Abstract
The problem of (stateless, symmetric-key) broadcast encryption, in which a central authority distributes keys to a set of receivers and can then send encrypted content that can be decrypted only by a designated subset of those receivers, has received a significant amount of attention. Here, we consider a generalization of this problem in which all members of the group must have the ability to act as both sender and receiver. The parameters of interest are the number of keys stored per user and the bandwidth required per transmission, as a function of the total number of users n and the number of excluded/revoked users r.
As our main result, we show a multi-sender scheme allowing revocation of an arbitrary number of users in which users store O(n) keys and the bandwidth is O(r). We prove a matching lower bound on the storage, showing that for schemes that support revocation of an arbitrary number of users \(\varOmega (n)\) keys are necessary for unique predecessor schemes, a class of schemes capturing most known constructions in the single-sender case. Previous work has shown that \(\varOmega (r)\) bandwidth is needed when the number of keys per user is polynomial, even in the single-sender case; thus, our scheme is optimal in both storage and bandwidth.
We also show a scheme with storage \(\mathrm{polylog} (n)\) and bandwidth O(r) that can be used to revoke any set of \(\mathrm{polylog} (n)\) users.
Notes
1. Another possibility is to run \(\log r_\mathrm{max}\) independent copies of the scheme using powers of two for the maximum size of the revoked set. This allows the bandwidth to depend on the actual number of revoked users r, though it increases storage by a factor of \(\log r_\mathrm{max}\).
2. These parameters are not stated explicitly by Dyer et al., who report only the total number of keys. However, Corollary 1 and the proof of Theorem 4 in their paper show that the per-user storage is \(O(r_\mathrm{max}^2 \log n)\); the bandwidth is bounded by the number of keys held by any user acting as a sender.
3. When computational security suffices, any single-sender BE scheme can be modified to have \(s^*=1\) by having the sender use a PRF to derive all the keys in the system. In the information-theoretic setting that is not the case.
4. For long messages, user i can encrypt the message using a fresh key k and encrypt k using each key in \(K_{i,S}\).
References
Aiello, W., Lodha, S., Ostrovsky, R.: Fast digital identity revocation. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 137–152. Springer, Heidelberg (1998). doi:10.1007/BFb0055725
Austrin, P., Kreitz, G.: Lower bounds for subset cover based broadcast encryption. In: Vaudenay, S. (ed.) AFRICACRYPT 2008. LNCS, vol. 5023, pp. 343–356. Springer, Heidelberg (2008). doi:10.1007/978-3-540-68164-9_23
Balenson, D., McGrew, D., Sherman, A.: One-way function trees and amortized initialization. Internet Draft, Key management for large dynamic groups (1999)
Bhattacherjee, S., Sarkar, P.: Reducing communication overhead of the subset difference scheme. IEEE Trans. Comput., to appear. https://eprint.iacr.org/2014/577
Bhattacherjee, S., Sarkar, P.: Concrete analysis and trade-offs for the (complete tree) layered subset difference broadcast encryption scheme. IEEE Trans. Comput. 63(7), 1709–1722 (2014)
Blom, R.: An optimal class of symmetric key generation systems. In: Beth, T., Cot, N., Ingemarsson, I. (eds.) EUROCRYPT 1984. LNCS, vol. 209, pp. 335–338. Springer, Heidelberg (1985). doi:10.1007/3-540-39757-4_22
Blundo, C., De Santis, A., Herzberg, A., Kutten, S., Vaccaro, U., Yung, M.: Perfectly secure key distribution for dynamic conferences. Inf. Comput. 146(1), 1–23 (1998)
Blundo, C., Mattos, L.A.F., Stinson, D.R.: Trade-offs between communication and storage in unconditionally secure schemes for broadcast encryption and interactive key distribution. In: Koblitz, N. (ed.) CRYPTO 1996. LNCS, vol. 1109, pp. 387–400. Springer, Heidelberg (1996). doi:10.1007/3-540-68697-5_29
Boneh, D., Gentry, C., Waters, B.: Collusion resistant broadcast encryption with short ciphertexts and private keys. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 258–275. Springer, Heidelberg (2005). doi:10.1007/11535218_16
Canetti, R., Garay, J.A., Itkis, G., Micciancio, D., Naor, M., Pinkas, B.: Multicast security: a taxonomy and some efficient constructions. In: IEEE INFOCOM, pp. 708–716 (1999)
