Explicit Exclusive Set Systems with Applications

1
Explicit Exclusive Set Systems with Applications

• David P. Woodruff

Joint work with Craig Gentry and Zulfikar Ramzan
2
Outline

• The Combinatorics Problem
• Our Techniques
• Applications
• Broadcast encryption
• Certificate revocation
• Group testing

3
The Combinatorics Problem

• Find a family C of subsets of 1, 2, ., n such
  that any large set S µ 1, 2, , n is the union
  of a small number of sets in C
• S S1 S2 ? St
• Parameters
• Universe is n 1, , n
• S gt n-r
• Write S as a union of t sets in C
• Goal
• Minimize C

4
The Combinatorics Problem

• Find a family C of subsets of n such that any
  set S µ n with S n-r is union of t sets in
  C
• S S1 S2 ? St

• Example t 1
• C all sets of size n-r
• C

• Example t n
• C all sets of size 1
• C n

• C excludes sets of size r
• C is an exclusive set system

5
Another Example

• Example r 1, t 2
• Write each i 2 n as (i1, i2) 2 n1/22

x
S
1 i
n
excludes 1st coordinate i1
excludes 2nd coordinate i2

• C 2n1/2

6
Another Example (Generalized)

• r 1, t log n
• Write each i 2 n as (i1, i2 , , it) 2 n1/tt
• Sets in C are named (x, y) 2 t x n1/t
• i 2 (x,y) iff ix ? y
• C tn1/t
• If S n n i,
• S (1, i1) (2, i2) (t, it)

7
Example Summary

• r arbitrary
• t 1 C
• t n C n
• t log n
• r 1 C tn1/t

How does C grow given n, r, and t?
8
A Lower Bound
Claim

• At least sets of size n-r
• Only different unions
• Thus,
• Solve for C

Proof
9
Example Summary

• r arbitrary
• t 1 C
• t n C n
• t log n
• r 1 C tn1/t

tight
tight
tight
What happens for arbitrary n, r, and t?
10
Known Results

• Bad once n and r are chosen, t and C are fixed

11
Known Results

• Only known general result
• If r t, then C O(t3(nt)r/t log n) KR
• Drawbacks
• Probabilistic method
• To write S S1 S2 St , solve Set-Cover
• C has large description
• Bad for applications
• Suboptimal size

12
Our Results

• Main result C poly(r,t)
• n, r, t all arbitrary
• Match lower bound up to poly(r,t)
• In applications r, t ltlt n
• When r,t ltlt n, get C O(rt )
• Our construction is explicit
• Find sets S S1 St in poly(r, t, log n)
  time
• Improved cryptographic applications

13
Outline

• The Combinatorics Problem
• Our Techniques
• Applications
• Broadcast encryption
• Certificate revocation
• Group testing

14
Techniques

• Case analysis
• r, t ltlt n
• algebraic solution
• general r, t
• use divide-and-conquer approach
• to reduce to previous case

15
Case r,t ltlt n

• Find a prime p n1/t ?
• Integers n are points in (Fp)t
• Consider the ring FpX1, , Xt
• Goal find set of polynomials C such that for any
  R ½ n with R r, there exist p1, , pt 2 C
  such that
• R Variety(p1, , pt)

16
The Polynomial Collection

• Consider the following collection

and
17
The Polynomial Collection (Cond)
and
Proof choose ?j1R (X1 uj1) let
ui1, ui2, , uiR be the ith coordinates
and ui11, ui12, , ui1R be the (i1)st
coordinates choose pi1 f(Xi) Xi1
by interpolating from f(uij) ui1j
for all j
Claim If no two points in R have the same ith
coordinate for any i, then we can find
p1, , pt with Variety(p1, , pt) R
18
The Polynomial Collection (Cond)
Proof choose ?j1R (X1 uj1) let
ui1, ui2, , uiR be the ith coordinates
and ui11, ui12, , ui1R be the (i1)st
coordinates choose pi1 f(Xi) Xi1
by interpolating from f(uij) uij1
for all j
Proof Induction. If x in variety, x1 u1j for
some j pi1(x) f(xi) xi1 0 so
f(xi) f(uij) ui1j xi1
Claim 2 If x 2 n n R, then x not in
Variety(p1, , pt)
Claim 1 Every point in R is in Variety(p1, ,
pt)
Proof Immediate
19
The Polynomial Collection (Cond)

