GUNNAR KREITZ

Master’s Degree Project Stockholm, Sweden 2005

TRITA-NA-E05036

Numerisk analys och datalogi KTH 100 44 Stockholm

Department of Numerical Analysis and Computer Science Royal Institute of Technology SE-100 44 Stockholm, Sweden

Optimization of Broadcast Encryption Schemes

GUNNAR KREITZ

TRITA-NA-E05036

Master’s Thesis in Computer Science (20 credits) at the School of Computer Science and Engineering, Royal Institute of Technology year 2005 Supervisor at Nada was Johan Håstad Examiner was Johan Håstad

Abstract Broadcast encryption is an interesting application of cryptography to broadcast content to a changing group of intended recipients in such a way that noone outside this group can recover the content. This has natural applications in e.g. media distribution in mobile and cable TV networks. In this thesis, several new ideas for reducing the bandwidth requirements of broadcast encryption systems will be presented. Among them a new generic framework achieving better performance than state-of-the-art schemes, both in theory and practice.

Optimering av broadcast-krypteringssystem Examensarbete

Sammanfattning Broadcast-kryptering är en intressant tillämpning av kryptografi som möjliggör massutsändningar till en dynamisk grupp mottagare på ett sådant sätt att ingen utom de tilltänkta mottagarna kan avkoda innehållet. Detta har naturliga användningsområden inom t.ex. mediadistribution i mobil- och kabel-TV-nätverk. I detta examensarbete presenteras ett flertal nya idéer för att minska bandbreddskraven hos broadcast-krypteringssystem. Bland dessa finns ett nytt system som uppnår bättre prestanda än de bästa kända nuvarande systemen, både i teorin och praktiken.

Contents 1 Introduction 1.1 Further applications 1.2 Goal . . . . . . . . . 1.3 Scope . . . . . . . . 1.4 Contributions . . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

1 2 2 3 3

2 Background 2.1 Broadcast Encryption . . . . . . . . . . 2.2 Other alternatives . . . . . . . . . . . . 2.3 Notational conventions . . . . . . . . . . 2.4 Model . . . . . . . . . . . . . . . . . . . 2.4.1 Cheating members . . . . . . . . 2.4.2 Authentication and implicit keys 2.4.3 Changing the media key . . . . . 2.4.4 Restrictions . . . . . . . . . . . . 2.5 Classifications . . . . . . . . . . . . . . . 2.5.1 State . . . . . . . . . . . . . . . . 2.5.2 Assumptions . . . . . . . . . . . 2.6 Security aspects . . . . . . . . . . . . . . 2.6.1 Security models . . . . . . . . . . 2.6.2 Backward and forward secrecy . 2.6.3 Collusion . . . . . . . . . . . . . 2.7 The mobile network . . . . . . . . . . .

. . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . .

. . . . . . . . . . . . . . . .

4 4 5 5 6 6 7 7 7 7 8 8 9 9 9 9 10

. . . . . . . . .

12 12 12 13 14 14 15 15 16 16

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

3 Previous works 3.1 Naive algorithms . . . . . . . . . . . . . . . . . . . . 3.2 Logical Key Hierarchy (LKH) . . . . . . . . . . . . . 3.2.1 One-way Function Tree (OFT) . . . . . . . . 3.2.2 Efficient Large-group Key distribution (ELK) 3.3 Subset Cover schemes (SC) . . . . . . . . . . . . . . 3.3.1 Structure of a subset cover message . . . . . . 3.3.2 Key-indistinguishability . . . . . . . . . . . . 3.3.3 Complete Subtree . . . . . . . . . . . . . . . . 3.3.4 Subset Difference (SD) . . . . . . . . . . . . .

. . . . . . . . .

. . . . . . . . .

. . . . . . . . .

. . . . . . . . .

. . . . . . . . .

. . . . . . . . .

. . . . . . . . .

. . . . . . . . .

3.4 3.5 3.6 3.7

3.3.5 Layered and Stratified Subset Difference (LSD and SSD) 3.3.6 Dynamic Subset Difference (Dynamic SD) . . . . . . . . 3.3.7 Improving performance by prefix truncation . . . . . . . 3.3.8 Hierarchical Key Tree (HKT) . . . . . . . . . . . . . . . Scalable and Lightweight Key Distribution (SLKD) . . . . . . . Hybrid Schemes . . . . . . . . . . . . . . . . . . . . . . . . . . . Problems with previous works . . . . . . . . . . . . . . . . . . . Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3.7.1 Stateful algorithms . . . . . . . . . . . . . . . . . . . . . 3.7.2 Stateless algorithms . . . . . . . . . . . . . . . . . . . .

4 Optimization ideas 4.1 Stateful Subset Cover . . . . . . . 4.1.1 An intuitive description . . 4.1.2 Generalized subset covering 4.1.3 The framework . . . . . . . 4.1.4 Generic cover . . . . . . . . 4.1.5 Subset Difference . . . . . . 4.1.6 Hierarchical Key Tree . . . 4.2 Stateful over stateless . . . . . . . 4.3 Filters . . . . . . . . . . . . . . . . 5 Theoretical evaluation 5.1 Stateful Subset Cover . . . . . 5.1.1 Performance . . . . . . . 5.1.2 Correctness . . . . . . . 5.1.3 Security . . . . . . . . . 5.1.4 General cover algorithm 5.1.5 Subset difference . . . . 5.1.6 Hierarchical key tree . . 5.2 Filters . . . . . . . . . . . . . . 5.2.1 Performance . . . . . . . 5.2.2 Security . . . . . . . . . 5.3 Stateful over stateless . . . . .

. . . . . . . . . . .

. . . . . . . . . . .

. . . . . . . . .

. . . . . . . . . . .

. . . . . . . . .

. . . . . . . . . . .

6 Practical evaluation 6.1 User modeling . . . . . . . . . . . . . . 6.1.1 Johansson’s scenarios . . . . . . 6.1.2 TV model . . . . . . . . . . . . 6.1.3 Sparse trees . . . . . . . . . . . 6.2 About the test environment . . . . . . 6.3 Performance in Stateful Subset Cover . 6.3.1 Subset Difference . . . . . . . . 6.3.2 Hierarchical Key Tree . . . . .

. . . . . . . . .

. . . . . . . . . . .

. . . . . . . .

. . . . . . . . .

. . . . . . . . . . .

. . . . . . . .

. . . . . . . . .

. . . . . . . . . . .

. . . . . . . .

. . . . . . . . .

. . . . . . . . . . .

. . . . . . . .

. . . . . . . . .

. . . . . . . . . . .

. . . . . . . .

. . . . . . . . .

. . . . . . . . . . .

. . . . . . . .

. . . . . . . . .

. . . . . . . . . . .

. . . . . . . .

. . . . . . . . .

. . . . . . . . . . .

. . . . . . . .

. . . . . . . . .

. . . . . . . . . . .

. . . . . . . .

. . . . . . . . .

. . . . . . . . . . .

. . . . . . . .

. . . . . . . . .

. . . . . . . . . . .

. . . . . . . .

. . . . . . . . .

. . . . . . . . . . .

. . . . . . . .

. . . . . . . . .

. . . . . . . . . . .

. . . . . . . .

. . . . . . . . .

. . . . . . . . . . .

. . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

. . . . . . . . . .

17 17 18 18 19 20 20 21 21 21

. . . . . . . . .

. . . . . . . . .

. . . . . . . . .

23 23 23 24 25 25 26 29 30 31

. . . . . . . . . . .

33 33 33 34 34 34 35 35 35 35 36 36

. . . . . . . .

37 37 37 40 42 42 42 43 44

. . . . . . . . . . .

. . . . . . . .

. . . . . . . . . . .

. . . . . . . .

6.4

. . . . . . . . . . . . .

45 45 46 47 47 49 49 49 50 51 51 52 52

7 Conclusion 7.1 Recommendations . . . . . . . . . . . . . . . . . . . . . . . . . . . .

53 54

References

55

A Performance evaluation figures

57

6.5

6.6

6.7 6.8

The impact of basechange . . . . . . . . . . . . . . . . . . . 6.4.1 Varying the a parameter in Stateful Hierarchical Key The effect of oversized trees . . . . . . . . . . . . . . . . . . 6.5.1 Scaling with userbase size . . . . . . . . . . . . . . . 6.5.2 Network traffic . . . . . . . . . . . . . . . . . . . . . 6.5.3 Summary . . . . . . . . . . . . . . . . . . . . . . . . Security in Stateful Subset Cover . . . . . . . . . . . . . . . 6.6.1 Cheating model . . . . . . . . . . . . . . . . . . . . . 6.6.2 Subset Difference . . . . . . . . . . . . . . . . . . . . 6.6.3 Hierarchical Key Tree . . . . . . . . . . . . . . . . . 6.6.4 Cheating in sparse trees . . . . . . . . . . . . . . . . Filters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Stateful over stateless . . . . . . . . . . . . . . . . . . . . .

. . . Tree . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . . . . . . . . . .

Chapter 1

Introduction The year is 2010 and the latest reality show, Surviving Idol, has just begun airing. A few hundred contestants have been situated on a small group of remote islands in the southwestern Pacific with scarce supplies of food. Their basic mission is of course to survive, but they must also show off artistic talents (the winner gets a record deal). Contestants have been gathered from many different countries to ensure a worldwide audience and the show is broadcasted in over 100 countries. What is new for this season, and hopefully of interest to the reader of this thesis, is how you watch the show and vote. Only small portions of the action are shown on TV. Mainly, you view the show on your mobile phone’s Pay-Per-Minute service. Every contestant is tracked by a personal camera, 24/7. The way to vote is simply by watching your favorite contestant. Every minute a contestant’s personal camera is watched by someone is counted as a vote for that contestant to remain in the game. For the content distribution, the only feasible technique is broadcasting or multicasting. Unicasting the material to members will simply consume too much bandwidth. One of the problems that arise is how to ensure that only the paying audience can watch the show. The potential audience is enormous,1 but at the same time, bandwidth can be a scarce resource in the mobile network, so a highly scalable security solution must be found. Finding such a solution is the subject of this thesis. The scenario described here is the same type of scenario as in broadcast encryption, which is a natural solution to this problem. There is a “secret” (i.e. the valuable 24/7 live feeds of contestants eating and sleeping) that should be broadcasted to a group of recipients. There is also a central authority deciding who the recipients are. The group of recipients can change frequently (customers turn phones on and off, go out of range and forget to pay bills) and no one outside the intended group of recipients should be able to see the material.

1

There are already over 1.5 billion mobile phones in the world

1

1.1

Further applications

Selling video to mobile phone subscribers is not the sole application of broadcast encryption. Another interesting application is secure group communications (for instance conference calling or virtual private networks) where multiple parties act as senders and recipients. In this specific case, a broadcast encryption scheme can be used to maintain group security, as long as a trusted key server exists. Broadcast encryption techniques can also be used for off-line media content protection, which is used in e.g. DVD:s. In this case, the material on the disk (such as a movie) is encrypted in such a way that only authorized players can decrypt it. The main two reasons for wanting to do this in DVD:s is to combat piracy (preventing consumers from making copies) and to have a zoning system, preventing a movie sold in USA from working in Europe. In such a scenario, a “user” in the broadcast encryption system could be a specific playback device, a model, or even a whole brand. Should unauthorized software (or hardware) appear with the ability to decrypt the contents, a traitor tracing scheme can then be used to find out what key was leaked, and that key could then be disabled, or revoked, so that the unapproved device is prevented from decrypting new releases. These other applications present very different usage patterns and requirements than our scenario. For instance, with off-line media content protection, it is likely that the system will have very few revocations (if any). There, it is also not feasible to have two-way communication between “users” and the key server. This places certain limits on what solution can be used. In particular, a stateful protocol will be impossible to use. There is also an application which is similar to the mobile scenario in many respects, and that is the distribution of digital TV over more traditional mediums, such as cable TV. The main difference from our scenario is not the usage (which can be expected to be similar), but rather the available bandwidth which is much more plentiful in traditional TV broadcast mediums.

1.2

Goal

Broadcast encryption has been studied since 1994 and there are many solutions available in the literature. Previous works are good and work well for most applications, but they require too much bandwidth for large-scale mobile usage, as was shown in [10]. It is likely that mobile phones with their growing capabilities will become increasingly interesting as media playback devices. The goal of this thesis is to sufficiently improve current broadcast encryption methods, so that they become usable in very large-scale networks with limited bandwidth (e.g. cellular networks). The optimizations could also be of benefit to other broadcast encryption applications. Reducing the bandwidth consumed by the broadcast encryption itself leaves more bandwidth available for the content. 2

1.3

Scope

The scope of this thesis is lowering the bandwidth usage of broadcast encryption methods. Related problems, such as authentication, billing, or attracting people to pay for watching the content (such as a reality show) are not discussed. Optimization ideas are discussed and analyzed with regards to security and bandwidth consumption. Quite simplistic user models are used for performance measurements and security analysis.

1.4

Contributions

The primary contribution of this thesis is the introduction of a new framework for adding state to subset cover schemes. This framework is analyzed with good results, showing significant decreases in bandwidth requirements. A new, generic framework for running a stateful scheme “over” one or more stateless schemes is presented. This framework is extremely flexible in that it allows several different schemes to be used simultaneously and users can dynamically, as their behaviour is categorized, be moved to using a suitable scheme. The idea of adding filters to the network is presented. The addition of filters in a mobile setting gives significant gains, since bandwidth is limited at the edges of the network, near the customers, while there is plenty of bandwidth available more centrally. A simplistic model of user behaviour has been created and bandwidth usage has been evaluated in that model, as well as in the scenarios from Johansson’s master thesis [10].

