Presentation is loading. Please wait.

Presentation is loading. Please wait.

Revocation and Tracing Schemes for Stateless Receivers

Published byMary Briggs Modified over 5 years ago

Similar presentations

Presentation on theme: "Revocation and Tracing Schemes for Stateless Receivers"— Presentation transcript:

1 Revocation and Tracing Schemes for Stateless Receivers
Young June Pyun Department of Computer Science NC State University November 11, 2005

2 Outline Introduction Previous Works Subset-Cover Revocation
Traitor Tracing Conclusion

3 Broadcast Encryption Problem
Center transmits a message to a large group A subset of receivers is revoked and should not decrypt the message Subset changes dynamically Receivers are stateless Independent of history Essential for “off-line” applications Center Message M non-revoked revoked

4 Previous Works LKH (Logical-Key-Hierarchy)
Designed for stateful receivers Multicast re-keying application Revocation of r receivers among n receivers message length: O(rlogn) # of keys per receiver: O(logn) # of decryption per receiver : O(r) CPRM (Content Protection for Recordable Media) Designed for stateless receivers Copyright protection application Bounded by the number of revoked receivers (r)

5 Subset-Cover Revocation Framework
Notation: N – set of n users R – set of r users whose privileges are to be revoked Assumption: Stateless receivers Goal: Transmit an encrypted message M, so that a non-revoked user can decrypt M correctly no coalition of revoked users can decrypt M

6 Components Scheme Initiation Broadcast Algorithm Decryption Algorithm
Assigns secret information to receivers Iu → user u N Broadcast Algorithm Given a message M the set R of users to be revoked, outputs a ciphertext message M’ that is broadcast to all. Decryption Algorithm A non-revoked receiver should produce M from M’ , based on the current message and the secret information only.

7 Algorithm Framework Underlying collection of subsets (of receivers)
S1, S2, … , Sw (Sj N) Each subset Sj is assigned a long-lived key Lj A user u of Sj should be able to deduce Lj from its secret information Iu Given a revoked set R, the non-revoked users in N|R are partitioned into disjoint subsets Si1, Si2, … , Sim (N|R = Sij)

8 Broadcast Algorithm Choose a session key K
Given R, partition users in N|R into disjoint subsets Si1, Si2, … , Sim (N|R = Sij) with associated long-lived keys Li1, Li2, … , Lim Encrypt message M i1, i2, … , im, ELi1(K), ELi2(K), … , ELim(K) FK(M) HEADER BODY

9 Complete Subtree Method
Full-binary tree with n leaves Underlying subsets: S1, S2, … , Sw Si = set of all leaves in the subtree of vi w = 2n-1 Key assignment Assign a random and independent key Li to every node vi in the tree User keys Store all logn+1 keys along the path to the root vi Li Si

10 Complete Subtree: Key Assignment
users u Iu = {L1, L2, L5, L11, L22, L45} User key storage size = log n+1

11 Complete Subtree: Subset Cover
non-revoked revoked cover Average cover size = r log n/r

12 Subset Difference Method
Underlying subsets: Si,j Si,j = set of all leaves in the subtree of vi but not in vj vi vi vj vj Si,j

13 Subset Difference: Subset Cover
non-revoked revoked cover Si,j = vi vj Average cover size =1.25 r

14 Subset Difference: Key Assignment
Naive approach: Assign a key Li,j to every pair [vi, vj] in the tree Impractical: each user must store O(n) keys Use G, a pseudo-random sequence generator that triples the input length (k→3k) Use G to derive a labeling process S=LABELi – node GL(S) – left child GR(S) – right child GM(S) – node S GL(S) GR(S) G(S) = GL(S) GM(S) GR(S)

15 Subset Difference: Key Assignment (cont’)
S=LABELi vi GL(S) GR(S) GL(GL(S)) GR(GL(GL(S))) GL(GL(GL(S))) vj LABELi,j = GR(GL(GL(LABELi))) Li,j = GM(LABELi,j)

16 Subset Difference: Key Assignment (cont’)
A receiver corresponds to a leaf u in the tree For every vi ancestor of u with LABELi, u receives all LABELi,k that are hanging off the path from vi to u. u can compute all keys of the subset it belongs to rooted at vi, but not any other keys LABELi vi vi1 vi2 vi3 vik u User key storage size = 1/2log2 n

17 Comparison of Subset-Cover Revocation
Complete Subtree Subset Difference Message Length r log n/r 2r-1 1.25r (avg.) # of Keys per user log n ½ log2 n Processing Cost log log n # of Decryption per user 1

18 Traitor Tracing Traitor Tracing Mechanism “Trace and Revoke” Scheme
Efficient tracing of traitors who contributed their keys to an illicit decryption box(es) Black-box tracing: outputs a subset consisting of traitors “Trace and Revoke” Scheme Integration of traitor tracing and revocation with little additional cost or change Trace leaking keys and revoke them from the system for future uses

19 Conclusion Efficient Revocation for Stateless Receivers
Useful for Mobile Ad-hoc Networks But not for sensor networks due to resource constraints Stateless (SDR) vs. Stateful (LKH) LKH is good for immediate and small batch rekeying SDR is good when r is large However, may be as bad as sending GK individually to each remaining users via unicast when r is too large

Download ppt "Revocation and Tracing Schemes for Stateless Receivers"

Similar presentations

Efficient Kerberized Multicast Olga Kornievskaia University of Michigan Giovanni Di Crescenzo Telcordia Technologies.

