminimum possible?What happens if we use trees of arity higher than 2?
Palash Sarkar Symmetric Key BE 4th Dec, 2015 23 / 49
isilogo
Some Answers
Sanjay Bhattacherjee and Palash Sarkar.Complete tree subset difference broadcast encryption scheme and its analysis.Des. Codes Cryptography, 66(1-3):335–362, 2013.
Sanjay Bhattacherjee and Palash Sarkar.Concrete analysis and trade-offs for the (complete tree) layered subset differencebroadcast encryption scheme.IEEE Transactions on Computers, 63(7): 1709–1722, 2014.
Sanjay Bhattacherjee and Palash Sarkar.Tree based symmetric key broadcast encryption.Journal of Discrete Algorithms, 34, 78–107, 2015.
Sanjay Bhattacherjee and Palash Sarkar.Reducing communication overhead of the subset difference scheme.IEEE Transactions on Computers,http://doi.ieeecomputersociety.org/10.1109/TC.2015.2485231.
Palash Sarkar Symmetric Key BE 4th Dec, 2015 24 / 49
isilogo
The Players
Sanjay Bhattacherjee, [email protected],presently post-doc at ENS-Lyon, France.
PhD thesis available at:http://perso.ens-lyon.fr/sanjay.bhattacherjee/Implementations: https://drive.google.com/folderview?id=0B7azs7qqqdS0UnB5aHp3WmJwcDQ&usp=sharing_eil.Uploaded on 13th August, 2014.
Palash Sarkar.Indian Statistical Institute: provided the infrastructure and theenvironment for carrying out the research.
Palash Sarkar Symmetric Key BE 4th Dec, 2015 25 / 49
isilogo
NNL-SD Scheme: Limitations and Beyond
Palash Sarkar Symmetric Key BE 4th Dec, 2015 26 / 49
isilogo
Complete Tree SD Scheme
Question: What happens when the number of users is not a power oftwo?
Possible answer: Add dummy users to get to the next power of two.Revoked: Disastrous effect on header length.Privileged: Better but, still a measureable deterioration of headerlength.
Solution: Use a complete binary tree.
“Completes” (and also subsumes) the NNL-SD scheme to workfor any number of users.Conceptually simple; working out the details is involved.
Palash Sarkar Symmetric Key BE 4th Dec, 2015 27 / 49
isilogo
CTSD: Maximum Header Length
Theorem: The maximum header length in the CTSD method for nusers is min(2r − 1,
⌊n2
⌋,n − r).
For the NNL-SD scheme, the bound of 2r − 1 was known.Complete picture:
if r ≤ n/4, the bound 2r − 1 is appropriate;if n/4 < r ≤ n/2, the bound n/2 is appropriate; andif r > n/2, the bound n − r is appropriate.
Using the CTSD method is never worse than individualtransmission to privileged users.
Palash Sarkar Symmetric Key BE 4th Dec, 2015 28 / 49
isilogo
CTSD: Expected Header Length
Random experiment: Select a random subset of r users out of n usersand revoke them.Random variable X i
n,r : takes the value 1 if Si,j is in the header for somej and 0 otherwise.
E [X in,r ] = Pr[X i
n,r = 1].Hn,r : expected header length for n users with r revoked users.
Hn,r =∑
E [X in,r ] =
∑Pr[X i
n,r = 1] where the sum is over all then − 1 internal nodes i in the tree.
Hn,r can be computed in O(r log n) time and O(1) space.
Palash Sarkar Symmetric Key BE 4th Dec, 2015 29 / 49
isilogo
NNL-SD: Expected Header Length
Theorem: For all n ≥ 1, r ≥ 1, the expected header length Hn,r ↑ Hr ,as n increases through powers of two, where
Hr = 3r − 2− 3×r−1∑i=1
((− 1
2
)i+
i∑k=1
(−1)k(
ik
)(2k − 3k )
(2k − 1)
).
r 2 3 4 5 6Hr/r 1.25 1.25 1.2455 1.2446 1.2448
Palash Sarkar Symmetric Key BE 4th Dec, 2015 30 / 49
isilogo
Minimising User Storage
Palash Sarkar Symmetric Key BE 4th Dec, 2015 31 / 49
isilogo
Halevy-Shamir LSD Scheme
1615 17 18 19 20 21 22
12 13 141110987
3 4 5 6
21
0
4
2
0
Special Levels
23 24 25 26 27 28 29 30
Layer 1
Layer 2
“The root is considered to be at a special level, and inaddition we consider every level of depth k ·
√log (n) for
k = 1 . . . log (n) as special (wlog, we assume that thesenumbers are integers).”
Works for 2`0 users with `0 = 4,9,16,25 (in the practical range).