3

Chapter 2

Background This chapter provides background information about the problem and discusses the concept and goals of broadcast encryption, along with related topics. Notational conventions used throughout the entire thesis will also be presented here, so even a reader familiar with the background will probably want to read through those. It is assumed that the reader has some knowledge about cryptography and computer science. For some light reading on cryptography in general, see [19]. For a more technical coverage, see a text-book on the subject such as [14] or [20].

2.1

Broadcast Encryption

In traditional cryptography, the focus has been to enable secure communication over an insecure medium. Traditionally, this is accomplished by a symmetric (also known as private key) cryptosystem where anyone having the key can both encrypt and decrypt messages. Normally, the scenario where only two parties are communicating (and thus share the key) is considered. Symmetric cryptography works well for a group too, as long as the group is static (i.e. no one leaves or joins). Should someone leave, he must be prevented from being able to decrypt further group communication. However, the only means the group has of communicating securely is by using the shared group key, which the party now excluded also knows. This is where broadcast encryption comes in. The basic principle is the same, a symmetric key is handed out to all group members. But in broadcast encryption, some extra information is also given to members, so that new symmetric keys can be distributed securely and efficiently to those remaining in the group after someone leaves. This shared symmetric key is then used to encrypt whatever content (such as a reality show) that the content provider wishes to broadcast. When a user is removed from the system (either by issuing a leave request, or by being forced out), the media key must be changed. If it was not changed, that user would be able to continue decrypting broadcasted material. The key must also be changed when a user is added to the system. If it was not changed, the user would in that case be able to decrypt broadcasts which occurred before the user joined the 4

group. For a TV show for instance, it would be enough for the user to pay for the last minute, but he could still watch the entire show (albeit late). Berkovits published a paper, [2], in 1991 where he showed how to broadcast a secret to an intended set of reciptients. In 1994, Fiat and Naor [6] started a more formal study of the field and also presented a basic broadcast encryption scheme.

2.2

Other alternatives

Could there perhaps be some better option for broadcasting secret information than to distribute a symmetric key and then broadcasting the information encrypted with this key? If such a method exists, that method could also be used for broadcast encryption since it must be able to distribute information in such a way that only members can retrieve the information. To convert such a system into a broadcast encryption scheme, we simply select the information to be distributed to be a media key, and then broadcast an encrypted media stream as usual. Further investigation of other options than broadcast encryption is beyond the scope of this thesis. It is worth noticing that if the size of the information to be broadcasted is small (e.g. stock quotes), it might be better to distribute the information directly as the “key”, instead of distributing a media key and then the encrypted information.

2.3

Notational conventions

The following notational conventions will be used throughout the entire thesis. A user allowed to view the content is called a member and a user not allowed to view the content is called revoked. The sets of members and revoked users are denoted M and R, respectively. Note that it must hold that M ∩ R = ∅, since a user cannot simultaneously be a member and revoked. The union of members and revoked users are simply called users and are denoted U = M ∪ R. When a user goes from being in M to R, we say that the user is removed from the system. This could in practice occur for a number of reasons, either by user request or by being forced out. Analogously, when a user goes from being in R to M, we say that the user is added to the system. The symmetric encryption key that is used to encrypt the media, and that thus needs to be distributed to all members m ∈ M is called media key and denoted KM . Symmetric encryption of information I with key K is denoted EK (I). For all sets defined here, we let the lower-case letter denote the size of the set, i.e. m = |M|, r = |R| and u = |U|. Let ∆m and ∆r denote the number of users who have been added and removed since the last stateful key update. Both ∆m and ∆r are non-negative integers, and ∆m − ∆r is positive if the number of members has increased since the last stateful key update. There will often be a need to discuss nodes of binary trees. Let l(n) and r(n) denote the left and right children of node n, respectively. Let par(n) denote the 5

parent node and sib(n) denote the sibling node. With binary trees, logarithms will commonly be occuring and we will take it was a convention that log with the base unspecified is base 2 logarithms.

2.4

Model

The basic model is that we assume that there is a (secure) key server, responsible for generating new keys and distributing the new media key to members, when the media key, KM , changes. Then there is a content server (possibly the same computer as the key server), receiving the current media key from the key server and using this key to encrypt its media and then broadcasting it to all members. All transmissions occur over an insecure network, e.g. Internet, where they can easily be eavesdropped. An assumption is made that users can communicate with the key server, for instance via a network connection. This is only used implicitly in the thesis, by allowing the use of stateful (see 2.5.1) schemes which require some form of recovery in the presence of packet loss.

2.4.1

Cheating members

One possibility for members to cheat would be by simply re-distributing the media key to revoked users, something which would most likely be impossible to detect. In our scenario, with mobile phone user terminals, this can be mitigated by various techniques to make extraction of the short-lived media key cost-inefficient. For instance, a new form of key, packet keys, could be added. The whole key management protocol could be handled by some tamper-resistant DRM module which stores the long-term keys and also handles the decryption of the short-term media key. Then, for each packet, a new key could be derived from the media key by the DRM module using a secure hash function and this new key would be given to the application. This implies the addition of some explicit packet counter within the media stream to cope with packet loss and know what packet key is to be used. This technique is used in 3GPP today. A more serious form of cheating would be someone purchasing a mobile phone and extracting the long-term user keys from it. A pirate decoder could then be manufactured using those keys, which could be re-sold for a profit. This can be made difficult, and thus costly, by placing such long-time keys into tamper-resistant storage. To deal with pirate decoders, should they be built, traitor tracing methods, such as those presented in [17], can be used. These methods show how to track down what key the pirate box is using (given access to such a box) in an efficient way, so that these keys can be disabled. Means for detection and mitigation of various key-extraction attacks are not considered in this thesis. 6

2.4.2

Authentication and implicit keys

For the scope of this thesis, it is assumed that authentication is handled by some other mechanism and that the broadcast encryption system always have current lists of which users are members and which are revoked. Further, it is assumed that each user implicitly shares a symmetric key with the key server (this could be provided for instance at authentication) so that the key server can always communicate securely with an individual user. Some of the schemes explicitly mention this key, some do not.

2.4.3

Changing the media key

When should the media key be changed? That is a difficult question and is highly dependent on the confidentiality of the content, the number of users, required performance levels, etc. For a system with strict confidentiality, where it is critical that a removed user is thrown out immediately, then immediate rekeying as soon as a remove event occurs is needed. In the general case, however, it is often beneficial for performance to wait until a number of remove requests have arrived, or a certain amount of time has passed before the actual revocation occurs. This implies that newly removed members may be able to continue watching for a short time before being locked out. In this thesis, it is generally assumed that the updating of the media key occurs periodically, since this is what fits best in the given scenario. We will generally speak of the key being refreshed after rounds of user movements (i.e. additions and removals), which should be read as a periodical rekeying.

2.4.4

Restrictions

There needs to be some limit on the computational and storage capacity of the devices (user agents, key server, attackers) involved. The key server must run in polynomial time (in the number of users), and is allowed to access a source of randomness (to be able to generate random keys). Storage-wise, no strict limit is given. The user agent is limited to sub-linear time and memory. Linear performance is acceptable for smaller systems or when a divide-and-conquer approach is used, as in section 4.2. We limit attackers to probabilistic polynomial time.

2.5

Classifications

There are a few parameters which are important in the evaluation of a broadcast encryption scheme, in addition to its directly measurable performance. One very important parameter is if the scheme is stateful or not. Another one would be what assumptions, if any, that the system is dependent on for its security. 7

2.5.1

State

A broadcast encryption system can be either stateful or stateless. In a stateless system, all long-term keys are distributed at initialization (or the first time a user joins). In our scenario, this could mean that the keys are stored on the SIM card. The long-term keys are then static throughout the lifetime of the system and no new such keys are added. The only key which is changed is the media key. This means that a user, if he loses connectivity or for some other reasons misses key management packets will fail to decrypt the current part content stream, but as soon as he gets the next key management packet, he can recover the next media key and continue watching without any extra effort. In stateful schemes, on the other hand, long-term keys may be updated or added through key-management messages. This means that if the user misses key management packages, it may be impossible for him to decrypt the next media key without somehow first receiving the packet he missed. If packet loss can occur, and it certainly can in our scenario, a stateful scheme must thus be augmented with some form of recovery mechanism. This can be implemented through some general means (e.g. by using a reliable multicast protocol). In general, a stateful scheme can always be transformed into a stateless scheme by in each message including all previous messages. This is, however, a very unrealistic solution, as the message size will grow large very rapidly. One stateful broadcast encryption scheme, ELK (section 3.2.2), includes an interesting recovery mechanism which is integrated in the protocol where users who miss key management packets can recover keys by brute-forcing a part of the key. There are some slight variations to this division of schemes. For instance, dynamic subset difference (section 3.3.6) is multicast stateless, that is, it is stateless for all multicast messaging, but performs some stateful key updates over unicast. Hybrid schemes and stateful subset cover schemes (sections 3.5 and 4.1) can both be referred to as semi-stateless, that is, they support running statelessly for periods of time at the cost of bandwidth performance.

2.5.2

Assumptions

For the security analysis of a system, some assumptions generally need to be made. For instance, in general, we need to assume that BPP 6= NP if the media content is recognizable to an attacker. Otherwise, an attacker could try all possible KM to decrypt the encrypted media broadcast and then select the correct one in probabilistic polynomial time. Recall also the built-in assumption in the model that the attacker is limited to probabilistic polynomial-time attacks. There are broadcast encryption systems which are unconditionally secure and thus do not rest on any assumptions to show their security. These systems, do, however, use a model where only a limited number (determined at system setup) of messages can be broadcast. For these protocols, lower bounds have been proven on memory at receivers and broadcast size in [3]. These demands are much too high for our setting, and thus this class of protocols are beyond the scope of this thesis. 8

Assumptions which have been used to build more efficient systems range from weak assumptions such as the existence of one-way functions to stronger, more specific assumptions related to the RSA cryptosystem.

2.6

Security aspects

To analyze and prove the security of a cryptosystem, a model is needed to define the capabilities of the attacker. Since the scenario is different from that of classical cryptography, the classic security models cannot be used. In broadcast encryption, two important security aspects, aside from the model, are backward and forward security and user collusion, which will be briefly discussed in this section.

2.6.1

Security models

For classic cryptography, several different types of attacker capabilities, e.g. chosen plaintext, have been defined. These are not applicable to the broadcast encryption scenario, so a similar model is needed in that area. To the author’s knowledge, no such model exist which generally define attacker capabilities in a broadcast encryption setting. Two limited models exist, one for subset cover schemes (section 3.3) and one for hybrid schemes (3.5). The subset cover model defines attacker capabilties similar to those defined in the classical CCA-I (chosen ciphertext attack) model. Particularily interesting is that a proof has been given that subset cover schemes which have a certain property called key indistinguishability (section 3.3.2) are secure in this model. The hybrid scheme security model is in the author’s opinion somewhat flawed in that it removes a viable way of attack from an attacker. The hybrid scheme framework (section 3.5) is also vulnerable to this attack and have limited backward security. In this framework, a proof has also been given for logical key hierarchy (section 3.2).

2.6.2

Backward and forward secrecy

The concept of backward secrecy means that a member cannot use the information he has to recover material that was broadcast before he was added. In our scenario, this means that a user cannot simply record the entire broadcast, then pay for the last second, and then view all broadcasted material (albeit late). Forward secrecy analogously means that a removed member must be prevented from being able to continue viewing the broadcast.

2.6.3

Collusion

When analyzing the security of a broadcast encryption scheme, it is generally assumed that revoked users may collude (i.e. cooperate) to break the security. Different schemes offer a varying degree of resistance against colluding users, some schemes 9

Key server

Internet GSM/GPRS WCDMA

GGSN

IP network

Content server

Network belonging to mobile operator

Figure 2.1. Sample network figure

remain secure even if all of R cooperates, whereas other can only guarantee security against up to some fixed constant k colluding revoked users. Note that collusion in general requires that users are able to directly access their own keys. This is something which can be made difficult, and thus expensive, in our partciular scenario (see section 2.4.1).

2.7

The mobile network

As the main scenario this thesis is concerned with is a mobile phone setting, a brief overview of the networks used will be presented here. For most parts of this thesis, the network will only be seen as a simple broadcast medium where everything broadcasted by the key server reaches all users. The IP network of an operator is connected to the cellular phones through what is called a Gateway GPRS Support Node (GGSN). From a networking perspective, this acts as a regular router. Between the GGSN and the phones, there is a three-tier network, where we will not go into details. Many of the devices in this path already know about and modify IP traffic (e.g. doing header compression). The key server and the media server will probably be situated either on the content provider’s network or directly at a mobile service provider’s network. It is reasonable to assume that a single key server and/or media server may be used to service customers on multiple service provider’s networks. For instance, if a large operator such as Sony was to distribute some content, they would most likely want to operate the content server themselves with customers on various mobile networks such as Vodafone and Telia. In figure 2.1, an example is given where both the key server and the content server are two separated entitites connected to a mobile phone operator’s network through the public internet. This could be the case where one company works as a content provider, one company provides the secure content handling (i.e. the key management), both independent of the mobile operator. 10

The bandwidth available at the edge of the network (i.e. the radio link) is quite limited. In GSM/GPRS (“2.5G”), a phone has a maximum available bandwidth of approximately 36 kb/s. In WCDMA (“3G”), at least 384 kb/s is available, a value that can be expected to increase in the future. In the rest of the network, as far as our application is concerned, there is plenty of bandwidth available.

11

Chapter 3

Previous works In this chapter, several previous protocols will be covered. Many of these will in one way or another be used for optimizations later on. It is not the author’s intention to give complete presentations of previous works, but rather just briefly cover how they work to help the reader understand the problems of and main ideas behind the protocols. For details, see the respective papers where the protocols were originally presented.