• C O(tpr), where p n1/t ?
• Density theorems ! C O(tnr/t)
• Only works if R has distinct coordinates

20
Handling Non-distinct Coordinates

• Perform coordinate tranformations
• Each u 2 n is a degree-(t-1) polynomial pu in
  Fpx
• Translate polynomial representation to point
  representation by evaluation
• pu -gt (pu(1), pu(2), , pu(t))
• pu ? pu implies translations are distinct
• Idea choose many transformations (sets of t
  points in Fp), so every R has a transformation
  with distinct coordinates
• Apply previous construction

21
Handling Non-distinct Coordinates
Suppose R 1, , r
1 2 3 t (t1) (t2) 2t (2t1)
p1 p2 p3 pr
1 2 3 t
(t1) (t2) 2t
(2t1)
2 2 3 t
3 2 3 t


r 2 3 t
22
Handling Non-Distinct Coordinates

• How many blocks of t points do we need to
  consider?
• Two distinct degree-(t-1) polynomials can agree
  on at most t-1 points.
• Thus, at most can have
  non-distinct coordinates
• So choose blocks, apply
  distinct coordinate construction for each block
  
• Take union of constructions for all blocks

23
Summary and Improvements

• O(r2 t) blocks, each O(t nr/t) sets
• O(r2 t2 nr/t) sets in total!
• Can improve to O(rt )

24
Improvements

• Choose special points in Fp for blocks
• Mix the blocks with an expander
• Balance complexity of two types of sets

25
General n, r, t
x x x x x x
1
n

• Problem! n2 term ?!?
• Fix- hash n to r2 first
• - do enough hashes so there is an
  injective
• hash for every R
• - apply construction above on r2

• Let m be such that r/m, t/m ltlt n
• For every interval i, j, form an exclusive set
  
• system with n j-i1, r r/m, t t/m
• Given a set R, find intervals which evenly
• partition R.

26
Outline

• The Combinatorics Problem
• Our Techniques
• Applications
• Broadcast encryption
• Certificate revocation
• Group testing

27
Broadcast Encryption
Clients
Server

• 1 server, n clients
• Server broadcasts to all clients at once
• E.g., payperview TV, music, videos

• Only privileged users can understand broadcasts
• E.g., those who pay their monthly bills
• Need to encrypt broadcasts

• Online phase - Server encrypts a session key so
  only privileged users can decrypt

Offline phase - Server distributes keys
28
Subset Cover Framework NNL

• Offline stage
• For some S ½ n, server creates a key K(S) and
  distributes it to all users in S
• Idea choose sets S from an exclusive set system
  C
• Server space complexity C
• ith user space complexity S containing i

29
Subset Cover Framework NNL

• Online stage
• Given a set R ½ n of at most r revoked users
• Server establishes a session key M that only
  users in the set n n R know
• Finds S1, , St with n n R S1 St
• Encrypt M under each of K(S1), , K(St)
• For u 2 n n R, there is Si with u 2 Si
• For u 2 R, no Si with u 2 Si
• Content encrypted using session key M

30
Subset Cover Framework NNL

• Online stage
• Communication complexity t
• Tolerate up to r revoked users
• Tolerate any number of colluders
• Information-theoretic security

31
Our Results

• Use our explicit exclusive set system
• General n,r,t
• Contrasts with previous explicit systems
• Poly(r,t, log n) time to find keys for broadcast
• Contrasts with probabilistic constructions
• Parameters
• For poly(r, log n) server storage complexity, we
  can set t r log (n/r), but previously t ?(r2
  log n)

32
More Reasons to Study Exclusive Sets

• Other applications
• Certificate revocation
• Group testing
• Fun mathematical problem

33
Open problems

• O(rt ) versus ?(t )
• Our O(rt ) bound needs t o(log n)
• Bound for general r,t is poly(r,t)
• Improve the poly(r,t) factor
• Find more applications