Canetti, R., Malkin, T., Nissim, K.: Efficient communication-storage tradeoffs for multicast encryption. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 459–474. Springer, Heidelberg (1999). doi:10.1007/3-540-48910-X_32
Cheon, J.H., Jho, N.-S., Kim, M.-H., Yoo, E.S.: Skipping, cascade, and combined chain schemes for broadcast encryption. IEEE Trans. Inf. Theor. 54(11), 5155–5171 (2008)
Dodis, Y., Fazio, N.: Public-key broadcast encryption for stateless receivers. In: Security and Privacy in Digital Rights Management (ACM CCS Workshop), pp. 61–80. ACM (2002)
Dyer, M., Fenner, T., Frieze, A., Thomason, A.: On key storage in secure networks. J. Cryptol. 8(4), 189–200 (1995)
Erdős, P., Frankl, P., Füredi, Z.: Families of finite sets in which no set is covered by the union of \(r\) others. Israel J. Math. 51(1–2), 79–89 (1985)
Fiat, A., Naor, M.: Broadcast encryption. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 372–387. Springer, Heidelberg (1994)
Gafni, E., Staddon, J., Yin, Y.L.: Efficient methods for integrating traceability and broadcast encryption. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 372–387. Springer, Heidelberg (1999). doi:10.1007/3-540-48405-1_24
Gentry, C., Ramzan, Z., Woodruff, D.P.: Explicit exclusive set systems with applications to broadcast encryption. In: 47th Annual Symposium on Foundations of Computer Science (FOCS), pp. 27–38. IEEE (2006)
Goodrich, M.T., Sun, J.Z., Tamassia, R.: Efficient tree-based revocation in groups of low-state devices. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 511–527. Springer, Heidelberg (2004). doi:10.1007/978-3-540-28628-8_31
Halevy, D., Shamir, A.: The LSD broadcast encryption scheme. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 47–60. Springer, Heidelberg (2002). doi:10.1007/3-540-45708-9_4
Hwang, J.Y., Lee, D.H., Lim, J.: Generic transformation for scalable broadcast encryption schemes. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 276–292. Springer, Heidelberg (2005). doi:10.1007/11535218_17
Jho, N.-S., Hwang, J.Y., Cheon, J.H., Kim, M.-H., Lee, D.H., Yoo, E.S.: One-way chain based broadcast encryption schemes. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 559–574. Springer, Heidelberg (2005). doi:10.1007/11426639_33
Kautz, W.H., Singleton, R.C.: Nonrandom binary superimposed codes. IEEE Trans. Inf. Theor. 10(4), 363–377 (1964)
Kumar, R., Rajagopalan, S., Sahai, A.: Coding constructions for blacklisting problems without computational assumptions. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 609–623. Springer, Heidelberg (1999). doi:10.1007/3-540-48405-1_38
Kumar, R., Russell, A.: A note on the set systems used for broadcast encryption. In: 14th Annual Symposium on Discrete Algorithms (SODA), pp. 470–471. ACM-SIAM (2003)
Luby, M., Staddon, J.: Combinatorial bounds for broadcast encryption. In: Nyberg, K. (ed.) EUROCRYPT 1998. LNCS, vol. 1403, pp. 512–526. Springer, Heidelberg (1998). doi:10.1007/BFb0054150
Micciancio, D., Panjwani, S.: Optimal communication complexity of generic multicast key distribution. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 153–170. Springer, Heidelberg (2004). doi:10.1007/978-3-540-24676-3_10
Mitchell, C.J., Piper, F.C.: Key storage in secure networks. Discrete Appl. Math. 21(3), 215–228 (1988)
Naor, D., Naor, M., Lotspiech, J.: Revocation and tracing schemes for stateless receivers. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 41–62. Springer, Heidelberg (2001). doi:10.1007/3-540-44647-8_3
Wallner, D.M., Harder, E.J., Agee, R.C.: Key management for multicast: issues and architectures. Internet Draft, RFC 2627 (1999)
Wang, S.-Y., Yang, W.-C., Lin, Y.-J.: Balanced double subset difference broadcast encryption scheme. Secur. Commun. Netw. 8(8), 1447–1460 (2015)
Wong, C.K., Gouda, M., Lam, S.S.: Secure group communications using key graphs. In: Proceedings of ACM SIGCOMM, pp. 68–79 (1998)
Acknowledgments
This research was supported in part by the NSF REU-CAAR program, award #1262805; we thank Bill Gasarch for organizing that program. We thank Daniel Apon, Seung Geol Choi, Jordan Schneider, and Arkady Yerukhimovich for discussing various aspects of this problem with us.
A Information-Theoretic Single-Sender Schemes
In this section we describe various single-sender schemes that, to the best of our knowledge, have not appeared previously in the literature. The parameters of the schemes presented here do not beat the parameters of the best known single-sender schemes, but they have the advantage of having information-theoretic security.