3.1

Naive algorithms

There are naive algorithms accomplishing an absolute minimum in bandwidth consumption or memory consumption. To get minimal memory usage, the key server can simply give each user a personal key. When the center wishes to distribute a 0 once with every member’s key and broadcasts the new KM , it simply encrypts KM result. The bandwidth requirement is linear in the number of members, but each user only has to keep track of one key. The other way would be to assign one key per subset of users (i.e. one key per set s ∈ P(U) which is distributed to all u ∈ s, where P(U) denotes the power set of U). Then the key server just has to find the key Ki , corresponding to the 0 ). The bandwidth requirement subset of current members and broadcast EKi (KM is constant (just one encrypted message per media key change), but users have to store an exponential amount of keys; each user must store 2u−1 keys.

3.2

Logical Key Hierarchy (LKH)

Logical Key Hierarchy (LKH) is a protocol which was proposed in [21, 22]. In LKH, members are assigned positions as leaves in a tree. Revoked users are not in the tree and do not have any keys (except for the implicit symmetric key shared with the server that all users have). The tree should preferably be balanced for performance reasons, but it is not a strict necessity. The tree does not have to be binary. 12

1

2

4

3

5

6

7

Figure 3.1. Sample LKH tree

Every node v in the tree is assigned a randomly generated key Kv . A member is given the keys associated with all of the nodes on the path from the member’s leaf to the root. Since only all the members, have access to the key assocated with the root (i.e. K1 ), that key is used as the media key KM . When a member is removed, all keys that member had must be changed to maintain forward secrecy. This can be accomplished by generating new keys Kv0 for all nodes v that the member had. These random keys are then distributed encrypted with children keys which the recently revoked member does not have access to. As an example, assume that a member at position 7 in figure 3.1 is removed. That member had keys K7 , K3 and K1 , so the key server creates random new K30 and K10 . Node 7 will be removed from the tree, so the key server does not need to generate K70 until a new user is added at that position. These are then distributed by making the following broadcast: EK6 (K30 ), EK2 (K10 ), EK30 (K10 ). All keys in nodes that the member at position 7 had, have thereby been replaced or removed. The current keys are changed in a similar manner when a user is added to the tree, except that then the new key Kv0 is broadcasted, encrypted with the old Kv (this is possible now, since everyone who had Kv before the addition of a new member should get Kv0 ). All keys belonging to the new member are securely unicasted to that member, using the member’s implicit symmetric key. As described here, this system revokes immediately. The scheme can be extended to do batched updates, i.e. handle a number of addition or removal requests simultaneously. Such methods and their performance were evaluated in [10].

3.2.1

One-way Function Tree (OFT)

One-way Function Tree (OFT) is a stateful broadcast encryption scheme which was introduced in [13]. It uses the same key structure as LKH but it requires that the key tree structure is a binary tree. Instead of having keys of different nodes independent, as in LKH, the key of a parent node v is f (g(Kl(v) ), g(Kr(v) )), where f is a “mixing” 13

function and g is a one-way function. This means that a user knowing g(Kl(v) ) and g(Kr(v) ) can calculate Kv . The value g(Kv ) is referred to as a blinded node key for the node v. Just as in LKH, a member knows all the keys associated with nodes on the path from the member’s leaf to the root. In OFT, a member will also always know the blinded keys of all sibling nodes to those nodes the member should have acess to. As an example, in figure 3.1, the member at position 7 will have access to keys K7 , K3 and K1 and the blinded keys g(K6 ) and g(K2 ). This structure gives OFT slighly better coefficients for key updates than LKH. For details on how the scheme works, see [13].

3.2.2

Efficient Large-group Key distribution (ELK)

ELK [18] is a protocol explicitly designed to address issues that crop up in largegroup key distribution. It has the exact same key structure as LKH has, but the tree must in this case be a binary tree. In general, ELK is designed to trade-off computational power, both at the key server and at members in exchange for lower bandwidth requirements. ELK contains several interesting ideas such as using a one-way function to update all keys in the tree when a member is added. This puts some computational strain on the key server if many members join, but saves bandwidth since added members can in most cases be handled without any multicast communication. This requires a simple counter to be added to the data stream to inform members of how many times one-way functions need to be applied to their keys. ELK also uses an interesting idea of reserving some space in the actual data stream messages for checksums and some bits of changed keys. Since ELK is a stateful scheme, like LKH and OFT, packet loss will likely be an issue in practice. In ELK, given the information within the data stream, a member who missed a key management can brute-force a reasonably small space to recover the keys. For details on this scheme, see [18].

3.3

Subset Cover schemes (SC)

Subset cover schemes were presented in [17] where some general results concerning them were proven and two concrete schemes were presented, Complete Subtree (CS) and Subset Difference (SD). The general principle behind subset cover based schemes is that we have a (fixed) family F = S1 , · · · , Sw of subsets over the set of all users of our system (i.e. F ⊆ P(U)). Singleton sets for all users must be present, to ensure that we can address each user individually (this requirement can be seen as explicitly mentioning the individual keys we assume the key server shares with each user, see section 2.4.2). Each subset Si is associated with a key Ki which is then given to the users belonging to the subset. The key can either be given directly, or it can be given as some data from which one or several keys can be computed (e.g. with a one-way function). 14

0 to a set of users, it computes a When the key server wants to send a new KM S set covering C ⊆ F of this set such that C = M using the fixed subsets and then 0 with the keys belonging to the subsets in the cover. For convenience, encrypts KM S S we take C as a shorthand for c∈C c, i.e. the union of all sets in the family C. In general, the problem of calculating an optimal subset cover is NP-complete. However, the concrete schemes used select these subsets in such a way that there is a polynomial-time algorithm which does yield an optimal cover. Optimality in this case is using as few subsets as possible. Note that the bandwidth usage is O(|C|), so to keep bandwidth requirements down, |C| should be minimized. The optimality of a selected subset cover is, however, not too important, if a good approximation can be made. The general subset cover problem can be approximated within 1 + ln m with an algorithm given in [11]. Since F is fixed beforehand, the keys can be given to the users at startup. The key for a subset is never changed, meaning that this scheme is stateless.

3.3.1

Structure of a subset cover message

The structure of a subset cover message is quite straight-forward, but there is one subtlety, the use of envelope keys, which is important. The basic structure of a key update message in a subset cover scheme is 0 0 0 < C, EKc1 (KM ), EKc2 (KM ), · · · , EKcm (KM )>

where c1 , · · · , cm were the m sets used for the cover and C here is some information on what sets were used for the cover. This is needed to allow a member to calculate 0 and what part of the broadcast to decrypt. In what key he is to use to decrypt KM practice, this would likely be a list of set identifiers for the sets used in the cover, but it could also be a description of what users were covered, making members calculate the cover for themselves, thus discovering what keys were used. 0 directly, the key server can use an intermediary ranInstead of encrypting KM domly generated key, called an envelope key, and instead broadcast 0 < C, EKc1 (KE ), EKc2 (KE ), · · · , EKcm (KE ), EKE (KM )>

This does not give any bandwidth gains in the normal case when we have |KE | = 0 |, but it turns out to be useful later, when we discuss stateful subset cover and |KM stateful over stateless (sections 4.1 and 4.2). In these cases, more information than 0 is to be distributed to members, and K will be smaller than the size simply KM E of this information.

3.3.2

Key-indistinguishability

Key-indistinguishability (kIND) is a possible property of a Subset Cover scheme (3.3). For a scheme to have the kIND property, it must hold that for every key Ki in the system, for an attacker given all information available to all users in 15

1

2

3

5

4

8

9

10

6

11

12

7

13

14

15

Figure 3.2. The sets S2,10 and S6,12 in a SD tree

U\Si , the key is still indistinguishable from a random string of the same length. Indistinguishability here means that an attacker (as usual limited to bounded-error probabilistic polynomial time (BPP)) cannot differentiate between the two with more than non-negligible probability. For a strict definition, see [17]. A proof has been given that a subset cover scheme satisfying the kIND property is secure in the security model presented in the same paper. It has further been shown that the two methods Complete Subtree and Subset Difference both satisfy kIND.

3.3.3

Complete Subtree

Complete subtree is probably the simplest of the subset-cover schemes. It uses a key structure identical to LKH with a binary tree. A big difference here is that all of U are leaves of the tree, not just M. The keys are also static and the scheme is thus stateless. For every node v in the tree, Sv ∈ F, where Sv is the set of all leaves in the subtree rooted in v. The keys for different subsets are independent. There is an efficient algorithm for calculating the subset cover when using this method, based on calculating the Steiner tree with the root and all leaves belonging to revoked users. For details, see the original paper [17].

3.3.4

Subset Difference (SD)

Subset difference was presented in the same paper ([17]) as the complete subtree scheme. It represents a significant improvement in bandwidth consumption compared to the previous method at the cost of slightly more client memory (O(log2 u) compared to O(log u)) and the need for a secure pseudo-random number generator. For every node v in the tree, and every node w below v, we have Sv,w ∈ F, where Sv,w is the set of all leaves in the subtree rooted in v, except for those in the 16

subtree rooted in w. In figure 3.2, two such sets are shown, the set S2,10 and the set S6,12 . In the figure, leafs within either set have been drawn with normal lines and nodes outside of the sets have been drawn with dashed lines. Internal nodes have also been drawn solid or dashed to make the set structure more clear, even if those nodes do not represent users. The user is not given the keys directly, since that would consume too much user memory. Instead, he is given values from which the keys he should have access to can be derived by O(log m) applications of a pseudo-random number generator. For details on how the key derivation in SD works, see [17].

3.3.5

Layered and Stratified Subset Difference (LSD and SSD)

There are two later variations of SD which both offer a tradeoff between user storage and bandwidth. They are called Layered Subset Difference (LSD, [8]) and Stratified Subset Difference (SSD, [7]). Both methods have worse bandwidth performance than the original SD scheme, but can offer significant decreases in user storage. Since the focus of this thesis is on reducing bandwidth requirements, these schemes will not be discussed further. Both schemes, like SD, rely on the existance of a secure pseudorandom number generator for their security. LSD has the kIND property, while SSD does not. It is, however, easy to modify SSD such that it also has kIND. For comparison purposes, both LSD and SSD will be included in the summary table in section 3.7.

3.3.6

Dynamic Subset Difference (Dynamic SD)

A recent paper [4] presents a modification to the basic SD protocol where some state is introduced in order to improve the efficiency. Instead of keeping all users in one large binary tree, members are put into smaller trees and revoked users may or may not be present in a tree. When a user is added as a member, the key server looks for the leftmost unassigned leaf. If such a leaf is found, the user is assigned to that leaf and gets all the keys associated with that position. If no unassigned leaf is found, a new tree will be created and the user is then assigned to the leftmost leaf in that tree and given the keys associated with the position. When a member is removed, the position he previously occupied in the tree is permanently revoked, i.e. it will not be assigned to anyone, not even the recently removed member, should he return. When a tree becomes empty, it is discarded by the key server. To do a key update, the key server simply performs a regular SD update on each tree individually. In the paper significant improvements in broadcast size were shown when the percentage of members out of the total number of users is between 30–70%, which is the range in which regular SD performs its worst. Various strategies for moving non-revoked users to new trees in order to improve performance were also evaluated in the same paper. 17

1

3

2

5

6

7

8

9

4

10

11

12

13

Figure 3.3. Hierarchical key tree, showing subsets S2,110 and S1,011 selected

3.3.7

Improving performance by prefix truncation

A technique called prefix truncation was suggested in [17] to reduce the bandwidth requirements of a subset cover scheme. Recall that the structure of a subset cover message is 0 < C, EKc1 (KE ), EKc2 (KE ), · · · , EKcm (KE ), EKE (KM )> 0 |. Decreasing |K | will thus significantly and thus the size is |C| + m|KE | + |KM E reduce the bandwidth usage, while making the scheme more vulnerable to bruteforce attacks. Since what KE protects is just a new short-lived media key, in a commercial setting we can assume that it is not worth it for an attacker to expend significant efford to recover that key illegally. In practice, a standard block cipher with a block size of 128 bits or larger will likely be used for the encryption of KE , thus setting a minimum on |KE |. However, we can go lower than this by using prefix truncation. When creating a new message key the key server created a random string U the same size as the block size of the cipher used and a KE of arbritrary size smaller than |U|. Then, let the key management message be 0 < C, U, Prefix(EKc1 (U)) ⊕ KE , · · · , Prefix(EKc2 (U)) ⊕ KE , EKE (KM )>

where Prefix() is a function that extracts the top |KE | bits from its argument and ⊕ is the exclusive-or (xor) function.

3.3.8

Hierarchical Key Tree (HKT)

A method due to Asano [1] puts users in a balanced a-ary tree, called a Hierarchical Key Tree (HKT), instead of the binary trees used in, for instance, subset difference. The subsets here consist of all nodes under an arbitrary set of children of a specific parent node. I.e. for each node, there are 2a − 2 subsets (“none of the children” is not very useful and “all of the children” is equivalent to moving the parent one level up) . There is also a special subset for the entire tree (i.e. U), in the case that there are no revoked users. 18

The subsets are labeled as Sv,b , where v is a node and b is a a-bit string. Bit i in the string is 1 if the nodes below the i:th child of node v are included, and is 0 if they are not included in the subset. For an example, see figure 3.3. Asano uses the master key technique from [5] to reduce the amount of private storage needed for the users. Two methods are presented in the paper, one which reduces private storage in users to O(log u/log a), the other reducing it to O(1). The second method, with O(1) private key storage forces the key server to generate, and the users to store, a too large amount of (non-secret) primes to be useful in our scenario, so in this thesis, when we talk about hierarchical key tree, we will always refer to the first method. The downside is that the key server must publish a possibly large amount of primes which the users will have to download (but will not have to worry about keeping secret). The keys stored by users in the system will also necessarily be larger than keys used in other systems, since the keys are elements in the group Zpq where p and q need to be large primes, so that pq is difficult to factor. Asano’s scheme is a stateless scheme, and rests on computational assumptions for its safety. In this case, the scheme’s safety relies on the following assumption related to the RSA cryptosystem: Proposition 3.1. If factors q1 , q2 of a large composite M = q1 q2 are unknown then computing pth roots (mod M ) for integral p > 1 is difficult.

