Your Federal Quarterly Tax Payments are due April 15th Get Help Now >>

Efficient State Update for Key Management by yurtgc548

VIEWS: 0 PAGES: 24

									Efficient State Update for
    Key Management
      Proc. IEEE, Vol. 92, No.6, June 2004




                                             1
                      Outline
•   Introduction
•   The LKH (logical key hierarchy) scheme
•   The state update problem
•   A concise presentation of keys
    – A method with no security against collusions
    – A method secure against collusions
• Updating keys


                                                     2
                        Introduction

• Encryption is widely used to enforce usage rules for digital
  content
• Content is encrypted using a group key which is known to a
  group of users in many scenarios
• When users leave or join the group, the group key must be
  changed
   – prevent leaving members from decrypting content in the future
   – Prevent joining members from decrypting previous content
     (backward secrecy)
   – O(n) messages
• How to reduce the overhead of the key update messages?



                                                                     3
The LKH scheme




                 4
            The LKH scheme
• The GC (group controller) associates a binary
  tree with the group and associates each user with
  a different leaf of this tree
• The GC associate a random key with each node
  of the tree and knows the keys of all the nodes
• Each user knows the keys in the path from the
  user’s leaf to the root


                                                  5
            The LKH scheme
• When a user is removed from the group
  – The GC must change all the keys in the path from
    this user’s leaf to the root
  – All the users that remain in the group must update
    their keys
  – The GC send a single message containing an
    encryption of 2log(n)-1 keys
  – Canetti etc. reduce the overhead to a single message
    with log(n) encryptions of keys

                                                           6
            The LKH scheme
• When a user wants to join the group
  – The keys that the joining user receives must be
    different than the keys previously used in the system
  – The joining user is assigned a leaf
  – All the keys in the path from this leaf to the root
    must be updated
    (Why not change only the root key?)



                                                            7
        The state update problem
• The LKH method is efficient
   – Each user has to keep a personal key with log n keys
     (length=log(n)|k|bits)
   – The length of a key update message is also log(n)|k|bits
• The main drawback of the basic LKH method
   – The requirement that group users update their state whenever users join
     or leave the group
   – The total length of the message = t log(n) |k|
• The key update messages might not be received by all users since
  Internet’s multicast communication is lossy
• Users might be offline most of the time in a DRM setting-Once
  the user is online again, it should get the group keys that were
  used since the last time it was connected


                                                                               8
         The state update problem
• Make state updates as efficient as possible
  – Traditional method: t log(n) keys if t key updates
  – New method : t + log(n) keys if t key updates
       (only need to know the “current” personal keys of the nodes in the path
       from the user’s leaf to root)
• Additional improvements
    – Group keys can be generated in a method that enables a concise
      representation of a sequence of consecutive keys
    – Insecure against collusion attacks
      t consecutive group keys can be sent using a message of O(1) keys
      ( 2|k|bits )
    – Secure against collusion attacks
      t consecutive group keys can be sent using a message of O(log t ) keys
      ( 2 log t|k| bits )


                                                                                 9
     The state update problem
• The communication overhead of t state updates
  – Traditional method: O(t log(n)|k|)bits
  – New method in this paper: O(log t|k|) bits
     • Insecure against collusion attacks
       O(|k|) + O(log t|k|) bits
     • Secure against collusion attacks
       O(log t|k|) + O(log t|k|) bits




                                                  10
         A concise representation of keys-
    A method with no security against collusions

• Let N be a predefined constant, and let F be a
  pseudorandom generator with input length |k|bits
  and output length 2|k|bits
• The GC chooses two seeds L1 and RN, each of length
  k. Denote by F0(x) and F1(x), the left and right halves
  of the output of F
                                                 x

                                                 F

                                         F0(x)       F1(x)



                                                             11
      A concise representation of keys-
 A method with no security against collusions
• The method is not secure against collusions
  – e.g. user A paid for content during [1,100]
         user B paid for content during [201,300]
         user A is offline during [50,70]
         user B is offline during [250,270]
         Þ the GC gives user A L50, R70
                     gives user B L250, R270
            A and B can use L50 and R270 to compute
            k50,…,k270


