symmetric key broadcast encryption: state-of-the-artpalash/talks/samsungirn.pdf · goal:gestation...

isilogo

Symmetric Key Broadcast Encryption:State-of-the-Art

Palash Sarkar(Based on joint work with Sanjay Bhattacherjee)

Indian Statistical [email protected]

India Research Network Meeting on Mobile Security2015

Samsung R&D Institute India, Bangalore

Palash Sarkar Symmetric Key BE 4th Dec, 2015 1 / 49

isilogo

Research in Cryptology: A Personal Perspective

Cryptographically useful Boolean functions.Design & analysis of block and stream ciphers and hash functions.Modes of operations for block and stream ciphers:

Low-level, in-place, disk encryption.Schemes for authentication and encryption.

Symmetric key broadcast encryption.Identity-based cryptography, digital signatures.Discrete log problem on finite fields and hyperelliptic curves.Secure and efficient implementations.Information security law and practical aspects of security.

http://www.isical.ac.in/~palash/or,

Google “Palash Sarkar”


http://www.isical.ac.in/~palash/

isilogo

A Fledgling “Start-Up”

Turing Laboratory:Structure: A project at the Applied Statistics Unit presently (i.e., upto March 2016) funded by the Indian Statistical Institute.People (current): One faculty member; two post-docs; three PhDstudents.

Number of PhD students likely to increase.Number of post-docs/visitors depend on funding.

Scope:Cryptology and related areas in a broad sense.Topics at the intersection of Math, Stat, CS and Engg.

Goal: Gestation of ideas.To advance the current state-of-the-art.To formulate and investigate questions of foundational nature.


isilogo

Symmetric Key Broadcast Encryption: Background


isilogo

Conventional Symmetric Key Encryption

Receiver

message M

DecryptEncrypt ciphertext

public channel

secret key K secret key Kadversary

Sender


isilogo

Symmetric Key Broadcast Encryption

Centre

Users

Users

Users

Broadcast


isilogo

Symmetric Key BE Functionality

The centre pre-distributes secret information to the users.A broadcast takes place in a session.For each session:

Some users are privileged and the rest are revoked.The actual message is encrypted once using a session key.The session key undergoes a number of separate encryptions; thisdetermines the header.

FKs(M) Ek1(Ks) · · · Ekh(Ks)

body header

Correctness: The privileged users are able to decrypt.Security: The coalition of all the revoked users get no informationabout the message.


isilogo

Parameters of Interest

Size of the header.User storage: size of the secret information required to be storedby the users.Time required by the centre to encrypt.Time required by a user to decrypt.Simplicity of implementation.

Hdr sz and enc time are proportional to # enc of the session key.

Requirement: Reduce header size, user storage and decryption time.Calls for trade-offs.


isilogo

Applications of BE

AACS standard: content protection in optical discs: Disney, Intel,Microsoft, Panasonic, Warner Bros., IBM, Toshiba and Sony.

Samsung is an AACS Authorised Certification Entity.

Pay-TV: BSkyB in UK and Ireland has more than 10 million users;Cable TV Networks (Regulation) Amendment Act, 2011 (India).File Sharing in Encrypted File Systems.Encrypted Email to Mailing Lists.Military Broadcasts: Global Broadcast Service (US), JointBroadcast System (Europe).. . .

Real-life parameters of interest: Pay-TV bandwidth cost, set-top boxbooting time, high-end military receiver storage, resource-constraineddevices.


isilogo

Subset Cover Schemes

Identify a collection S consisting of subsets of users.Eg. S = {{u1,u2}, {u12,u51,u73}, {u2,u11}, . . .}.Assign keys to each subset in S.To each user, assign secret information such that it is able togenerate secret keys for each subset in S to which it belongs; andno more.During a broadcast, form a partition {S1, . . . ,Sh} of the set ofprivileged users with Si ∈ S.The session key is encrypted using the keys for S1, . . . ,Sh.Each privileged user can decrypt; no coalition of revoked usersgains any information about the session key (or the message).


isilogo

Trivial Solutions

Singleton set scheme: S = N .Each user has an independent key; separate encryptions of themessage are made.Header size is the number of privileged users.User storage is one key per user.

