Explicit Exclusive Set Systems with Applications to Broadcast Encryption. David P. Woodruff (MIT), Craig Gentry (Stanford), Zulfikar Ramzan (Symantec). FOCS 2006.

Broadcast Encryption
- 1 server, n clients
- Server broadcasts to all clients at once (e.g., pay-per-view TV, music, videos)
- Only privileged users can understand broadcasts (e.g., those who pay their monthly bills)
- Need to encrypt broadcasts

Subset Cover Framework [NNL]
Offline stage:
- For some S ⊆ [n], the server creates a key K(S) and distributes it to all users in S
- Let C be the collection of such S
- Server space complexity ~ |C|
- ith user's space complexity ~ number of S containing i

Subset Cover Framework [NNL]
Online stage:
- Given a set R ⊆ [n] of at most r revoked users
- Server establishes a session key M that only users in the set [n] \ R know
- Finds S_1, …, S_t ∈ C with [n] \ R = S_1 ∪ … ∪ S_t
- Encrypts M under each of K(S_1), …, K(S_t)
- Content is encrypted using the session key M

Subset Cover Framework [NNL]
- Communication complexity ~ t
- Tolerates up to r revoked users
- Tolerates any number of colluders
- Information-theoretic security
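The offline and online stages above, as an added toy implementation that is not the paper's construction: the collection C is taken to be all intervals of [n] (an assumption made here only so the cover step is easy to see; |C| grows like n^2, which is far from the bounds the talk is about), keys K(S) are random byte strings, and the session key M is hidden under K(S) with a one-time pad derived from K(S) and a per-session nonce. Any [n] \ R with |R| ≤ r is a union of at most r + 1 intervals, so t = r + 1 for this collection.

```python
# Toy subset-cover broadcast encryption [NNL] with C = all intervals of [n].
# Added illustration; the interval collection and the key-wrapping are assumptions
# of this example, not the construction from the talk.
import hashlib
import secrets


def make_collection(n):
    """C = every interval {i, ..., j} of [n] = {1, ..., n}; |C| = n(n+1)/2."""
    return [frozenset(range(i, j + 1))
            for i in range(1, n + 1) for j in range(i, n + 1)]


def offline_stage(n):
    """Server picks K(S) for each S in C; user i stores the keys of all S containing i."""
    C = make_collection(n)
    keys = {S: secrets.token_bytes(32) for S in C}
    user_keys = {i: {S: keys[S] for S in C if i in S} for i in range(1, n + 1)}
    return C, keys, user_keys


def cover(n, R):
    """Write [n] \\ R as the disjoint union of its maximal intervals (one left-to-right scan)."""
    parts, start = [], None
    for i in range(1, n + 2):          # i = n + 1 acts as a sentinel that closes the last run
        if i <= n and i not in R:
            start = i if start is None else start
        elif start is not None:
            parts.append(frozenset(range(start, i)))
            start = None
    return parts


def wrap(key, nonce, M):
    """One-time pad of the 32-byte M under a pad derived from K(S) and the session nonce."""
    pad = hashlib.sha256(key + nonce).digest()
    return bytes(a ^ b for a, b in zip(pad, M))


def online_stage(n, keys, R, nonce, M):
    """Header = M wrapped under K(S) for every S in the cover of [n] \\ R (t ciphertexts)."""
    return [(S, wrap(keys[S], nonce, M)) for S in cover(n, R)]


def decrypt_header(user_keys_i, header, nonce):
    """A user unwraps M with the first cover set whose key it holds; revoked users hold none."""
    for S, ct in header:
        if S in user_keys_i:
            return wrap(user_keys_i[S], nonce, ct)   # XOR pad is its own inverse
    return None


def run_demo(n=10, R=frozenset({3, 7})):
    """Constructed scenario: n = 10 users, users 3 and 7 revoked (r = 2)."""
    C, keys, user_keys = offline_stage(n)
    M = secrets.token_bytes(32)           # session key
    nonce = secrets.token_bytes(16)
    header = online_stage(n, keys, R, nonce, M)
    got = {i: decrypt_header(user_keys[i], header, nonce) for i in range(1, n + 1)}
    return {
        "collection_size": len(C),        # 55 for n = 10
        "cover_size": len(header),        # 3 = r + 1 intervals
        "all_privileged_recover": all(got[i] == M for i in range(1, n + 1) if i not in R),
        "no_revoked_recovers": all(got[i] is None for i in R),
    }


if __name__ == "__main__":
    print(run_demo())
```

The header length is the communication cost t, and the per-user storage is the number of intervals containing that user, which is the quantity the talk's constructions drive down; the n^2-sized interval collection is exactly the kind of cost the later "General n, r, t" slide has to get rid of.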

The Combinatorics Problem
Find a family C of subsets of {1, …, n} such that any large set S ⊆ {1, …, n} is the union of a small number of sets in C: S = S_1 ∪ S_2 ∪ … ∪ S_t
Parameters:
- Universe is [n] = {1, …, n}
- |S| ≥ n - r
- Write S as a union of ≤ t sets in C
- Goal: minimize |C|

A Lower Bound
Claim:
1. At least sets of size ≥ n-r
2. Only different unions
3. Thus,
4. Solve for |C|
Proof:

Known Upper Bounds
Bad: once n and r are chosen, t and |C| are fixed.
Known pairs (t, |C|) by authors:
- [GSY]: (r log n / log r)^2
- [LNN, ALO]: t = r log(n/r), |C| = 2n
- [LNN]: t = 2r, |C| = n log n
- [KRS]: r^3 log n / log r

Known Upper Bounds
Only known general result: if r ≤ t, then |C| = O(t^3 (nt)^{r/t} log n) [KR]
Drawbacks:
- Probabilistic method
- Set-Cover: to write S = S_1 ∪ S_2 ∪ … ∪ S_t, one must solve Set-Cover
- C has a large description
- No way to verify C is correct
- Suboptimal size:

Our Results
Main result: tight upper bound |C| = poly(r,t) for n, r, t all arbitrary
- Matches the lower bound up to poly(r,t)
- In applications r, t << n; when r, t << n, get |C| = O(rt )
- Our construction is explicit
- Finds the sets S = S_1 ∪ … ∪ S_t in poly(r, t, log n) time
- Improved cryptographic applications

Cryptographic Implications
Our explicit exclusive set systems yield almost optimal information-theoretic broadcast encryption and multi-certificate revocation schemes
- General n, r, t: contrasts with previous explicit systems
- Poly(r, t, log n) time to find the keys for a broadcast: contrasts with probabilistic constructions
- Parameters: for poly(r, log n) server storage complexity, we can set t = r log(n/r), but previously t = (r^2 log n)

Techniques
Case analysis:
- r, t << n: algebraic solution
- general r, t: use a divide-and-conquer approach to reduce to the previous case

Case: r, t << n
- Find a prime p = n^{1/t} +
- Users [n] are points in (F_p)^t
- Consider the ring F_p[X_1, …, X_t]
- Goal: find a set of polynomials C such that for any R ⊆ [n] with |R| ≤ r, there exist p_1, …, p_t ∈ C such that R = Variety(p_1, …, p_t)

Case: r, t << n
- First design a polynomial collection that works for any R ⊆ [n] with |R| ≤ r such that for every coordinate i, 1 ≤ i ≤ t, all |R| points differ on the ith coordinate (*)
- Then apply a few permutations of [n] and construct new polynomial collections on the permuted universe; take the union of these collections
- The permutations can be found deterministically using MDS codes

Example Collection: r = 2, t = 3
For r = 2, t = 3, our collection is:
1. (X_1 - a)(X_1 - b) for all distinct a, b
2. aX_1 + b - X_2 for any a, b ∈ F_p
3. aX_2 + b - X_3 for any a, b ∈ F_p
Revoke u = (u_1, u_2, u_3) and v = (v_1, v_2, v_3) with u_1 ≠ v_1, u_2 ≠ v_2, and u_3 ≠ v_3:
- Let p_1 = (X_1 - u_1)(X_1 - v_1)
- Find p_2 by interpolating from au_1 + b - u_2 = 0, av_1 + b - v_2 = 0
- Find p_3 by interpolation
- Variety(p_1, p_2, p_3) = {u, v}
- We broadcast with keys K(p_i), distributed to the users on which p_i doesn't vanish
If u_1 ≠ v_1, u_2 = v_2, and u_3 ≠ v_3, then (u_1, u_2, v_3) is also in the variety…
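The r = 2, t = 3 collection above, worked through in code as an added example (not code from the paper): users are points of (F_p)^3 with a small constructed p = 7 so the whole cube can be enumerated, the three polynomial types are the ones on the slide, p_2 and p_3 are found by interpolation, and the variety is computed by brute force. The degenerate case u_2 = v_2 is also shown: there the type-3 interpolation has no solution, and the common zero set of p_1 and p_2 alone contains (u_1, u_2, v_3), which is the slide's last point.

```python
# Added worked example for the r = 2, t = 3 polynomial collection over F_p.
# Users are points of (F_p)^3; revoking {u, v} means picking three polynomials
# from the collection whose common zero set (variety) is exactly {u, v}.
import itertools

P = 7  # constructed small prime so (F_p)^3 has only 343 points to scan


def type1(a, b):
    """(X1 - a)(X1 - b): vanishes on the two planes X1 = a and X1 = b."""
    return lambda x: ((x[0] - a) * (x[0] - b)) % P


def type2(a, b):
    """a*X1 + b - X2."""
    return lambda x: (a * x[0] + b - x[1]) % P


def type3(a, b):
    """a*X2 + b - X3."""
    return lambda x: (a * x[1] + b - x[2]) % P


def interpolate(x0, y0, x1, y1):
    """Solve a*x0 + b = y0 and a*x1 + b = y1 over F_p for (a, b).
    Returns None when x0 == x1 but y0 != y1: no line through both points."""
    if (x0 - x1) % P == 0:
        return None if (y0 - y1) % P != 0 else (0, y0 % P)
    a = (y1 - y0) * pow(x1 - x0, -1, P) % P
    b = (y0 - a * x0) % P
    return a, b


def variety(polys):
    """All points of (F_p)^3 on which every polynomial in polys vanishes."""
    return {x for x in itertools.product(range(P), repeat=3)
            if all(q(x) == 0 for q in polys)}


def revoke_pair(u, v):
    """Cover polynomials [p1, p2, p3] for revoked users u, v, or None when
    condition (*) fails and an interpolation step has no solution."""
    p1 = type1(u[0], v[0])
    ab2 = interpolate(u[0], u[1], v[0], v[1])   # line through (u1,u2) and (v1,v2)
    ab3 = interpolate(u[1], u[2], v[1], v[2])   # line through (u2,u3) and (v2,v3)
    if ab2 is None or ab3 is None:
        return None
    return [p1, type2(*ab2), type3(*ab3)]


def keys_for_user(x, polys):
    """Indices i of the keys K(p_i) that user x receives: those p_i not vanishing at x."""
    return [i for i, q in enumerate(polys) if q(x) != 0]


def degenerate_case(u, v):
    """With u2 == v2 only p1 and p2 exist; return their (too large) common zero set."""
    p1 = type1(u[0], v[0])
    ab2 = interpolate(u[0], u[1], v[0], v[1])
    return variety([p1, type2(*ab2)])


if __name__ == "__main__":
    u, v = (1, 2, 3), (4, 5, 6)                 # constructed users, all coordinates distinct
    polys = revoke_pair(u, v)
    print(sorted(variety(polys)))               # [(1, 2, 3), (4, 5, 6)]
    print(keys_for_user((2, 2, 2), polys))      # a non-revoked user holds at least one key
    w = (4, 2, 6)                               # u2 == v2: condition (*) violated
    print(revoke_pair(u, w))                    # None
    print((1, 2, 6) in degenerate_case(u, w))   # True
```

Every non-revoked user x lies outside the variety, so some p_i(x) ≠ 0 and x holds K(p_i); the two revoked users vanish on all three polynomials and hold none of the three keys.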

Our General Collection and Intuition:
- The first type of polynomials implements a base case
- The second type of polynomials implements ANDs

Wrapping up the r, t << n case
- Using many tricks (balancing techniques, expanders, etc.), we can show that even without distinct coordinates, size O(rt ) is achievable
- Almost matches the (t ) lower bound
- Open question: resolve this gap

General n, r, t
- Let m be such that r/m, t/m << n
- For every interval [i, j] of [n], form an exclusive set system with n = j-i+1, r = r/m, t = t/m
- Given a set R, find intervals which evenly partition R
(Figure: the line 1 … i … j … n with the revoked users marked x inside the interval [i, j])
Problem! An n^2 term?!?
Fix:
- hash [n] to [r^2] first
- do enough hashes so there is an injective hash for every R
- apply the construction above on [r^2]
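The "enough hashes" step of the fix, as an added example that is not the paper's construction: it builds a family H of functions [n] -> [r^2] by drawing random hashes (seeded, so the run is reproducible) until every set R of r users is mapped injectively by at least one member of H, and it verifies that property by brute force over all r-subsets, which is why the constructed parameters (n = 20, r = 3) are kept tiny. Sets of fewer than r users are covered automatically, since any r-superset that some h maps injectively is mapped injectively on the subset too.

```python
# Added example: a small "perfect" hash family [n] -> [r^2] so that every set R
# of at most r users is injective under some hash. Random construction checked
# exhaustively; parameters are constructed for illustration.
import itertools
import random


def injective_on(h, R):
    """True iff the hash h (a dict x -> bucket) sends the elements of R to distinct buckets."""
    return len({h[x] for x in R}) == len(R)


def is_perfect_family(H, n, r):
    """True iff every r-subset of [n] is injective under at least one h in H."""
    return all(any(injective_on(h, R) for h in H)
               for R in itertools.combinations(range(1, n + 1), r))


def build_family(n, r, seed=0):
    """Keep adding random hashes [n] -> [r^2] (keeping only those that separate
    some still-uncovered R) until no r-subset is left uncovered. Returns H."""
    rng = random.Random(seed)
    m = r * r
    H = []
    uncovered = set(itertools.combinations(range(1, n + 1), r))
    while uncovered:
        h = {x: rng.randrange(m) for x in range(1, n + 1)}
        newly = {R for R in uncovered if injective_on(h, R)}
        if newly:                 # a hash that separates nothing new is discarded
            H.append(h)
            uncovered -= newly
    return H


def find_injective_hash(H, R):
    """Index of a hash in H that is injective on R (what the cover step uses), or None."""
    for i, h in enumerate(H):
        if injective_on(h, R):
            return i
    return None


if __name__ == "__main__":
    H = build_family(20, 3, seed=1)
    print(len(H), is_perfect_family(H, 20, 3))          # a handful of hashes, True
    print(find_injective_hash(H, (2, 9, 17)))           # some valid index
```

With m = r^2 buckets a random hash maps a fixed r-set injectively with probability at least 1/2 (a union bound over the r(r-1)/2 pairs), so the number of hashes needed grows only logarithmically in the number of r-subsets; the constructed parameters here are small enough that this is checked exhaustively rather than argued.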

Summary and Open Questions
Main result: tight explicit upper bound |C| = poly(r,t) for n, r, t arbitrary
- Cover sets in poly(r, t, log n) time
- Optimal number of keys per user
Other result: slightly improve the [LS] lower bound on keys per user in any scheme, using a relaxed sunflower lemma: from ( )/(rt) to ( )/r
Open question: improve the poly(r,t) factors