Key Management Schemes for Stateless Receivers Based on

Time Varying Heterogeneous Logical Key Hierarchy

Miodrag Mihaljevic

ASIACRYPT 2003

December 1, 2003

Reconfigurable Key Management for Broadcast Encryption

or

Secret Bits with Multiple Roles: A Novel

Paradigm for Broadcast Encryption Schemes

- two alternative titles of this talk -

Broadcast Encryption – A Brief Introduction

• Broadcast encryption (BE) schemes define methods for encrypting content so that only privileged users are able to recover the content from the broadcast which is a ciphertext obtained based on a Session Encryption Key (SEK).

• Ensuring that only the valid members of the selected group have SEK at any given time instance is the key management problem in BE.

• On the other hand, for the SEK updating, a system needs another set of keys called the Key-Encrypting Keys (KEKs) that can be used to encrypt and transmit the updated SEK to the valid members of the group.

• Hence, the key management problem reduces to the problem of distributing the KEKs to the members such that at any given time instant all the valid members can be securely reached and updated with the new SEK.

Abstract of the Talk

Scenario under consideration: • broadcasting encryption – stateless receivers• each receiver has a sequence of secret bits to be used during its entire life

Main characteristics of the proposed key management: • it is the re-configurable key management (time varying

key management scheme): it is based on a collection of the underlying structures - at each instant of time a structure from the collection is employed for updating the session key

• segments of the secret bits sequence play different roles depending on employed key management scheme

Roadmap of the presentation

• I. Re-configurable Key Management

• II. Secret Key Bits Play Different Roles:

Re-using of the Keys

• III. Illustrative examples

I. Reconfigurable Key Management

Main Characteristics

Reconfigurable Key Management

KM 1

KM 2

KM n

Collection of

Key Management (KM) schemes

selection of the most appropriate

KMfor given

revocationscenario

currentlyemployed

KM

Reconfigurable Key Management

• “Jumping” from one underlying structure to the another

• to perform the best fit to different revocation scenarios in

• highly dynamical group of users.

Novel Scheme Versus Existing Ones

• Novel Scheme:

• Multiple underlying structures

• Multiple roles of the secret bits

• Time varying

• Local heterogeneous key management

• Adjustable to the revocation dynamics

• Existing Ones:

• Single underlying structure

• Single role of the secret bits

• Static

• Global homogeneous key management

• Non-adjustable to the revocation dynamics

Main Characteristics of Novel Approach

• Novel and Flexible Generic Paradigm for developing Broadcast Encryption Key Management schemes for Stateless Receivers.

• Novel technology is based on the reconfigurability concept (time varying heterogeneous logical tree hierarchy), and it yields the improved overall characteristics in comparison with the previously reported techniques.

Required Cryptographic Primitives

• Reconfigurable key management requires a number of underlying structures for assigning KEKs to the receivers, and in a general case it requires the following two cryptographic primitives:

• cryptographic pseudo-random number generator (keystream generator)

• hash functions

Illustrative Underlying Structures forReconfigurable Key Management

. . .… …

. . .

A general form of the sectioned heterogeneous logical key hierarchy (SH-LKH). The triangles play roles of certain substructures, and in a particular case they are sub-trees, with the root at the triangle up and the leaves at the triangle bottom.

An illustration of the sectioned key tree (SKT). As usually, the center is associated to the tree root, a receiver is at a leaf,and the keys are related to the tree nodes.

Reconfigurable Key Management:

Main Implementation Issues • Decision on storage@receiver and processing@receiver

overheads.

• According to the above decision and the expected revocation scenarios, design of a suitable collection of the underlying structures which yield minimization of the communication overload.

(Note that the collection could be established in a non-optimized (ad-hock) or an optimized manner).

Certain Implementation Issues of Reconfigurable Key Management - RKM

(I)• At the center side RKM implementation includes establishing RKM

system. • During the establishing phase the center selects the component key

management schemes so that each of them is suitable for certain class of the revocation patterns.

• Accordingly, during the establishing phase the center forms a list of the following pairs:

(revocation pattern class; key management scheme). • Storage requirements for this list of pairs and related information on the

component schemes is usually negligible in comparison with the number of keys which should be stored at the center.

• So, for each SEK updating, the current revocation patern directly determines the component key management scheme which will be employed.

Certain Implementation Issues of Reconfigurable Key Management – RKM

(II)• One-to-one correspondence between the revocation pattern and the

component scheme implies that RKM employment does not require any additional processing for selecting a particular key management at any time instance.

• At a receiver side RKM operates in a manner very similar to a static key management scheme.

• During SEK updating a legitimate (non-revoked) receiver will be able to extract information about KEK it posses which was employed for obtaining one of SEK encrypted forms delivered via broadcasting.

• This information will tell the receiver which of its KEKs should be employed and how: in a general case, according to the extracted information, a mapping of a KEK should be performed.

• Note that the mapping itself is not a secret operation and usually it is the cryptographic one-way hashing.