3.4

Scalable and Lightweight Key Distribution (SLKD)

In a paper from 2004, Lee and Shieh [12] presented a technique that could be used to build a key distributing network. Such a network consists of three types of entities, a key generator, key distributors and members. The key generator is responsible for generating new media keys and sending out information to new joiners, thus taking the same role as the normal key center. The key distributors are important parts of the network, in that they actively change the message passing through them, and for a member to be able to decode the message, he must receive his message from the correct key distributor. The key distributors themselves are not able to get any information about the media key. In the start-up, the key generator selects large primes p, q and keeps them secret, while publishing n = pq. It also selects a secret number S ∈ Zn∗ and m + 1 numbers ∗ {x0 , x1 , · · · , xm } ∈ Zφ(n) , where m is the number of key distributors in the network. It also selects a large, secret integer w, with bit length twice as long as n. For each key distributor Ni , let Np(i) be the key distributor it receives messages from. As a special case, let the key generator be N0 , so a key distributor connected directly to the generator will have N0 as its parent. The key generator securely sends Ni , xi x−1 p(i) mod wφ(n) and wφ(n) to each key distributor. To each user attached to key distributor Ni , the key generator securely −1 sends S xi mod n. 19

To establish a new shared key, the key generator picks a random number r ∈ and broadcasts x0 r to all adjacent nodes. Adjacent key distributors Ni will use their secrets to calculate xi x−1 0 · x0 r ≡ xi r(mod wφ(n)) and broadcast that. Users attached to a key distributor Ni will receive xi r and be able to calculate the shared −1 key S r simply by calculating (S xi )xi r ≡ S r (mod n). The key generator, knowing S, n and r can easily calculate S r mod n. To revoke a user from the system, we only need to update keys in other nodes adjacent to the key distributor Ni that the user is attached to. The key generators 0 picks a new random x0i and securely unicasts x−1 i xi to Ni . To update key distributors which are clients to Ni , it securely unicasts xi x0−1 to all those. It also securely i 0−1 −1 unicasts S xi −xi to all non-revoked users attached to Ni . A key distributor receiving such a message can correctly update its transformation parameter simply by multiplying the old one with the received value. Users receiving an update will do 0−1 0−1 −1 −1 the same, since S xi S xi −xi = S xi . ∗ Zφ(n)

3.5

Hybrid Schemes

Recently, Jiang and Gong [9] have proposed a scheme which they call hybrid broadcast encryption. What this scheme does is that it revokes users statelessly up until a certain number of users have been revoked. Once this threshold is reached, users are explicitly (i.e. statefully) revoked. A simple application of this scheme would be a combination of the CS and LKH protocols. In the normal rekeying the key server performs covering of users using the CS method to keep revoked users from receiving the media key. When the number of revoked users is too large, a stateful rekeying is performed instead, changing the keys that revoked users had access to. After this, the key is transformed and will only contain members and will thus be coverable using few subsets. Note that this scheme only provides limited backwards security. This means that a user joining could have recorded messages since the last rekeying and possibly be able to decrypt some content. This since that place would have been empty in the tree when those broadcasts were made and thus may have been covered during stateless broadcasts.

3.6

Problems with previous works

Almost all schemes presented here suffer from various problems which make them not fully suitable for our scenario. The subset cover based schemes (except for dynamic subset difference) all have in common that they perform poorly if m u and the members are randomly distributed in the tree. Such a user distribution will effectively reduce the scheme to the same performance as the naive method with one key per user. The naive scheme requiring one message per member is much too expensive, and the power set method by far exceeds the memory available in clients for large u. 20

Johansson [10] has shown that for large m, various variations of LKH do not perform well enough for our scenario either.

3.7

Summary

Many protocols have been covered in the previous chapter, so a brief recap is in order. The main attributes of all protocols discussed have been summarized into two tables, one for the stateful protocols and one for the stateless. Since the main focus of this thesis is bandwidth optimization, we will be extra careful in that portion of the table and give the coefficients, instead of just giving the measurement in ordo notation. Note that often, the difference in bandwidth performance between protocols will be in the constants.

3.7.1

Stateful algorithms

All the stateful algorithms covered in this chapter have been summarized in table 3.1. For the stateful algorithms, the performance is normally dependent on the number of added and removed members since last rekeying. Recall that ∆m and ∆r denote the number of users who have been added and removed since the last stateful rekeying, respectively. For the tree-based systems, to be more precise, the bandwidth consumption is generally linear (with a low constant) in the number of keys in the key tree which must be changed. This number depends on how the changes are distributed in the tree, the closer to eachother changes occur, the more nodes they will have in common and the fewer keys will thus have to be changed. We denote the number of keys changed as aj and note that aj = O(∆m log m) and aj = O(∆r log m) for removals. For the hybrid schemes, the bandwidth cost for the stateful updates are given here. Additions in hybrid schemes is dependant on a free position being available as they are presented in [9], thus no addition-cost is given in the table. For hybrid HKT, a is the branching factor of the tree, just as in normal HKT. For SLKD, it is impossible to properly analyze the performance, since it depends heavily on the network structure which is used. For this reason, no bandwidth usage costs are given in the table.

3.7.2

Stateless algorithms

The stateless algorithms discussed in this chapter have been summarized in table 3.2. For LSD, the values given here represent the basic LSD, which uses only two layers. As stated in [8], the basic LSD is what would most likely be useful in practice. The generalized LSD decreases user memory slightly at an increasingly large cost in bandwidth, which is the opposite direction from the aim of this thesis. 21

Scheme

User memory

Additions

Removals

Reference

LKH OFT ELK Hybrid LKH + CS Hybrid HKT SLKD

O(log m) O(log m) O(log m) O(log m) m O(2a + log log a ) O(1)

aj aj 0 N/A N/A N/A

2aj aj − 1 aj − j m 3∆r + 2∆r log ∆r ∆r−1 m a−1 + ar loga ∆r N/A

[21, 22] [13] [18] [9] [9] [12]

Table 3.1. An overview of stateful schemes

Scheme

User memory

Worst case bandwidth

Reference

Naive 1 Naive 2 CS SD LSD Dynamic SD SSD HKT

O(1) O(2u ) O(log u) O(log2 u) 2 O(log 3 u) O(H 2 ) O(k log u) u O(2a + log log a )

m 1 min(r log ur , m) min(2r − 1, m) min(4r − 2, m) min(Nt + 2r − 1, m) min(4kr − 2, m) log(u/r) min(r log a + 1 , m)

N/A N/A [17] [17] [8] [4] [7] [1]

Table 3.2. An overview of stateless schemes

Recall from the discussion of dynamic SD (section 3.3.6) that it is not entirely stateless. It is however multicast stateless and, since it has more in common with the stateless protocols than with the stateful protocols, it was placed in this category. The analysis of worst case bandwidth is difficult, since it depends on what reorganizing strategy is utilized. In the table, let H denote the height of trees used and let Nt denote the number of trees currently active. For SSD, k is a constant that decides how much work needs to be done by the 1 client. The client’s computational usage is u k , so k must be sufficiently large to make this number reasonable. For HKT, in our scenario, the separation of private and public storage is not very important so the number presented is the sum of private and public storage required. The parameter a is the branching factor of the tree used.

22

Chapter 4

Optimization ideas In this chapter, some new ideas for improving the bandwidth performance will be presented. The main contribution is a general framework for making subset difference schemes stateful, presented in section 4.1. A further development of the idea in dynamic subset difference (section 3.3.6) will be presented in 4.2. The ideas of modifying the distribution network will be explored with the concept of filters (section 4.3).

4.1

Stateful Subset Cover

Current subset cover schemes generally have bandwidth performance which is linear in r while stateful schemes accomplish (∆m + ∆r) log m, where ∆m and ∆r are the total number of added and removed users since last key update, respectively. In this section, a general technique for transforming a subset cover scheme into a stateful scheme through the introduction of a state key is presented. This makes the bandwidth performance linear in ∆m + ∆r instead of in r. As will be discussed further in section 5.1.3, this weakens the security of the system somewhat in that it opens up the opportunity for collaboration. This risk can be mitigated by periodically using the normal update mechanism of the underlying subset cover scheme. This is referred to as a hard update. The basic idea presented here was developed at Ericsson Research before the author started working on this project. The author’s contributions are the algorithms for specific subset cover schemes, much of the formalisms, and the work on evaluating the performance and security of the system.

4.1.1

An intuitive description

Recall that a subset cover scheme (section 3.3) works by covering members using a static family of subsets of users. The subsets are created at startup-time and are constant throughout the life of the system. Each subset is associated with a key which only users in that subset have access to. To distribute a new media key, the 23

media center broadcasts the new media key encrypted with the key for each subset in the cover. Such schemes can be extended by adding a state key, which is distributed alongside with the media key to members. This state key is then used for distributing the next media key and state key. When the key server broadcasts a new media key (and state key) it will not encrypt the new media key directly with the keys of the selected subsets, instead it will use the key of the selected subset transformed by the current state key with some suitable function (e.g. xor or a secure hash function). This means that to decrypt the new media key, a user must not only be in a selected subset, but must also have the current state key. The key server, when it saves bandwidth doing so, is thus free to cover nonmembers too, as long as these non-members do not have access to the state key. Or, to phrase it another way, the key server must only avoid the revoked users which have the current state key, i.e. those who were removed recently. To discourage cheating (see section 6.6), we’d like for this cover to cover as few revoked users as possible, which is called a cheap cover. The alert reader may have noticed a problem with the system as described. If the state key is needed to decrypt the new media key and state key, how do we handle recently joined members, who do not have the current state key? The answer is that the state key is not used when covering joiners, and thus all of R must be avoided. However, the scheme is free to cover current members who have a state key, and we’d like it to cover as many of these as it can, since those covered here will not have to be covered in the cover using the state key. This is called a generous cover. This class of schemes also supports running in what can be called semi-stateless mode. That means that the key server is in each round free to decide whether it wishes to update the state key or not. As long as the state key is not updated, the scheme will have the properties of a stateless scheme, but the bandwidth performance will gradually increase since ∆m and ∆r will increase. A media key update when the state key is changed is called a stateful update and one where the state key remains unchanged is called stateless update.

4.1.2

Generalized subset covering

For this type of scheme to work, a new cover function is needed. The traditional subset cover has two types of users: members and revoked, or blue and red. The new cover function has three types of users: blue, red and black. The output is a cover covering all users marked blue and not covering any red users. Users marked as black, can be either covered or not covered. For security reasons, there are two versions of the cover algorithm for each scheme, generous and cheap. Both versions will primarily minimize the number of subsets used for the cover. The generous cover will attempt to cover as many black nodes as possible and the cheap cover will cover as few as possible. More formally, we have a new decision problem, Optional-Set-Cover(F, M, m, n), where F is a family of subsets of some finite set S, M is subset of the same 24

S and m and n are integers. The problem is: is there a subset C ⊆ F such that S S S C ⊇ M, |C| = n and | C| = m? Recall that, for convenience, we let C denote S c∈C c, i.e. the union of all subsets in the family C. This decision problem is NP-complete, which can easily be proved. First, it is in NP since it has a polynomial-sized certificate, C. Second, Subset-Cover() can trivially be reduced to it, since Subset-Cover(F, n) is equivalent to OptionalS S Subset-Cover(F, F, | F|, n). The two optimization problems, generous and cheap, both primarily want to minimize n, and then on the second hand either want to maximize or minimize m, respectively. The optimization problems are denoted Generous-Cover(F, M, R) and Cheap-Cover(F, M, R). For notational convenience, a third parameter,R, is added with the set of red users. It is trivial to, in polynomial time, filter out from the set F those sets which intersect with R, so this does not affect the complexity. This is also a more natural notation given how the cover algorithm is used in broadcast encryption.

4.1.3

The framework

The system is initialized exactly as the underlying subset cover scheme, with one exception. A state key, KS is generated by the key server and given to all initial members of the system. The key server also keeps track of the set of users to which it has given the current state key, the set S. The family of sets defined by the underlying subset cover scheme will be denoted F. To update the key, the key server first decides whether it is time to do a hard update or not. If a hard update is done, it uses the underlying scheme to distribute 0 and K 0 and sets S ← M. a new KM S If it was not time to do a hard update, it begins by calculating a cover C1 as C1 ← Generous-Cover(F, M\S, R). Note that this cover is empty if M\S is empty, i.e. if no new members have been added since KS was last updated. After this, it checks if R ∩ S = ∅. If this is the case, i.e. no one has been removed since KS was last updated, no one besides members has KS and thus KS can be used to securely communicate with members. If R ∩ S = 6 ∅, it instead calculates S C2 ← Cheap-Cover(F, M\( C1 ), R ∩ S). The key server then broadcasts a message consisting of, first, for every c ∈ C1 : EKc (KE ), where Kc is the key associated with subset c. Secondly, if R ∩ S = 6 ∅, the message will contain, for every c ∈ C2 : EKc (KF ), or if R ∩ S = ∅, EKS (KF ). We let KE = f (KF , KS ), where f is a suitable function, such as xor or a hash 0 , K ) or E 0 0 function. Finally, the message will contain EKE (KM S KE (KM , KS ) if it was a stateless or stateful update, respectively.

