Practical Revocation Schemes for Broadcast Encryption

Slides: 41
Provided by: Kogan9
1
Practical Revocation Schemes for Broadcast
Encryption
  • Moni Naor and Benny Pinkas
  • Noam Kogan and Tamir Tassa

2
Domain
  • Unidirectional broadcast distribution channel: satellite, cable TV
  • Access to content regulated by encryption
  • Decryption:
    • Set Top Terminal (STT)
    • Tamper resistant smart card (SC)
  • No in-band reverse (uplink) channel

3
Problem
  • Broadcast encryption: communicate securely with any subset of users over an
    insecure broadcast channel
  • Piracy: legal users who enable illegal users to gain access to protected
    data. Causes significant revenue loss.
  • Revocation: prevent a specific user subset (pirates) from accessing any
    broadcast content.
  • Goal: minimize key management overhead!
  • Formally initiated in [Fiat-Naor93]

[Figure labels: Users, Service Provider, Send?, Revoked]
4
(No Transcript)
5
Typical smartcard solution
Price is an issue
  • Slow communication rate (9.6-38.4 Kbps)
  • Slow CPU (3.57 MHz, 8 bit)
  • SC decrypts keys, STT decrypts video
  • Restricted secure EEPROM (1-8 KB)
    • Limits the number of keys that may be stored on the SC
  • Restricted RAM (0.25-1 KB)
  • No public key accelerator


6
Piracy attack model
  • Commercial pirates fabricate STTs & clone SCs
  • Cheap ways to compromise SC
  • Pirates limited in SCs they can obtain and hack
  • Few hacked SCs, many clones
  • Law enforcement catch pirate SCs
  • Identify original hacked SCs
  • Piracy revocation characteristics (as opposed to PPV):
    • Monotonically increasing population
    • Permanent revocation
    • Concerned only with hacked SCs - relatively few
    • Fast response is not critical
    • Random pirate distribution

7
General setting
  • Center issues each user secret data stored on SC
  • Perform multiple revocation rounds. Round i:
    • Center learns of new pirates ($r_i$)
    • Re-disables the accumulated set of pirates,
      $R_i = r_1 \cup \dots \cup r_i$.
    • Content encrypted with key known to all users that are not in the
      revoked subset.
  • Approach:
    • Create new periodic key unknown to the pirates
    • Encrypt further content with new key

8
Basic Approaches
  • Schemes specify:
    • What secret data does the SC store?
    • What does the center broadcast on a revocation event?
    • How are the new keys computed from the secret data and the broadcast?
  • Scheme/construction families:
    • Combinatorial: [LS98], [ASW00], [GSW00]
    • Tree-based: [WGL98], [NNL01], [HS02]
    • Secret-sharing: [NP00], [SMF02], [LN03], [KT03]

9
The NP scheme (Naor-Pinkas 2000)
  • Uses Shamir's polynomial secret sharing.
  • Initialization:
    • The center selects a sufficiently large finite field F (assume that F
      is of a prime size q).
    • It generates a random polynomial of degree t over
      F,
    • Set $a_0 = P(0)$ as the new key.
    • Each user receives a unique identity, $u \in F$, and a corresponding
      share $P(u)$.

10
The NP scheme (cont.)
  • Revocation:
    • Assume that the center learnt the identities of r users to be revoked,
      where $r \le t$.
    • It broadcasts the IDs and shares of those users.
    • It also broadcasts the IDs and shares of t-r dummy users.
    • In total, the center broadcasts $(u_i, P(u_i))$, $i = 1, \dots, t$.
  • Key recovery:
    • Every non-revoked user may add his own identity and share,
      $(u_0, P(u_0))$, and compute $P(0)$ by means of interpolation.
    • The coalition of all revoked users lacks one share and cannot learn a
      thing about $P(0)$.

11
Illustration
[Figure: Init phase: Users 1-4 receive shares k1-k4. Revoke user 4: broadcast (u4,k4); calculate new group key (2 equations with 2 variables).]
12
Key recovery @ user
  • t+1 equations with t+1 variables

Self identity share
Vandermonde
  • Solve Lagrange interpolation

13
Key recovery @ user (cont.)
14
Reduce calc. @ user
  • Most of the $O(t^2)$ multiplications are common to all.
  • Denote
  • The center computes and broadcasts $c_1, \dots, c_t$.
  • Non-revoked user performs additional $O(t)$ computations to recover $P(0)$

15
Cost
  • The revocation message includes:
    • t identities (each of size $S = \log n$)
    • t shares (each is a field element of size $L = \log q$)
    • $c_1, \dots, c_t$
    • Altogether $t \cdot (S + 2L)$
  • The user performs $3t \cdot M + (t+1) \cdot D$

16
Many revocation rounds
  • Goal:
    • Always be capable of revoking up to t users.
  • Solution:
    • Prepare t revocation schemes, $RS_1, \dots, RS_t$, where the polynomial
      in $RS_i$ is $P_i$ of degree $i$.
  • When the center learns of r users to revoke, it uses $RS_r$ to do so.
  • It then broadcasts the shares of those r revoked users in $P_i$ for
    $i = r+1, \dots, t$.

17
Many revocation rounds (cont.)
  • As a result, the effective degrees of the remaining polynomials are
    decreased by r.
  • Hence, the center is now capable of revoking only t-r additional users,
    whenever the need might arise.
  • In order to restore the original ability of revoking up to t users, the
    center generates new polynomials of degrees $t-r+1, \dots, t$.
  • When the system is less busy, it broadcasts to all n-r remaining users
    their shares in those new polynomials.

18
Improvements (KSW)
  • The degrees of the polynomials are dilated by $d > 1$. This way, with the
    same number of polynomials (and shares per user), we increase the
    revocation capability.
  • Split work between STT and SC.

19
SC-STT work split
  • Observation:
    • Almost all $O(t)$ user calculations are non-secret
  • Idea:
    • STT performs $O(t)$ non-secret calculations
      • Complete computation of Lagrange interpolation coefficients (the STT
        receives the SC's own ID)
      • Sum terms in Lagrange interpolation formula, excluding the one
        involving the user's own share
    • SC performs $O(1)$ secret calculations
  • Avoid SC communication, CPU and RAM bottlenecks: SC $O(1)$, STT $O(t)$

20
SC-STT work split (cont.)
  • STT computes
  • STT sends C0 and P(0) to SC
  • SC computes

Only 1 multiplication & 1 addition in a field,
involving the user's own share
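
Added example (not part of the original slides): the NP revocation message and the SC/STT work split described above, in Python. The field size, the user IDs, the dummy-ID range and the names lam0 and partial are assumptions made for the illustration; the center's c_1..c_t shortcut is left out, so the STT here does O(t^2) work.

```python
import secrets

Q = 2**127 - 1  # prime field size q (assumed; any large prime works)

def poly_eval(coeffs, x):
    acc = 0
    for a in reversed(coeffs):          # Horner's rule over F_q
        acc = (acc * x + a) % Q
    return acc

def revocation_message(P, revoked, t):
    """Center: (id, share) of the r revoked users plus t - r dummy users."""
    ids = list(revoked)
    while len(ids) < t:
        d = 2**32 + secrets.randbelow(2**32)   # assumed range unused by real IDs
        if d not in ids:
            ids.append(d)
    return [(u, poly_eval(P, u)) for u in ids]

def stt_precompute(u0, message):
    """STT, non-secret: Lagrange weights at x = 0, summed over broadcast shares."""
    ids = [u0] + [u for u, _ in message]
    if len(set(ids)) != len(ids):
        raise ValueError("own pair is already in the message: only t points known")
    def weight(i):
        w = 1
        for j, uj in enumerate(ids):
            if j != i:
                w = w * uj % Q * pow(uj - ids[i], -1, Q) % Q
        return w
    partial = sum(weight(i + 1) * s for i, (_, s) in enumerate(message)) % Q
    return weight(0), partial

def sc_finish(own_share, lam0, partial):
    """SC, secret: one multiplication and one addition in F_q."""
    return (lam0 * own_share + partial) % Q

def demo(t=5):
    P = [secrets.randbelow(Q) for _ in range(t + 1)]   # new key is P[0] = P(0)
    msg = revocation_message(P, revoked=[3, 7], t=t)
    lam0, partial = stt_precompute(11, msg)            # user 11 is not revoked
    key_ok = sc_finish(poly_eval(P, 11), lam0, partial) == P[0]
    try:
        stt_precompute(7, msg)                         # user 7 is revoked
        blocked = False
    except ValueError:
        blocked = True
    return key_ok, blocked
```
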
21
A quick review of univariate interpolation
  • The problem:
    • Find $P(x) \in F_t[x]$ according to $P(x_i)$, $i = 0, \dots, t$.
  • It is all a question of basis
  • The standard basis
  • The problem: the system of equations is full and ill-posed (Vandermonde).

22
Univariate interpolation (cont.)
  • The Lagrange basis
  • Here, the matrix of coefficients is the identity.
  • But the evaluation is inefficient.
  • Also, this form is not scalable.

23
Univariate interpolation (cont.)
  • The Newton basis
  • The matrix of coefficients is triangular.
  • Evaluation of coefficients is efficient.
  • This form is scalable.

24
Newton-based revocation scheme
  • Initialization:
    • As before, the center generates a random polynomial of degree t over F,
    • The secret this time will be the upper coefficient $a_t$
    • Each user gets identity and share, $(u, P(u))$

25
Newton-based revocation scheme (cont.)
  • Revocation
  • When the center learns the identities of t users
    to revoke, it expresses the polynomial in Newton
    form with respect to those users
  • It then broadcasts

26
Newton-based revocation scheme (cont.)
  • The computation at the center

27
Newton-based revocation scheme (cont.)
  • A non-revoked user, u, computes
  • The revoked users cannot perform this computation
    since then the denominator would vanish.

28
Newton Vs. Lagrange cost comparison
  • Measurement units:
    • $L = \log q$ is the field size in bits; $S$ is the ID size in bits
    • Field multiplications and divisions: M and D
  • In most implementations, D / M is somewhere between 9 and 30. So the
    saving factor at the user is between 6 and 16.
  • The saving factor in bandwidth is roughly 2.

29
Multi-round revocation
  • The set of revoked users, R, is slowly growing:
    $\emptyset = R_0 \subseteq R_1 \subseteq R_2 \subseteq \cdots$
  • A given polynomial may be used only once. Whenever new users are added to
    R we must use a new polynomial to revoke them.
  • We focus on the scenario of stateless receivers.

30
Stateless receivers
  • The center creates a sequence of polynomials, $P_i$, where
    $\deg P_i = t_i = i \cdot d$.
  • The dilation factor d is an upper bound on
    $r_i = |R_i| - |R_{i-1}|$.
  • Each SC is given an identity and shares,
    $(u, P_1(u), P_2(u), \dots, P_m(u))$
  • The number of shares, m, should reflect the number of expected revocation
    rounds in the lifetime of the SC.

31
Stateless receivers - transition
  • Assume that during the ith round, the center got a request to revoke more
    users.
  • The center determines the new number of revoked users, $|R_{i+1}|$, and,
    consequently, the next polynomial in the sequence to be used ($P_{i+1}$).
  • It broadcasts the shares of all revoked users in $R_{i+1}$ with respect to
    $P_{i+1}$. Note: the number of dummy users is $t_{i+1} - |R_{i+1}|$.
  • After a sufficient wait time, it starts using the new key (the upper
    coefficient of $P_{i+1}$).
  • The old and the new revokees are disabled from now on.

32
Stateless receivers - transition
  • Most of the (i+1)th revocation message is already known during the ith
    round.
  • Example:
    • Assume that $d = 10$ (i.e., the polynomial degrees are 10, 20, 30, ...).
    • Assume that we are in the 20th round and that $|R_{20}| = 104$.
    • Even though we still do not know when the next revocation request will
      arrive and how many users it will include, it is possible to start
      preparing for the 21st round, in which $P_{21}$ will be used
      ($\deg P_{21} = 210$).

33
Example (cont.)
  • Assume the number of revokees in the next round is $\le d = 10$.
  • The center generates 96 dummy users and starts expressing $P_{21}$ with
    respect to
    $u_1, \dots, u_{104}, v_1, \dots, v_{96}$
  • During the ith round, the center slowly broadcasts the above 200
    identities and corresponding coefficients in the Newton representation of
    $P_{21}$.
  • Assume $r_{21} = 8$. The center completes the revocation message by
    sending the identities and corresponding coefficients of those 8 + 2
    additional phantoms:
    $u_1, \dots, u_{104}, v_1, \dots, v_{96}, u_{105}, \dots, u_{112}, v_{97}, v_{98}$
  • Assume $r_{21} = 15$. Then we revoke only 10 of them in this round, and
    delay the revocation of the other 5 to the next round.

34
Transition between revocation rounds
  • Preliminary part
  • Center
  • Choose id ri phantom users.
  • Compute and send the corresponding coefficients
    $b_j$, $j = 0, \dots, id-1$, of $P_{i+1}$.
  • User u has to compute and store only 2 values
  • Short complementary part
  • Center computes the remaining d coefficients and
    sends them with the new revokee identities.
  • User uses $P(u)$, $z_1$, $z_2$ and the complementary
    message to compute the last coefficient $b_t$.
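
Added example (not part of the original slides): the Newton-based scheme together with the two-part transition message, in Python. The slide formulas did not survive, so the two stored values are taken here to be the running sum z1 and running product z2 of the Newton recurrence; that choice, the field size and all identities are assumptions.

```python
import secrets

Q = 2**127 - 1  # prime field size q (assumed)

def poly_eval(coeffs, x):
    acc = 0
    for a in reversed(coeffs):          # Horner's rule over F_q
        acc = (acc * x + a) % Q
    return acc

def newton_coeffs(ids, shares):
    """Center: divided differences b_0..b_{t-1} of P at the nodes in ids."""
    col, out = list(shares), []
    for j in range(len(ids)):
        out.append(col[0])
        col = [(col[k + 1] - col[k]) * pow(ids[k + j + 1] - ids[k], -1, Q) % Q
               for k in range(len(col) - 1)]
    return out

def absorb(state, u, ids, coeffs):
    """User: fold a chunk of (u_j, b_j) pairs into the two stored values."""
    z1, z2 = state
    for uj, bj in zip(ids, coeffs):
        z1 = (z1 + bj * z2) % Q         # running sum of b_j * N_j(u)
        z2 = z2 * (u - uj) % Q          # running product N_{j+1}(u)
    return z1, z2

def top_coefficient(share, state):
    """User: b_t = (P(u) - z1) / z2; z2 is 0 exactly when u is a node."""
    z1, z2 = state
    if z2 == 0:
        raise ValueError("revoked identity: denominator vanishes")
    return (share - z1) * pow(z2, -1, Q) % Q

def demo(t=8, split=6):
    P = [secrets.randbelow(Q) for _ in range(t)] + [secrets.randbelow(Q - 1) + 1]
    nodes = [101, 102, 103, 104, 900001, 900002, 105, 900003]  # constructed IDs
    b = newton_coeffs(nodes, [poly_eval(P, x) for x in nodes])
    results = {}
    for u in (55, 104, 105):            # 55 is not revoked; 104 and 105 are
        st = absorb((0, 1), u, nodes[:split], b[:split])    # preliminary part
        st = absorb(st, u, nodes[split:], b[split:])        # complementary part
        try:
            results[u] = top_coefficient(poly_eval(P, u), st) == P[t]
        except ValueError:
            results[u] = None
    return results
```

Because b_j depends only on the first j+1 nodes, the preliminary coefficients stay valid whichever identities arrive in the complementary part.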

35
Transition between rounds (cont.)
  • Newton interpolants enable us to send most of the
    message during idle time in the revocation round.
  • As a consequence, once a new revocation request
    is received, it is possible to respond to that
    request faster.
  • In the Lagrange-based scheme, all of the $c_i$ parameters depend on all
    revokee identities. Hence, they can be broadcast only after the new
    revocation request was received.

36
Transition between rounds (cont.)
  • Example:
    • $S = \log n = 32$, $L = \log q = 128$
    • $d = 10$.
    • Transition to round $i = 100$.
    • Complementary message with Lagrange:
      $d(S+L) + idL = 129600$ bits
    • Complementary message with Newton:
      $d(S+L) = 1600$ bits
  • If the response time is dictated and so is the required number of
    repetitions of the revocation message, the bandwidth consumption with
    Newton interpolants will be about 80 times less than that with Lagrange
    interpolants.

37
A multi-round scheme based on DDH
  • If we settle for computational rather than perfect security, we may use
    the same polynomial for many revocation rounds.
  • The idea is to lift Shamir's secret sharing scheme to the exponents.
  • The idea is presented next for the Newton-based scheme.

38
A multi-round scheme (cont.)
  • Select:
    • $p$, a large prime.
    • $q \mid (p-1)$, a large prime.
    • $g \in F_p$ of order $q$.
    • $t$, an upper bound on the accumulating number of revoked users.
    • $P(x)$, a polynomial over $F_q$ of degree $t$.

39
A multi-round scheme (cont.)
  • Each user gets $u$ and $P(u)$, both from $F_q$.
  • If there is a need to revoke $u_1, \dots, u_r, u_{r+1}, \dots, u_t$, the
    center:
    • Computes $b_0, \dots, b_{t-1}$ of $P(u)$ w.r.t. those users.
    • Selects a random $h \in F_q$.
    • Broadcasts
      $u_1, \dots, u_t;\ g^h;\ g^{h b_0}, \dots, g^{h b_{t-1}}$
    • The first values are from $F_q$; the rest are from $\langle g \rangle$
  • The secret that the users compute is $g^{h b_t}$.
  • The idea is that even though we reuse $P(x)$, its coefficients are masked
    by the random number $h$.

40
A multi-round scheme (cont.)
  • Theorem: The scheme is secure against coalitions of up to t revoked users
    in the following sense: even if they know the secret key from
    polynomially many previous rounds,
    $g^{h_i b_t}$, $i = 1, \dots, m$,
    they cannot distinguish between the current key $g^{h b_t}$ and a random
    number, assuming DDH.
  • Decisional Diffie-Hellman assumption:
    • If $|\langle g \rangle| = q$ is large, no efficient algorithm can
      distinguish between $(g^a, g^b, g^c)$ and $(g^a, g^b, g^{ab})$, if
      $a, b, c$ are chosen randomly in $F_q$.
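
Added example (not part of the original slides): the multi-round scheme with the Newton coefficients lifted to the exponent, in Python. The group parameters are toy values constructed so the code runs instantly and offer no security; the identities and function names are also assumptions, and the center derives the Newton form by repeated synthetic division of P(x).

```python
import secrets

# Toy parameters constructed for this example: p = 2q + 1, g of order q.
P_MOD, Q, G = 2039, 1019, 4

def newton_form(poly, nodes):
    """Center: divide by (x - u_k) in turn; the remainders are b_0..b_{t-1}."""
    a, out = list(poly), []
    for u in nodes:
        for i in range(len(a) - 2, -1, -1):
            a[i] = (a[i] + u * a[i + 1]) % Q
        out.append(a.pop(0))
    return out, a[0]                    # (b_0..b_{t-1}, b_t)

def broadcast(poly, nodes):
    """Center: fresh h per round; coefficients leave only as g^(h*b_j)."""
    b, b_t = newton_form(poly, nodes)
    h = secrets.randbelow(Q - 1) + 1
    msg = (nodes, pow(G, h, P_MOD), [pow(G, h * bj % Q, P_MOD) for bj in b])
    return msg, pow(G, h * b_t % Q, P_MOD)      # (public message, round key)

def user_key(u, share, msg):
    """User: the Newton recurrence carried out inside the group <g>."""
    nodes, gh, lifted = msg
    acc, n = 1, 1                 # acc = g^(h * sum b_j N_j(u)), n = N_j(u) mod q
    for uj, y in zip(nodes, lifted):
        acc = acc * pow(y, n, P_MOD) % P_MOD
        n = n * (u - uj) % Q
    if n == 0:
        raise ValueError("revoked identity: exponent N_t(u) has no inverse")
    num = pow(gh, share, P_MOD) * pow(acc, -1, P_MOD) % P_MOD
    return pow(num, pow(n, -1, Q), P_MOD)

def demo(t=4):
    poly = [secrets.randbelow(Q) for _ in range(t)] + [secrets.randbelow(Q - 1) + 1]
    share = lambda u: sum(c * pow(u, i, Q) for i, c in enumerate(poly)) % Q
    nodes = [5, 9, 14, 700]       # revoked IDs plus phantoms (constructed)
    rounds = [broadcast(poly, nodes) for _ in range(3)]  # same P(x), new h each
    ok = all(user_key(33, share(33), m) == k for m, k in rounds)
    try:
        user_key(9, share(9), rounds[0][0])
        leaked = True
    except ValueError:
        leaked = False
    return ok, leaked
```
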