Computer Science
Revocation and Tracing Schemes for Stateless Receivers
Dalit Naor, Moni Naor, Jeff Lotspiech
Presented by Attila Altay Yavuz
CSC 774 In-Class Presentation
(Based on Authors’ presentation)

Outline
• Digital Content and the stateless scenario for trace and revoke
• The Subset Cover Framework for T&R schemes
• Two subset cover schemes
– Complete Subset Tree
– Subset Difference Tree
• Tracing:
– General Tracing Algorithm
– Bifurcation property
• Conclusion

Problems and Motivation
• Digital Content: Very easy to generate, transfer and reproduce. However, it is also easy to violate ownership. CRITICAL!!:
– Copyright
– Privacy
• Protecting content: methods for discouraging/preventing redistribution of content after decryption
• Watermarking
• Fingerprinting
• Protecting cryptographic keys
– Broadcast Encryption/Revocation
• Send information only to intended recipients
– Tracing Traitors
– Trace and Revoke

The Broadcast Encryption Problem

Components of a stateless system
• Notations: $N$ - set of $n$ users, $R$ - set of $r$ users whose privileges are to be revoked
• Scheme Initiation:
– a method to assign secret information to devices, $I_u$ to $u$.
• The broadcast algorithm:
– For message $M$ and a set $R$ of users to be revoked, produce a ciphertext $C$ to broadcast to all.
• A decryption algorithm (at device):
– a non-revoked device should produce $M$ from ciphertext $C$.
– Stateless Users: Decryption should be based on the current message and the secret information $I_u$ only.
– Goal: Impossible to produce $M$ from ciphertext even when provided with the secret information of all revoked users.

Subset Cover Framework: An algorithm
Underlying collection of subsets (of devices) $S_1, S_2, \ldots, S_W$, $S_j \subseteq N$.
• Each subset $S_j$ associated with long-lived key $L_j$
– A device $u \in S_j$ should be able to deduce $L_j$ from its secret information $I_u$
• Given a revoked set $R$, the non-revoked users $N \setminus R$ are partitioned into $m$ disjoint subsets $S_{i_1}, S_{i_2}, \ldots, S_{i_m}$ ($N \setminus R = \bigcup_j S_{i_j}$)
– a session key $K$ is encrypted $m$ times with $L_{i_1}, L_{i_2}, \ldots, L_{i_m}$.

S.Cover: The Broadcast Algorithm
• Choose a session key $K$
• Given $R$, find a partition of $N \setminus R$ into disjoint sets: $S_{i_1}, S_{i_2}, \ldots, S_{i_m}$, $N \setminus R = \bigcup_j S_{i_j}$
– with associated keys $L_{i_1}, L_{i_2}, \ldots, L_{i_m}$
• Encrypt message $M$
• E: Long Term Alg. F: Moderate Term

S.Cover: The Decryption Step at u
• Either
– Find the subset $i_j$ such that $u \in S_{i_j}$, or
– null if $u \in R$
• Obtain $L_{i_j}$ from the private information $I_u$
• Compute $D_{L_{i_j}}(E_{L_{i_j}}(K))$ to obtain $K$
• Decrypt $F_K(M)$ with $K$ to obtain the message $M$.
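
An added example, not part of the original slides: the broadcast and decryption steps above, instantiated with the Complete Subtree collection, where every complete subtree of a binary tree over the users is one subset. The heap node numbering, the HMAC-derived keys, the constructed master secret and the XOR `wrap` standing in for E are assumptions made for this sketch.

```python
import hashlib, hmac, os

def L(master, node):
    """Long-lived key L_j of subtree j (derived from one master secret here for
    brevity; the framework only needs each L_j to be an independent key)."""
    return hmac.new(master, node.to_bytes(4, "big"), hashlib.sha256).digest()

def path(n, u):
    """Nodes from user u's leaf up to the root (heap indexing, root = 1,
    leaves n..2n-1, n a power of two)."""
    v, out = n + u, []
    while v >= 1:
        out.append(v)
        v //= 2
    return out

def device_secret(master, n, u):
    """I_u: the log2(n)+1 keys of every subtree that contains u."""
    return {v: L(master, v) for v in path(n, u)}

def cover(n, revoked):
    """Partition of N \\ R: roots of the subtrees hanging off the Steiner
    tree spanned by the root and the revoked leaves."""
    if not revoked:
        return [1]
    steiner = {v for u in revoked for v in path(n, u)}
    return [c for v in sorted(steiner) if v < n
            for c in (2 * v, 2 * v + 1) if c not in steiner]

def wrap(key, nonce, data):
    """Toy stand-in for E_L(K): XOR with an HMAC-derived pad (its own inverse)."""
    pad = hmac.new(key, nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, pad))

def broadcast(master, n, revoked):
    """Encrypt a fresh session key K once per subset in the cover."""
    K, nonce = os.urandom(32), os.urandom(16)
    header = [(j, wrap(L(master, j), nonce, K)) for j in cover(n, revoked)]
    return nonce, header, K

def decrypt(I_u, nonce, header):
    """Stateless receiver: uses only I_u and the current header; None if revoked."""
    for j, wrapped in header:
        if j in I_u:
            return wrap(I_u[j], nonce, wrapped)
    return None
```

With 8 users and users 2 and 5 revoked, the cover is the four subtrees rooted at nodes 4, 7, 11 and 12, so K is encrypted four times and neither revoked device holds any of the four keys.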

Subset-Cover Algorithms

The Complete Sub-tree Method

Subset Cover of non-revoked devices: Complete Subtree Method

The Subset-difference Method: Subset Definition

Subset Cover of non-Revoked Devices: Subset-Difference Method

Key-Assignment: Subset-Difference Method

Tracing Traitors
• Some users leak their keys to pirates
• Pirates construct unauthorized decryption devices and sell them at discount
• Trace and Revoke for all subset cover algorithms satisfying bifurcation property
• More efficient procedure for subset difference
• Goal: output one of the two
– a user $u$ contained in the box
– a partition $S = S_{i_1}, S_{i_2}, \ldots, S_{i_m}$ that disables the box

Subset Tracing

Definition: Bifurcation Property
• Any subset $S_i$ can be partitioned into (roughly) two equal sets $S_{i_1}$ and $S_{i_2}$.
• $S_i = S_{i_1} \cup S_{i_2}$
• Bifurcation value:
– $\max\{|S_{i_1}|/|S_i|,\ |S_{i_2}|/|S_i|\}$
– Complete sub-tree method: since sub-trees are complete, each can be split into two equal parts.
– Subset Difference methods generally have 2/3.
• Fundamental for the following Tracing algorithm.

The Tracing Algorithm

Conclusion
• Define the Subset-Cover framework
– Family of algorithms, encapsulating previous methods
• Rigorous security analysis: Sufficient condition for an algorithm in framework to be secure.
• Provide the Subset-Difference revocation algorithms
– r-flexible (it does not assume an upper bound for # of revoked receivers)
– concise message length
• Tracing algorithm
– Works for any algorithm in framework satisfying the bifurcation property
– Seamless integration with the revocation algorithm
– Withstands any coalition size

Future Works
• Can we modify these approaches to be used in group key management in dynamic wireless networks such as MANETs?
• Compromised nodes for sensor networks together with broadcast authentication?
• Real world application?
Questions
• Thank you for listening!
• Questions?