This application claims priority from Korean Patent Application No. 2005-15967, filed on Feb. 25, 2005, the entire content of which is incorporated herein by reference.
1. Field of the Invention
Methods consistent with the present invention relate to broadcast encryption, and more particularly, to hierarchical threshold tree-based broadcast encryption which can improve the performance of a broadcast transmitting system and protect data against collusion attacks by revocators through a hierarchical use of a (t,n)-threshold technique.
2. Description of the Related Art
In general, there are two kinds of encryption systems that are distinguished depending on their encryption key management types: one is a symmetric cipher (or secret key) encryption system and the other is a non-symmetric cipher (or public key) encryption system. The symmetric cipher encryption system is an encryption method that had been mostly used before the public key encryption system came to existence. In the symmetric cipher encryption system, the same key is used for both the encryption and decryption. For example, in the case where a sender converts a plaintext message into a ciphertext through an encryption key and an encryption algorithm, and transmits the ciphertext to a recipient, the recipient may restore the ciphertext back to the original plaintext using a decryption algorithm having the same key used for the encryption algorithm.
In this case, the recipient should safely exchange the encryption key prior to a cryptographic communication. Thus, any third party, who intends to tap into the messages, cannot know the original plaintext unless the third party finds the key used by the sender and the recipient. However, the number of keys that should be managed is increased as the number of sender-recipient parties subject to encryption is increased, from which a number of problems in key management and exchange have arisen.
In comparison to the symmetric cipher encryption system, the non-symmetric cipher encryption system is based on mathematical function. The non-symmetric cipher encryption system has a pair of keys one of which is open to the public so that anyone can use it, and the other of which is secret. Here, the key open to the public is called a public key, and the secret key is called a private key.
In order to communicate between the sender and the recipient using the public key, the sender first encrypts a message with the public key of the recipient and transmits it to the recipient. The recipient obtains the plaintext of the message by decrypting the ciphertext with his/her private key. Even if someone has obtained the ciphertext through a network, the message can be safely transferred because he cannot decrypt the ciphertext without the private key of the recipient. The reason is that the private key is always kept secret by its owner and is not known or transmitted to anyone.
The symmetric cipher is widely used to encrypt/decrypt a broadcast stream because the encryption/decryption using the symmetric cipher can be performed very quickly and the symmetric cipher can be safely transferred through a limited access system that permits an access of privileged users (authorized users) only.
In a data transmission system using general broadcast encryption (BE), contents providers create various beneficial data including audio and video data, and provide the created data to service providers. Then, the service providers broadcast the data to rightful users (e.g., users of mobile digital right management (DRM) networks and smart home DRM networks) who have paid charges for the corresponding data through various kinds of wire/wireless communication networks.
For example, the service provider can transmit data to users' devices such as set-top boxes provided with various satellite receivers via a satellite, and transmit the data to mobile communication terminals through a mobile communication network. Also, the service provider can transmit the data to various terminals of smart home networks through the Internet.
In order to prevent the non-privileged users (unauthorized users) who have not paid the due charges for the corresponding data, the data is encrypted by a BE method.
Security in the encryption/decryption system generally depends on an encryption key management system. In the encryption key management system, an important aspect is how to derive encryption keys. Also, it is important to manage and update the derived encryption keys.
A data transmission method by the public key scheme is a data transmission method that includes key values for rightful users in data to be transmitted from the service provider to the users. That is, the data transmitted by the service provider through broadcast/home network is composed of a header part including authenticated information and an encrypted data part including actual data information. The header part includes a group ID and key value information of the privileged users (authorized users) corresponding to each authorized group so that the data is transmitted only to the users of the authorized group. Therefore, the data is encrypted by Certificate Revocation List (CRL) and Online Certificate Status Protocol (OCSP) including CRL and OCSP information, and the encrypted data is transmitted to the recipients. Then, the privileged users (authorized users) can use the data by confirming their key value information included in the header part of the received data and normally performing an authentication.