Efficient Kerberized Multicast Olga Kornievskaia University of Michigan Giovanni Di Crescenzo Telcordia Technologies.
A Survey of Key Management for Secure Group Communications Celia Li.

A Survey of Key Management for Secure Group Communications Celia Li.
1 Efficient Self-Healing Group Key Distribution with Revocation Capability by Donggang Liu, Peng Ning, Kun Sun Presented by Haihui Huang

1 Efficient Self-Healing Group Key Distribution with Revocation Capability by Donggang Liu, Peng Ning, Kun Sun Presented by Haihui Huang
Group Protocols for Secure Wireless Ad hoc Networks Srikanth Nannapaneni Sreechandu Kamisetty Swethana pagadala Aparna kasturi.

Group Protocols for Secure Wireless Ad hoc Networks Srikanth Nannapaneni Sreechandu Kamisetty Swethana pagadala Aparna kasturi.
Broadcast Encryption – an overview Niv Gilboa – BGU 1.

Broadcast Encryption – an overview Niv Gilboa – BGU 1.
1 Trace, Revoke and Self Enforcement Mechanisms for Protecting Information Moni Naor Weizmann Institute of Science.

1 Trace, Revoke and Self Enforcement Mechanisms for Protecting Information Moni Naor Weizmann Institute of Science.
Key Management Schemes for Stateless Receivers Based on Time Varying Heterogeneous Logical Key Hierarchy Miodrag Mihaljevic ASIACRYPT 2003 December 1,

Key Management Schemes for Stateless Receivers Based on Time Varying Heterogeneous Logical Key Hierarchy Miodrag Mihaljevic ASIACRYPT 2003 December 1,
Secure Multicast (II) Xun Kang. Content Batch Update of Key Trees Reliable Group Rekeying Tree-based Group Diffie-Hellman Recent progress in Wired and.

Secure Multicast (II) Xun Kang. Content Batch Update of Key Trees Reliable Group Rekeying Tree-based Group Diffie-Hellman Recent progress in Wired and.
1 Dynamic Key-Updating: Privacy- Preserving Authentication for RFID Systems Li Lu, Lei Hu State Key Laboratory of Information Security, Graduate School.

1 Dynamic Key-Updating: Privacy- Preserving Authentication for RFID Systems Li Lu, Lei Hu State Key Laboratory of Information Security, Graduate School.
Secure Multicast Xun Kang. Content Why need secure Multicast? Secure Group Communications Using Key Graphs Batch Update of Key Trees Reliable Group Rekeying.

Secure Multicast Xun Kang. Content Why need secure Multicast? Secure Group Communications Using Key Graphs Batch Update of Key Trees Reliable Group Rekeying.
CS2420: Lecture 13 Vladimir Kulyukin Computer Science Department Utah State University.

CS2420: Lecture 13 Vladimir Kulyukin Computer Science Department Utah State University.
Scalable Secure Bidirectional Group Communication Yitao Duan and John Canny Berkeley Institute of Design Computer Science.

Scalable Secure Bidirectional Group Communication Yitao Duan and John Canny Berkeley Institute of Design Computer Science.
Multicast Security May 10, 2004 Sam Irvine Andy Nguyen.

Multicast Security May 10, 2004 Sam Irvine Andy Nguyen.
Group Key Distribution Chih-Hao Huang

Group Key Distribution Chih-Hao Huang
CS548 Advanced Information Security Presented by Gowun Jeong Mar. 9, 2010.

CS548 Advanced Information Security Presented by Gowun Jeong Mar. 9, 2010.
Network Aware Resource Allocation in Distributed Clouds.

Network Aware Resource Allocation in Distributed Clouds.
Secure Group Communication: Key Management by Robert Chirwa.

Secure Group Communication: Key Management by Robert Chirwa.
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style Broadcast Encryption Amos Fiat & Moni Naor Presented.

Fall, Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style Broadcast Encryption Amos Fiat & Moni Naor Presented.
Dong Hoon Lee CIST Korea University Efficient Communication-Storage Tradeoffs for Broadcast Encryption Schemes ( will be published.

Dong Hoon Lee CIST Korea University Efficient Communication-Storage Tradeoffs for Broadcast Encryption Schemes ( will be published.
Korea University CRYPTO ‘05 Jung Yeon Hwang, Dong Hoon Lee, Jong In Lim Generic Transformation for Scalable Broadcast Encryption Schemes.

Korea University CRYPTO ‘05 Jung Yeon Hwang, Dong Hoon Lee, Jong In Lim Generic Transformation for Scalable Broadcast Encryption Schemes.

Similar presentations

Ads by Google