
Private Key Broadcast Encryption


When designing stateless broadcast encryption schemes, we can regard the task as a subset-cover problem:

For a set $N=\{1,2,3,\ldots,n\}$, how do we choose subsets $S_1, S_2, \ldots, S_w \subset N$ such that for any $R \subset N$ we can find $S_{i_1}, S_{i_2}, \ldots, S_{i_t}$ where

$S_{i_1} \cup S_{i_2} \cup \cdots \cup S_{i_t} = N \setminus R$

In the above system, we can regard $N$ as the users. Every set $S_i$ has a unique key $K_i$; the elements of $S_i$ are the users who have key $K_i$. $t$ is the header size for sending a message to the subset $N \setminus R$. The key size for each user is the number of subsets the user belongs to.

2.1 Private Key Broadcast Encryption

In a private key BE system, only the server, which knows all secrets, can broadcast encrypted messages. Here we introduce the CS, SD, LSD and SIC schemes.

2.1.1 Complete Subtree (CS) Scheme

This scheme was proposed by Naor [12] in 2001. The collection of subsets $S_1, S_2, \ldots, S_w \subset N$ in this scheme corresponds to all complete subtrees in the full binary tree with $n$ leaves. For any node $v_i$ in the full binary tree, the subset $S_i$ is the collection of receivers $u$ that correspond to the leaves of the subtree rooted at node $v_i$. The following picture (Fig. 1) is an example.

Figure 1 CS scheme

a, b, c, d, e, f, g, h are users. $S_V = \{a, b, c, d\}$, $S_W = \{g, h\}$.

The key assignment method simply assigns each subset $S_i$ an independent and random value $K_i$. It is easy to see that each user only needs to store the values $K_i$ where the $i$ are the nodes on the path from the root to the user. For example, user b needs to store $K_b, K_Y, K_V, K_R$. In a full binary tree, the height of the tree is $\log n$, so the key size for each user is $O(\log n)$.

[Figure: binary tree over users a to h with labelled internal nodes R, V, W, X, Y]

Figure 2 Revoke d in CS scheme

For a given set R of revoked receivers, we remove the edges and nodes on the paths from the revoked receivers to the root, and we get the subtrees $S_{i_1}, \ldots, S_{i_t}$. If we revoke user d in Figure 1, we get $S_Y, S_c, S_X$ (Fig. 2). The header will look like:

$Hdr = \langle S_Y, S_c, S_X, E_{K_Y}(k), E_{K_c}(k), E_{K_X}(k) \rangle$.
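The revocation of d described above, as an added Python example that is not part of the original text. It assumes heap numbering of the tree (root 1, children 2v and 2v+1, user u at leaf n+u), so that X, Y and leaf c are nodes 3, 4 and 10, and it uses a hash-derived XOR pad as a stand-in for E_K(k).

```python
import hashlib
import os

USERS = "abcdefgh"                      # the 8 users of Figure 1
N_USERS = len(USERS)
NODE_KEYS = {v: os.urandom(32) for v in range(1, 2 * N_USERS)}  # one random K_i per node

def path_to_root(n, u):
    """Heap ids from user u's leaf (n + u) up to the root (1): the keys u stores."""
    v, path = n + u, []
    while v >= 1:
        path.append(v)
        v >>= 1
    return path

def cs_cover(n, revoked):
    """Roots of the subtrees that remain after deleting every revoked-leaf-to-root path."""
    if not revoked:
        return [1]                      # nobody revoked: the whole tree
    steiner = {v for u in revoked for v in path_to_root(n, u)}
    return sorted(c for v in steiner if v < n
                  for c in (2 * v, 2 * v + 1) if c not in steiner)

def wrap(node_key, data):
    """Stand-in for E_K(k): XOR with a hash-derived pad (illustration, not a real cipher)."""
    pad = hashlib.sha256(node_key).digest()
    return bytes(a ^ b for a, b in zip(data, pad))

def make_header(n, revoked, session_key):
    """Hdr = (S_i, E_{K_i}(k)) for each S_i in the cover."""
    return [(v, wrap(NODE_KEYS[v], session_key)) for v in cs_cover(n, revoked)]

def receive(n, u, header):
    """User u tries the keys on its own path; returns k, or None when revoked."""
    mine = set(path_to_root(n, u))
    for v, blob in header:
        if v in mine:
            return wrap(NODE_KEYS[v], blob)
    return None

if __name__ == "__main__":
    k = os.urandom(32)
    hdr = make_header(N_USERS, {USERS.index("d")}, k)
    print([v for v, _ in hdr])          # heap ids of X, Y and leaf c
    print({name: receive(N_USERS, i, hdr) == k for i, name in enumerate(USERS)})
```
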

The cover size of the CS scheme is at most $r\log(n/r)$.

2.1.2 Subset Difference (SD) Scheme

The disadvantage of the Complete Subtree method is that $N \setminus R$ may be partitioned into $r\log(n/r)$ subsets, which is large. Now we want to reduce the partition size.

Consequently, we need to increase the number of subsets. A subset $S_{i,j}$ in the SD scheme is $S_i \setminus S_j$ of the CS scheme (Fig. 3).

[Figure: binary tree with nodes R, V, W, X, Y and leaves a to h]

Figure 3 Subset $S_{i,j}$ in SD scheme

The SD scheme partitions the non-revoked receivers into at most 2r-1 subsets. However, there are O(n) subsets that a user belongs to, which means that everyone needs to store O(n) keys. That is very impractical, so we use a pseudorandom function to derive keys from the parent's label. Let $G:\{0,1\}^n \to \{0,1\}^{3n}$ be a pseudo-random sequence generator that triples the input, that is, its output length is three times the length of the input. For each node $v_i$ we assign a label $label_i \in \{0,1\}^{3n}$. Let $G_L(S)$ denote the left third of the output of G on seed S, $G_R(S)$ the right third and $G_M(S)$ the middle third. We say that $G:\{0,1\}^n \to \{0,1\}^{3n}$ is a pseudo-random sequence generator if no polynomial-time adversary can distinguish the output of G on a randomly chosen seed from a truly random string of similar length.

Now, consider the subtree $T_i$ (rooted at $v_i$). $j_L$ and $j_R$ are i's left and right children. We will use the following top-down labeling process. The root is assigned a label $L_i$. The label $L_{i,j_L}$ is computed from $G_L(L_i)$ and $L_{i,j_R}$ is computed from $G_R(L_i)$. The key $K_{i,j}$ of set $S_{i,j}$ is derived from $G_M(L_{i,j})$. Therefore, if we get the label value of $v_i$, we can derive all keys $\{K_{i,j} \mid j$ is a descendant of $i\}$ of the subsets $S_{i,j}$. Now, each user only needs to store $\{label_{i,j} \mid i$ is an ancestor of u, and for each i, j is the sibling of a node on the path from the user to $i\}$. For example:

Figure 4 Key generation in SD scheme

In Figure 4, for node i, user u needs to store $L_{i,1}, L_{i,2}, L_{i,3}, L_{i,x}$. A user in an n-user SD-BE system therefore needs to store

$$1 + \sum_{k=1}^{\log n + 1} (k-1) = \frac{1}{2}\log^2 n + \frac{1}{2}\log n + 1 = O(\log^2 n)$$

values.
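The label derivation and per-user storage described above, as an added Python example that is not part of the original text. It assumes heap numbering of the tree (root 1, user u at leaf n+u) and uses SHA-256 with a one-byte tag as a stand-in for the length-tripling generator G; the class and function names are hypothetical.

```python
import hashlib
import os

def G(seed):
    """Stand-in for the tripling generator: returns (G_L, G_M, G_R) of the seed."""
    return tuple(hashlib.sha256(tag + seed).digest() for tag in (b"L", b"M", b"R"))

def walk(label, src, dst):
    """Derive L_{i,dst} from L_{i,src}, where src is dst or an ancestor of dst."""
    depth = dst.bit_length() - src.bit_length()
    for shift in range(depth - 1, -1, -1):
        left, _, right = G(label)
        label = right if (dst >> shift) & 1 else left
    return label

def is_ancestor(a, d):
    """True if heap node a is d itself or an ancestor of d."""
    k = d.bit_length() - a.bit_length()
    return k >= 0 and (d >> k) == a

class Center:
    def __init__(self, n):
        self.n = n
        self.label = {i: os.urandom(32) for i in range(1, n)}  # random L_i per internal node

    def key(self, i, j):
        """K_{i,j} = G_M(L_{i,j})."""
        return G(walk(self.label[i], i, j))[1]

    def user_store(self, u):
        """L_{i,j} for every ancestor i of u and every sibling j hanging off the path i..u."""
        leaf, store = self.n + u, {}
        i = leaf >> 1
        while i >= 1:
            v = leaf
            while v != i:
                store[(i, v ^ 1)] = walk(self.label[i], i, v ^ 1)
                v >>= 1
            i >>= 1
        return store

def user_key(store, i, j):
    """K_{i,j} from the stored labels, or None when the user lies below j."""
    for (a, s), lab in store.items():
        if a == i and is_ancestor(s, j):
            return G(walk(lab, s, j))[1]
    return None
```

For n = 8 the store holds 6 labels; together with the one extra key for the case of no revocations this gives the 7 values predicted by the formula above.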

The Cover. For a set R of revoked receivers, we find the Steiner tree ST(R) with the property that any $u \in N \setminus R$ that is below a leaf of the tree has been covered. We start by making T = ST(R) and then iteratively remove nodes from T until T consists of just a single node:

1. Find two leaves $v_i$ and $v_j$ in T such that their least-common-ancestor $v$ does not contain any other leaf of T. Let $v_l$ and $v_k$ be the two children of $v$: $v_k$ is an ancestor of $v_j$ and $v_l$ is an ancestor of $v_i$. ($v_l = v_k = v$ when there is only one leaf left.)

2. If $v_l \neq v_i$ then add the subset $S_{l,i}$ to the collection; likewise, if $v_k \neq v_j$ add the subset $S_{k,j}$ to the collection.

3. Remove from T all the descendants of $v$ and make it a leaf.

[Figure 4 annotations: user u below node i; nodes 1, 2, 3 and x carry $Label_{i,1}$, $Label_{i,2}$, $Label_{i,3}$ and $Label_{i,x}$; $K_{i,1} = G_M(Label_{i,1})$.]

A cover in SD scheme contains at most 2r-1 subsets for any set of r revocations.
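The three cover steps above, written bottom-up as an added Python example that is not part of the original text. It assumes heap numbering of the tree (root 1, user u at leaf n+u); a pair (i, j) stands for $S_{i,j}$, and (1, None) is the hypothetical marker used here for "all users" when nobody is revoked.

```python
def leaves(n, v):
    """Users (0-based) below heap node v in a tree with n leaves."""
    lo = hi = v
    while lo < n:
        lo, hi = 2 * lo, 2 * hi + 1
    return set(range(lo - n, hi - n + 1))

def sd_cover(n, revoked):
    """Cover of N minus R as a list of (i, j), each meaning leaves(i) - leaves(j)."""
    if not revoked:
        return [(1, None)]
    steiner = set()                        # ST(R): every node above a revoked leaf
    for u in revoked:
        v = n + u
        while v >= 1:
            steiner.add(v)
            v >>= 1
    cover = []

    def collapse(v):
        """Process T below v and return the node that is the leaf of T afterwards."""
        kids = [c for c in (2 * v, 2 * v + 1) if c in steiner]
        if not kids:
            return v                       # a revoked user
        if len(kids) == 1:
            return collapse(kids[0])       # no branching: the leaf stays further down
        for child in kids:                 # step 1: v is the LCA of two leaves of T
            leaf = collapse(child)
            if child != leaf:
                cover.append((child, leaf))    # step 2: S_{l,i} and S_{k,j}
        return v                           # step 3: v becomes a leaf

    top = collapse(1)
    if top != 1:
        cover.append((1, top))             # one leaf left: v_l = v_k = root
    return cover

def covered_users(n, cover):
    """Users reached by the cover, listed subset by subset."""
    out = []
    for i, j in cover:
        out.extend(sorted(leaves(n, i) - (leaves(n, j) if j else set())))
    return out
```

Revoking only d (user 3 of 8) yields the single subset (1, 11), against three subsets for the same revocation in the CS scheme.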

2.1.3 LSD Scheme

In 2002, Halevy and Shamir proposed the Layered Subset Difference (LSD) method, which can reduce the key size to $O(\log^{1+1/k} n)$ with header size $O(kr)$.

Here we describe the simplest version of the Layered Subset Difference scheme where k=2.

In LSD, the set partition is the same as in the SD scheme. A set $S_{i,j}$ can be split into $S_{i,k}$ and $S_{k,j}$ (k is a descendant of i and j is a descendant of k). Figure 5 demonstrates $S_{i,k} \cup S_{k,j} = S_{i,j}$.

Figure 5 Subset in LSD

We define some of the $\log n$ levels as "special". The root is considered to be at a special level, and in addition we consider every level of depth $t\sqrt{\log n}$ for $t = 1 \ldots \sqrt{\log n}$ as special. We define a set $S_{i,j}$ to be a useful set if i and j belong to the same layer or i is at a special level. Any set in SD can be represented by at most two useful sets. The keys that need to be stored for each user u are similar to the SD scheme, but the user only needs to store $L_{i,j}$ where $S_{i,j}$ is a useful set. For example, for user u in Figure 6 and ancestor i, the labels he needs to store are the same as in the SD scheme, but for ancestor V, he only needs to store $L_{V,2}$.

Figure 6 LSD scheme.

The total number of keys a user needs to store for each layer is $O((\sqrt{\log n})^2) = O(\log n)$. There are $\sqrt{\log n}$ layers. The total storage size is

$O(\log n) \cdot O(\log^{1/2} n) = O(\log^{3/2} n)$.

Any subset in the SD scheme is divided into at most two subsets in this scheme, so the header size is at most 4r-2.

Using a similar method, we can divide a subset S\R into more subsets and get $O(\log^{1+1/k} n)$ storage size with an $O(kr)$ header size as the tradeoff.

2.1.4 SIC Scheme

Attrapadung proposed the Subset Incremental Chain (SIC) [15] scheme in 2005. This scheme improves the storage size to $O(\log n)$ and the header size to $O(r)$ with $O(n)$ computation cost. Using the RSA-Accumulator technique, it can reduce the storage size to $O(1)$, but it needs more computation for finding primes. This scheme can also be layered. We introduce the non-layered case.

[Figure 6 annotations: user u; nodes 1, 2, 3, x, i and V; labels $Label_{i,1}$ and $Label_{i,2}$; two levels marked "Special Level".]

Graph-decomposition.

The authors of this paper give a method to analyze the relationship between keys. Any set S can be regarded as a node. If $A \subset B$, there is a direct path from A to B. In the following example, $S_{toy} = \{\{1\},\{2\},\{3\},\{4\},\{1,2\},\{2,3\},\{2,4\},\{3,4\},\{1,2,3\}\}$.

Figure 7 Graph-decomposition.

Using the DAG, we can easily reduce it to a chain decomposition and find that, when using a pseudorandom function, we can derive all keys from five independent values $K_1, K_2, K_3, K_4, K_{34}$.

The Cover. In this scheme, we define the following notations. For $i, j \in N = \{1,2,\ldots,n\}$ with $i < j$, denote:

$i \to j := \{\{i\}, \{i, i+1\}, \ldots, \{i, \ldots, j\}\}$,

$i \leftarrow j := \{\{j\}, \{j-1, j\}, \ldots, \{i, \ldots, j\}\}$,

$l_v$: The leftmost leaf under $v$

$r_v$: The rightmost leaf under $v$

$BT_L$: The set of internal nodes which are left children

$BT_R$: The set of internal nodes which are right children

For the root, we assign $1 \to n$ and $2 \leftarrow n$. For each internal node $v$, if $v \in BT_L$ we assign it $l_v + 1 \leftarrow r_v$; otherwise $v \in BT_R$ and we assign it $l_v \to r_v - 1$. A 16-user example is shown in Fig. 8.

Figure 8 Sets of SIC scheme

All sets in the SIC scheme are:

$$S_{SIC} = \bigcup_{v \in BT_L} (l_v + 1 \leftarrow r_v) \;\cup \bigcup_{v \in BT_R} (l_v \to r_v - 1) \;\cup\; (1 \to n) \;\cup\; (2 \leftarrow n)$$

Using the previous graph decomposition method, we can arrange all sets into a chain decomposition graph. For instance, we can arrange all sets in Figure 8 into Figure 9.

[Figure: the sets of Figure 8 for 16 users arranged into chains, among them the chain from {1} up to {1,...,16} and the chain from {16} up to {2,...,16}]

Figure 9 Chain decomposition.

Then, we have two ways to derive keys:

1. Based on PRSG:

Choose a PRSG $G:\{0,1\}^n \to \{0,1\}^n$. For each chain, we only need to generate an independent value for the root; all nodes above it can then be derived from the root. For example, $K_{123} = G(K_{12}) = G^2(K_1)$. In each chain, a user stores the key of the subset that he belongs to and that is nearest to the root. For example, in Fig. 8, with the chain decomposition in Figure 9, user 2 needs to store the keys $K_2, K_{12}, K_{234}, K_{2 \sim 8}, K_{2 \sim 16}$. Since one user is in at most $\log n + 1$ chains, the storage size for each user is $O(\log n)$.

2. Based on RSA-Accumulator

We construct a Maximin Matrix $A_{n \times m}$.

n = The number of users.

m = The number of chains.

Maximin Matrix Definition:

For a set system X, for all $S \in S_X$ there exists $j: 1 \le j \le m$ where

$$\max_{i \in S} a_{ij} < \min_{i \in N \setminus S} a_{ij}$$

Consider a chain decomposition $\{G_1, \ldots, G_m\}$ of $S_X$.

For each chain $G_j: S_1 \to \cdots \to S_l$ we construct the j-th column vector as

$$a_{ij} = \begin{cases} 0 & \text{if } i \in S_1 \\ w & \text{if } i \in S_{w+1} \setminus S_w \\ l & \text{otherwise} \end{cases}$$

Then we choose a random number s, a big integer N = pq and n distinct primes $p_j$. Compute the secret value p(u) and assign it to each user:

$$p(u) = s^{\prod_{j=1}^{m} p_j^{a_{uj}}} \bmod N$$

The key k(S) for each set S :

N compute it on exponentiation. The following figure is an illustration:


Figure 10 Translate decomposition chain into Maximin matrix.

User 1 can derive subset key K123 by:

The security of this scheme is based on the RSA assumption. Using this scheme, every user only needs to store O(1) keys, but the Maximin matrix must be computed and n primes found. The header size of the SIC scheme is at most 2r-1, the same as the SD scheme.
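The PRSG-based key derivation (way 1 above), as an added Python example that is not part of the original text. It builds the SIC chains for n = 2^k users from the assignment rules for the root, $BT_L$ and $BT_R$, represents each set as an interval (lo, hi), and uses SHA-256 as a stand-in for G; the function names are hypothetical.

```python
import hashlib

def G(x):
    """Stand-in for the PRSG {0,1}^n -> {0,1}^n."""
    return hashlib.sha256(b"SIC-chain" + x).digest()

def sic_chains(n):
    """Chains of S_SIC; each chain lists its sets from the chain root upward."""
    def right(i, j):                      # i -> j = {i}, {i,i+1}, ..., {i..j}
        return [(i, e) for e in range(i, j + 1)]
    def left(i, j):                       # i <- j = {j}, {j-1,j}, ..., {i..j}
        return [(s, j) for s in range(j, i - 1, -1)]
    chains = [right(1, n), left(2, n)]    # the two chains assigned to the root

    def visit(lo, hi, is_left_child):
        if lo == hi:
            return                        # a leaf, not an internal node
        chains.append(left(lo + 1, hi) if is_left_child else right(lo, hi - 1))
        mid = (lo + hi) // 2
        visit(lo, mid, True)
        visit(mid + 1, hi, False)

    visit(1, n // 2, True)
    visit(n // 2 + 1, n, False)
    return chains

def stored_sets(n, u):
    """Per chain containing u: the set nearest the chain root that contains u."""
    hits = (next((s for s in c if s[0] <= u <= s[1]), None) for c in sic_chains(n))
    return sorted(s for s in hits if s is not None)

def chain_keys(chain, root_key):
    """The key of the m-th set on a chain is G applied m times to the root key."""
    keys, k = {}, root_key
    for s in chain:
        keys[s] = k
        k = G(k)
    return keys

def derive(chain, held, held_key, target):
    """Key of a later set on the chain from a held one; None if target is nearer the root."""
    steps = chain.index(target) - chain.index(held)
    if steps < 0:
        return None
    for _ in range(steps):
        held_key = G(held_key)
    return held_key
```

For n = 16, `stored_sets(16, 2)` returns the five sets {2}, {1,2}, {2,3,4}, {2,...,8} and {2,...,16} named in the text for user 2.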