In the BE method, the header part includes only the group ID and key value information corresponding to the group. Therefore, the rightful users of the authorized group can normally decrypt the received data using their own group key value.
Another BE method is disclosed in “Broadcast Encryption” by Fiat, et al. (Crypto '93, LINCS vol. 839, pp 480-491, 1994) (hereinafter referred to as “Fiat algorithm”). This method has proposed two basic BE algorithms and an algorithm having an enhanced security against collusion attacks.
Now, the Fiat algorithm will be briefly explained. For the explanation of the Fiat algorithm, some coefficients are defined as follows:
U: Set of users with |U|=n
P: Set of privileged users with |U−P|=r
N: RSA composite
y1, . . . , yn: Distinct primes
usri: A user in U where 1≦i≦n
O: A positive integer satisfying 1≦O≦N
The Fiat algorithm enables a server to create system coefficients N, y1, . . . , yn, O of the defined coefficients, and N, y1, . . . , yn of the defined coefficients to be publicly disclosed to anyone to get access. Also, if user usri subscribes to the service, the server performs the following process:
1. Assign value yi to the users usri.
2. Calculate secret information ui=0yi (mod N) of the user usri.
3. Safely transfer the calculated secret information to the user usri.
Initial setup and user subscription procedure are completed through the above process. Then, if privileged user (authorized user) group P⊂U is given, group key KP for each user is set by Equation (1).
At this time, each user included in P can calculate the group key KP of Equation (1) by Equation (2) using the value ui obtained from the server.
Since non-privileged users (unauthorized users) or revocators have a prime number yi, which is not included in the KP, in the exponent of ui, they cannot calculate the group key KP without removing the prime number yi from the exponent. This calculation is actually impossible due to the problem that ‘the prime factorization of N is hard”. Thus, the BE can be effectively done for the rightful user according to the above-mentioned method.
However, if two users, e.g., usri and usrj, share their secret information each other, serious problems may occur in the security of the Fiat algorithm. That is, since yi and yj are relatively prime, integers “a” and “b” satisfying a condition “ayi+byj=1” can be easily obtained. Then, the two users can obtain the secret information “value O” of the system from Equation (3).
uiaujb≡Oay
Therefore, the non-privileged users (unauthorized users) can obtain the group key KP from the “value O” in all cases. That is, if the two users act in collusion to obtain the secret information of the server that broadcasts contents, the security of the system can no longer be assured. The above system, which is secure from one attacker but is not secure from two or more attackers, is called a “1-resilient system.” Although Fiat has proposed a “k-resilient system” based on the 1-resilient system, it is quite inefficient.
The k-resilient system is to remove a certain number of receivers (the number of receivers is “t” at maximum) which attempt to collude with each other. In the system, however, relatively long messages are required, relatively a large number of keys should be stored in the receivers, and each of the receivers should perform one or more decryption operations.
Further, the system does not consider a scenario of a state non-retaining receiver. It is necessary to avoid the difficulty of supposition as to how many receivers will collude with each other. Further, it is necessary to minimize the size of a message and the number of stored keys, and to minimize the decryption operations to be performed by the receivers in order to optimize the performance of the system.
Additionally, other encryption systems like the Fiat system do not provide a scenario of a state non-retaining receiver, and thus they cannot be effectively applied to the protection of contents in a recording medium.
The present invention provides a hierarchical threshold tree-based BE method that is safe from collusion attacks and can reduce transmission/storage/operation loads.
According to an aspect of the present invention, there is provided a hierarchical threshold tree-based BE method, according to the present invention, which comprises a first step for a server initialization and a user subscription; a second step of distributing a message to enable a privileged user (authorized user) to decrypt a group key; and a third step of the privileged user (authorized user) decrypting the message using the group key.
The first step may comprise the steps of constructing a tree with h levels to correspond to all users; dividing nodes of respective levels except level “0” of the tree into one or more sub-groups each of which includes w nodes; randomly creating node keys which correspond to the respective nodes of the tree except level “0”; creating random polynomials of the d-th degree which correspond to all the sub-groups of the respective levels except level “0” for each sub-group; creating shared values for restoring secret values of the d-th degree polynomials by replacing x with IDs of the respective nodes in the created d-th degree polynomials; and transmitting the created node keys and the shared values to the respective users.
