“Tree-Based Symmetric Key Broadcast Encryption” (Thesis Defense)

Sanjay Bhattacherjee ISI, Kolkata; ENS-Lyon

Supervisor: Prof. Palash Sarkar ISI, Kolkata

Date: 8th October, 2015

Outline

- Preliminaries
- Background
- Our Contributions
- Conclusion

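Symmetric Key Encryption

Figure: Alice sends $M$ = “Nandan, 6:30pm” to Bob over an insecure communication channel observed by Oscar. Alice and Bob both hold the key $K$.

- Enc (Alice): $C \leftarrow E(M, K)$, giving $C$ = “KNQXGAQWJGJFOI”
- Dec (Bob): $M \leftarrow E^{-1}(C, K)$, giving $M$ = “Nandan, 6:30pm”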

One Alice → Many Bobs?

Figure: Alice broadcasts to $n$ users (Bobs and Oscars); some are privileged, the others are revoked.

Pay-TV center → Subscribers

Figure: a broadcasting center (Tata Sky, Dish TV, etc.) transmits to $n$ users, made up of privileged users and revoked users.

DRM in Blu-ray/DVD discs

Figure: a (copyrighted) content production house distributes to $n$ users, some with a legitimate player and some with a pirated player.

Basic Schemes

$N$: set of all users $u_1, \ldots, u_n$; $n = |N|$
$R$: set of revoked users; $r = |R|$
$S = \{S_i : S_i \subseteq N\}$

Singleton Set Scheme: $S = \{\{u_1\}, \ldots, \{u_n\}\}$
- Each user is assigned a unique key: $O(1)$
- $M$ has to be encrypted for each user in $N \setminus R$: $O(n - r)$

Power Set Scheme: $S = \{\{u_1\}, \ldots, \{u_1, u_2\}, \ldots, \{u_1, \ldots, u_{n-1}\}, \ldots, N\}$
- Each subset of users is assigned a unique key: $O(2^n)$
- $M$ is encrypted only once for the set $N \setminus R \in S$: $O(1)$

Subset Cover Framework [NNL01]

1. Initiation
- Choose the collection $S = \{S_1, \ldots, S_w\}$; $S_i \subseteq N$.
- Assign key $L_i$ to each $S_i \in S$.
  - Only $u \in S_i$ gets $L_i$.

2. Encryption
Figure: the broadcast message (sent in sessions) is made up of message blocks $M$.

Subset Cover Framework [NNL01]

2. Encryption $(M, R)$
For each session (with privileged users $N \setminus R$):
- Find the subset cover $S_c = \{S_{i_1}, \ldots, S_{i_h}\} \subset S$ such that $N \setminus R = S_{i_1} \cup \cdots \cup S_{i_h}$.
- Encrypt:
  - $M$ with random $K_s$;
  - $K_s$ with $L_{i_j}$ of each $S_{i_j} \in S_c$.

Broadcast: header $E_{L_{i_1}}(K_s), \ldots, E_{L_{i_h}}(K_s)$ and body $F_{K_s}(M)$.

Subset Cover Framework [NNL01]

3. Decryption
For $u \in S_{i_j}$ where $S_{i_j} \in S_c$:
- Find $E_{L_{i_j}}(K_s)$ in the header $E_{L_{i_1}}(K_s), \ldots, E_{L_{i_h}}(K_s)$.
- $K_s \leftarrow E^{-1}_{L_{i_j}}(E_{L_{i_j}}(K_s))$
- $M \leftarrow F^{-1}_{K_s}(F_{K_s}(M))$

Parameters of Interest

- $|S_c| = h$: header length (costliest parameter). Example: Pay-TV bandwidth cost
- $|I_u|$: user storage (may be costly). Example: High-end military receivers
- Encryption time
- Decryption time. Example: TV set-top box booting time

Applications of BE

- Pay-TV, CableLabs standard.
- AACS: Disney, Intel, Microsoft, Panasonic, Warner Bros., IBM, Toshiba and Sony. (Figure labels: Blu-ray Disc Manufacturer, Player Manufacturer.)
- Military Broadcasts
  - Global Broadcast Service (US)
  - Joint Broadcast System (Europe)
- File Sharing in Encrypted File Systems.
- Mailing list encryption: [BGW05] OpenPGP functions as a BE system
- Online content sharing and distribution [BBW06]
- eCommerce: trade secret broadcasts
- ...

Why NOT use Public-Key BE?

Efficiency!!! (decryption time, hence cost)

The collection S

$S = \{S_1, \ldots, S_w\}$; $S_i \subseteq N$
- determines the header length $h$ (through the cover generation algorithm): subset cover $S_c = \{S_{i_1}, \ldots, S_{i_h}\} \subset S$ such that $N \setminus R = S_{i_1} \cup \cdots \cup S_{i_h}$
- determines the user storage $|I_u|$ (through the key assignment and distribution algorithm)
- determines the encryption and decryption time (through the key assignment and distribution algorithm)

Two types of S

- Subset Difference: {1}, {3}, {6, 7, 8}
- Punctured Interval: {1, 3, 6}, {7, 8}

References:

[NNL01] Dalit Naor, Moni Naor, and Jeffery Lotspiech. Revocation and tracing schemes for stateless receivers. In Joe Kilian, editor, CRYPTO, volume 2139 of Lecture Notes in Computer Science, pages 41–62. Springer, 2001.

Nam-Su Jho, Jung Yeon Hwang, Jung Hee Cheon, Myung-Hwan Kim, Dong Hoon Lee, and Eun Sun Yoo. One-Way Chain Based Broadcast Encryption Schemes. In Ronald Cramer, editor, EUROCRYPT, volume 3494 of Lecture Notes in Computer Science, pages 559–574. Springer, 2005.

Outline

- Preliminaries
- Background
  - NNL-SD: Initiation
    - Define $S_{\text{NNL-SD}}$
    - Key Assignment
    - Key Distribution
  - NNL-SD: Encryption
  - Halevy-Shamir Layered SD
  - Other Related Works
- Our Contributions
  - Paper 1: Arbitrary n; Detailed Analysis
  - Paper 2: Layering; Minimizing Storage
  - Paper 3: k-ary Generalization
  - Paper 4: Assured Savings on Communication
- Conclusion

Subset Difference (SD) Scheme [NNL01]

Naor-Naor-Lotspiech (2001)
- Patented
- Used in the AACS standard

Figure: complete binary tree with nodes numbered 0 to 30. Assumed $n = 2^{\ell_0}$.

Collection $S_{\text{NNL-SD}}$ has:
- For all internal nodes $i$
- For all corresponding nodes $j$ ($\neq i$) in the subtree $T_i$

$S_{i,j} = T_i \setminus T_j$: all users that are in $T_i$ but not in $T_j$.

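Key Assignment

Key for $S_{i,j}$:
- Assign random $\mathrm{seed}_i$ to each internal node $i$
- Pseudo-random generator (PRG): $G : \{0,1\}^k \to \{0,1\}^{3k}$, $G(\mathrm{seed}) = G_L(\mathrm{seed}) \,\|\, G_M(\mathrm{seed}) \,\|\, G_R(\mathrm{seed})$

Figure: seeds derived down the subtree of $i$ from $\mathrm{seed}_i$: $G_L(\mathrm{seed}_i)$, $G_R(\mathrm{seed}_i)$, $G_L(G_L(\mathrm{seed}_i))$, $G_R(G_L(\mathrm{seed}_i))$; for the node $j$ shown, $\mathrm{seed}_{i,j} = G_R(G_L(G_L(\mathrm{seed}_i)))$.

Key of $S_{i,j}$: $L_{i,j} = G_M(\mathrm{seed}_{i,j})$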

User Storage

User $u$ stores: for every ancestor $i$ (at level $\ell$), the derived seeds of nodes “falling-off” from the path between $i$ and $u$, derived from $\mathrm{seed}_i$.

Figure: Secrets stored by $u$. For the ancestor $i$ shown: $G_R(\mathrm{seed}_i)$, $G_R(G_L(\mathrm{seed}_i))$, $G_R(G_L(G_L(\mathrm{seed}_i)))$, $G_R(G_L(G_L(G_L(\mathrm{seed}_i))))$.

$1 + 2 + \cdots + \ell_0 = \frac{\ell_0(\ell_0 + 1)}{2}$
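
The key assignment and user storage rules above, as an added example (not code from the thesis or from [NNL01]): the center derives $L_{i,j}$ from $\mathrm{seed}_i$, a user receives only the seeds that fall off its path, and a user inside $T_j$ has nothing from which to derive $L_{i,j}$. Assumptions: HMAC-SHA256 stands in for $G_L$, $G_M$, $G_R$; nodes use the heap numbering of the 31-node tree figure (root 0, children $2i+1$ and $2i+2$); the seeds and all function names are constructed for illustration.

```python
import hashlib
import hmac

L0 = 4                       # tree height: n = 2**L0 = 16 users
FIRST_LEAF = 2 ** L0 - 1     # heap numbering: root 0, children 2i+1 / 2i+2, leaves 15..30


def G(seed: bytes, part: str) -> bytes:
    """G_L, G_M or G_R. Assumption: HMAC-SHA256 keyed by the seed stands in for the PRG."""
    return hmac.new(seed, part.encode(), hashlib.sha256).digest()


def parent(v: int) -> int:
    return (v - 1) // 2


def steps_down(i: int, j: int) -> str:
    """'L'/'R' moves leading from ancestor i down to descendant j (left children are odd)."""
    moves = []
    while j != i:
        if j == 0:
            raise ValueError("j is not in the subtree of i")
        moves.append("L" if j % 2 else "R")
        j = parent(j)
    return "".join(reversed(moves))


def derive(seed: bytes, moves: str) -> bytes:
    """Apply G_L / G_R once per move."""
    for m in moves:
        seed = G(seed, m)
    return seed


def make_seeds() -> dict:
    """Constructed (non-random) seeds for internal nodes 0..14 so the example is repeatable."""
    return {i: hashlib.sha256(b"constructed seed %d" % i).digest() for i in range(FIRST_LEAF)}


def center_key(seeds: dict, i: int, j: int) -> bytes:
    """Broadcaster: L_{i,j} = G_M(seed_{i,j}), with seed_{i,j} derived from seed_i along i -> j."""
    return G(derive(seeds[i], steps_down(i, j)), "M")


def user_secrets(seeds: dict, u: int) -> dict:
    """Seeds handed to leaf u: for each ancestor i, seed_{i,s} for every node s that
    falls off the path from i to u (s is the sibling of a path node below i)."""
    path = [u]
    while path[-1] != 0:
        path.append(parent(path[-1]))          # u, parent(u), ..., root
    secrets = {}
    for depth, i in enumerate(path[1:], start=1):
        for on_path in path[:depth]:
            s = on_path + 1 if on_path % 2 else on_path - 1
            secrets[(i, s)] = derive(seeds[i], steps_down(i, s))
    return secrets


def user_key(secrets: dict, i: int, j: int):
    """Receiver: recompute L_{i,j} from a stored seed; None when u is outside S_{i,j}."""
    v = j
    while v != i and v > 0:
        if (i, v) in secrets:
            return G(derive(secrets[(i, v)], steps_down(v, j)), "M")
        v = parent(v)
    return None


if __name__ == "__main__":
    seeds = make_seeds()
    store = user_secrets(seeds, 19)
    print(len(store), "seeds stored; l0(l0+1)/2 =", L0 * (L0 + 1) // 2)
    print("u=19 derives L_{1,8}:", user_key(store, 1, 8) == center_key(seeds, 1, 8))
    print("u=17 (inside T_8) derives L_{1,8}:", user_key(user_secrets(seeds, 17), 1, 8) is not None)
```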

Subset Cover Finding Algorithm

Given $R$, find $S_c = \{S_{i_1,j_1}, \ldots, S_{i_h,j_h}\}$ such that $S_{i_1,j_1} \cup \ldots \cup S_{i_h,j_h} = N \setminus R$.

Figure: the cover is built up step by step on the tree, with subtrees marked “Covered” as subsets are added; nodes $i_1, \ldots, i_5$ and $j_1, j_2, j_3$ are marked, giving $S_c = \{S_{i_1,j_1}, S_{i_2,j_2}, S_{i_4,j_3}, \ldots\}$.

NNL-SD Parameters

For $n$ users out of which $r$ are revoked:
- User storage: $O(\log^2 n)$.
- Maximum header length: $2r - 1$.
- Maximum decryption time: $O(\log n)$.

Layered Subset Difference Scheme [HS02]

Halevy-Shamir (CRYPTO, 2002): “special levels”

Figure: the binary tree with nodes numbered 0 to 30, with special levels 4, 2 and 0 marked and the tree divided into Layer 1 and Layer 2.

Using layering (with special levels), $S_{\text{HS-LSD}} \subset S_{\text{NNL-SD}}$.

Layered SD subsets

Which $S_{i,j} \in S_{\text{HS-LSD}}$?
- If $i$ is at a special level: for all $j$ in $T_i$, $S_{i,j} \in S_{\text{HS-LSD}}$
- If $i$ is not at a special level: for all $j$ in $T_i$ that are in the same layer as $i$, $S_{i,j} \in S_{\text{HS-LSD}}$

Figure: subtrees $T_i$ and $T_j$, with a special level marked.

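Layered SD subsets

$S_{i,j} \in S_{\text{NNL-SD}} \setminus S_{\text{HS-LSD}}$ if
- $i$ is not at a special level
- and $i$ and $j$ are not in the same layer

How to cover these subsets? SPLIT!!!

Figure: subtrees $T_i$, $T_k$ and $T_j$, with a special level marked.

Subsets in $S_{\text{SD}} \setminus S_{\text{LSD}}$ are split into: $S_{i,j} = S_{i,k} \cup S_{k,j}$.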

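Layered SD Scheme

- Key for $S_{i,k}$ is $L_{i,k} = G_M(G_L(\mathrm{seed}_i))$
- Key for $S_{k,j}$ is $L_{k,j} = G_M(G_R(G_L(\mathrm{seed}_k)))$

Figure: node $k$ at the special level. From $\mathrm{seed}_i$: $\mathrm{seed}_{i,k} = G_L(\mathrm{seed}_i)$ and $L_{i,k} = G_M(\mathrm{seed}_{i,k})$. From $\mathrm{seed}_k$: $\mathrm{seed}_{k,j} = G_R(G_L(\mathrm{seed}_k))$ and $L_{k,j} = G_M(\mathrm{seed}_{k,j})$.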

LSD Parameters

NNL-SD scheme:
- User storage needed: $O(\log^2 n)$.
- Maximum header length: $2r - 1$.
- Decryption time: $O(\log n)$.

HS-LSD scheme:
- User storage needed: $O(\log^{3/2} n)$.
- Maximum header length: $4r - 2$.
- Decryption time: $O(\log n)$.

Other SD-based Schemes

[GoodrichST04] Stratified SD
- Key assignment: Left and right preorder tree traversals
- $O(\log n)$ storage; $O(n)$ decryption time
- Double header length

[FukushimaKTS08] 3-ary tree SD
“However, in a general a-ary tree with a ≥ 4,... our hash chain approach fails... Thus, the construction of a coalition resistant a-ary SD method with reasonable communication, computation, and storage overhead is an open issue.”

[WangYL14] Balanced Double SD
- Published after I submitted my thesis
- We have better results now

Analysis of SD scheme

[ParkB06]
- Generating function for $N(n, r, h)$
- Mean header length: “complex to compute and difficult to gain insight from”

[EagleOPR08]
- Small standard deviations

[MartinMW09]
- Maximum header length

Complete Tree SD (CTSD) Scheme

Question: What happens when $n \neq 2^{\ell_0}$?
Answer: Add dummy users to get to the next power of two.
- If the dummy users are considered revoked, then the effect on the header length is disastrous.
- If the dummy users are privileged, the situation is better, but there is still a measurable effect on the header length.

Solution: Use a complete binary tree.
- “Completes” (and also subsumes) the NNL-SD scheme to work for any number of users.
- Conceptually simple; working out the details is a bit involved.

CTSD Scheme: Header Length Analysis

$(n, r)$-revocation: a choice of $r$ revoked users out of a total of $n$ users. For each $(n, r)$-revocation, $h \in \{1, \ldots, h_{\max}\}$.

$N(n, r, h)$: the number of $(n, r)$-revocations for which the header length is $h$.

How to compute $N(n, r, h)$? The only known method would
- enumerate all possible $\binom{n}{r}$ $(n, r)$-revocations
- run the cover finding algorithm for each
- count the number of $(n, r)$-revocations leading to a header of size $h$.

Recurrence relation for $N(n, r, h)$

- $N(\lambda_i, r_1, h_1) = T(\lambda_i, r_1, h_1) + \sum_{j \in IN(i)} T(\lambda_j, r_1, h_1 - 1)$, where $IN(i)$ is the set of all internal nodes in the subtree $T_i$ excluding the node $i$.
- $T(\lambda_i, r_1, h_1) = \sum_{r'=1}^{r_1 - 1} \sum_{h'=0}^{h_1} N(\lambda_{2i+1}, r', h') \times N(\lambda_{2i+2}, r_1 - r', h_1 - h')$, where $\lambda_{2i+1}$ (respectively $\lambda_{2i+2}$) is the number of leaves in the left (respectively right) subtree of $T_i$.

| $T(\lambda_i, r_1, h_1)$ | $r_1 < 0$ | $r_1 = 0$ | $r_1 = 1$ | $2 \le r_1 < n$ | $r_1 = n$ | $r_1 > n$ |
|---|---|---|---|---|---|---|
| $h_1 = 0$ | 0 | 0 | 0 | 0 | 1 | 0 |
| $h_1 \ge 1$ | 0 | 0 | 0 | from rec. | 0 | 0 |

| $N(\lambda_i, r_1, h_1)$ | $r_1 < 0$ | $r_1 = 0$ | $r_1 = 1$ | $2 \le r_1 < n$ | $r_1 = n$ | $r_1 > n$ |
|---|---|---|---|---|---|---|
| $h_1 = 0$ | 0 | 0 | 0 | 0 | 1 | 0 |
| $h_1 = 1$ | 0 | 1 | $n$ | from rec. | 0 | 0 |
| $h_1 > 1$ | 0 | 0 | 0 | from rec. | 0 | 0 |

Table: Boundary conditions on $T(n, r, h)$ and $N(n, r, h)$.

Computing $N(n, r, h)$

Dynamic Programming:
- $N(n, r, h)$ can be computed in $O(r^2 h^2 \log n + r h \log^2 n)$ time and $O(r h \log n)$ space.
- $N(n, r, h)$ for all possible $h$ can be computed in $O(r^4 \log n + r^2 \log n)$ time and $O(r^2 \log^2 n)$ space.
- $N(n, r, h)$ for all possible $r$ and $h$ can be computed in $O(n^4 \log n + n^2 \log^2 n)$ time and $O(n^2 \log n)$ space.
- $N(i, r, h)$ for $2 \le i \le n$ and all possible $r$ and $h$ can be computed in $O(n^5 + n^3 \log n)$ time and $O(n^3)$ space.

The combinatorics behind the cover generation algorithm was well captured! (for n ~ 125)

Using $N(n, r, h)$: Maximum Header Length

Theorem: The maximum header length in the CTSD method for $n$ users is $h_{\max} = \min(2r - 1, n/2, n - r)$.
- For the NNL-SD scheme, the bound of $2r - 1$ was known.
- Complete (refined) picture:
  - if $r \le n/4$, $h_{\max} = 2r - 1$;
  - if $n/4 < r \le n/2$, $h_{\max} = n/2$; and
  - for $r > n/2$, $h_{\max} = n - r$.
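
The cover finding step and the enumeration method for $N(n, r, h)$ described earlier, together with the bound in the theorem above, as an added example (not code from the thesis): a recursive subset-difference cover finder for the power-of-two case and a brute-force tally of header lengths. Assumptions: heap node numbering as in the tree figure (root 0, children $2i+1$ and $2i+2$); the function names and the `(0, None)` marker for the $r = 0$ case are constructed for illustration.

```python
from collections import Counter
from itertools import combinations


def leaves_under(l0, v):
    """Leaves of the subtree T_v in a tree with 2**l0 leaves (heap numbering, root 0)."""
    first_leaf = 2 ** l0 - 1
    lo = hi = v
    while lo < first_leaf:
        lo, hi = 2 * lo + 1, 2 * hi + 2
    return set(range(lo, hi + 1))


def members(l0, i, j):
    """Users in S_{i,j} = T_i \\ T_j; j is None for the full set N (r = 0 case)."""
    return leaves_under(l0, i) - (leaves_under(l0, j) if j is not None else set())


def sd_cover(l0, revoked):
    """Subset-difference cover of the privileged leaves, as a list of (i, j) pairs."""
    first_leaf = 2 ** l0 - 1
    revoked = set(revoked)
    if not revoked:
        return [(0, None)]
    # Nodes that have at least one revoked leaf below them (or are one).
    marked = set()
    for leaf in revoked:
        v = leaf
        while v not in marked:
            marked.add(v)
            if v == 0:
                break
            v = (v - 1) // 2
    cover = []

    def walk(v):
        """Return node j in T_v such that all revoked leaves of T_v lie in T_j
        and every privileged leaf of T_j is already covered."""
        if v >= first_leaf:
            return v
        left, right = 2 * v + 1, 2 * v + 2
        if left in marked and right in marked:
            for child in (left, right):
                j = walk(child)
                if j != child:
                    cover.append((child, j))   # emits S_{child, j}
            return v
        # Only one side holds revoked leaves: keep descending; the clean side
        # is swept up by the subset emitted higher up.
        return walk(left if left in marked else right)

    top = walk(0)
    if top != 0:
        cover.append((0, top))
    return cover


def header_length_counts(l0, r):
    """N(n, r, h) for n = 2**l0 by enumerating every (n, r)-revocation."""
    first_leaf = 2 ** l0 - 1
    all_leaves = range(first_leaf, 2 * first_leaf + 1)
    return Counter(len(sd_cover(l0, R)) for R in combinations(all_leaves, r))


if __name__ == "__main__":
    n = 8
    for r in range(1, n):
        counts = header_length_counts(3, r)
        bound = min(2 * r - 1, n // 2, n - r)
        print(f"r={r}: N(8,r,h)={dict(sorted(counts.items()))} bound={bound}")
```

The enumeration visits $\binom{n}{r}$ revocations, which is why it only serves as a cross-check for small $n$ and why the recurrence on the earlier slide is needed.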

Using $N(n, r, h)$: More analysis

$n_r$: the value of $n$ for which the header length of $2r - 1$ is achieved with $r$ revoked users.
- Obtained a complete characterization of $n_r$.

Generating Function
- Similar to that of [PB06]

Probabilities and Expectation
- For n ~ 125
- Compute probabilities of $h \in \{1, \ldots, h_{\max}\}$
- Compute expected value $H_{n,r}$

Expected Header Length

Random experiment: Select a random subset of revoked users $R$ from $N$ (select a random $(n, r)$-revocation).

Event: Node $i$ generates a subset $S_{i,j}$
- $X^i_{n,r} = 1$ if $S_{i,j} \in S_c$ for some $j$;
- $X^i_{n,r} = 0$ otherwise.

$h = X^0_{n,r} + X^1_{n,r} + \cdots + X^{n-1}_{n,r} = \sum_{i=0}^{n-1} X^i_{n,r}$

$H_{n,r}$: expected header length for $(n, r)$-revocations.

$H_{n,r} = \sum_{i=0}^{n-1} E[X^i_{n,r}] = \sum_{i=0}^{n-1} \Pr[X^i_{n,r} = 1]$

$H_{n,r}$ for all SD based schemes

This technique has been useful for other SD-based schemes:

$H_{n,r} = \sum_{i=0}^{n-1} \Pr[X^i_{n,r} = 1]$

For the NNL-SD scheme: Computing $H_{n,r}$ requires $O(r \log n)$ time and $O(1)$ space.

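$H_{n,r}$ for the NNL-SD Scheme

Theorem: For all $n \ge 1$, $r \ge 1$, the expected header length $H_{n,r} \uparrow H_r$, as $n$ increases through powers of two, where

$$H_r = 3r - 2 - 3 \times \sum_{i=1}^{r-1} \left( \left(-\frac{1}{2}\right)^i + \sum_{k=1}^{i} (-1)^k \binom{i}{k} \frac{2^k - 3^k}{2^k - 1} \right).$$

| $r$ | 2 | 3 | 4 | 5 | 6 |
|---|---|---|---|---|---|
| $H_r / r$ | 1.25 | 1.25 | 1.2455 | 1.2446 | 1.2448 |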

Halevy-Shamir LSD Scheme

Figure: the binary tree with nodes numbered 0 to 30; special levels $\ell_0 = 4$, $\ell_1 = 2$, $\ell_2 = 0$; layer lengths $d_1 = 2$, $d_2 = 2$.

[HS02]: “The root is considered to be at a special level, and in addition we consider every level of depth $k \cdot \sqrt{\log(n)}$ for $k = 1 \ldots \sqrt{\log(n)}$ as special (wlog, we assume that these numbers are integers).”

$n = 2^{\ell_0}$ with $\ell_0 = 4, 9, 16, 25$ only?

Layering Strategy

A choice of special levels is called a layering strategy.

General layering strategy $\ell$
- Layering strategy $\ell = (\ell_0, \ldots, \ell_e)$:
  - has $e + 1$ special levels $\ell_0 > \ell_1 > \ldots > \ell_{e-1} > \ell_e = 0$.
- Layering strategy $d = (d_1, \ldots, d_e)$:
  - $d_i = \ell_i - \ell_{i-1}$ is a layer length
  - In general, the layer lengths need not be (almost) equal.

Extending the HS Scheme

Residual bottom layer: Write $\ell_0 = d(e - 1) + p$ where $1 \le p \le d$. Then the special levels are $\ell_0, \ell_0 - d, \ell_0 - 2d, \ldots, \ell_0 - d(e - 1), 0$.

Balanced layering or extended-HS (eHS): Write $\ell_0 = d(e - 1) + p = (e - d + p)d + (d - p)(d - 1)$. Define the layer lengths from the top to be $(\underbrace{d, \ldots, d}_{e-d+p}, \underbrace{d - 1, \ldots, d - 1}_{d-p})$.

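Layering Strategy and User Storage

Layering strategy: $\ell = (\ell_0, \ldots, \ell_e)$

$$\mathrm{storage}_0(\ell) = \sum_{i=0}^{e-1} \ell_i + \frac{1}{2} \sum_{i=0}^{e-1} (\ell_i - \ell_{i+1})(\ell_i - \ell_{i+1} - 1).$$

$$\mathrm{storage}_0(\ell_0, \ell_1, \ldots, \ell_e) = \ell_0 + \frac{(\ell_0 - \ell_1)(\ell_0 - \ell_1 - 1)}{2} + \mathrm{storage}_0(\ell_1, \ldots, \ell_e).$$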

Storage Minimal Layering

$SML_0(\ell_0)$: a layering strategy which minimizes the user storage among all layering strategies.

$\#SML_0(\ell_0)$: user storage required by $SML_0(\ell_0)$.

$$\#SML_0(\ell_0) = \min_{1 \le e \le \ell_0} \#SML_0(e, \ell_0); \qquad \#SML_0(e, \ell_0) = \min_{(\ell_0, \ldots, \ell_e)} \mathrm{storage}_0(\ell_0, \ell_1, \ldots, \ell_e)$$

Dynamic programming algorithm to compute $\#SML_0(\ell_0)$: $O(\ell_0^3)$ time and $O(\ell_0^2)$ space.

Root at a Non-Special Level

[HS02]: “The root is considered to be at a special level, and ...”

Making root level $\ell_0$ non-special:
- $\mathrm{storage}_1(\ell) = \mathrm{storage}_0(\ell) - \ell_1$. Hence, user storage decreases.
- $\Pr[X^0_{n,r} = 1]$ is small. Hence, negligible increase in the expected header size.

$SML_1(\ell_0)$: SML with non-special root. $\#SML_1(\ell_0)$: corresponding user storage.

Examples of SML

Suppose there are $2^{28}$ users, i.e., $\ell_0 = 28$ (a good estimate as per the CableLabs website).

| Scheme Name | Layering $\ell$ | Storage $\lvert I_u \rvert$ |
|---|---|---|
| NNL-SD | (28,0) | 406 |
| eHS | (28,22,16,10,5,0) | 146 |
| SML0 | (28,21,15,10,6,3,1,0) | 140 |
| SML1 | (22,16,11,7,4,2,0) | 119 |
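
The storage formulas and the minimization behind the table above, as an added example (not the thesis's algorithm): it evaluates $\mathrm{storage}_0$ and $\mathrm{storage}_1$ for a given layering and finds a storage-minimal layering with a one-dimensional dynamic program built on the recursive form of $\mathrm{storage}_0$. Assumptions: function names are constructed for illustration; for the non-special-root case the layering tuple still starts with $\ell_0$, whereas the table lists only the special levels; where several layerings tie, the one returned may differ from the one in the table.

```python
def storage0(levels):
    """storage_0 for special levels l_0 > l_1 > ... > l_e = 0 (root level l_0 special)."""
    return sum(hi + (hi - lo) * (hi - lo - 1) // 2 for hi, lo in zip(levels, levels[1:]))


def storage1(levels):
    """Root level l_0 non-special: storage_1 = storage_0 - l_1 (levels still starts with l_0)."""
    return storage0(levels) - levels[1]


def _best_layerings(l0):
    """best[l] = (minimum storage_0, one optimal layering) for a tree of height l.

    Uses storage_0(l, l', ...) = l + (l - l')(l - l' - 1)/2 + storage_0(l', ...),
    so the best choice below l' does not depend on what sits above it.
    """
    best = {0: (0, (0,))}
    for top in range(1, l0 + 1):
        best[top] = min(
            (top + (top - nxt) * (top - nxt - 1) // 2 + best[nxt][0], (top,) + best[nxt][1])
            for nxt in range(top)
        )
    return best


def sml0(l0):
    """(#SML_0(l0), one storage-minimal layering) with the root at a special level."""
    return _best_layerings(l0)[l0]


def sml1(l0):
    """(#SML_1(l0), one storage-minimal layering) with the root level non-special."""
    best = _best_layerings(l0 - 1)
    return min(
        (l0 + (l0 - l1) * (l0 - l1 - 1) // 2 + best[l1][0] - l1, (l0,) + best[l1][1])
        for l1 in range(l0)
    )


if __name__ == "__main__":
    print("NNL-SD:", storage0((28, 0)))
    print("eHS:   ", storage0((28, 22, 16, 10, 5, 0)))
    print("SML0:  ", sml0(28))
    print("SML1:  ", sml1(28))
```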

Other Results

Complete Tree LSD scheme

Maximum Header Length
- $h_{\max} = \min(4r - 2, n/2, n - r)$ if root is non-special.
- $h_{\max} = \min(4r - 3, n/2, n - r)$ if root is special.

Expected Header Length:
- The splitting of subsets complicates the analysis.
- $O(r \log^2 n)$ time and $O(1)$ space.

Constrained Minimization

- For a given $r$, the contribution of level $\ell_{\max} = \ell_0 - \log_2 r$ to the header is maximum.
- As $r \uparrow$, $\ell_{\max} \downarrow$.

Hence,
- Depending on the application, fix a value of $r_{\min}$ and set $\ell_{\max} = \ell_0 - \log_2 r_{\min}$.
- Let $\ell = \{\ell_{\max}, 0\}$.

Result: $H_{n,r}$ close to that of NNL-SD, but with lower user storage.

A CML Example

$n = 2^{28}$ and $r_{\min} = 2^{10}$.

| Scheme | Layering $\ell$ | $|I_u|$ | $H_{n,r}$ (normalized with NNL-SD) |
|---|---|---|---|
| NNL-SD | (28,0) | 406 | (1.00, 1.00, 1.00, 1.00, 1.00, 1.00, 1.00, 1.00, 1.00, 1.00) |
| eHS | (28,22,16,10,5,0) | 146 | (1.69, 1.63, 1.64, 1.67, 1.69, 1.72, 1.73, 1.74, 1.75, 1.75) |
| CML | (23,18,0) | 219 | (1.14, 1.08, 1.04, 1.03, 1.01, 1.01, 1.00, 1.00, 1.00, 1.00) |

Header lengths for 10 equispaced values of $r$ from $2^{10}$ to $2^{14}$ normalized by the header length of the NNL-SD scheme.
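The storage recurrence, the SML minimisation and the SML/CML storage figures above can be reproduced with the following added example (not code from the thesis or its implementations). It assumes every layering ends at level 0, that a single remaining level contributes 0, and that the SML1 and CML rows list only special levels below a non-special root at level 28; it uses a one-dimensional recurrence rather than the $O(\ell_0^3)$ algorithm the slide refers to.

```python
"""User storage of layered SD schemes and a DP for Storage Minimal Layering."""


def storage0(layering):
    """storage0 for special levels l_0 > l_1 > ... > l_e (special root).

    Unrolls storage0(l_0..l_e) = l_0 + (l_0-l_1)(l_0-l_1-1)/2 + storage0(l_1..l_e),
    taking storage0 of a single remaining level to be 0 (assumption).
    """
    total = 0
    for hi, lo in zip(layering, layering[1:]):
        gap = hi - lo
        total += hi + gap * (gap - 1) // 2
    return total


def storage1(layering):
    """Same layering with the root level l_0 non-special: storage0 - l_1."""
    return storage0(layering) - layering[1]


def _dp(l0):
    """best[l] = min storage0 over layerings (l, ..., 0); nxt[l] = next level chosen."""
    best, nxt = [0] * (l0 + 1), [0] * (l0 + 1)
    for l in range(1, l0 + 1):
        best[l], nxt[l] = min(
            (l + (l - m) * (l - m - 1) // 2 + best[m], m) for m in range(l)
        )
    return best, nxt


def sml0(l0):
    """Return (#SML0(l0), an optimal layering) for a special root."""
    best, nxt = _dp(l0)
    layering = [l0]
    while layering[-1] > 0:
        layering.append(nxt[layering[-1]])
    return best[l0], tuple(layering)


def sml1(l0):
    """Return #SML1(l0): minimise storage0 - l_1 over the first special level l_1."""
    best, _ = _dp(l0)
    return min(
        l0 + (l0 - m) * (l0 - m - 1) // 2 + best[m] - m for m in range(l0)
    )


if __name__ == "__main__":
    for name, lay in [("NNL-SD", (28, 0)), ("eHS", (28, 22, 16, 10, 5, 0))]:
        print(name, lay, storage0(lay))
    print("SML0", *sml0(28))
    print("SML1", sml1(28))
    print("CML ", storage1((28, 23, 18, 0)))
```
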


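k-ary tree SD

[Figure: tree with nodes $i$, $j$, $j_1$, $j_2$ and labels $\mathrm{seed}_i$, $L_{i,\{j\}} = G_{100}(\mathrm{seed}_i)$, $G_{010}(\mathrm{seed}_i)$, $G_{001}(\mathrm{seed}_i)$, $L_{i,\{j_1,j_2\}} = G_{011}(L_{i,\{j\}})$.]

Figure: Key of $S_{i,\{j_1,j_2\}}$ is $G_{000}(L_{i,\{j_1,j_2\}}) = G_{000}(G_{011}(G_{100}(\mathrm{seed}_i)))$.

User storage:

$1 + (2^{k-1} - 1)\sum_{\ell=1}^{\ell_0} \ell = 1 + \frac{\ell_0(\ell_0 + 1)}{2}\,(2^{k-1} - 1)$

... reduced using additional tree structure (constructed using cyclotomic cosets mod $2^k - 1$)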

k-ary tree SD: Results

- Why k-ary trees?
  - $|S| \uparrow \implies (H_{n,r} \downarrow, |I_u| \uparrow)$ always?
  - Hierarchy of Optimization
- Header length analysis
  - $h_{\max} = \min(2r - 1, \lceil n/k \rceil, n - r)$
  - Algorithm to compute $H_{n,r}$ (for $n = k^{\ell_0}$): O(r log n) space; O(1) time
- Reducing user storage
  - Using cyclotomic cosets modulo $2^k - 1$
  - An additional tree structure $T(k)$
- Complete Tree for arbitrary number of users
- Layering
  - Storage Minimal Layering
- Header length simulation study (for $n \ne k^{\ell_0}$)

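k-ary tree SD: Header length and user storage

| $n$ | $k$ | $us_k$ | $\mathrm{MHL}_k/r$ |
|---|---|---|---|
| $10^3$ | 2 | 55 | (1.10, 0.98, 0.72) |
| $10^3$ | 3 | 56 | (1.27, 1.06, 0.72) |
| $10^3$ | 4 | 60 | (1.21, 0.96, 0.59) |
| $10^3$ | 5 | 90 | (1.11, 0.84, 0.50) |
| $10^3$ | 6 | 120 | (1.03, 0.73, 0.42) |
| $10^3$ | 7 | 180 | (0.95, 0.65, 0.36) |
| $10^3$ | 8 | 340 | (0.86, 0.58, 0.32) |
| $10^4$ | 2 | 105 | (1.11, 0.97, 0.71) |
| $10^4$ | 3 | 90 | (1.26, 1.07, 0.72) |
| $10^4$ | 4 | 112 | (1.20, 0.96, 0.59) |
| $10^4$ | 5 | 126 | (1.11, 0.84, 0.49) |
| $10^4$ | 6 | 252 | (1.02, 0.73, 0.41) |
| $10^4$ | 7 | 270 | (0.94, 0.65, 0.36) |
| $10^4$ | 8 | 510 | (0.86, 0.58, 0.31) |
| $10^5$ | 2 | 153 | (1.11, 0.97, 0.71) |
| $10^5$ | 3 | 132 | (1.27, 1.06, 0.72) |
| $10^5$ | 4 | 180 | (1.20, 0.96, 0.59) |
| $10^5$ | 5 | 216 | (1.11, 0.84, 0.49) |
| $10^5$ | 6 | 336 | (1.02, 0.73, 0.41) |
| $10^5$ | 7 | 378 | (0.94, 0.65, 0.36) |
| $10^5$ | 8 | 714 | (0.87, 0.58, 0.31) |
| $10^6$ | 2 | 210 | (1.11, 0.97, 0.71) |
| $10^6$ | 3 | 182 | (1.27, 1.07, 0.72) |
| $10^6$ | 4 | 220 | (1.20, 0.96, 0.59) |
| $10^6$ | 5 | 270 | (1.11, 0.84, 0.49) |
| $10^6$ | 6 | 432 | (1.02, 0.73, 0.41) |
| $10^6$ | 7 | 648 | (0.94, 0.65, 0.36) |
| $10^6$ | 8 | 952 | (0.87, 0.58, 0.31) |
| $10^7$ | 2 | 300 | (1.11, 0.97, 0.71) |
| $10^7$ | 3 | 240 | (1.27, 1.06, 0.72) |
| $10^7$ | 4 | 312 | (1.20, 0.96, 0.59) |
| $10^7$ | 5 | 396 | (1.11, 0.84, 0.49) |
| $10^7$ | 6 | 540 | (1.02, 0.73, 0.41) |
| $10^7$ | 7 | 810 | (0.94, 0.65, 0.36) |
| $10^7$ | 8 | 1224 | (0.87, 0.58, 0.31) |
| $10^8$ | 2 | 378 | (1.11, 0.97, 0.71) |
| $10^8$ | 3 | 306 | (1.27, 1.06, 0.72) |
| $10^8$ | 4 | 420 | (1.20, 0.96, 0.59) |
| $10^8$ | 5 | 468 | (1.11, 0.84, 0.49) |
| $10^8$ | 6 | 792 | (1.02, 0.73, 0.41) |
| $10^8$ | 7 | 990 | (0.94, 0.65, 0.36) |
| $10^8$ | 8 | 1530 | (0.87, 0.58, 0.31) |

Table: $\mathrm{MHL}_k/r$ for $r = (0.1n, 0.2n, 0.4n)$.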

k-ary tree SD

| $k$ | 3 | 4 | 5 | 6 | 7 | 8 | 16 |
|---|---|---|---|---|---|---|---|
| $\delta_k$ | 0.44 | 0.19 | 0.11 | 0.07 | 0.05 | 0.04 | < 0.01 |

Table: Values of the threshold $\delta_k$.


a-ABTSD scheme

- $S_{\text{NNL-SD}} \subset S_{a\text{-ABTSD}}$
  - Augment trees of height $a$ (with $k = 2^a$ leaf nodes)
  - (Better?) Hierarchy of Optimization
- Header length analysis
  - $h_{\max} = \min(2r - 1, \lceil n/k \rceil, n - r)$
- Reducing user storage
  - Using cyclotomic cosets modulo $2^k - 1$
  - An additional tree structure $T(k)$
- Complete Tree for arbitrary number of users
- Header length simulation study

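a-ABTSD: Header length and user storage

| $n$ | $a$ | $us_a(n)$ | $\mathrm{MHL}_a/r$ |
|---|---|---|---|
| $10^3$ | 1 | 55 | (1.11, 0.97, 0.71) |
| $10^3$ | 2 | 145 | (0.96, 0.78, 0.53) |
| $10^3$ | 3 | 1279 | (0.75, 0.53, 0.31) |
| $10^3$ | 4 | 115247 | (0.52, 0.31, 0.16) |
| $10^4$ | 1 | 105 | (1.11, 0.97, 0.71) |
| $10^4$ | 2 | 287 | (0.96, 0.78, 0.53) |
| $10^4$ | 3 | 2757 | (0.75, 0.53, 0.31) |
| $10^4$ | 4 | 271629 | (0.52, 0.30, 0.16) |
| $10^5$ | 1 | 153 | (1.11, 0.97, 0.71) |
| $10^5$ | 2 | 425 | (0.96, 0.78, 0.53) |
| $10^5$ | 3 | 4233 | (0.75, 0.53, 0.31) |
| $10^5$ | 4 | 432123 | (0.52, 0.30, 0.16) |
| $10^6$ | 1 | 210 | (1.11, 0.97, 0.71) |
| $10^6$ | 2 | 590 | (0.96, 0.78, 0.53) |
| $10^6$ | 3 | 6024 | (0.75, 0.53, 0.31) |
| $10^6$ | 4 | 629652 | (0.52, 0.30, 0.16) |
| $10^7$ | 1 | 300 | (1.11, 0.97, 0.71) |
| $10^7$ | 2 | 852 | (0.96, 0.78, 0.53) |
| $10^7$ | 3 | 8902 | (0.75, 0.53, 0.31) |
| $10^7$ | 4 | 950634 | (0.52, 0.30, 0.16) |
| $10^8$ | 1 | 378 | (1.11, 0.97, 0.71) |
| $10^8$ | 2 | 1080 | (0.96, 0.78, 0.53) |
| $10^8$ | 3 | 11428 | (0.75, 0.53, 0.31) |
| $10^8$ | 4 | 1234578 | (0.52, 0.30, 0.16) |

Table: $\mathrm{MHL}_a/r$ for three different choices of $r$, namely $r = (0.1n, 0.2n, 0.4n)$.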

a-ABTSD performance

[Plot: (a, b, c)-ABTSD with b = 2a − 1 and $c = \ell_0$.]

[Plot: (a, b, c)-ABTSD with a = 5 and $c = \ell_0$.]

[Plot: (a, b, c)-ABTSD with b = 2a − 1.]


Implementations

Schemes:
- NNL-SD, HS-LSD and all new schemes

Analysis:
- Header length algorithms
- User storage algorithms
- ...

What this thesis is NOT about

Asymptotic Improvements

What this thesis is ALL about

- Combinatorial and Probabilistic Analysis
- Obtaining Hierarchies of Optimization

Summary of Contributions

- What if $n \ne 2^{\ell_0}$?
  - Use dummy users or complete trees? (Papers 1, 2, 3, 4)
- Analysis of SD-based schemes?
  - $N(n, r, h)$ (Paper 1)
  - Generating function [PB06] (Paper 1)
  - Maximum and Mean Header Lengths ($H_{n,r}$)? (Papers 1, 2, 3, 4)
    - In [PB06]: too complicated!!! (approximations)
  - Upper bound on $H_{n,r}$? (Paper 1)
    - 1.38r (sketchy proof [NNL01])
    - 1.25r (empirical [NNL01]) - theoretical analysis?
- Choice of $S$: $|S| \uparrow$ or $|S| \downarrow$?
  - Storage minimal layering (Paper 2)
  - Constrained minimization layering (Paper 2)
  - k-ary tree SD scheme (Paper 3)
  - (a, b, c)-ABTSD scheme (Paper 4)

Intuition: Choice of $S$: $|S| \uparrow$ or $|S| \downarrow$

[Figure: schemes placed along an axis of $|S|$: Power Set scheme, NNL-SD scheme, HS-LSD scheme, Singleton Set scheme, a-ABTSD schemes (for different values of a), k-SD schemes (for different values of k).]

Publications

- Sanjay Bhattacherjee and Palash Sarkar. Complete tree subset difference broadcast encryption scheme and its analysis. Des. Codes Cryptography, 66(1-3):335–362, 2013.
- Sanjay Bhattacherjee and Palash Sarkar. Concrete analysis and trade-offs for the (complete tree) layered subset difference broadcast encryption scheme. IEEE Transactions on Computers, 63(7):1709–1722, 2014.
- Sanjay Bhattacherjee and Palash Sarkar. Tree based symmetric key broadcast encryption. J. Discrete Algorithms, 34:78–107, 2015.
- Sanjay Bhattacherjee and Palash Sarkar. Reducing communication overhead of the subset difference scheme. IEEE Transactions on Computers, to appear.
- Sanjay Bhattacherjee and Palash Sarkar. Implementations related to the above papers, https://drive.google.com/folderview?id=0B7azs7qqqdS0UnB5aHp3WmJwcDQ&usp=sharing_eil. Uploaded on 13th August, 2014.

Open Questions

Schemes:
- More hierarchies of optimization?
- Practical scheme with $h_{\max} < r$
- Stateless as well as forward secure?
- ...

Analysis:
- Non-uniform distribution of revoked users?
- ...

Acknowledgement

- Prof. Palash Sarkar
- Friends
- Family

Desirable Properties

- Fully Collusion Resistant
- Dynamic revocation
- Dynamic joining / leaving of users
- Stateless / Stateful
- Traitor Tracing

Assigning seeds to users

Figure: From one derived seed, keys of many subsets can be generated