4.1.4

Generic cover

In general, a normal subset cover algorithm can be used to solve the optional subset cover problem, but in general not optimally. Since subset cover schemes generally 25

have bandwidth performance which scales linearly with R, it is often beneficial to minimize R. So, for the optional subset cover problem, we can simply re-mark all black users blue and then run the normal subset cover algorithm on the resulting set. Postprocessing can be done to remove any sets covering only originally black users. Post-processing can also, in the cheap variant, attempt to narrow a set down (i.e. change the set so that fewer black users are covered). For a specific underlying scheme, it is often possible to make better use of the black nodes than this rather naive transformation. Two such algorithms for subset difference and hierarchical key tree will be discussed in sections 4.1.5 and 4.1.6 respectively.

4.1.5

Subset Difference

For subset difference (section 3.3.4), which is one of the most important subset cover schemes, a new cover algorithm has been developed. The algorithm has slightly worse constants than the original cover algorithm, but the same asymptotic complexity. This algorithm could also be used in stateful variants of other subset cover schemes which use the SD cover method, such as LSD and SSD (section 3.3.5). We let each node v have three variables, two booleans, v.blue and v.red and one integer, v.black. Black counts the number of black nodes which can be excluded under that node. If blue is true, it means that there are uncovered blue nodes (i.e. nodes which must be covered) below that node. If red is true, it means that there are red nodes (i.e. nodes which must not be covered) below that node. A basic observation is that a node v where both the left and the right child has a red node below it cannot be used as a top node for a key. So, if any blue nodes are below such a node, the top node to use for the set cannot be higher up in the tree than l(v) or r(v). For the algorithms given, we assume that the bottom nodes (i.e. the user nodes) have already been colored. That means that for a blue node v, v.blue = true, v.red = false and v.black = 0. Analogously for a red node. For a black node v, v.blue = v.red = false and v.black = 1. The algorithm consists of three functions. Find-Cover() is the top-level function which is called to generate the entire cover, with a parameter telling it if a generous or cheap cover is wanted. All Find-Cover does is that it “adds up” the color in children nodes, and call a helper-function to calculate the exact subset when it discovers that a subset has to be placed. When subsets are placed, they are guaranteed to cover all remaining blue nodes under the current node. This means that there is nothing left to be covered below that node, so the parent will be covered with only red, instead of the usual “sum” of the child nodes. Then, there are two other functions, Generous-Find-Subset() and CheapFind-Subset() which calculate a single subset, given a top node which is the highest place for the top node of the subset. Both versions use the color markings placed by Find-Cover() to calculate the subset. The generous version will just ensure that 26

no red nodes are covered, while the cheap version will both ensure that no red nodes are covered and will attempt to exclude as many black nodes as possible. To make the pseudo-code more readable, we let Find-Cover() “call” the nonexistant function Find-Subset() with a generous parameter, instead of checking generous and calling Generous-Find-Subset() if it is true and Cheap-FindSubset() otherwise. Generous-Find-Subset(T , v) (1) if not v.red (2) if v = root (3) return S1,Φ (4) else (5) return Spar(v),sib(v) (6) excl ← n (7) while not l(excl).red or not r(excl).red (8) if l(excl).red (9) excl ← l(excl) (10) else (11) excl ← r(excl) (12) return Sv,excl

Cheap-Find-Subset(T , v) (1) if not v.red and not v.black (2) if v = root (3) return S1,Φ (4) else (5) return Spar(v),sib(v) (6) if not l(v).blue (7) return Cheap-Find-Subset(T , r(v)) (8) else if not r(v).blue (9) return Cheap-Find-Subset(T , l(v)) (10) excl ← v (11) while excl.blue (12) if l(excl).red (13) excl ← l(excl) (14) else if r(excl).red (15) excl ← r(excl) (16) else if l(excl).black > r(excl).black (17) excl ← l(excl) (18) else (19) excl ← r(excl) (20) return Sv,excl 27

R

R

B,R,K

R,K

B,R

R

B

K

B,R

B,K

R

B

K

B

R

Figure 4.1. A sample coloring of a stateful subset difference tree

Find-Cover(T , generous) Input: T is a stateful SD tree where the nodes representing users have been colored. generous is a boolean, true for generous cover, false for cheap Output: A cover C (1) C←∅ (2) foreach node v ∈ T in depth-first order (3) if l(v).red and r(v).red and (l(v).blue or r(v).blue) (4) if r(v).blue (5) C ← C ∪ Find-Subset(T, r(v), generous) //Shorthand for Generous-Find-Subset or Cheap-Find-Subset (6) if l(v).blue (7) C ← C ∪ Find-Subset(T, l(v), generous) (8) v.red ← true (9) else (10) v.red ← l(v).red | r(v).red (11) v.blue ← l(v).blue | r(v).blue (12) if v.blue (13) v.black ← max(l(v).black, r(v).black) (14) else (15) v.black ← l(v).black + r(v).black (16) if root.blue (17) C ← C ∪ Find-Subset(T, root, generous) (18) return C As an example, consider the tree shown in figure 4.1. Due to the lack of color printing, we let the letter ’R’ denote v.red = true, ’B’ denote v.blue = true and ’K’ denote v.black = 1. The bottom nodes have all been colored in the input to the algorithm. Going through the nodes in depth-first (left-to-right) order, in the first node, the red and blue from the children node is combined into the parent. In its sibling, the black and red colors propagate up. When we get to node 2 (the left child of the root), then both children are marked with red and at least one of the children is marked with blue. This will cause 28

Generous-Find-Subset() or Cheap-Find-Subset() to be called, depending on if it is a cheap or generous cover we are calculating. In both cases, find-subset will select the subset S4,8 , which covers the single blue node 9. For the right subtree, colors will propagate upwards and the coloring will reach node 3 without Find-Subset() behing called. However, both children of the root are colored red, and node 3 is blue, so one of the Find-Subset() functions will be called again. In this case, the subset S3,14 will be selected, which covers the two blue nodes 12 and 14 and the black node 13.

4.1.6

Hierarchical Key Tree

For hierarchical key tree (section 3.3.8), an optional-cover algorithm has been developed. This algorithm is similar to the one given for subset difference, but is much simpler. Just as with subset difference, the algorithm assumes that the nodes representing members have already been colored in the input to the algorithm. Find-Subset(T , v, generous) (1) top ← v (2) if not generous (3) while top has exactly one blue child and that child is not a leaf (4) top ← top’s blue child (5) b←0 (6) for i = 1 to a (7) if childi (top).blue or (generous and not childi (top).red) (8) set the i:th bit in b to 1 (9) return Stop,b

Find-Cover(T , generous) Input: T is an a-ary HKT tree where the nodes representing users have been colored. generous is a boolean, true for generous cover, false for cheap Output: A cover C (1) C←∅ (2) foreach node v ∈ T in depth-first order (3) v.blue ← child1 (v).blue or child2 (v).blue or · · · or childa (v).blue (4) v.red ← child1 (v).red or child2 (v).red or · · · or childa (v).red (5) if v.red and v.blue (6) C ← C ∪ Find-Subset(T, v, generous) (7) v.blue ← false (8) if root.blue (9) C ← C ∪ Find-Subset(T, root, generous) (10) return C Consider the key structure of HKT. If a node has at least one blue and at least one red child, a subset must be created at that node. The subset cannot be placed 29

r

r

r

b

b

k

k

k

k

b

b

b

Figure 4.2. A sample coloring of a stateful hierarchical key tree

higher up in the tree, or the red node would be covered. In the cover algorithm, the color black can actually be ignored, so there is no need to propagate it. Also, a node can only be either red or black, a node can never have multiple colors as in stateful SD. That a node v is red in this case means that v has at least one red leaf below it (or is a red leaf). A node v being colored blue means that v only has blue or black leaves below it (or is itself a blue leaf). As an example of the cover algorithm, let us consider the example in figure 4.2. At first, only the leaves are colored. For the three leftmost leaves, their parent node becomes both blue and red in the coloring step, and thus Find-Subset() is called which creates the subset S2,010 or S2,011 if generous was true, and the blue from the parent is thus removed. Considering node 3 (the middle node), it remains uncolored since it has neither blue nor red children. Node 4 (the right node) is colored blue since it has at least a blue child. The root is then colored both red and blue in the coloring step, causing another call to Find-Subset() and removal of the blue color. This time, if generous is false, then the top of the subset will be stepped down to node 4, causing the subset to become S4,111 = S1,001 . If generous is true, the top can never be moved down and the selected set will instead be S1,011 .

4.2

Stateful over stateless

The basic idea of dynamic subset difference (section 3.3.6) is interesting. Instead of putting all users into a large structure at the beginning, users can instead be inserted in small trees, which are generated dynamically, as needed. With rebalancing algorithms, we can strive to keep the active trees well populated, since stateless protocols generally have a bandwidth performance of O(r). A trivial generalization of the dynamic SD protocol is to replace SD in the small trees with a different stateless protocol, or even several different protocols. As noted in [15, 16], it can be beneficial to use several different schemes simultaneously depending on various characteristics such as user behaviour or time. A slightly less trivial generalization is to connect the trees together with a stateful protocol, such as LKH or OFT. For the stateless protocol, consider each tree a user. When a user leaves or joins, revoke and immediately (if any users are left) re-join the node belonging to the tree that user was or is in. Only a slight modification needs to be done in the stateful protocol, and that is that when a user’s private 30

1Mb, 64kbps 1Mb,64kbps "Router"

Provider Network

1Mb, 64kbps

Key server

Network without filter

0.5Mb, 64kbps 1Mb,128kbps Filter

Provider Network

0.5Mb, 64kbps

Key server

Network with filter

Figure 4.3. Inserting a filter making a perfect split of the members

key is to be used, the stateful protocol must instead use the stateless protocol to communicate with the members. The negative effect of this modification is that the entire system becomes stateful. However, bandwidth savings are possible, especially if user movements is small. While this scheme could work by putting a stateful scheme over a stateful subset cover scheme, that would most likely not give any large benefits and could in fact even make the bandwidth performance slightly worse. This framework is heavily dependent on heuristics to acheive good performance. In [4] a few different balancing strategies were explored for dynamic SD showing that bandwidth performance will vary greatly with heuristics choices. One reason why SD may not be the best choice for a system where subset cover trees are dynamically allocated is that SD has a quite large storage requirement per user (O(log2 u)), which means higher cost to create a new tree and communicating the keys to members. In hierararchical key tree, each user has instead O(log u/log a) keys. There are also a number of non-secret primes which must be stored by a member, but the same set of primes can be used for all trees in the system. Thus, these only need to be transferred to users at startup-time and do not add to the cost of moving a member to a new tree.

4.3

Filters

Instead of just seeing the network as a single broadcast medium, we can insert devices in the network which actively modify the message. The simplest form of 31

such modification would be to simply drop the parts of messages which are not relevant to users located behind the device. We refer to a device simply dropping parts of messages as a filter. The idea of filters was developed at Ericsson Research before the author’s project there started. For the scenario given in this thesis, a filter can be very useful. Each filter, given that they’re placed strategically in the network, has the same amount of bandwidth as was originally available without filters. This since the bandwidth limit exists only at the edge of the network, close to the customers. As an example, illustrated in figure 4.3, assume the bandwidth at the edge of the network available to key management is 64 kb/s and the system has two million users. The key management message for these users is one megabyte. A pair of filters are added, each of which cover one million users. This means that the traffic passing through each filter can use 64 kb/s and need only cover one million users. If the split is ideal and no keys are split, each filter will have to pass approximately a half megabyte of data. Thus, the total time for the key update will be half the original time. Just randomly taking e.g. an SD tree and dividing the users into two (or more) groups depending on where they are localized in the network structure will not give a perfect split. Many sets used in the cover will cover users on both filters and thus must be let through both of them. To avoid this, a structure with a forest of SD trees can be used with users being placed in an SD tree depending on what filter they are behind. When the users moves in the network, as cellular users do, they will be removed from their old tree and added into a new one. Two schemes suitable for this type of usage are dynamic SD (section 3.3.6) and stateful over stateless (section 4.2).

32

Chapter 5

Theoretical evaluation This chapter will cover some theoretical evaluation of the optimizations presented in chapter 4. The theoretical evaluation mainly consists of two parts, evaluation of worst-case performance and security. For the algorithms given, correctness and performance analysis will also be done.

5.1

Stateful Subset Cover

Stateful Subset Cover is a generic framework for transforming a subset cover protocol into a stateful protocol which was presented in section 4.1. In this section, theoretical evaluation of the performance and security of the general framework is done. Proofs of the correctness and analysis of the running time of the cover algorithms presented are also given.