Here, the first step may further comprise the step of storing the node keys and the shared values transmitted from the server as secret keys of the users.
The degree “d” of the d-th degree polynomials may be a value that satisfies a condition of 1≦d≦w/2.
The secret values may be obtained by replacing x with “0” in the d-th degree polynomials.
The second step may comprise the steps of creating the group key sk, constructing a Steiner tree by linking all the nodes which correspond to members belonging to a set R of revocators when the set R is given; calculating the number of nodes belonging to the Steiner tree for the respective sub-group S1,j; creating the broadcasting messages using different encryption methods in accordance with which condition the number I1,j of nodes belonging to the Steiner tree satisfies between 1≦I1,j≦w/2 and I1,j>w/2; and transmitting the created broadcasting messages.
Here, the step of creating the broadcasting message may comprise the steps of creating a first ciphertext by encrypting the group key using the secret value of the d-th degree polynomial which corresponds to the respective sub-group if the number I1,j of nodes belonging to the Steiner tree satisfies a condition of 1≦I1,j≦w/2; adding the shared value which corresponds to the respective sub-group and the first ciphertext to a first region of the broadcasting message; searching for a node that does not belong to the Steiner tree of the respective sub-group and creating a second ciphertext by encrypting the group key using the node key of the searched node if the number I1,j of nodes belonging to the Steiner tree satisfies a condition I1,j>w/2; adding the second ciphertext to a second region of the broadcasting message; and creating a third ciphertext by encrypting the group key using the shared value located in the first part, the first ciphertext and the second ciphertext located in the second part, and creating the broadcasting message to be transmitted to the respective user by adding the created third ciphertext to a third region of the broadcasting message.
The third step may comprise the steps of confirming whether the shared ID corresponding to the shared value retained by the privileged user (authorized user) exists in the first region of the broadcasting message; if it is confirmed that the shared ID exists in the first part, restoring the secret value of the corresponding polynomial and decrypting the group key from the first ciphertext using the restored secret value; and decrypting the broadcasting message using the group key.
Here, it is desirable for the shared ID to be the information which lets known the shared value among the shared values retained by the user, that is to be used to restore the above secret value.
The secret value of the corresponding polynomial is restored using the shared value corresponding to the shared ID, the shared value retained by the user and a Lagrange polynomial.
The third step may further comprise the steps of searching for the corresponding node ID in the second region of the broadcasting message and decrypting the group key using the node key corresponding to the node ID if the shared ID corresponding to the shared value retained by the privileged user (authorized user) does not exist in the first region of the broadcasting message; and decrypting the broadcasting message using the group key.
Here, it is desirable for the above node ID to be the information which lets known to the user the node key that is to be used to decrypt the group key.
Now, coefficients used to explain the hierarchical threshold tree-based BE method according to an exemplary embodiment of the present invention are defined as follows:
N: Set of all users, the number of users being |N|=n=2a.
R: Set of revocators, the number of revocators being |R|=r, where R is a subset of N.
Ni: Identifier of node i in the tree.
w: w of an assumed perfect w-ary tree.
h: Depth of tree, which is h=logwn.
l: The level of the tree; starts from the root where the level of the route is “0.”
Sl,j: j-th sub-group corresponding to level l. ID of Sl,j is denoted by sl,j.
fl,dS
kN
sk: Group key.
FK: [0,1]*→[0,1]*: Used to encrypt a message M and the group key sk. FK should be fast in its rate and the length of input values should not be expanded due to the encryption. The data and the key K may be XOR-gated as a simple implementing method.
FK−1: [0,1]*→[0,1]*: Decryption function of FK.
h: [0,1]*→[0,1]K: Collision-resistance unidirectional hash function.
