Computer Science
Revocation and Tracing Schemes for
Stateless Receivers
Dalit Naor, Moni Naor, Jeff Lotspiech
Presented by Attila Altay Yavuz
CSC 774 In-Class Presentation
(Based on Authors’ presentation)
Outline
• Digital Content and the stateless scenario for trace
and revoke
• The Subset Cover Framework for T&R schemes
• Two subset cover schemes
– Complete Subset Tree
– Subset Difference Tree
• Tracing:
– General Tracing Algorithm
– Bifurcation property
• Conclusion
Computer Science
Problems and Motivation
• Digital Content: Very easy to generate, transfer and reproduce.
However - also easy to violate ownership. CRITICAL!!:
– Copyright
– Privacy
• Protecting content : methods for discouraging/preventing
redistribution of content - after decryption
• Watermarking
• Fingerprinting
• Protecting cryptographic keys
– Broadcast Encryption/Revocation
• Send information only to intended recipients
– Tracing Traitors
– Trace and Revoke
Computer Science
The Broadcast Encryption Problem
Computer Science
Components of a stateless system
• Notations: N - set of n users, R - set of r users whose
privileges are to be revoked
• Scheme Initiation :
– a method to assign secret information to devices, Iu to u.
• The broadcast algorithm -
– For message M and a set R of users to be revoked, produce
a ciphertext C to broadcast to all.
• A decryption algorithm (at device)– a non-revoked device should produce M from ciphertext C.
– Stateless Users: Decryption should be based on the current
message and the secret information Iu only.
– Goal: Impossible to produce M from ciphertext even when
provided with the secret information of all revoked users.
Computer Science
Subset Cover Framework :An algorithm
Underlying collection of subsets (of devices)
S1, S2 , ... ,SW
Sj  N.
• Each subset Sj associated with long-lived key Lj
– A device u Sj should be able to deduce Lj from its
secret information Iu
• Given a revoked set R, the non-revoked users N \ R
are partitioned into m disjoint subsets
Si1, Si2 , ... , Sim
(N \ R =

Sij )
– a session key K is encrypted m times with Li1, Li2 , ... , Lim .
Computer Science
S.Cover:The Broadcast Algorithm
• Choose a session key K
• Given R, find a partition of N \ R into disjoint
sets:
Si1, Si2 , ... , Sim
N \ R =  Sij
– with associated keys Li1, Li2 , ... , Lim
• Encrypt message M
• E: Long Term Alg. F: Moderate Term
Computer Science
S.Cover: The Decryption Step at u
• Either
–
–
Find the subset ij such that u  Sij , or
null if u R
• Obtain Lij from the private information Iu
• Compute DLij(ELij(K)) to obtain K
• Decrypt FK(M) with K to obtain the message
M.
Computer Science
A Subset-Cover Algorithms
Computer Science
The Complete Sub-tree Method
Computer Science
Subset Cover of non-revoked devices
Complete Subtree Method
Computer Science
The Subset-difference Method:
Subset Definition
Computer Science
Subset Cover of non-Revoked Devices
Subset-Difference Method
Computer Science
Key-Assignment: Subset-Difference Method
Computer Science
Key-Assignment : Subset-Difference Method
Computer Science
Tracing Traitors
• Some Users leak their keys to pirates
• Pirates construct unauthorized decryption
devices and sell them at discount
• Trace and Revoke for all subset cover
algorithms satisfying bifurcation property
• More efficient procedure for subset difference
• Goal: output one of the two
– a user u contained in the box
– a partition S = Si1 , Si2, …, Sim that disables the box
Computer Science
Subset Tracing
Computer Science
Definition: Bifurcation Property
• Any subset Si can be partitioned into (roughly)
two equal sets Si1 and Si2.
• Si = Si1 U Si2
• Bifurcation value:
– Max { |Si1/Si|, |Si2/Si|}
– Complete sub-tree method (since sub-trees re
complete), can be spitted in two equal part.
– Subset Difference methods generally have 2/3.
• Fundamental for following Tracing algorithm.
Computer Science
The Tracing Algorithm
Computer Science
The Tracing Algorithm
Computer Science
Conclusion
• Define the Subset-Cover framework
– Family of algorithms, encapsulating previous methods
• Rigorous security analysis :Sufficient condition for an
algorithm in framework to be secure.
• Provide the Subset-Difference revocation algorithms
– r-flexible (it does not assume a upper bound for # of
revoked receiver)
– concise message length
• Tracing algorithm
– Works for any algorithm in framework satisfying the
bifurcation property
– Seamless integration with the revocation algorithm
– Withstands any coalition size
Computer Science
Future Works
• Can we modify these approaches used in group
key management in dynamic wireless networks
such as MANETs.
• Compromised nodes for sensor networks
together with broadcast authentication?
• Real world application?
Computer Science
Questions
• Thank you for listening!
• Questions?
Computer Science