5.1.1

Performance

The storage requirements will not be changed by the addition of state, so they will be the same as those of the underlying scheme. The system will take on the negative properties of a stateful system in that packet loss becomes a more serious issue which will need to be mitigated, see the discussion in section 2.5.1. The bandwidth performance will in general improve. The bandwidth usage for the first cover calculated (for joining members, where the state key is not used) is at worst that of the underlying scheme with ∆m members and r revoked users. For the second cover, where the state key is used, the performance is at worst that of the underlying scheme with m members and ∆r revoked users. Plugging in the values for SD, we get a worst-case bandwidth performance of min(2r +1, ∆m)+min(2∆r + 1, m), which will for reasonable values be ∆m + 2∆r + 1. This can be compared to e.g. OFT which has a performance of (∆m + ∆r) log m. The worst-case performance is better than previous protocols. A comparative performance evaluation in several usage scenarios has also been performed, and the results are presented in chapter 6. 33

5.1.2

Correctness

The framework is correct in that a member can recover the new key, as long as he has not missed any broadcasts relative to the last stateful update. For a member, there are two cases. Either, he has recently been added and does not have the current state key or he has the current state key. If a member m does not have the current state key, then the set M\S 6= ∅ since it must at least contain m. In this case, the cover C1 = Generous-Cover(M\S, R) will be calculated and the underlying scheme will be used to distribute the keys with the resulting cover. If the underlying scheme is correct, the member will be able to recover the key and current state key. If, on the other hand, m does have the current state key, there are three cases. If m is covered by C1 then he can discover that fact by looking at the information about the cover and recover the key, given that the underlying scheme was correct. 0 ) and since If R ∩ S = ∅, then the new media key will be distributed as EKS (KM m has KS , he can recover the new media key. S If R∩S 6= ∅, then a second cover, C2 = Cheap-Cover(M\( C1 ), S ∩R) will be calculated. Since m has the state key and was not covered by C1 , he will be covered by C2 . Given that the underlying scheme is correct, he can then recover KF , from which he can derive KE since KE = f (KF , KS ) and he has both of KF and KS . He 0 ) since he can can then recover the new media key which is distributed as EKE (KM calculate KE .

5.1.3

Security

With regards to security, it is easy to see that collaboration could be used to cheat. If a recently revoked user, who has the state key, co-operates with a previously revoked user who is covered, they can together recover the new state key and media key. Since the key server is the unaware that they have the state key, it may cover them in subsequent rounds, allowing them to continue to decrypt the content. However, as will be analyzed in section 6.6, this does not appear to be a big risk. Recall from the discussion in section 2.4.1 that in our scenario, we can make it costly to extract keys by storing them in tamper-resistant DRM-modules. The expectancy of how long a cheating user can illegaly watch the broadcast is so short that it will most likely not be cost-effective to extract state keys and distribute them. Stateful subset cover is a stateful protocol and, as was discussed in section 2.6.1, no general security models defining attacker capabilities exist for such protocols. Developing such a model was beyond the scope of this thesis, so the security evaluation is limited to the practical analysis of how severe the problem with collaboration is.

5.1.4

General cover algorithm

It is easy to see that the general cover algorithm will work correctly, given that the underlying cover algorithm does. The pre-processing will mark all black nodes as blue, which means that the underlying algorithm will cover all black and blue 34

nodes, and avoid covering any red nodes. The post-processing then removes any sets selected consisting only of black nodes, or if possible, cuts down the sets to reduce the number of revoked users in them. Neither of these steps will either cause the cover to miss a blue node, or to cover a red node. At most u users can be undecided, so at worst, u nodes must be re-labeled. The output of the cover will cover each undecided or cover node exactly once, so the cost of going through the sets is at most the number of such nodes, which is u. Thus, the added runtime for both the pre-processing and post-processing steps is O(u).

5.1.5

Subset difference

The performance of the cover algorithm is O(u). On the way up, each node will be visited exactly once and the tree has O(u) nodes. When Find-Subet() is called, the top node will only be colored red. All downward traversal in the Find-Subset() functions will always stop at a node colored only red. This means that on the way down (i.e. in Find-Subet()) each node can be visited at most twice.

5.1.6

Hierarchical key tree

The performance of the cover algorithm is O(u), just as with stateful subset difference. The number of nodes in the tree is O(u) and each node can be visited at most twice. First, during the coloring of nodes, each node is visited. In Find-Subset(), if generous is false, the algorithm walks down through the tree. However, it will only go down to a lone blue child. The node on which Find-Subset() was called will either be marked red or be the root, and thus that node will never be reached again by Find-Subset().

5.2

Filters

The filter is a simple device, simply removing those parts of the key management message which are not relevant to users behind it. This implies that the filter needs knowledge both of what users are located behind it, network-wise and knowledge of the key structure and message structure of the broadcast encryption scheme used.

5.2.1

Performance

The performance benefit of inserting filters into the network is dependent on how large part of the messages that can be filtered out. In the best case, the insertion of n filters will split the key management message in n identically large parts and will thus reduce the time it takes to send the message by a factor n, given that there is enough bandwidth available on the path between the key management server and the filters. On the other hand, should all of the message be relevant to users behind one of the filters, the total time for the key management update will be unchanged. The relevant measurement of performance is how long time it takes for all members to 35

receive the full key management update message, since the content server cannot 0 until all members have received K 0 . Should it do so, some members start using KM M would not be able to decrypt the content.

5.2.2

Security

An attacker gaining control of one or more filters does not gain any information or any capabilities he did not have before. We already assume that the network is insecure and that attackers can freely read messages sent to users, so he learns no new information, since a filter only sees traffic sent over the network. In practice, gaining control of a filter would allow an attacker to perform a denialof-service attack simply by dropping all packets or in some other way destroying data passing through the filter. However, denial-of-service attacks against low-bandwidth data networks can be accomplished in much simpler ways.

5.3

Stateful over stateless

For stateful over stateless schemes, the performance is highly dependent on the parameters of the system and the re-balancing strategy used to move users from sparse trees. This makes the framework highly adaptable to a partciular user base, but at the same time makes it difficult to perform an analysis of the performance. It is easy to see that user storage will be the sum of the key-size in their local stateless scheme and the key-size for the stateful scheme running on top of it. User computation will also, in the worst case, be the sum of worst-case times since the user will first have to decrypt the stateless broadcast to receive its new node key in 0 . the stateful scheme and then use that node key to recover KM Since it is a stateful scheme, there is also a lack of a security model in which security could be proved. The development of such a security model is likely a large undertaking and is beyond the scope of this thesis.

36

Chapter 6

Practical evaluation The worst-case performance is of course an important measurement for the protocols, but some form of average-case or real-world performance analysis can also be valuable. Especially since one of the optimization ideas, OFT over stateless (see section 4.2), is based on heuristics. A comparative performance analysis of the optimization ideas along with some previous protocols was performed on several different usage scenarios. These usage scenarios are based on guesswork as to how users will behave in the system, but the results may be of interest in any case. Since collaboration is possible in stateful subset cover (section 4.1), a simple model for collaboration cheating has been defined and the expectancy for how long a cheater can succesfully cheat the system in this model is evaluated experimentally.

6.1

User modeling

To evaluate the performance of the algorithms, a model for user behavior was needed. Johansson [10] created several scenarios which were re-used in this thesis. The author also developed a slightly more complex model which makes a naive attempt to model how users watch TV. This model is entirely based on guesswork as the author did not have access to any good real-world data.

6.1.1

Johansson’s scenarios

As part of his thesis [10], Johansson developed six usage scenarios. The same scenarios were also used in this thesis with some parameter changes. Base change In all of the scenarios, a certain amount of base change is present. This is a value between 0 and 1 signifying how large fraction of the members will be replaced by non-members during each round. This does not significantly affect the total number of members at any time. Johansson used a base change of 2% during his evaluation 37

35000

Users

30000 25000 20000 15000 10000 5000 0 0

20

40

60

80

100 120 140 160

Rounds

Figure 6.1. The decreasing dataset with 215 users

work. In this thesis, a base change of 0–2% will be used. The effects of varying the base change rate will be evaluated in section 6.4. Just as with the data models, it is very difficult to predict user behaviour for this type of system. A certain amount of dynamic can be expected. For the normal subset cover schemes, base change does not affect performance, whereas it does raise bandwidth requirements for stateful subset difference. Thus, we will generally use a very high base change rate of 2% when analyzing, in order to give “worst-case” performance. 2% is high compared to what we could reasonably expect to observe in real-world situations.

Decreasing dataset In the decreasing dataset, everyone starts out as a member and users leave the system quite rapidly. This is intended to model e.g. the end of a popular TV show where users turn off their systems manually. The simulation decreases down to approximately five percent of the original number of users. The dataset is shown in figure 6.1.

Growing dataset The growing datset is in some sense the opposite of the decreasing dataset. Here, membership starts out low but increases at an increasing rate. However, more variance can be expected at the start of a show than at the end, so a small sinusshaped variance has been added to the curve. The dataset is shown in figure 6.2.

Large gap dataset In the large gap dataset, a large group of users join and leave periodically. This could simulate a good TV series or a popular recurring sports event. The dataset is shown in figure 6.3. 38

35000

Users

30000 25000 20000 15000 10000 5000 0 0

20

40

60

80

100 120 140 160

Rounds

Figure 6.2. The growing dataset with 215 users 30000

Users

25000 20000 15000 10000 5000 0 0

20

40

60

80

100 120 140 160

Rounds

Figure 6.3. The large-gap dataset with 215 users 35000

Users

30000 25000 20000 15000 10000 5000 0 0

20

40

60

80

100 120 140 160

Rounds

Figure 6.4. The small-gap dataset with 215 users

39

9000 8000 7000 6000 5000 4000 3000 2000 1000 0

Users

0

20

40

60

80

100

120

140

160

Rounds

Figure 6.5. The moving dataset with 215 users

Small gap dataset In the small gap dataset, as in the large gap dataset, there is a recurring popular event. However, in this case, much fewer users leave the system in between this event. This could be used to simulate e.g. flatrate fees, so that many users will simply leave their devices on the entire time. The small gap dataset is shown in figure 6.4. Moving dataset In the moving dataset, the number of users is roughly constant. However, the user base is divided into 4 groups. Group 1 is composed of users 1 · · · u/4, group two of users u/4+1 · · · u/2, etc. In the first few rounds, the probability that a user in group 1 is a member is 75% and the probability for users in the other groups is 9%. After a few rounds, the distribution switches and users in group 2 have a high probability of being members. This could be the case where some form of marketing data has been used to order users based on what shows they like. The dataset is shown in figure 6.5. Sinus-shaped dataset The sinus-shaped dataset simulates a slowly shifting member group, periodically turning on and off. The dataset is shown in figure 6.6.

6.1.2

TV model

The TV model is a simple model attempting to weigh in the quality of different shows and the preferences of various user groups. We model each user as belonging to a user group. Then we define a sequence of programs, each associated with three attributes: appeal to each user group, quality, and length (measured in the number of media key changes). The two datasets which will be used for evaluation are shown in figure 6.7. 40

16000 14000 12000 10000 8000 6000 4000 2000 0

Users

0

20

40

60

80

100 120 140 160

Rounds

Figure 6.6. The sinus-shaped dataset with 215 users

The simulation proceeds by simulating a round at a time. Each user acts individually. If a user is not watching, there will be a certain chance he will start watching the current round. This chance depends on how appealing he finds the current program and for how long this program has been running. For each user who is watching, there is a probability that he will turn off during the current round. The probability that this occurs depends on the quality of the program and for how long the user has been watching. Turning on For deciding the probability that a user who is not watching will turn on during the current round a normal distribution is used, which is scaled by an appeal value. Each program has some appeal (a value in the range 0–1) to each user group and each user belongs to a user group. This appeal value is then multiplied with a normal distribution with expectancy 0 and standard deviation 2. Turning off Turning off the TV is handled in almost the same way as turning on is. In this case, the quality value of a program, which is the same for all user groups, is the value used to determine the probability. The normal distribution also has slightly different parameters, with an expectancy of 2 and a standard deviation of 6. The expectancy is motivated by the fact that a user who has turned on a show is likely to watch it for a little while to determine if it is interesting, but if the user has watched for some amount of time, chances are that the user will get “stuck”, i.e. want to see how the show ends. Switching shows When a new show begins, the simulation considers all users as “not watching”. This is a clear flaw in the simulator, it is very likely that users who were watching the 41

14000

16000 14000 12000

Users

12000 10000

Users

10000 8000

8000 6000

6000 4000 2000 0

4000 2000 0 0

20

40

60

80

100 120 140 160

0

Rounds

20

40

60

80

100 120 140 160

Rounds

Figure 6.7. The first (left) and second (right) TV dataset with 215 users

previous show are more likely to watch the next show than those who were not watching.

6.1.3

Sparse trees

Since the subset cover schemes generally perform poorly when m u, such tests were also performed. To perform this type of tests, the same user behaviour as was discussed in the previous section was used, but a program was created to scale up the user-size. For instance, a simulation might be run with 215 users. These users are then randomly mapped into positions in a userbase of 220 positions. All the unmapped positions in this userbase will just remain non-members throughout the simulation.

6.2

About the test environment

All tests have been performed in a single test application developed in the C++ programming language. The application is a simple application which only simulates the system; no broadcasts or encryptions were performed. Development was done in cygwin running on Windows 2000 using standard open source and free software tools such as gcc, cvs, GNU make and vim on a PC provided by Ericsson. Diagrams were generated with gnuplot.

6.3

Performance in Stateful Subset Cover

The performance of the stateful subset cover framework was evaluated using the scenarios presented in sections 6.1.1 and 6.1.2. As will be shown, the performance is significantly better than that of normal subset cover schemes, as could be expected from the theoretical analysis. The influence of the base change parameter will be examined, as will the a parameter in stateful HKT in sections 6.4 and 6.4.1, respectively. Since stateful subset cover schemes use a basic stateless key structure which must be pre-allocated, there will often be a need for trees to be oversized compared to the number of active 42

1.2e+06

1.2e+06

Users Cover size

1e+06

Users Cover size

1e+06

800000

800000

600000

600000

400000

400000

200000

200000

0

0 0

20

40

60

80

100 120 140 160

0

Rounds

20

40

60

80

100 120 140 160

Rounds

Figure 6.8. Normal (left) and stateful (right) SD with 220 users, decreasing dataset with basechange 2%.

Scheme Stateful SD Normal SD

Avg. sets used

Max sets used

43 214 170 175

59 798 305 225

Table 6.1. Performance comparison between normal and stateful SD with 220 users in the decreasing dataset with basechange 2%.

users, i.e. sparse trees. Looking at the theoretical evaluation, this is expected to have a much smaller impact in stateful subset difference than it has in normal subset difference. This will be analyzed in section 6.5.