Broadcasting message transmitted by the server. MB may be briefly divided into three parts. The first region sharei means a shared value used to restore the secret value fi (0) of the polynomial in the (t,n)-threshold scheme. IDS
The above aspects of the present invention will be more apparent by describing certain exemplary embodiments of the present invention with reference to the accompanying drawings, in which:
Certain exemplary embodiments of the present invention will be described in greater detail with reference to the accompanying drawings.
In the following description, same drawing reference numerals are used for the same elements even in different drawings. The matters defined in the description such as a detailed construction and elements are nothing but the ones provided to assist in a comprehensive understanding of the invention. Thus, it is apparent that the present invention can be carried out without those defined matters. Also, well-known functions or constructions are not described in detail since they would obscure the invention in unnecessary detail.
The hierarchical threshold tree-based BE method according to an exemplary embodiment of the present invention comprises a setup step S220 for a server initialization and a user subscription, a broadcast step S240 of distributing a message to enable a privileged user (authorized user) to decrypt a group key, and a decryption step S260 of the privileged user (authorized user) decrypting the message using the group key.
First, the setup step for the server initialization and user subscription will be described with reference to the drawings.
In the setup step, it is assumed that the key structure corresponding to all the users has a form of a perfect w-ary tree, and all the nodes of levels except level 0 (e.g.; root) are divided into sub-groups S1,j each of which has 4 nodes.
First, a server randomly creates a node key kN
The server creates a shared value fl,dS
Then, the server transmits the created node key and the shared value fl,dS
Each user Ui stores two types of key values as the secret key. One type of the secret key is h node keys kN
The other type of the secret key stored by the user is h×(w/2) shared values fl,dS
When the setup step (S220) is completed as described above, the server performs the broadcast step (S240) for broadcasting a group key sk and a message M to privileged users (authorized users) as follows.
First, the server calculates the number Il,j of nodes belonging to ST(R) of each sub-group Sl,j (S430). When the calculated number I1,j of nodes belonging to ST(R) satisfies 1≦I1,j≦w/2 (S440), the server creates a first ciphertext fl,dS
fl,dS
The server adds the shared key fl,dS
of the broadcasting message MB (460). As an identifier to inform a member of the shared value among the shared values retained by the member, used to recover the secret value, the IDS
Meanwhile, if the calculated number I1,j of nodes belonging to ST(R) satisfies the condition I1,j>w/2 (S470), the server searches for a node that does not belong to ST(R) for all the sub-groups Sl,j satisfying the condition I1,j>w/2, and creates a second ciphertext
by encrypting the group key sk using the node key of the searched node (480). Then, the server adds the created second ciphertext
to a second region
of the broadcasting message MB (S490). As an identifier of node key Ki used to decrypt the group key, IDk
Then, the server creates a third ciphertext Fsk(M) by encrypting the message to be transmitted using the group key sk (S492).
The server completes the message broadcast step after transmitting the resultant broadcasting message MB created according to the above method to the users (S494).
Last, the third step that is a message decryption step is performed. After each user Ui receives the broadcasting message M from the server, the user obtains the group key sk and decrypts the message MB through the following method.
First, the user confirms whether the shared ID corresponding to his/her own shared value exists in the first region
of the broadcasting message (S520). Upon confirming that the shared ID exists in the first region (S530), the user restores the secret value of the corresponding polynomial using a Lagrange polynomial with his/her own shared value and the corresponding shared value (S540).
After the applicable polynomial is restored, the user decrypts the group key sk from a first ciphertext Ff
If the shared ID corresponding to his/her own shared value does not exist in the first region
of the broadcasting message (S530), the user searches for the corresponding node ID in the second region
of the broadcasting message (S560). Then, the group key sk is decrypted using the node key corresponding to the searched node (S570).
Last, the broadcasting message MB is calculated using the decrypted group key (S580). That is, the broadcasting message MB is calculated from Fsk−1(Fsk(M)).
To aid the understanding of the present invention, the hierarchical threshold tree-based BE method according to an exemplary embodiment of the present invention will be explained under the assumption that |N|=n=26, |R|=r=5, w=22.
