Fast Algorithms for the Free Riders Problem in Broadcast Encryption
Zulfikar Ramzan
David P. Woodruff
Crypto 2006
Broadcast Encryption
Server
Users
Many applications: pay-per-view TV, music, videos
Offline phase - Server distributes keys
Online phase - Encrypt a session key for privileged users
Broadcast Encryption
• Parameters
– Storage per user (# keys)
– Server storage
– Communication vs. computation
– Sets of privileged users it can support
• Security
– Computational vs. Information-theoretic
Free Riders
• [ASW] If we allow a small fraction of non-privileged (revoked) users to decrypt the broadcast, can we significantly save resources?
• A revoked user decrypting the broadcast is a free rider
• Commercial view: these savings might be worth more than the loss from allowing a few free riders
• [ASW] Consider the subset-cover framework
Subset Cover Framework [NNL]
[n] = {1, …, n} is the set of users
Offline
• For some S ⊆ [n], server distributes a key K_S to all users in S. Let C be the collection of S
Online
• R ⊆ [n] are the revoked users
• Server finds subsets S_1, S_2, …, S_t in C such that
S_1 ∪ S_2 ∪ … ∪ S_t = [n] \ R
• Broadcast E_{S_1}(M), E_{S_2}(M), …, E_{S_t}(M)
Free Riders
• [ASW] Hardness
– Given a worst-case C, a revoked set R, and a bound f on the number of free riders
– NP-hard to find smallest t and S_1, S_2, …, S_t ∈ C such that
• S_1 ∪ S_2 ∪ … ∪ S_t contains [n] \ R
• S_1 ∪ S_2 ∪ … ∪ S_t contains ≤ f elements of R
– Finding t' with t' ≤ (1+)t also hard
• Leave open the complexity for specific C
Our Contribution
For a popular, information-theoretically secure scheme in the subset-cover framework, known as the Complete Subtree Scheme, we find optimal t and S_1, …, S_t in O(rf) time
Can find t' ≤ (1+)t and S_1, …, S_{t'} for uniform R of size r in Õ(r f^{1/3}) time
Techniques useful for other schemes in the subset-cover framework
Complete Subtree Scheme [NNL]
Complete Binary Tree on n leaves
Key at each node v given to users in subtree(v)
Complete Subtree Scheme [NNL]
n users/leaves
# keys = # nodes = 2n-1
# keys per user = log n + 1
Communication = O(r log(n/r))
Information-theoretic security
Supports any revoked set of any size r
Benefits of Free Riders
• Can reduce communication from O(n^{1/2}) to O(log n) in Complete Subtree Scheme
• Need an algorithm to find free riders – random assignment bad with overwhelming probability
• Preserve computation, storage, etc.
Benefits of Free Riders
Diagram shows revoked users
Optimal to make all singletons free riders
Algorithm Overview
• Given a set R of leaves and a bound f of free riders, find smallest t and nodes v_1, v_2, …, v_t
Privileged users covered by some subtree(v_i) and at most f revoked users covered
• Dynamic programming algorithm
For each v with children L(v), R(v)
• A_{L(v)}[i] = optimal cost of assigning at most i free riders to subtree(L(v))
• A_v[i] = min_j A_{L(v)}[j] + A_{R(v)}[i-j]
Backtrack from root to find assignment
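Added example (not from the original slides): the dynamic program above written out for a complete binary tree, visiting every node and using the easy quadratic MinSum step rather than the joining-node speed-up. The function name, the numbering of users as 0..n-1, n being a power of two, and the (lo, hi) leaf-range encoding of a subtree are assumptions made for illustration.

```python
def cs_free_rider_cover(n, revoked, f):
    """Complete Subtree scheme on n = 2^k leaves (users 0..n-1).

    Returns (t, cover): the minimum number t of subtree keys that reach every
    privileged user while reaching at most f revoked users (free riders), and
    the chosen subtrees as half-open leaf ranges (lo, hi).
    """
    revoked = set(revoked)
    table = {}  # (lo, hi) -> (A, pick); A[i] = optimal cost with at most i free riders

    def build(lo, hi):
        r = sum(u in revoked for u in range(lo, hi))  # revoked leaves under this node
        if hi - lo == 1:
            # Leaf: a revoked user needs no key, a privileged user needs exactly one.
            table[lo, hi] = ([0 if r else 1] * (f + 1),
                             ["skip" if r else "key"] * (f + 1))
            return
        mid = (lo + hi) // 2
        build(lo, mid)
        build(mid, hi)
        AL, AR = table[lo, mid][0], table[mid, hi][0]
        A, pick = [], []
        for i in range(f + 1):
            # MinSum step from the slides: A_v[i] = min_j A_L(v)[j] + A_R(v)[i-j]
            j = min(range(i + 1), key=lambda j: AL[j] + AR[i - j])
            cost = AL[j] + AR[i - j]
            if r <= i and cost > 1:
                # One key at v covers the whole subtree; its r revoked leaves free-ride.
                A.append(1)
                pick.append("key")
            else:
                A.append(cost)
                pick.append(j)
        table[lo, hi] = (A, pick)

    def collect(lo, hi, i, out):
        # Backtrack from the root, following the recorded choices.
        choice = table[lo, hi][1][i]
        if choice == "key":
            out.append((lo, hi))
        elif choice != "skip":
            mid = (lo + hi) // 2
            collect(lo, mid, choice, out)
            collect(mid, hi, i - choice, out)
        return out

    build(0, n)
    return table[0, n][0][f], collect(0, n, f, [])
```

With the constructed input n = 8 and revoked users {0, 3, 5}, the cover shrinks from 4 keys at f = 0 to 3 keys at f = 1, because user 5 is allowed to free-ride under the key for leaves 4..7.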
Algorithm Overview
• Algorithm has O(nf) time. Bad for large n
• In practice, r very small
• For CS scheme, can achieve O(rf) by only computing arrays A_v at joining nodes
[Figure: tree with nodes x, y, z, p, q]
Initialize A_x = [0 0], A_y = [0 0], A_z = [0 0]
Compute A_p[i] = min_j A_x[j] + A_y[i-j], A_p = [0 0 0]
Lift A_p = [0 0 0] to A_{p'} = [1 1 1]
Lift A_z = [0 0] to A_{z'} = [2 1]
Compute A_q[i] = min_j A_{p'}[j] + A_{z'}[i-j], A_q = [3 2 2]
p and q are the only joining nodes
Algorithm Overview
1. Compute joining nodes v
2. For each v, let L(v) and R(v) be nearest joining nodes in left and right subtree of v
   a. "Lift" A_{L(v)} and A_{R(v)}
   b. A_v[i] = min_j A_{L(v)}[j] + A_{R(v)}[i-j]
3. Backtrack using DFS to find optimal assignment
Step 2: MinSum Problem
A_v[i] = min_j A_{L(v)}[j] + A_{R(v)}[i-j] for all i
Given a_1 ≥ a_2 ≥ … ≥ a_{m_1} and
b_1 ≥ b_2 ≥ … ≥ b_{m_2},
output ∀ i, min_j a[j] + b[i-j]
• Easy O(m_1 m_2) time
• Computational geometry: O(m_1 m_2 / log(m_1 m_2))
• Implies overall algorithm is O(rf) time
Step 2: MinSum Problem
Given a_1 ≥ a_2 ≥ … ≥ a_{m_1} and
b_1 ≥ b_2 ≥ … ≥ b_{m_2},
output ∀ i, min_j a[j] + b[i-j]
Relaxations
1. ∀ i, output j' for which
a[j'] + b[i-j'] ≤ (1+) min_j a[j] + b[i-j]
2. Bounded differences for CS scheme
a[j] – a[j+1] = O(log n) and b[j] – b[j+1] = O(log n)
Our result: Õ(m_1 m_2^{1/3}) time
If R uniformly chosen from sets of size r, time is Õ(r f^{1/3})
Summary of Results
1. O(rf)-time to optimally find set of f free riders given revoked set R of size r
2. For every > 0, given a_1 ≥ … ≥ a_{m_1} and b_1 ≥ … ≥ b_{m_2} with a_j – a_{j+1} and b_j – b_{j+1} small, for all i output j' such that
a_{j'} + b_{i-j'} ≤ (1+) min_j a_j + b_{i-j}
in Õ(m_1 m_2^{1/3}) time
3. Yields Õ(r f^{1/3})-time algorithm
Open Questions
• Extend to other broadcast schemes
• Develop a better understanding of the benefits of free riders - computation and storage savings?
• Faster algorithms for the MinSum problem
MinSum Observations
• If a[j] + b[i-j] is the minimum for level i, then a[j] + b[i+-j] is the approximate minimum for level i +
• To approximately solve level i, only try a few indices j because a[j] + b[i-j] ≈ a[j+1] + b[i-j-1]
• If a_{j'} = a_{j'+1} = … = a_{j'+r}, then for level i,
a[j'] + b[i-j'] ≥ a[j'+1] + b[i-j'-1] ≥ … ≥ a[j'+r] + b[i-j'-r],
so we need only consider a_{i'}