Computer Science

Revocation and Tracing Schemes for Stateless Receivers

Dalit Naor, Moni Naor, Jeff Lotspiech

Presented by Attila Altay Yavuz, CSC 774 In-Class Presentation (Based on Authors’ presentation)

Outline

• Digital Content and the stateless scenario for trace and revoke
• The Subset Cover Framework for T&R schemes
• Two subset cover schemes
  – Complete Subset Tree
  – Subset Difference Tree
• Tracing:
  – General Tracing Algorithm
  – Bifurcation property
• Conclusion

Problems and Motivation

• Digital Content: Very easy to generate, transfer and reproduce. However - also easy to violate ownership. CRITICAL!!:
  – Copyright
  – Privacy
• Protecting content: methods for discouraging/preventing redistribution of content - after decryption
  • Watermarking
  • Fingerprinting
• Protecting cryptographic keys
  – Broadcast Encryption/Revocation
    • Send information only to intended recipients
  – Tracing Traitors
  – Trace and Revoke

The Broadcast Encryption Problem

Components of a stateless system

• Notations: $N$ - set of $n$ users, $R$ - set of $r$ users whose privileges are to be revoked
• Scheme Initiation:
  – a method to assign secret information to devices, $I_u$ to $u$.
• The broadcast algorithm -
  – For message $M$ and a set $R$ of users to be revoked, produce a ciphertext $C$ to broadcast to all.
• A decryption algorithm (at device) -
  – a non-revoked device should produce $M$ from ciphertext $C$.
  – Stateless Users: Decryption should be based on the current message and the secret information $I_u$ only.
  – Goal: Impossible to produce $M$ from ciphertext even when provided with the secret information of all revoked users.

Subset Cover Framework: An algorithm

Underlying collection of subsets (of devices) $S_1, S_2, \ldots, S_w$, with $S_j \subseteq N$.

• Each subset $S_j$ associated with long-lived key $L_j$
  – A device $u \in S_j$ should be able to deduce $L_j$ from its secret information $I_u$
• Given a revoked set $R$, the non-revoked users $N \setminus R$ are partitioned into $m$ disjoint subsets $S_{i_1}, S_{i_2}, \ldots, S_{i_m}$ ($N \setminus R = \bigcup_{j=1}^{m} S_{i_j}$)
  – a session key $K$ is encrypted $m$ times with $L_{i_1}, L_{i_2}, \ldots, L_{i_m}$.

S.Cover: The Broadcast Algorithm

• Choose a session key $K$
• Given $R$, find a partition of $N \setminus R$ into disjoint sets: $S_{i_1}, S_{i_2}, \ldots, S_{i_m}$, $N \setminus R = \bigcup_{j=1}^{m} S_{i_j}$
  – with associated keys $L_{i_1}, L_{i_2}, \ldots, L_{i_m}$
• Encrypt message $M$
• $E$: Long Term Alg. $F$: Moderate Term

S.Cover: The Decryption Step at u

• Either
  – Find the subset $i_j$ such that $u \in S_{i_j}$, or
  – null if $u \in R$
• Obtain $L_{i_j}$ from the private information $I_u$
• Compute $D_{L_{i_j}}(E_{L_{i_j}}(K))$ to obtain $K$
• Decrypt $F_K(M)$ with $K$ to obtain the message $M$.

Subset-Cover Algorithms

The Complete Sub-tree Method

Subset Cover of non-revoked devices: Complete Subtree Method
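The framework's broadcast and decryption steps, instantiated with the complete subtree method of the Naor, Naor and Lotspiech paper, as an added example (not code from the slides or the authors). The heap-style node numbering, the tree height, the HMAC-derived node keys and the XOR keystream standing in for E and F are assumptions of this sketch.

```python
import hashlib, hmac, os

H = 3                    # assumed tree height: devices are leaves 8..15, root is node 1
N_LEAVES = 1 << H

def node_key(master, v):
    # Long-lived key L_v of the subtree rooted at v (HMAC derivation is a demo shortcut).
    return hmac.new(master, b"node-%d" % v, hashlib.sha256).digest()

def device_secret(master, leaf):
    # I_u: keys of every node on the path from leaf u up to the root.
    keys, v = {}, leaf
    while v >= 1:
        keys[v] = node_key(master, v)
        v //= 2
    return keys

def cover(revoked):
    # Partition N \ R into complete subtrees: their roots are the nodes hanging
    # off the Steiner tree that connects the revoked leaves to the root.
    if not revoked:
        return [1]
    steiner = set()
    for leaf in revoked:
        v = leaf
        while v >= 1:
            steiner.add(v)
            v //= 2
    return sorted(c for v in steiner if v < N_LEAVES
                  for c in (2 * v, 2 * v + 1) if c not in steiner)

def xor_stream(key, data):
    # Toy stand-in for E and F (SHA-256 counter keystream); not a production cipher.
    out = bytearray()
    for i in range(0, len(data), 32):
        pad = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], pad))
    return bytes(out)

def broadcast(master, revoked, message):
    k = os.urandom(32)                                 # session key K
    header = {v: xor_stream(node_key(master, v), k) for v in cover(revoked)}
    return header, xor_stream(k, message)              # [i_j, E_{L_ij}(K)], F_K(M)

def decrypt(secret, header, body):
    for v, wrapped in header.items():
        if v in secret:                                # u in S_{i_j}
            return xor_stream(xor_stream(secret[v], wrapped), body)
    return None                                        # u in R: no subset contains u
```

With leaves 9 and 12 revoked the cover is the four subtrees rooted at 5, 7, 8 and 13, and pooling the secrets of both revoked devices still yields no key that appears in the header.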

The Subset-difference Method: Subset Definition

Subset Cover of non-Revoked Devices: Subset-Difference Method

Key-Assignment: Subset-Difference Method

Key-Assignment: Subset-Difference Method

Tracing Traitors

• Some users leak their keys to pirates
• Pirates construct unauthorized decryption devices and sell them at discount
• Trace and Revoke for all subset cover algorithms satisfying bifurcation property
• More efficient procedure for subset difference
• Goal: output one of the two
  – a user $u$ contained in the box
  – a partition $S = S_{i_1}, S_{i_2}, \ldots, S_{i_m}$ that disables the box

Subset Tracing

Definition: Bifurcation Property

• Any subset $S_i$ can be partitioned into (roughly) two equal sets $S_{i_1}$ and $S_{i_2}$.
• $S_i = S_{i_1} \cup S_{i_2}$
• Bifurcation value:
  – $\max \{ |S_{i_1}|/|S_i|, |S_{i_2}|/|S_i| \}$
  – Complete sub-tree method (since sub-trees are complete): can be split into two equal parts.
  – Subset Difference methods generally have 2/3.
• Fundamental for the following Tracing algorithm.

The Tracing Algorithm

The Tracing Algorithm

Conclusion

• Define the Subset-Cover framework
  – Family of algorithms, encapsulating previous methods
• Rigorous security analysis: Sufficient condition for an algorithm in framework to be secure.
• Provide the Subset-Difference revocation algorithms
  – r-flexible (it does not assume an upper bound for # of revoked receivers)
  – concise message length
• Tracing algorithm
  – Works for any algorithm in framework satisfying the bifurcation property
  – Seamless integration with the revocation algorithm
  – Withstands any coalition size

Future Works

• Can we modify these approaches to be used in group key management in dynamic wireless networks such as MANETs?
• Compromised nodes for sensor networks together with broadcast authentication?
• Real world application?

Questions

• Thank you for listening!

• Questions?