Optimising SD and LSD in Presence of Non-uniform Probabilities of Revocation

Some years ago two efficient broadcast encryption schemes for stateless receivers, referred to as SD (Subset Difference Method) [NNL01] and LSD (Layered Subset Difference Method) [HS02], were proposed. They represent one of the most suitable solutions to broadcast encryption. In this paper we focus on the following issue: both schemes assume uniform probabilities of revocation of the receivers. However, in some applications such an assumption might not hold: receivers in a certain area, for historical and legal reasons, can be considered trustworthy, while receivers from other areas might exhibit more adversarial behaviour. Can we modify SD and LSD to better fit settings in which the probabilities of revocation are non-uniform? More precisely, we study how to optimise user key storage in the SD and LSD schemes in the presence of non-uniform probabilities of revocation for the receivers. Indeed, we would like to give fewer keys to users with a higher probability of revocation than to trustworthy users. We point out that this leads to the construction of binary trees satisfying some optimality criteria. We start our analysis by revisiting a similar study, which aims at minimising user key storage in LKH schemes. It was shown that such a problem is related to the well-known optimal codeword length selection problem in information theory. We discuss the approach pursued therein, pointing out that a characterisation of the properties that a key assignment for LKH schemes has to satisfy does not hold. We provide a new characterisation and give a proof of it. Then we show that the user key storage problems of SD and LSD are also related to an interesting coding theory problem, referred to as source coding with Campbell's penalties. Hence, we discuss existing solutions to the coding problem.

[1] Moni Naor, et al. Revocation and Tracing Schemes for Stateless Receivers, 2001, CRYPTO.

[2] Shimshon Berkovits, et al. How To Broadcast A Secret, 1991, EUROCRYPT.

[3] Michael Baer, et al. Source Coding for Campbell's Penalties, 2005.

[4] L. Campbell, et al. Definition of entropy by means of a coding problem, 1966.

[5] Michael B. Baer. Source Coding for Quasiarithmetic Penalties, 2006, IEEE Transactions on Information Theory.

[6] Dong Hoon Lee, et al. Generic Transformation for Scalable Broadcast Encryption Schemes, 2005, CRYPTO.

[7] Aggelos Kiayias, et al. Self Protecting Pirates and Black-Box Traitor Tracing, 2001, CRYPTO.

[8] P. Erdös, et al. Families of finite sets in which no set is covered by the union of r others, 1985.

[9] Bernhard Plattner, et al. Efficient security for large and dynamic multicast groups, 1998, Proceedings Seventh IEEE International Workshop on Enabling Technologies: Infrastucture for Collaborative Enterprises (WET ICE '98) (Cat. No.98TB100253).

[10] Pil Joong Lee, et al. Efficient Broadcast Encryption Scheme with Log-Key Storage, 2006, Financial Cryptography.

[11] John S. Baras, et al. An Information Theoretic Analysis of Rooted-Tree Based Secure Multicast Key Distribution Schemes, 1999, CRYPTO.

[12] Mohamed G. Gouda, et al. Secure group communications using key graphs, 1998, SIGCOMM '98.

[13] Aggelos Kiayias, et al. Traceable Signatures, 2004, EUROCRYPT.

[14] Dilip D. Kandlur, et al. Key management for secure Internet multicast using Boolean function minimization techniques, 1999, IEEE INFOCOM '99. Conference on Computer Communications. Proceedings. Eighteenth Annual Joint Conference of the IEEE Computer and Communications Societies. The Future is Now (Cat. No.99CH36320).

[15] Donald W. Davies, et al. Advances in Cryptology — EUROCRYPT '91, 2001, Lecture Notes in Computer Science.

[16] Moni Naor, et al. Multicast security: a taxonomy and some efficient constructions, 1999, IEEE INFOCOM '99. Conference on Computer Communications. Proceedings. Eighteenth Annual Joint Conference of the IEEE Computer and Communications Societies. The Future is Now (Cat. No.99CH36320).

[17] Amos Fiat, et al. Broadcast Encryption, 1993, CRYPTO.

[18] John S. Baras, et al. An information-theoretic approach for design and analysis of rooted-tree-based multicast key management schemes, 2001, IEEE Trans. Inf. Theory.

[19] Thomas M. Cover, et al. Elements of Information Theory, 2005.

[20] Ronald Cramer, et al. Advances in Cryptology - EUROCRYPT 2005, 24th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Aarhus, Denmark, May 22-26, 2005, Proceedings, 2005, EUROCRYPT.

[21] Victor Shoup. Advances in Cryptology - CRYPTO 2005: 25th Annual International Cryptology Conference, Santa Barbara, California, USA, August 14-18, 2005, Proceedings, 2005, CRYPTO.

[22] Dong Hoon Lee, et al. One-Way Chain Based Broadcast Encryption Schemes, 2005, EUROCRYPT.

[23] Daniele Micciancio, et al. Optimal Communication Complexity of Generic Multicast Key Distribution, 2004, EUROCRYPT.

[24] Lawrence L. Larmore, et al. A fast algorithm for optimal length-limited Huffman codes, 1990, JACM.

[25] Matthew Franklin, et al. Advances in Cryptology – CRYPTO 2004, 2004, Lecture Notes in Computer Science.

[26] Jacques Stern, et al. Advances in Cryptology — EUROCRYPT '99, 1999, Lecture Notes in Computer Science.

[27] Moti Yung, et al. Advances in Cryptology — CRYPTO 2002, 2002, Lecture Notes in Computer Science.

[28] Alan T. Sherman, et al. Key Establishment in Large Dynamic Groups Using One-Way Function Trees, 2003, IEEE Trans. Software Eng.

[29] Ran Canetti, et al. Efficient Communication-Storage Tradeoffs for Multicast Encryption, 1999, EUROCRYPT.

[30] Adi Shamir, et al. The LSD Broadcast Encryption Scheme, 2002, CRYPTO.

[31] Douglas R. Stinson, et al. Advances in Cryptology — CRYPTO '93, 2001, Lecture Notes in Computer Science.

[32] Michael T. Goodrich, et al. Efficient Tree-Based Revocation in Groups of Low-State Devices, 2004, CRYPTO.

[33] George Varghese, et al. A lower bound for multicast key distribution, 2001, Proceedings IEEE INFOCOM 2001. Conference on Computer Communications. Twentieth Annual Joint Conference of the IEEE Computer and Communications Society (Cat. No.01CH37213).

[34] Eric J. Harder, et al. Key Management for Multicast: Issues and Architectures, 1999, RFC.