Computer Science
Revocation and Tracing Schemes for Stateless Receivers
Dalit Naor, Moni Naor, Jeff Lotspiech
Presented by Attila Altay Yavuz
CSC 774 In-Class Presentation
(Based on Authors’ presentation)

Outline
• Digital Content and the stateless scenario for trace and revoke
• The Subset Cover Framework for T&R schemes
• Two subset cover schemes
– Complete Subset Tree
– Subset Difference Tree
• Tracing:
– General Tracing Algorithm
– Bifurcation property
• Conclusion

Problems and Motivation
• Digital Content: Very easy to generate, transfer and reproduce. However, it is also easy to violate ownership. CRITICAL!!:
– Copyright
– Privacy
• Protecting content: methods for discouraging/preventing redistribution of content after decryption
• Watermarking
• Fingerprinting
• Protecting cryptographic keys
– Broadcast Encryption/Revocation
• Send information only to intended recipients
– Tracing Traitors
– Trace and Revoke

The Broadcast Encryption Problem

Components of a stateless system
• Notations: N - set of n users, R - set of r users whose privileges are to be revoked
• Scheme Initiation:
– a method to assign secret information to devices, $I_u$ to u.
• The broadcast algorithm:
– For message M and a set R of users to be revoked, produce a ciphertext C to broadcast to all.
• A decryption algorithm (at device):
– a non-revoked device should produce M from ciphertext C.
– Stateless Users: Decryption should be based on the current message and the secret information $I_u$ only.
– Goal: Impossible to produce M from ciphertext even when provided with the secret information of all revoked users.

Subset Cover Framework: An algorithm
Underlying collection of subsets (of devices)
$S_1, S_2, \ldots, S_w$, with $S_j \subseteq N$.
• Each subset $S_j$ is associated with a long-lived key $L_j$
– A device $u \in S_j$ should be able to deduce $L_j$ from its secret information $I_u$
• Given a revoked set R, the non-revoked users $N \setminus R$ are partitioned into m disjoint subsets $S_{i_1}, S_{i_2}, \ldots, S_{i_m}$ ($N \setminus R = \bigcup_{j=1}^{m} S_{i_j}$)
– a session key K is encrypted m times with $L_{i_1}, L_{i_2}, \ldots, L_{i_m}$.

S.Cover: The Broadcast Algorithm
• Choose a session key K
• Given R, find a partition of $N \setminus R$ into disjoint sets $S_{i_1}, S_{i_2}, \ldots, S_{i_m}$, where $N \setminus R = \bigcup_{j=1}^{m} S_{i_j}$
– with associated keys $L_{i_1}, L_{i_2}, \ldots, L_{i_m}$
• Encrypt message M
• E: Long Term Alg. F: Moderate Term

S.Cover: The Decryption Step at u
• Either
– Find the subset $i_j$ such that $u \in S_{i_j}$, or
– null if $u \in R$
• Obtain $L_{i_j}$ from the private information $I_u$
• Compute $D_{L_{i_j}}(E_{L_{i_j}}(K))$ to obtain K
• Decrypt $F_K(M)$ with K to obtain the message M.

Subset-Cover Algorithms

The Complete Sub-tree Method

Subset Cover of non-revoked devices: Complete Subtree Method
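
The subset-cover broadcast and decryption steps, instantiated with the Complete Subtree method, as an added example (not code from the presentation or from the paper's authors). It assumes heap-style node numbering, HMAC-derived node keys, and an XOR pad as a stand-in for the ciphers E and F; all function names are hypothetical.

```python
import hashlib, hmac, os

N_LEAVES = 8  # constructed example: users are leaves 8..15 of a heap-numbered binary tree

def node_key(master: bytes, node: int) -> bytes:
    # Assumption: long-lived keys L_j are derived from a master secret held by the center.
    return hmac.new(master, b"L|%d" % node, hashlib.sha256).digest()

def xor_wrap(key: bytes, label: bytes, data: bytes) -> bytes:
    # Stand-in for E and F (not a real cipher): XOR with an HMAC pad, data <= 32 bytes.
    pad = hmac.new(key, label, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, pad))

def user_secret(master: bytes, leaf: int) -> dict:
    # I_u: the key of every node on the path from the user's leaf up to the root.
    keys, v = {}, leaf
    while v >= 1:
        keys[v] = node_key(master, v)
        v //= 2
    return keys

def cover(revoked: set) -> list:
    # Subtrees that hang off the Steiner tree spanned by the revoked leaves and the root.
    if not revoked:
        return [1]
    steiner = set()
    for leaf in revoked:
        v = leaf
        while v >= 1:
            steiner.add(v)
            v //= 2
    return sorted(c for v in steiner if v < N_LEAVES
                  for c in (2 * v, 2 * v + 1) if c not in steiner)

def broadcast(master: bytes, revoked: set, message: bytes):
    K = os.urandom(32)  # fresh session key, wrapped once per subset in the cover
    header = {j: xor_wrap(node_key(master, j), b"E", K) for j in cover(revoked)}
    return header, xor_wrap(K, b"F", message)

def decrypt(I_u: dict, header: dict, body: bytes):
    # Stateless receiver: uses only I_u and the current broadcast.
    for j, wrapped in header.items():
        if j in I_u:
            K = xor_wrap(I_u[j], b"E", wrapped)
            return xor_wrap(K, b"F", body)
    return None  # u is in R: no subset of the cover contains it
```

Because every node on a revoked user's path lies inside the Steiner tree, pooling the secrets of all revoked users still yields no key that appears in the header.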

The Subset-difference Method: Subset Definition

Subset Cover of non-Revoked Devices: Subset-Difference Method

Key-Assignment: Subset-Difference Method

Tracing Traitors
• Some Users leak their keys to pirates
• Pirates construct unauthorized decryption devices and sell them at discount
• Trace and Revoke for all subset cover algorithms satisfying bifurcation property
• More efficient procedure for subset difference
• Goal: output one of the two
– a user u contained in the box
– a partition $S = S_{i_1}, S_{i_2}, \ldots, S_{i_m}$ that disables the box

Subset Tracing

Definition: Bifurcation Property
• Any subset $S_i$ can be partitioned into (roughly) two equal sets $S_{i1}$ and $S_{i2}$.
• $S_i = S_{i1} \cup S_{i2}$
• Bifurcation value:
– $\max \{ |S_{i1}| / |S_i|, \; |S_{i2}| / |S_i| \}$
– Complete sub-tree method: since sub-trees are complete, a subset can be split into two equal parts.
– Subset Difference methods generally have 2/3.
• Fundamental for the following Tracing algorithm.

The Tracing Algorithm

Conclusion
• Define the Subset-Cover framework
– Family of algorithms, encapsulating previous methods
• Rigorous security analysis: Sufficient condition for an algorithm in the framework to be secure.
• Provide the Subset-Difference revocation algorithms
– r-flexible (it does not assume an upper bound on the number of revoked receivers)
– concise message length
• Tracing algorithm
– Works for any algorithm in the framework satisfying the bifurcation property
– Seamless integration with the revocation algorithm
– Withstands any coalition size

Future Works
• Can we modify these approaches for use in group key management in dynamic wireless networks such as MANETs?
• Compromised nodes for sensor networks together with broadcast authentication?
• Real world application?

Questions
• Thank you for listening!
• Questions?