6.3.1

Subset Difference

Figure 6.8 shows a comparison between normal subset difference and stateful subset difference in the decreasing dataset. The red curve shows the number of members and the green crosses shows the number of sets used in the cover each round. The base change rate is set to 2% in this simulation, which is significantly higher than what could be expected for real-world performance. A high base change in this case has a negative impact on the performance of stateful subset difference. Still, as the diagram shows, the stateful subset difference clearly outperforms traditional subset difference. Table 6.1 shows both the average number of sets used per round and the maximum number of sets used in a single round. Both these measurements are important to minimize. The average to keep total bandwidth usage down and the maximum to keep the latency for key refresh reasonably slow. As the diagram and table shows, the stateful version acheives significantly lower bandwidth requirements compared to the normal stateless SD. The worst-case performance (i.e. the maximum number of sets used) is reduced by a factor 5 and the average case is reduced by a factor 4. As seen, the performance is also much more even throughout the simulation, the large fluctuations of the original scheme are gone. 43

1.2e+06

1.2e+06

Users Cover size

1e+06

Users Cover size

1e+06

800000

800000

600000

600000

400000

400000

200000

200000

0

0 0

20

40

60

80

100 120 140 160

0

20

40

60

Rounds

80

100 120 140 160

Rounds

Figure 6.9. Normal (left) and stateful (right) HKT with 220 users, a = 8, decreasing dataset with basechange 2%.

Scheme Stateful HKT Normal HKT

Avg. sets used

Max sets used

45 490 96 802

61 947 130 851

Table 6.2. Performance comparison between normal and stateful HKT with 220 users and a = 8 in the decreasing dataset with basechange 2%.

6.3.2

Hierarchical Key Tree

Compared to SD, stateful HKT does not show quite as large an improvement in the stateful version compared to the normal version. Whereas the stateless version of HKT is significantly better than stateless SD, the stateful version actually performs slightly worse than stateful SD. As can be seen in figure 6.9, the stateful version again has a much more even performance than the normal stateless version. Table 6.2 shows the average number of sets used and maximum number of sets used in the covers.

Basechange 0 0.5% 1% 2%

Avg. sets used 68 71 83 99

387 830 454 587

Max sets used 99 106 118 137

537 935 927 210

Table 6.3. Average sets used in covers and maximum sets used in a round for stateful SD with 220 users in the sinus-shaped dataset with varying basechange.

44

500000 450000 400000 350000 300000 250000 200000 150000 100000 50000 0

500000 450000 400000 350000 300000 250000 200000 150000 100000 50000 0

Users Cover size

0

20

40

60

80

100 120 140 160

Users Cover size

0

20

40

60

Rounds 500000 450000 400000 350000 300000 250000 200000 150000 100000 50000 0

500000 450000 400000 350000 300000 250000 200000 150000 100000 50000 0

Users Cover size

0

20

40

60

80

80

100 120 140 160

Rounds

100 120 140 160

Users Cover size

0

20

40

60

Rounds

80

100 120 140 160

Rounds

Figure 6.10. Stateful SD performance with 220 users in the sinus-shaped dataset with basechange 0, 0.5%, 1% and 2% (top left, top right, bottom left, bottom right)

a 3 4 8 16

Avg. sets used 104 88 61 42

Max sets used

933 282 114 639

143 117 77 52

275 321 508 368

Table 6.4. Average sets used in covers and maximum sets used in a round for stateful HKT with 220 users in the growing dataset with varying a parameter.

6.4

The impact of basechange

The basechange is the percentage of current members who are replaced by nonmembers during each round. This is intended to simulate phones going in and out of range and generally increase the membership volatility and group dynamics. As can be seen in figure 6.10 and table 6.3, the bandwidth usage of the system increases linearly as the base change increases. This is to be expected, since the bandwidth performance is linear in ∆m + ∆r. For traditional stateless schemes, the basechange does not affect the performance.

6.4.1

Varying the a parameter in Stateful Hierarchical Key Tree

The HKT scheme has a parameter a, which is the branching factor of the tree the users are positioned in. As can be seen in figure 6.11 and table 6.4, increasing the 45

1.2e+06

1.2e+06

Users Cover size

1e+06

Users Cover size

1e+06

800000

800000

600000

600000

400000

400000

200000

200000

0

0 0

20

40

60

80

100 120 140 160

0

20

40

60

Rounds 1.2e+06

1.2e+06

Users Cover size

1e+06

80

100 120 140 160

Rounds Users Cover size

1e+06

800000

800000

600000

600000

400000

400000

200000

200000

0

0 0

20

40

60

80

100 120 140 160

0

20

40

60

Rounds

80

100 120 140 160

Rounds

Figure 6.11. Stateful HKT performance with 220 users in the growing dataset with a = 3, 4, 8, 16 (top left, top right, bottom left, bottom right)

Scheme Normal SD Stateful SD Normal HKT Stateful HKT

Treesize 215 Avg. sets Max sets 5 1 3 1

307 351 018 422

9 1 4 1

551 893 091 961

Treesize 220 Avg. sets Max sets 10 1 9 1

047 381 576 691

31 2 28 2

326 047 739 912

Table 6.5. Comparison of the performance of stateless and stateful subset cover schemes with 215 active users in trees sized 215 and 220 .

parameter a significantly decreases the bandwidth requirements of the scheme. However, the cost of increasing the a parameter is two-fold since both (public) user storage and computation cost is O(2a ). Since the operations involved are multiplying primes in a rather large group and user devices in our scenario are still relatively computationally limited, we feel that 8 is probably a reasonable value for a. However, both user storage capacities and computational power is steadily increasing, so what is reasonable for a will likely be a value between 8 and 16.

6.5

The effect of oversized trees

Current subset cover schemes generally perform poorly when m u, i.e. when they have sparse trees. The way this this test is done is by simulating a small number of 46

35000

35000

Users Cover size

30000

Users Cover size

30000

25000

25000

20000

20000

15000

15000

10000

10000

5000

5000

0

0 0

20

40

60

80

100 120 140 160

0

20

40

60

Rounds 35000

35000

Users Cover size

30000

80

100 120 140 160

Rounds Users Cover size

30000

25000

25000

20000

20000

15000

15000

10000

10000

5000

5000

0

0 0

20

40

60

80

100 120 140 160

0

Rounds

20

40

60

80

100 120 140 160

Rounds

Figure 6.12. Normal (above) and stateful (below) SD performance with 215 active users in trees sized 215 (left) and 220 (right). In the oversized case for normal SD, the set curve can be difficult to see, since it is so close to the user curve.

users (e.g. 215 ) as normal. Those users are then randomly assigned positions in a much larger (e.g. 220 ) userbase where they will be the only active users. As can be seen in figure 6.12 and table 6.5, the stateful subset cover protocols handle oversized trees significantly better than the normal versions. This is important in our scenario. There are extremely many potential users, but even the best show is unlikely to appeal to a significant fraction of these. The normal version comes extremely close to naive performance (i.e. 1 set per member) while the stateful versions remain almost unaffected by the oversized tree.

6.5.1

Scaling with userbase size

As was shown in [10], the bandwidth performance of normal SD scales linearly with u. As can be seen in table 6.6, this property remains with the stateful version of SD too. Throughout this chapter, most evaluations have been made with u = 220 . That the bandwidth performance scales so linearly with u means that it is easy to extrapolate approximate values for other u.

6.5.2

Network traffic

It can be interesting to relate the measurement used in this chapter (i.e. number of sets (or equivalently keys) used for the cover) with total transfer size or time to transfer. To predict this, a number of variables must be estimated. 47

u 215 216 217 218 219 220

Avg. sets 1 2 4 9 17 35

123 253 507 013 982 993

Max sets 5 10 20 40 81 162

158 399 524 939 381 901

Table 6.6. Number of sets used in stateful subset difference in the small gap dataset with basechange 1% compared to userbase size, u

Most importantly, how much information do we need to transfer per set used? This includes the keysize used, but also information on what key was used. The information could be sent in a more compact form at the cost of client computation, but most likely a real-world implementation would simply use some set-identifier per set used. The underlying network protocol will likely have some headers which add some transfer size, and most likely the link-layer hardware will have some maximum transfer unit (MTU) affecting how many packets (and thus network protocol overhead) must be sent. To estimate the time to transfer, the bandwidth available to key management must also be determined. As an example, let us assume that 128-bit keys are used and that 64-bit set identifiers are used, i.e. 24 bytes per set. If the system was implemented today, IPv4 and UDP would likely be the network and transport layer protocols used. These protocols together have a minimum header size of 28 bytes (20 for IP and 8 for UDP). The MTU can be difficult to estimate, but it is reasonable that all newer link-layer protocols will have an MTU of at least 1280 bytes, since that is the minimum required MTU for IPv6. As for bandwidth, 64 kilobit per second (kb/s) is probably reasonable to allocate for key management. In a 384 kb/s network, which is the minimum in WCDMA, that would leave 320 kb/s for content, which is enough for reasonable picture quality. The total size of data will be 24|C|, where |C| is the number of sets in the cover. 0 and K 0 , which There will also be some negligable overhead for the encrypted KM S we will ignore. The overhead for protocol headers sent will be 28d24|C|/MTU − 28e, since MTU − 28 bytes of data can be fit into each packet. Looking at the values from 6.1, normal SD used an average of 170 175 sets and a maximum of 305 225 while the same figures for stateful SD were 43 214 and 59 768 respectively. In terms of time, these would translate to 510 seconds on average and a maximum of 914 seconds for normal SD. This means that the minimum key refresh time that could be used is slightly over 15 minutes. For stateful SD, the average time is 129 seconds and the maximum time is 180 seconds. 48

Scheme Normal HKT (a = 8) Stateful HKT (a = 8) Normal SD Stateful SD Scheme Normal HKT (a = 8) Stateful HKT (a = 8) Normal SD Stateful SD

Decreasing 96 29 170 25

932 776 372 022

Moving 83 32 125 37

Growing 111 45 198 41

Large gap

209 358 787 130

Sinus

131 714 423 901

117 74 229 83

545 308 773 454

94 38 135 42

568 674 810 376

Small gap 87 34 124 35

204 967 235 992

TV1

TV2

116 21 221 23

106 15 188 14

239 127 213 225

032 053 734 574

Table 6.7. Average number of sets for stateless and stateful SD and HKT on all the datasets with 220 users and basechange 1%

6.5.3

Summary

As has been shown in this chapter with a simulated userbase, the bandwidth performance of stateful subset cover schemes is considerably better than normal subset cover schemes. As a reference, the results for stateful and normal versions of SD and HKT are presented in table 6.7. All datasets have been generated with a basechange of 1%. For the figures for these runs, see chapter A. In this chapter, we have also shown that the stateful variants handle oversized trees (which is likely in our scenario) considerably better than normal subset cover. As can be guessed from the worst-case performance and structure of HKT, increasing the a parameter reduces bandwidth requirements at the cost of client computations and memory. Sadly, these both scale exponentially with a, so a must be small.

6.6

Security in Stateful Subset Cover

The security in stateful subset cover is not perfect. Users can collaborate by one revoked user who has recently been removed sharing the current state key with a user who is covered, but who does not have the state key. In this section, a model for this type of cheating will be defined and the expectancy for how long cheaters gain access will be analyzed using the same data as was used for performance evaluations.

6.6.1

Cheating model

In a commercial setting, the concern is to make it cost-inefficient rather than impossible to illegally decrypt the broadcast. As was stated in section 2.4.1, it is possible to make it expensive to extract state keys. By using periodic hard updates, cheaters will also periodically be removed from the system. 49

8 7 6

12

Average free time for cheaters

Average free time for cheaters

10 8

5 4

6

3 2 1 0

4 2 0 0

20

40

60

80

100

120

140

160

0

Rounds

20

40

60

80

100

120

140

160

Rounds

Figure 6.13. Average free time for cheaters in stateful SD. 220 users, decreasing dataset, basechange 2%, hard updates every 10 (left) and 160 (right) rounds

However, as was considered in section 3.3.7, one way to improve the performance of subset difference systems in general is to use a short key length to protect the highly temporary media key. Since the state key is protected in the same way as the media key in the broadcast, it would be good if its existance did not prevent this optimization. In this section, we will analyze the expectancy of the time a user who illegally gets a state key can watch. In our model, every user who is removed from the system is given the next round’s state key and media key, so he can watch for at least one more round. Then, as long as that user is covered using the state key, he can keep watching, but as soon as he is not covered in a round, he will lose his ability to decrypt the broadcast. This model of cheating simulates a user using a brute-force attack to illegally recover a state key. It is run over the same simulation data as the performance tests to give a real-world like cover. This also means that some users will be added again before they are successfully revoked by the system. These are ignored when calculating the average. In the simulation, we measure the average number of rounds users who left in round r could watch the show, given that they brute-forced one key. In the simulations, a hard update is always run immediately after the end of the simulation, i.e. it is assumed that after the last round, all current cheaters were revoked.