Power set scheme: S = 2N .A key is assigned to each subset of users; a single encryption ofthe message is made to the key of the privileged set of users.Header size is just one encryption.Each user has to store 2n−1 keys.


isilogo

Pictorial Representation of |S|

IntuitionAs |S| increases, header size decreases and user storage increases.

Singleton Set scheme

Power Set scheme


isilogo

Schemes with Non-Trivial Trade-Offs


isilogo

Subset Difference Scheme

Naor-Naor-Lotspiech (2001): patented, AACS standard.Assumes an underlying full binary tree

1615 17 18 19 20 21 22

12 13 141110987

3 4 5 6

21

0

2

0

23 24 25 26 27 28 29 30

Level Numbers

1

4

3


isilogo

Subsets in the collection S

Si,j = Ti \ Tj : has all users that are in Ti but not in Tj

j

i

Collection S: has all subsets Si,j such that j( 6= i) is in the subtree Ti .


isilogo

NNL-SD Parameters

For n users out of which r are revoked:User storage needed: O(log2(n)).Header length in the worst case: 2r − 1.Decryption time in the worst case: O(log n).


isilogo

Layered Subset Difference Scheme

Halevy-Shamir (CRYPTO, 2002) Some levels are marked as “special”.

1615 17 18 19 20 21 22

12 13 141110987

3 4 5 6

21

0

4

2

0

Special Levels

23 24 25 26 27 28 29 30

Layer 1

Layer 2


isilogo

Layered SD Scheme

special level

T i

T k

T j

Figure : Subset Si,j splits into Si,k (green leaves) and Sk,j (grey leaves); i at anon-special level.

Subsets Si,j where i and j are not in the same layer are not requiredany more. This results in reduction of user storage.


isilogo

HS-LSD Parameters

For n users out of which r are revoked:User Storage needed: O(log3/2 n).Maximum header length: 4r − 2.Worst case decryption time: O(log n).


isilogo




Power Set scheme

NNL-SD scheme

HS-LSD scheme


isilogo

Some Subsequent Schemes

Goodrich, Sun and Tamassia (2004):User storage: O(log n).Header length: 2r − 1.Decryption time: O(n).

Cheon, Jho, Kim and Yoo (2008):A complicated scheme with a wide range of options.Header length can be reduced to below r , but, at the cost of greatlyincreasing the user storage.The decryption time is more than log n.

Wang, Yang and Lin (2014):Header length smaller than that of the NNL-SD scheme.Increased user storage.


isilogo

An Overview of Recent Research


isilogo

Some Questions

What is the expected header length of the NNL scheme?The NNL and the HS schemes are based on full binary trees;What happens if the number of users is not a power of two?Is the user storage achieved in the HS scheme the minimumpossible?Is the (expected) header length achieved in the NNL scheme theminimum possible?What happens if we use trees of arity higher than 2?


isilogo

Some Answers

Sanjay Bhattacherjee and Palash Sarkar.Complete tree subset difference broadcast encryption scheme and its analysis.Des. Codes Cryptography, 66(1-3):335–362, 2013.

Sanjay Bhattacherjee and Palash Sarkar.Concrete analysis and trade-offs for the (complete tree) layered subset differencebroadcast encryption scheme.IEEE Transactions on Computers, 63(7): 1709–1722, 2014.

Sanjay Bhattacherjee and Palash Sarkar.Tree based symmetric key broadcast encryption.Journal of Discrete Algorithms, 34, 78–107, 2015.

Sanjay Bhattacherjee and Palash Sarkar.Reducing communication overhead of the subset difference scheme.IEEE Transactions on Computers,http://doi.ieeecomputersociety.org/10.1109/TC.2015.2485231.


http://doi.ieeecomputersociety.org/10.1109/TC.2015.2485231

isilogo

The Players

Sanjay Bhattacherjee, [email protected],presently post-doc at ENS-Lyon, France.