Palash Sarkar Symmetric Key BE 4th Dec, 2015 32 / 49
isilogo
Generalisation: Notion of Layering Strategy
A choice of special levels is called a layering strategy.A layering strategy ` is denoted by the numbers of the speciallevels `0 > `1 > ... > `e−1 > `e = 0.The layering strategy has (e + 1) special levels.Let ` = (`0, . . . , `e).In general, the layer lengths need not be (almost) equal.It is not necessary for the root node to be special.
Leads to smaller storage.
Palash Sarkar Symmetric Key BE 4th Dec, 2015 33 / 49
isilogo
Layering Strategy and User Storage
storage0(`) =e−1∑i=0
`i +12
e−1∑i=0
(`i − `i+1)(`i − `i+1 − 1).
Recursive description:
storage0(`0, `1, . . . , `e)
= `0 +(`0 − `1)(`0 − `1 − 1)
2+ storage0(`1, . . . , `e).
Layering strategy with root as a non-special layer:
storage1(`) = storage0(`)− `1.
Palash Sarkar Symmetric Key BE 4th Dec, 2015 34 / 49
isilogo
Storage Minimal Layering
Consider a tree of height `0:SML0(`0): a layering strategy which minimises the user storageamong all layering strategies;#SML0(`0): user storage required by SML0(`0);
Root node is not special:SML1(`0) and #SML1(`0) correspond to the case where the rootis not special.
Palash Sarkar Symmetric Key BE 4th Dec, 2015 35 / 49
isilogo
Computing SML
Dynamic Programming:
An O(`3) time and O(`2) space algorithm to compute #SML0(`0).The actual layering strategy SML0(`0) can also be recovered fromthe algorithm.Also possible to obtain #SML1(`0) and SML1(`0).
Palash Sarkar Symmetric Key BE 4th Dec, 2015 36 / 49
isilogo
Examples of SML
Suppose there are 228 users, i.e., `0 = 28:NNL-SD: layering: 28,0; storage: 406.eHS: layering: 28,22,16,10,5,0; storage: 146.SML0: layering: 28,21,15,10,6,3,1,0; storage: 140.SML1: layering: 22,16,11,7,4,2,0; storage: 119.
Palash Sarkar Symmetric Key BE 4th Dec, 2015 37 / 49
isilogo
Header Length
Maximum Header Length:At most min (4r − 2,
⌈n2
⌉,n − r).
At most min (4r − 3,⌈n
2
⌉,n − r) if the root level is special.
Expected Header Length:The splitting of subsets complicates the analysis.An O(r log2 n) time algorithm to compute the expected headerlength.A very useful tool to analyse various schemes.
Palash Sarkar Symmetric Key BE 4th Dec, 2015 38 / 49
isilogo
Constrained Minimisation
Question: Is it possible to obtain expected header length close to thatof NNL-SD, but, with lower user storage?
For each level, consider the expected number of subsets arisingfrom the nodes at that level.Suppose ` is a level which maximises this quantity.
Question: How to choose `?Answer: Extensive experimentation has shown that ` = `0 − log2 r is agood choice.
Palash Sarkar Symmetric Key BE 4th Dec, 2015 39 / 49
isilogo
Constrained Minimisation Layering
Fix a value of r and set ` = `0 − log2 r .Level ` is made special, so that subsets arising from level ` are notsplit.All levels below ` are made non-special.At most one level above ` (mid-way between ` and the root) ismade special; all other levels are made non-special.
`max = `0 − log2 r
Palash Sarkar Symmetric Key BE 4th Dec, 2015 40 / 49
isilogo
A CML Example
Number of users is n = 228 i.e., `0 = 28 and suppose rmin = 210.
NNL-SD: layering: 28,0; storage: 406.eHS: layering: 28,22,16,10,5,0; storage: 146;header lengths:(1.69,1.63,1.64,1.67,1.69,1.72,1.73,1.74,1.75,1.75).CML: layering: 23, 18,0; storage: 219;header lengths:(1.14,1.08,1.04,1.03,1.01,1.01,1.00,1.00,1.00,1.00).
Header lengths for 10 equispaced values of r from 210 to 214
normalised by the header length of the NNL-SD scheme.
Palash Sarkar Symmetric Key BE 4th Dec, 2015 41 / 49
isilogo
Pictorial Representation of |S|
IntuitionAs |S| increases, header size decreases and user storage increases.
Singleton Set scheme
Power Set scheme
NNL-SD scheme
HS-LSD scheme
SML-SD scheme
CML-SD scheme
Palash Sarkar Symmetric Key BE 4th Dec, 2015 42 / 49
isilogo
Pictorial Representation of |S|
IntuitionAs |S| increases, header size decreases and user storage increases.
Singleton Set scheme
Power Set scheme
NNL-SD scheme
HS-LSD scheme
SML-SD scheme
CML-SD scheme
Palash Sarkar Symmetric Key BE 4th Dec, 2015 42 / 49
isilogo
Pictorial Representation of |S|
IntuitionAs |S| increases, header size decreases and user storage increases.