                                                      12
      A concise representation of keys-
 A method with no security against collusions
• The key ki is used as the group key after the ith key
  update
• Given Li and Rj with i<j, one can compute all the
  keys ki,…,kj
  Þ the length of the update message is 2|k| bits




                                                          13
     A concise representation of keys-
A method with no security against collusions




<proof>




                                               14
         A concise representation of keys-
        A method secure against collusions
• let F be a pseudorandom generator with input length |k|bits
  and output length 2|k|bits, and denote by F0(x), F1(x) the left
  and right halves of the output of F for an input x
• The GC choose a random key of length |k| for the root of a full
  binary tree of depth log(N) which as N leaves
• Go from the root down: let v be a node, and let v0, v1 be its two
  sons.
• Denote the key of node v by kv,
  then kv0=F0(kv) and kv1=F1(kv)
• The key of the ith leaf is used as the group key after the ith key
  update


                                                                  15
         A concise representation of keys-
        A method secure against collusions
• A key of a node v can be used to compute the keys of all the
  leaves of the subtree rooted in v
• <Theorem 2>
  Given any set S of leaves, and the values of the keys of a set of
  nodes R (either internal nodes or leaves) such that S is exactly
  the union of the leaves of the subtrees rooted by nodes in R, the
  values of the other nodes of the tree are pseudorandom
• Consider a user which did not receive the messages of t
  successive key updates and needs to learn the keys of the t
  successive leaves which were associated with the group keys sent
  in these key updates. Denote this set of leaves as S, the GC
  should send to the user the keys of the nodes in R


                                                                  16
         A concise representation of keys-
        A method secure against collusions
• <Lemma 2>
  Let T be a complete binary tree with N=2n leaves. Then given
  any set S of consecutive leaves, there is a set R of at most 2n-
  2 nodes such that S is exactly the union of the leaves of the
  subtrees rooted by the nodes in R.
  <proof>
• <Theorem 3>
  Given any set S of t consecutive leaves in a complete binary
  tree, there is a set R of at most             nodes such that S
  is exactly the union of the leaves of the subtrees rooted by the
  nodes in R.
  <proof>


                                                                     17
  Updating keys on the path from a
          leaf to the root
• <Theorem4>
  For any user, after t key updates of random leaf
  keys using the LKH protocol:
  – It holds with high probability that log t + O(1) keys
    need to be updated;
  – The expected number of keys that have to be
    updated is at most log(t) + log log(n/t) + O(1)
<proof>

                                                            18
Updating keys on the path from a
        leaf to the root




                                   19
     A concise representation of keys-
A method with no security against collusions




                                               20
     A concise representation of keys-
A method with no security against collusions




                                               21
         A concise representation of keys-
        A method secure against collusions
Let Ti be a complete binary tree with 2i leaves.




Þ Ri=max(Ri-1,2Ei-1)
  Ei=max(Ei-1,Ei-1+1)=Ei-1+1
R1=E1=1
Ri=2Ei-1=2i-2
Ei=i

                                                   22
       A concise representation of keys-
      A method secure against collusions
Let N=2n be the number of leaves in the tree
Let r=
Consider the tree of as a collection of N/2r subtrees
t/2<2r≤t Þleaves in S can span at most three consecutive
            such subtrees
           (some or all of the leaves of the outer subtrees
            are contained in S)
Applying Lemma 2, |R|=Er+1+Er=2r+1=


                                                         23
      Updating keys on the path from a
              leaf to the root
Considering t key updates,
P( the intersection with all the paths from the leaves of the updated keys are of length at most l)
=(1-2-l)t
                                                                                                      High
Setting l=log t +c, (1-2-l)t=                                                                         prob.
E( the length of the intersection path)
<
Setting c=loglog(n/t)
E( )=logt+loglog(n/t)+O(1)

                                                                                                              24

								
To top