PhD thesis available at:http://perso.ens-lyon.fr/sanjay.bhattacherjee/Implementations: https://drive.google.com/folderview?id=0B7azs7qqqdS0UnB5aHp3WmJwcDQ&usp=sharing_eil.Uploaded on 13th August, 2014.

Palash Sarkar.Indian Statistical Institute: provided the infrastructure and theenvironment for carrying out the research.


http://perso.ens-lyon.fr/sanjay.bhattacherjee/

https://drive.google.com/folderview?id=0B7azs7qqqdS0UnB5aHp3WmJwcDQ&usp=sharing_eil

https://drive.google.com/folderview?id=0B7azs7qqqdS0UnB5aHp3WmJwcDQ&usp=sharing_eil

isilogo

NNL-SD Scheme: Limitations and Beyond


isilogo

Complete Tree SD Scheme

Question: What happens when the number of users is not a power oftwo?

Possible answer: Add dummy users to get to the next power of two.Revoked: Disastrous effect on header length.Privileged: Better but, still a measureable deterioration of headerlength.

Solution: Use a complete binary tree.

“Completes” (and also subsumes) the NNL-SD scheme to workfor any number of users.Conceptually simple; working out the details is involved.


isilogo

CTSD: Maximum Header Length

Theorem: The maximum header length in the CTSD method for nusers is min(2r − 1,

⌊n2

⌋,n − r).

For the NNL-SD scheme, the bound of 2r − 1 was known.Complete picture:

if r ≤ n/4, the bound 2r − 1 is appropriate;if n/4 < r ≤ n/2, the bound n/2 is appropriate; andif r > n/2, the bound n − r is appropriate.

Using the CTSD method is never worse than individualtransmission to privileged users.


isilogo

CTSD: Expected Header Length

Random experiment: Select a random subset of r users out of n usersand revoke them.Random variable X i

n,r : takes the value 1 if Si,j is in the header for somej and 0 otherwise.

E [X in,r ] = Pr[X i

n,r = 1].Hn,r : expected header length for n users with r revoked users.

Hn,r =∑

E [X in,r ] =

∑Pr[X i

n,r = 1] where the sum is over all then − 1 internal nodes i in the tree.

Hn,r can be computed in O(r log n) time and O(1) space.


isilogo

NNL-SD: Expected Header Length

Theorem: For all n ≥ 1, r ≥ 1, the expected header length Hn,r ↑ Hr ,as n increases through powers of two, where

Hr = 3r − 2− 3×r−1∑i=1

((− 1

2

)i+

i∑k=1

(−1)k(

ik

)(2k − 3k )

(2k − 1)

).

r 2 3 4 5 6Hr/r 1.25 1.25 1.2455 1.2446 1.2448


isilogo

Minimising User Storage


isilogo

Halevy-Shamir LSD Scheme

1615 17 18 19 20 21 22

12 13 141110987

3 4 5 6

21

0

4

2

0

Special Levels

23 24 25 26 27 28 29 30

Layer 1

Layer 2

“The root is considered to be at a special level, and inaddition we consider every level of depth k ·

√log (n) for

k = 1 . . . log (n) as special (wlog, we assume that thesenumbers are integers).”

Works for 2`0 users with `0 = 4,9,16,25 (in the practical range).


isilogo

Generalisation: Notion of Layering Strategy

A choice of special levels is called a layering strategy.A layering strategy ` is denoted by the numbers of the speciallevels `0 > `1 > ... > è−1 > è = 0.The layering strategy has (e + 1) special levels.Let ` = (`0, . . . , è).In general, the layer lengths need not be (almost) equal.It is not necessary for the root node to be special.

Leads to smaller storage.


isilogo

Layering Strategy and User Storage

storage0(`) =e−1∑i=0

ì +12

e−1∑i=0

(ì − ì+1)(ì − ì+1 − 1).

Recursive description:

storage0(`0, `1, . . . , è)

= `0 +(`0 − `1)(`0 − `1 − 1)

2+ storage0(`1, . . . , è).

