Fast Algorithms for the Free Riders Problem in Broadcast Encryption

1
Fast Algorithms for the Free Riders Problem in
Broadcast Encryption

• Zulfikar Ramzan
• David P. Woodruff

Crypto 2006
2
Broadcast Encryption
Users
Server
Many applications payperview TV, music, videos
Offline phase - Server distributes keys
Online phase - Encrypt a session key for
privileged users
3
Broadcast Encryption

• Parameters
• Storage per user ( keys)
• Server storage
• Communication vs. computation
• Sets of privileged users it can support
• Security
• Computational vs. Information-theoretic

4
Free Riders

• ASW If we allow a small fraction of
  non-privileged (revoked) users to decrypt the
  broadcast, can we significantly save resources?
• A revoked user decrypting the broadcast is a
  free rider
• Commercial view
• These savings might be worth more than the
  loss from allowing a few free riders
• ASW Consider the subset-cover framework

5
Subset Cover Framework NNL

• n 1, , n is set of users
• Offline
• For some S ½ n, server distributes a key KS to
  all users in S. Let C be the collection of S
• Online
• R ½ n are the revoked users
• Server finds subsets S1, S2, , St in C such that
• S1 S2 ? St n \ R
• Broadcast ES1(M), ES2(M), , ESt(M)

6
Free Riders

• ASW Hardness
• Given a worst-case C, a revoked set R, and a
  bound f on the number of free riders
• NP-hard to find smallest t and S1, S2, , St 2 C
• S1 S2 ? St contains n n R
• S1 S2 ? St contains f elements of R
• Finding t with t (1?)t also hard
• Leave open the complexity for specific C

7
Our Contribution

• For a popular, information-theoretically
  secure scheme in subset-cover framework, known as
  the Complete Subtree Scheme, we find optimal t
  and S1, ? St in O(rf) time
• Can find t (1?)t and S1, ? St for uniform
  R of size r in O(rf1/3) time
• Techniques useful for other schemes in the
  subset-cover framework

8
Complete Subtree Scheme NNL
v
v
u1
u2
u3
u4
Complete Binary Tree on n leaves Key at each
node v given to users in subtree(v)
9
Complete Subtree Scheme NNL
u
u1
u2
u5
u4
u6
u8
u7
n users/leaves keys nodes 2n-1 keys per
user log n 1
Communication O(r log n/r) Information-theoretic
security Supports any revoked set of any size r
10
Benefits of Free Riders

• Can reduce communication from O(n1/2) to O(log n)
  in Complete Subtree Scheme
• Need an algorithm to find free riders random
  assignment bad with overwhelming probability
• Preserve computation, storage, etc.

11
Benefits of Free Riders



Diagram shows revoked users Optimal to make all
singletons free riders
12
Algorithm Overview

• Given a set R of leaves and a bound f of free
  riders, find smallest t and nodes v1, v2, , vt
• Privileged users covered by some subtree(vi) and
  at most f revoked users covered
• Dynamic programming algorithm
• For each v with children L(v), R(v)
• AL(v)i optimal cost of assigning at most i
  free riders to subtree(L(v))
• Avi minj AL(v)j AR(v)i-j
• Backtrack from root to find assignment

13
Algorithm Overview

• Algorithm has O(nf) time. Bad for large n
• In practice, r very small
• For CS scheme, can achieve O(rf) by only
  computing arrays Av at joining nodes

14
q
p
x
y
z
Initialize Ax 0 0
Az 0 0
Ay 0 0
Lift Ap 0 0 0 to Ap 1 1 1 Lift Az 0
0 to Az 2 1 Compute Aqi minj Apj
Azi-j, Aq 3 2 2
p and q are the only joining nodes
Compute Api minj Axj Ayi-j, Ap 0 0
0
15
Algorithm Overview

• Compute joining nodes v
• For each v, let L(v) and R(v) be nearest joining
  nodes in left and right subtree of v
• Lift AL(v) and ARv
• Avi minj AL(v)j AR(v)i-j
• Backtrack using DFS to find optimal assignment

16
Step 2 MinSum Problem

• Avi minj AL(v)j AR(v)i-j for all i
• Given a1 a2 ? am1 and
• b1 b2 ? bm2,
• output 8 i, minj aj bi-j
• Easy O(m1 m2) time
• Computational geometry O(m1 m2/log m1m2)
• Implies overall algorithm is O(rf) time

17
Step 2 MinSum Problem

• Given a1 a2 ? am1 and
• b1 b2 ? bm2,
• output 8 i, minj aj bi-j
• Relaxations
• 8 i, output j for which
• aj bi-j (1?) minj aj bi-j
• Bounded differences for CS scheme
• aj aj1 O(log n) and bj bj1
  O(log n)
• Our result O(m1 m21/3) time
• If R uniformly chosen from sets of size r, time
  is O(rf1/3)

18
Summary of Results

• O(rf)-time to optimally find set of f free riders
  given revoked set R of size r
• For every ? gt 0, given a1 ? am1 and b1 ?
  bm2 with aj aj1 and bj bj1 small, for all i
  output j such that
• aj bi-j (1?)minj aj bi-j
• in O(m1 m21/3) time
• 3. Yields O(rf1/3)-time algorithm

19
Open Questions

• Extend to other broadcast schemes
• Develop a better understanding of the benefits of
  free riders
• - computation and storage savings?
• Faster algorithms for the MinSum problem

20
MinSum Observations

• If aj bi-j is the minimum for level i, then
  aj bi?-j is the approximate minimum for
  level i ?
• To approximately solve level i, only try a few
  indices j because aj bi-j ¼ aj1
  bi-j-1
• If aj aj1 ? ajr , then for level i,
• aj bi-j aj1 bi-j-1
  ajr bi-j-r,
• so we need only consider ai