We begin with a simple scheme that revokes exactly one user (i.e., \(r_\mathrm{max}=1\)). Fix some b, and identify the n users with b-tuples whose coordinates range from 1 to \(n^{1/b}\). The sender holds a set of keys \(K = \{k_{i, w}\}_{i\in [b], \, w \in [n^{1/b}]}\) of size \(b \cdot n^{1/b}\). The user associated with tuple \((w_1, \ldots , w_b)\) is given the set of keys \(\{k_{i,w}\}_{i\in [b], \, w \ne w_i}\); in other words, key \(k_{i,w}\) is held by all users whose ith coordinate is not w. To revoke the single user \((w_1, \ldots , w_b)\), the sender encrypts the message using the b keys \(k_{1,w_1}, \ldots , k_{b, w_b}\) not held by that user. It follows that:
Theorem 5
For any b, there is an information-theoretic, single-sender BE scheme with \(r_\mathrm{max}=1\) having per-user storage \(b \cdot n^{1/b} - b\), bandwidth b, and \(b \cdot n^{1/b}\) total keys.
Gentry et al. [18] show that in any information-theoretic, single-sender scheme with \(r_\mathrm{max}=1\), storage s, and bandwidth b, it holds that \(n \le s^b\). The above scheme shows this bound is tight within a constant factor.
We now show how to build an information-theoretic scheme \(\varPi ^*\) revoking any number of users based on any scheme \(\varPi \) revoking a single user. The high-level idea is to apply the SD approach [29] to schemes rather than to keys. In the SD approach, users are arranged at the leaves of a binary tree, and for each pair of nodes i, j in the tree with i an ancestor of j, we let \(S_{i,j}\) denote the users who are descendants of i but not descendants of j. Naor et al. show that any set of users S can be partitioned into O(r) such sets, where \(r=n-|S|\) is the number of revoked users. In the SD scheme, for all i, j as above there is a single key \(k_{i,j}\) known exactly to the users in \(S_{i,j}\); hence, the bandwidth of the scheme is O(r). Here, we generalize the approach so that there is a set of keys allowing only those users in \(S_{i,j}\) to decrypt.
We again arrange the users at the leaves of a binary tree. In this tree, let \(T_i\) denote the sub-tree rooted at some node i. For each such sub-tree \(T_i\) of height h, we associate the root node i of that sub-tree with h instances of \(\varPi \) (recall, \(\varPi \) is a single-sender scheme supporting revocation of a single user) corresponding to the h levels of \(T_i\) not including the root node itself. The “virtual users” of instance \(\ell \in \{0, \ldots , h-1\}\) of \(\varPi \) correspond to the nodes at height \(\ell \) in \(T_i\), and we imagine giving each node the keys it would receive as a virtual user in all instances of \(\varPi \) in which it is involved. Each real user, at a leaf, stores the keys that would be given to all of its ancestors.
To send a message to a subset S of the users, the sender partitions S into a collection of subsets \(S_{i,j}\) as in the SD scheme. To encrypt a message such that only the users in \(S_{i,j}\) can read it, the sender uses the instance of \(\varPi \) in which node i is the sender and the nodes on the same level as j are the receivers, and revokes user j.
Rather than analyzing the above in the general case, we compute the bandwidth and storage when applied to the single-sender scheme \(\varPi \) from Theorem 5. Naor et al. showed that any set S of users can be partitioned into at most \(2r-1\) subsets \(S_{i,j}\), where \(r=n-|S|\) is the number of revoked users. Since the scheme \(\varPi \) from Theorem 5 has fixed bandwidth b independent of the number of users, we conclude that the bandwidth of our scheme here is at most \(b \cdot (2r-1)\). The storage per user is given by \(\sum _{h=1}^{\log n} \sum _{\ell =0}^{h-1} (n/2^{h-\ell })^{1/b} = O(n^{1/b})\). Similarly, one can show that the total number of keys is O(n). Summarizing:
Theorem 6
(Scheme 1). For any b, there is an information-theoretic, single-sender BE scheme supporting arbitrarily many revoked users having per-user storage \(O(n^{1/b})\), bandwidth \(O(b \cdot r)\), and O(n) total keys.
Specifically, there is an information-theoretic, single-sender BE scheme supporting arbitrarily many revoked users having per-user storage \(O(\sqrt{n})\), bandwidth O(r), and O(n) total keys.
© 2017 Springer International Publishing AG
Freitag, C., Katz, J., Klein, N. (2017). Symmetric-Key Broadcast Encryption: The Multi-sender Case. In: Dolev, S., Lodha, S. (eds) Cyber Security Cryptography and Machine Learning. CSCML 2017. Lecture Notes in Computer Science(), vol 10332. Springer, Cham. https://doi.org/10.1007/978-3-319-60080-2_16
DOI: https://doi.org/10.1007/978-3-319-60080-2_16
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-60079-6
Online ISBN: 978-3-319-60080-2