Singleton Set scheme
Power Set scheme
NNL-SD scheme
HS-LSD scheme
SML-SD scheme
CML-SD scheme
Palash Sarkar Symmetric Key BE 4th Dec, 2015 42 / 49
isilogo
Pictorial Representation of |S|
IntuitionAs |S| increases, header size decreases and user storage increases.
Singleton Set scheme
Power Set scheme
NNL-SD scheme
HS-LSD scheme
SML-SD scheme
CML-SD scheme
Palash Sarkar Symmetric Key BE 4th Dec, 2015 42 / 49
isilogo
Header Length Reduction.
Palash Sarkar Symmetric Key BE 4th Dec, 2015 43 / 49
isilogo
Approach-I: k -ary Tree
Use of a k -ary tree with k ≥ 2:Header length with k > 3 is usually lower than header length withk = 2, though this is not always true.The comparison of header lengths for k = 3 and k = 2 is veryinteresting.User storage grows.
Palash Sarkar Symmetric Key BE 4th Dec, 2015 44 / 49
isilogo
k -ary tree SD Performance
Palash Sarkar Symmetric Key BE 4th Dec, 2015 45 / 49
isilogo
Approach-II: Augmented Binary Tree SD Scheme
To each node of the binary tree, append an additional binary treehaving a levels.
Leads to a clear decrease in header length compared to theNNL-SD scheme.The user storage increases.Two other parameters are introduced to obtain O(n log n)schemes with header-length/user-storage trade-offs which varyfrom the NNL-SD scheme to the power set scheme.
Palash Sarkar Symmetric Key BE 4th Dec, 2015 46 / 49
isilogo
a-ABTSD Performance
Palash Sarkar Symmetric Key BE 4th Dec, 2015 47 / 49
isilogo
Pictorial Representation of |S|
IntuitionAs |S| increases, header size decreases and user storage increases.
Singleton Set scheme
Power Set scheme
NNL-SD scheme
HS-LSD scheme
SML-SD scheme
CML-SD scheme
a-ABTSD schemes(for different values of a)
k -SD schemes(for different values of k )
Palash Sarkar Symmetric Key BE 4th Dec, 2015 48 / 49
isilogo
Pictorial Representation of |S|
IntuitionAs |S| increases, header size decreases and user storage increases.
Singleton Set scheme
Power Set scheme
NNL-SD scheme
HS-LSD scheme
SML-SD scheme
CML-SD scheme
a-ABTSD schemes(for different values of a)
k -SD schemes(for different values of k )
Palash Sarkar Symmetric Key BE 4th Dec, 2015 48 / 49
isilogo
Pictorial Representation of |S|
IntuitionAs |S| increases, header size decreases and user storage increases.
Singleton Set scheme
Power Set scheme
NNL-SD scheme
HS-LSD scheme
SML-SD scheme
CML-SD scheme
a-ABTSD schemes(for different values of a)
k -SD schemes(for different values of k )
Palash Sarkar Symmetric Key BE 4th Dec, 2015 48 / 49
isilogo
Pictorial Representation of |S|
IntuitionAs |S| increases, header size decreases and user storage increases.
Singleton Set scheme
Power Set scheme
NNL-SD scheme
HS-LSD scheme
SML-SD scheme
CML-SD scheme
a-ABTSD schemes(for different values of a)
k -SD schemes(for different values of k )
Palash Sarkar Symmetric Key BE 4th Dec, 2015 48 / 49
isilogo
Pictorial Representation of |S|
IntuitionAs |S| increases, header size decreases and user storage increases.
Singleton Set scheme
Power Set scheme
NNL-SD scheme
HS-LSD scheme
SML-SD scheme
CML-SD scheme
a-ABTSD schemes(for different values of a)
k -SD schemes(for different values of k )
Palash Sarkar Symmetric Key BE 4th Dec, 2015 48 / 49
isilogo
Pictorial Representation of |S|
IntuitionAs |S| increases, header size decreases and user storage increases.
Singleton Set scheme
Power Set scheme
NNL-SD scheme
HS-LSD scheme
SML-SD scheme
CML-SD scheme
a-ABTSD schemes(for different values of a)
k -SD schemes(for different values of k )
Palash Sarkar Symmetric Key BE 4th Dec, 2015 48 / 49
isilogo
Pictorial Representation of |S|
IntuitionAs |S| increases, header size decreases and user storage increases.
Singleton Set scheme
Power Set scheme
NNL-SD scheme
HS-LSD scheme
SML-SD scheme
CML-SD scheme
a-ABTSD schemes(for different values of a)
k -SD schemes(for different values of k )
Palash Sarkar Symmetric Key BE 4th Dec, 2015 48 / 49
isilogo
Thank you for your kind attention!
Palash Sarkar Symmetric Key BE 4th Dec, 2015 49 / 49