Layering strategy with root as a non-special layer:

storage1(`) = storage0(`)− `1.


isilogo

Storage Minimal Layering

Consider a tree of height `0:SML0(`0): a layering strategy which minimises the user storageamong all layering strategies;#SML0(`0): user storage required by SML0(`0);

Root node is not special:SML1(`0) and #SML1(`0) correspond to the case where the rootis not special.


isilogo

Computing SML

Dynamic Programming:

An O(`3) time and O(`2) space algorithm to compute #SML0(`0).The actual layering strategy SML0(`0) can also be recovered fromthe algorithm.Also possible to obtain #SML1(`0) and SML1(`0).


isilogo

Examples of SML

Suppose there are 228 users, i.e., `0 = 28:NNL-SD: layering: 28,0; storage: 406.eHS: layering: 28,22,16,10,5,0; storage: 146.SML0: layering: 28,21,15,10,6,3,1,0; storage: 140.SML1: layering: 22,16,11,7,4,2,0; storage: 119.


isilogo

Header Length

Maximum Header Length:At most min (4r − 2,

⌈n2

⌉,n − r).

At most min (4r − 3,⌈n

2

⌉,n − r) if the root level is special.

Expected Header Length:The splitting of subsets complicates the analysis.An O(r log2 n) time algorithm to compute the expected headerlength.A very useful tool to analyse various schemes.


isilogo

Constrained Minimisation

Question: Is it possible to obtain expected header length close to thatof NNL-SD, but, with lower user storage?

For each level, consider the expected number of subsets arisingfrom the nodes at that level.Suppose ` is a level which maximises this quantity.

Question: How to choose `?Answer: Extensive experimentation has shown that ` = `0 − log2 r is agood choice.


isilogo

Constrained Minimisation Layering

Fix a value of r and set ` = `0 − log2 r .Level ` is made special, so that subsets arising from level ` are notsplit.All levels below ` are made non-special.At most one level above ` (mid-way between ` and the root) ismade special; all other levels are made non-special.

`max = `0 − log2 r


isilogo

A CML Example

Number of users is n = 228 i.e., `0 = 28 and suppose rmin = 210.

NNL-SD: layering: 28,0; storage: 406.eHS: layering: 28,22,16,10,5,0; storage: 146;header lengths:(1.69,1.63,1.64,1.67,1.69,1.72,1.73,1.74,1.75,1.75).CML: layering: 23, 18,0; storage: 219;header lengths:(1.14,1.08,1.04,1.03,1.01,1.01,1.00,1.00,1.00,1.00).

Header lengths for 10 equispaced values of r from 210 to 214

normalised by the header length of the NNL-SD scheme.


isilogo




Power Set scheme

NNL-SD scheme

HS-LSD scheme

SML-SD scheme

CML-SD scheme


isilogo

Header Length Reduction.


isilogo

Approach-I: k -ary Tree

Use of a k -ary tree with k ≥ 2:Header length with k > 3 is usually lower than header length withk = 2, though this is not always true.The comparison of header lengths for k = 3 and k = 2 is veryinteresting.User storage grows.


isilogo

k -ary tree SD Performance


isilogo

Approach-II: Augmented Binary Tree SD Scheme

To each node of the binary tree, append an additional binary treehaving a levels.

Leads to a clear decrease in header length compared to theNNL-SD scheme.The user storage increases.Two other parameters are introduced to obtain O(n log n)schemes with header-length/user-storage trade-offs which varyfrom the NNL-SD scheme to the power set scheme.


isilogo

a-ABTSD Performance


isilogo




Power Set scheme

NNL-SD scheme

HS-LSD scheme

SML-SD scheme

CML-SD scheme

a-ABTSD schemes(for different values of a)

k -SD schemes(for different values of k )


isilogo

Thank you for your kind attention!


symmetric key broadcast encryption: state-of-the-artpalash/talks/samsungirn.pdf · goal:gestation...

Documents