Certain Implementation Issues of Reconfigurable Key Management – RKM

(III)

• Accordingly, employment of RKM requires just a slight (almost negligible) increase of required processing at the both sides, at the center and at the receiver.

• On the other hand, it is true that RKM requires a moderate processing at the center side in order to establish the system, but this operation should be done just once.

II. Secret Key Bits Play Different Roles

Re-using of the Keys

Reconfigurable Key Management and Secret Key Bits

• Reconfigurable key management includes reusing of the same secret bits segments in different modes

• An important implementation issue: methodology for reusing of the secret key bits so that they can play different roles.

Shared Mail Box Problem

• Each user Ui holds just one secret key Ki.

• For each i=1,2,…,k, the mail box Bi can only be opened by the user Ui who possesses the secret key Ki.

• The shared mail box SB can be opened by every user in the group, but not any outsider.

• Even when k-1 users conspire together, it is computationally difficult for the k-1 users to open the other user's private mail box.

• Important Note: The shared mail box problem can be solved by employment of appropriate one-way hash functions.

Reusing of the Secret Bits

main issues

Reusing of the Secret Key Bits

• reusing of the independent keys

• reusing of the dependent keys

- direct reusing

- indirect reusing

employment of appropriate

mappings of the (dependent) keys

rules forsecret bitsprocessing

secret key bits

specification of the secret bits subsets

subset-by-subset mapping

collection of the keys

selected instance of re-configurablekey management

block for secret bits processing

One-Way Hash

Subset of StoredSecret Key Bits

Desired KEK

Mapping of the Keys

Sharing of the Secret Bits

• NOTE: Appropriate processing – mapping of the secret key bits yields a possibility for the shared use of the same secret bits even within joint framework of secret key and public key encryption techniques.

III: Illustrative Example

Reconfigurable Key Management Based on Sectioned Key Tree

An illustration of the sectioned key tree (SKT). As usually, the center is associated to the tree root, a receiver is at a leaf,and the keys are related to the tree nodes.

Two Particular Key Management Schemes

SKT-A and SKT-B

SKT-A

CST

LSD LSD LSD

SKT-B

CST

LSD

LSD

Analysis of the Proposed Schemes

Storage, Communications and Processing Overheads

Characteristics of SKT-A

Proposition 1. SKT-A key management requires the following overhead for R revocations in total which affect R0 different sections:

• dimension of the storage@receiver overhead:

O(H01.5 - H0 + log2 N)

• dimension of the communications overhead:

O(R + R0 ((log2 N) - H0 ) – R0 log2 R0 )

• dimension of the processing@receiver overhead:

O(H0).

Characteristics of SKT-B

Proposition 2. SKT-B key management requires the following overhead for R revocations in total which affect R0 and R1 different sections in the lower two layers, the bottom (0-th) and the middle (1-st) ones, respectively:

• dimension of the storage@receiver overhead:

O(H01.5 + H1

1.5 – H0 – H1 + log2 N)• dimension of the communications overhead:

O(R + R0 + R1((log2 N)-H1 –H0) – R1 log2 R1)• dimension of the processing@receiver overhead:

O(max {H0, H1})

Comparison

technique storage processing

CST (Crypto 2001) O(log N) O(log (log N))

SD (Crypto 2001) (O(log N))2 O(log N)

Basic LSD (Crypto 2002)

(O(log N))1.5 O(log N)

SKT-A

H0 < log N

O(H01.5 – H0 + log N) O(H0)

SKT-B

H0 + H1 < log N

O(H01.5 – H1

1.5 - H0 – H1+ log N)

O(max{H0, H1})

Advantages of the Novel Approach (Discussion of the previous Illustrative Example)

• Storage: In a system with a million users the novel technology based key management requires only 35 keys at the receiver in comparison with 400 and 90 keys required by SD and LSD methods, respectively.

• Processing: The novel technology based key management yields more than three times lower processing overhead at a receiver in comparison with SD and LSD methods.

• Communication Overhead: In a large number of the revocation scenarios the novel technology based key management implies the

same communications overhead as SD and LSD methods.

Instead Conclusions (1)

• A novel framework for key management schemes based on reconfigurable logical key hierarchy is proposed which has a number of differences and advantages over the previously reported approaches.

• Recall that the main characteristics of the up to now reported key management schemes include employment of a static underlying structure for the key management, and addressing the subset covering problem over the entire underlying structure.

• Oppositely, the main underlying ideas for developing of the reconfigurable key management (RKM) include the following:

• (i) employment of a reconfigurable underlying structure; and• (ii) in a general case employment of a divide-and-conquer approach

over the underlying structure.

Instead Conclusions (2)

• RKM appears as a very suitable approach for highly dynamic revocation scenarios.

• Employment of RKM for a SEK updating requires just a slight (almost negligible) increase of required processing at the both sides, at the center and at the receiver.

• On the other hand, RKM requires a moderate processing at the center side in order to establish the system, but this operation should be done just once.

Thank You Very Much for the Attention,

and

QUESTIONS Please!