6.6.2

Subset Difference

In figure 6.13, the average numbers of rounds a revoked user can watch if he bruteforces that key is shown. The cheating model used is described in more detail in section 6.6.1. As can be seen, even with hard updates done every 160:th round, a cheater can still at best expect to see approximately 10 rounds for the cost of brute-forcing a broadcast. While this is worse than the normal schemes, where this number is constantly 1, it is still reasonably small. At the cost of bandwidth, the number of rounds an attacker can watch by bruteforcing a key can be lowered by doing hard updates more frequently. If hard up50

4 3.5 3

4 3.5 3

Average free time for cheaters

2.5 2

2.5 2

1.5 1 0.5 0

1.5 1 0.5 0 0

20

40

60

80

100

120

140

160

Average free time for cheaters

0

20

40

60

Rounds

80

100

120

140

160

Rounds

Figure 6.14. Average free time for cheaters in stateful HKT. 220 users, a = 8, decreasing dataset, basechange 2% hard updates every 10 (left) and 160 (right) rounds 8 7 6

14

Average free time for cheaters

Average free time for cheaters

12 10

5 4 3 2 1 0

8 6 4 2 0 0

20

40

60

80

100

120

140

160

0

Rounds

20

40

60

80

100

120

140

160

Rounds

Figure 6.15. Average free time for cheaters in stateful SD with 215 users in a tree sized for 220 users, decreasing dataset, basechange 2% hard updates every 10 (left) and 160 (right) rounds

dates are done every 10:th round instead, brute-forcing keys becomes even less costefficient.

6.6.3

Hierarchical Key Tree

With stateful HKT, the average numbers of rounds gained for brute-forcing a key is significantly lower than in stateful SD. As can be seen in figure 6.14, the average number of rounds goes up to at most 4.

6.6.4

Cheating in sparse trees

As was shown in section 6.5, stateful subset cover schemes handle sparse trees very well, compared to normal subset cover. This implies that many revoked users will be covered, something which is likely to affect the resilience to cheating in our model. As shown in figure 6.15, the values still stay reasonably small, and the increase compared to a correctly sized tree is small. 51

6.7

Filters

To evaluate the performance of filters, not only is a model of user behaviour needed, but a model of how the users move in the network is also neccecary. Such a model was not available during this project and developing one is beyond the scope of this thesis.

6.8

Stateful over stateless

For the stateful over stateless framework, there are a large number of parameters which need to be tested and an effective balancing heuristic for moving members from sparse trees must be developed. Sadly, there was not time for developing reasonable such heuristics and testing parameters during this thesis.

52

Chapter 7

Conclusion Broadcast encryption is a currently active field of research, which is likely to grow in significance in the coming years, as digital media broadcast systems become increasingly common. In particular over mediums with limited bandwidth, e.g. mobile systems. In this thesis, a new generic framework for introducing state into subset cover schemes, called stateful subset cover has been presented in section 4.1. The framework has a few drawbacks in that the system becomes stateful and vulnerable to collaborating users. However, the advantage is that it offers lower bandwidth requirements than current state-of-the-art broadcast encryption schemes, both asymptotically and with simulated datasets. A generalisation of the dynamic subset difference scheme have been presented in form of the stateful over stateless framework. This framework uses a stateful scheme to tie together a forest of stateless key structures. It is a very flexible framework with several parameters and heuristics which can be tuned to suit measured or expected user behaviour. Filters have also been discussed as a simple mechanism for increasing performance. Particularly in the mobile network, there exist several suitable positions in the existing network structure where filters could be placed. It is worth noticing that filters in a fixed network will likely perform very well, since users in such networks have very low, if any, mobility. As was seen in the practical evaluation, while the new stateful subset cover framework has considerably improved performance compared to state-of-the-art schemes, it still is not quite sufficient for extremely large-scale usage over heavily bandwidthlimited networks. With approximately 1 million users, key refresh times could reach approximately three minutes. Since bandwidth performance scales linearly with the number of members, a 10-fold increase in the number of members will make key refresh times reach half an hour.

53

7.1

Recommendations

It is the author’s belief that much further development can be done in the field of broadcast encryption. Of particular interest is the further development of new subset cover schemes for two reasons. First, there exists a reasonable security model for subset cover schemes and secondly, subset cover schemes can be converted into stateful schemes to gain bandwidth performance through the stateful subset cover framework. Particularly a subset cover scheme with performance better than linear in the number of revoked users would be a very interesting and impressive development. The author also believes that significant progress can be made in developing new stateful schemes with performance significantly better than current state-of-the art schemes. Along these lines, it would also be interesting to see the development of a security model more strictly defining attacker capabilities and thus enabling more rigid security analysis of broadcast encryption schemes. While the bandwidth requirements of stateful subset cover are significantly lower than previous schemes, they are most likely still not small enough for very widespread mobile usage. Aside from practical usage scenarios, broadcast encryption is a very interesting theoretical problem.

54

References [1] Tomoyuki Asano. A revocation scheme with minimal storage at receivers. Lecture Notes in Computer Science, 2501:433–450, 2002. [2] Shimshon Berkovits. How to broadcast a secret. Lecture Notes in Computer Science, 547:535–541, 1991. [3] Carlo Blundo, Luiz A. Frota Matos, and Douglas R. Stinson. Trade-offs between communication and storage in unconditionally secure schemes for broadcast encryption and interactive key distribution. Lecture Notes in Computer Science, 1109:387–400, 1996. [4] Weifeng Chen, Zihui Ge, Chun Zhang, Jim Kurose, and Don Towsley. On Dynamic Subset Difference Revocation Scheme, 2004. [5] Gerald C. Chick and Stafford E. Tavares. Flexible access control with master keys. Lecture Notes in Computer Science, 435:316–322, 1990. [6] Amos Fiat and Moni Naor. Broadcast encryption. Lecture Notes in Computer Science, 773:480–491, 1994. [7] Michael T. Goodrich, Jonathan Z. Sun, and Roberto Tamassia. Efficient treebased revocation in groups of low-state devices. Lecture Notes in Computer Science, 3152:511–527, 2004. [8] Dani Halevy and Adi Shamir. The LSD broadcast encryption scheme. Lecture Notes in Computer Science, 2442:47–60, 2002. [9] Shaoquan Jiang and Guang Gong. Hybrid Broadcast Encryption and Security Analysis. Cryptology ePrint Archive, Report 2003/241, 2003. http://eprint. iacr.org/. [10] Mattias Johansson. Practical Evaluation of Revocation Schemes. Master’s thesis, Nada, Royal Institute of Technology, 2004. [11] David S. Johnson. Approximation algorithms for combinatorial problems. In Proceedings of the fifth annual ACM symposium on Theory of computing, pages 38–49. ACM Press, 1973. 55

[12] Fu-Yuan Lee and Shiuhpyng Shieh. Scalable and lightweight key distribution for secure group communications. International Journal of Network Management, 14:167–176, 2004. [13] David A. McGrew and Alan T. Sherman. Key Establishment in Large Dynamic Groups Using One-Way Function Trees. Manuscript, 1998. [14] Alfred J. Menezes, Scott A. Vanstone, and Paul C. Van Oorschot. Handbook of Applied Cryptography. CRC Press, Inc., 1996. [15] Miodrag J. Mihaljević. Broadcast encryption schemes based on the sectioned key tree. Lecture Notes in Computer Science, 2836:158–169, 2003. [16] Miodrag J. Mihaljević. Key management schemes for stateless receivers based on time varying heterogeneous logical key hierarchy. Lecture Notes in Computer Science, 2894:137–154, 2003. [17] Dalit Naor, Moni Naor, and Jeff Lotspiech. Revocation and tracing schemes for stateless receivers. Lecture Notes in Computer Science, 2139:41–62, 2001. [18] Adrian Perrig, Dawn Song, and J. D. Tygar. ELK, a new protocol for efficient large-group key distribution. In Proceedings of the IEEE Symposium on Security and Privacy, pages 247–262. IEEE Computer Society, 2001. [19] Simon Singh. The code book: the evolution of secrecy from Mary, Queen of Scots, to quantum cryptography. DOUBLEDAY, 1999. [20] Douglas R. Stinson. Cryptography: Theory and Practice, 2nd Ed. CRC Press Inc., 2002. [21] Debby M. Wallner, Eric J. Harder, and Ryan C. Agee. Key Management for Multicast: Issues and Architectures. Internet Request for Comment RFC 2627, Internet Engineering Task Force, 1999. [22] Chung Kei Wong, Mohamed Gouda, and Simon S. Lam. Secure group communications using key graphs. In Proceedings of the ACM SIGCOMM ’98 conference on Applications, technologies, architectures, and protocols for computer communication, pages 68–79. ACM Press, 1998.

56

Appendix A

Performance evaluation figures 1.2e+06

1.2e+06

Users Cover size

1e+06

Users Cover size

1e+06

800000

800000

600000

600000

400000

400000

200000

200000

0

0 0

20

40

60

80

100 120 140 160

0

20

40

60

Rounds 1.2e+06

1.2e+06

Users Cover size

1e+06

80

100 120 140 160

Rounds Users Cover size

1e+06

800000

800000

600000

600000

400000

400000

200000

200000

0

0 0

20

40

60

80

100 120 140 160

0

Rounds

20

40

60

80

100 120 140 160

Rounds

Figure A.1. Normal (left) and stateful (right) SD (above) and HKT (below) performance with 220 users in the decreasing dataset with basechange 1%

57

1.2e+06

1.2e+06

Users Cover size

1e+06

Users Cover size

1e+06

800000

800000

600000

600000

400000

400000

200000

200000

0

0 0

20

40

60

80

100 120 140 160

0

20

40

60

Rounds 1.2e+06

1.2e+06

Users Cover size

1e+06

80

100 120 140 160

Rounds Users Cover size

1e+06

800000

800000

600000

600000

400000

400000

200000

200000

0

0 0

20

40

60

80

100 120 140 160

0

20

40

60

Rounds

80

100 120 140 160

Rounds

Figure A.2. Normal (left) and stateful (right) SD (above) and HKT (below) performance with 220 users in the growing dataset with basechange 1% 1e+06 900000 800000 700000 600000 500000 400000 300000 200000 100000 0

1e+06 900000 800000 700000 600000 500000 400000 300000 200000 100000 0

Users Cover size

0

20

40

60

80

100 120 140 160

Users Cover size

0

20

40

60

Rounds 1e+06 900000 800000 700000 600000 500000 400000 300000 200000 100000 0

1e+06 900000 800000 700000 600000 500000 400000 300000 200000 100000 0

Users Cover size

0

20

40

60

80

80

100 120 140 160

Rounds

100 120 140 160

Users Cover size

0

Rounds

20

40

60

80

100 120 140 160

Rounds

Figure A.3. Normal (left) and stateful (right) SD (above) and HKT (below) performance with 220 users in the large gap dataset with basechange 1%

58

1.2e+06

1.2e+06

Users Cover size

1e+06

Users Cover size

1e+06

800000

800000

600000

600000

400000

400000

200000

200000

0

0 0

20

40

60

80

100 120 140 160

0

20

40

60

Rounds 1.2e+06

1.2e+06

Users Cover size

1e+06

80

100 120 140 160

Rounds Users Cover size

1e+06

800000

800000

600000

600000

400000

400000

200000

200000

0

0 0

20

40

60

80

100 120 140 160

0

20

40

60

Rounds

80

100 120 140 160

Rounds

Figure A.4. Normal (left) and stateful (right) SD (above) and HKT (below) performance with 220 users in the small gap dataset with basechange 1% 300000

300000

Users Cover size

250000

Users Cover size

250000

200000

200000

150000

150000

100000

100000

50000

50000

0

0 0

20

40

60

80

100 120 140 160

0

20

40

60

Rounds 300000

300000

Users Cover size

250000

80

100 120 140 160

Rounds Users Cover size

250000

200000

200000

150000

150000

100000

100000

50000

50000

0

0 0

20

40

60

80

100 120 140 160

0

Rounds

20

40

60

80

100 120 140 160

Rounds

Figure A.5. Normal (left) and stateful (right) SD (above) and HKT (below) performance with 220 users in the moving dataset with basechange 1%

59

500000 450000 400000 350000 300000 250000 200000 150000 100000 50000 0

500000 450000 400000 350000 300000 250000 200000 150000 100000 50000 0

Users Cover size

0

20

40

60

80

100 120 140 160

Users Cover size

0

20

40

60

Rounds 500000 450000 400000 350000 300000 250000 200000 150000 100000 50000 0

500000 450000 400000 350000 300000 250000 200000 150000 100000 50000 0

Users Cover size

0

20

40

60

80

80

100 120 140 160

Rounds

100 120 140 160

Users Cover size

0

20

40

60

Rounds

80

100 120 140 160

Rounds

Figure A.6. Normal (left) and stateful (right) SD (above) and HKT (below) performance with 220 users in the sinus dataset with basechange 1% 400000 350000 300000 250000

400000 350000 300000 250000

Users Cover size

200000 150000 100000 50000 0

Users Cover size

200000 150000 100000 50000 0 0

20

40

60

80

100 120 140 160

0

20

40

60

Rounds 400000 350000 300000 250000 200000 150000 100000 50000 0

400000 350000 300000 250000 200000 150000 100000 50000 0

Users Cover size

0

20

40

60

80

80

100 120 140 160

Rounds

100 120 140 160

Users Cover size

0

Rounds

20

40

60

80

100 120 140 160

Rounds

Figure A.7. Normal (left) and stateful (right) SD (above) and HKT (below) performance with 220 users in the first TV dataset

60

500000 450000 400000 350000 300000 250000 200000 150000 100000 50000 0

500000 450000 400000 350000 300000 250000 200000 150000 100000 50000 0

Users Cover size

0

20

40

60

80

100 120 140 160

Users Cover size

0

20

40

60

Rounds 500000 450000 400000 350000 300000 250000 200000 150000 100000 50000 0

500000 450000 400000 350000 300000 250000 200000 150000 100000 50000 0

Users Cover size

0

20

40

60

80

80

100 120 140 160

Rounds

100 120 140 160

Users Cover size

0

Rounds

20

40

60

80

100 120 140 160

Rounds

Figure A.8. Normal (left) and stateful (right) SD (above) and HKT (below) performance with 220 users in the second TV dataset

61