1. Setup Step
The server randomly creates node keys kN
Then, the server creates shared values fl,dS
Each user Ui stores three node keys kN
In this exemplary embodiment, only the key information to be retained by the user U21 will be explained without losing the general property of the invention.
2. Message Broadcasting Step
The server performs a process of broadcasting the group key sk and the message M to a privileged user (authorized user).
First, the server creates the group key (sk). If a set of revocators is given by {U21, U36, U123, U124, U125}, the server constructs a Steiner tree ST(R) by linking all the nodes which correspond to the members belonging to the set R of revocators.
The server calculates the number Il,j of nodes belonging to ST(R) of each sub-group Sl,j. Regarding all the sub-groups Sl,j belonging to each level shown in
level1→[S1,1: 2]
level2→[S2,1: 2, S2,2˜S2,3: 0, S2,4: 1]
level3→[S3,1: 1, S3,2˜S3,3: 0, S3,4: 1, S3,5˜S3,15: 0, S3,16: 3]
Then, the server checks which condition the calculated number I1,j of nodes satisfies between 1≦I1,j≦w/2 and I1,j>w/2. In this exemplary embodiment, since w=4, the sub-groups satisfying the condition of 1≦I1,j≦w/2 are S1,1, S2,1, S2,4, S3,1, S3,4, and the sub-group satisfying the condition of I1,j>2 is S3,16.
First, the server performs a broadcasting message creating process for the sub-groups satisfying 1≦I1,j≦w/2, as follows.
The server encrypts a shared value f1,21(1) of the 2nd degree polynomial corresponding to S1,1 and a polynomial's secret value f1,21(0) using the group key sk, and then adds the encrypted value f1,21(0)⊕ sk to a first region of the broadcasting message MB.
Similarly, the server encrypts two shared values f2,21(5) and f2,21(8) of the 2nd degree polynomial corresponding to S2,1 and the polynomial's secret value f2,21(0) using the group key sk, and then adds the encrypted value f2,21(0)⊕ sk to the first region of the broadcasting message MB.
Also, the server encrypts a shared value f2,14(20) of the 1st degree polynomial corresponding to S2,4 and a polynomial's secret value f2,14(0) using the group key sk, and then adds the encrypted value f2,14(0)⊕ sk to the first region of the broadcasting message MB.
Also, the server encrypts a shared value f3,11(21) of the 1st degree polynomial corresponding to S3,1 and a polynomial's secret value f3,11(0) using the group key sk, and then adds the encrypted value f3,11(0)⊕ sk to the first region of the broadcasting message MB.
Also, the server encrypts a shared value f3,14(36) of the 1st degree polynomial corresponding to S3,4 and a polynomial's secret value f3,14(0) using group key sk, and then adds the encrypted value f3,14(0)⊕ sk to the first region of the broadcasting message MB.
Meanwhile, the server performs the following broadcasting message creating process for the sub-group satisfying the condition of I1,j>2. That is, the server searches for a node satisfying the condition of I1,j>2, which does not belong to ST(R) of each sub-group, encrypts the group key sk using the node key corresponding to the searched node, and then adds the encrypted value to a second region of the broadcasting message MB.
In this exemplary embodiment, the sub-group satisfying the condition of I1,j>2 is S3,16. Referring to
If the first and second regions of the broadcasting message MB have been constructed as above, the server creates the encrypted value M⊕ sk of the message M using the group key (sk), adds the encrypted value to the broadcasting message, creates the resultant broadcasting message, and then broadcasts the resultant broadcasting message to the user.
In this exemplary embodiment, the resulting broadcasting message which is last created is given as follows:
MB=<[h(1,2,1)∥f1,21(1)∥f1,21(0⊕sk∥h(1,2,4)∥f1,24(4)∥f1,24(0)⊕sk∥h(2,2,1)∥f2,21(5)∥f2,21(8)∥f2,21(0)⊕sk∥h(2,1,4)∥f2,14(20)∥f1,24(0)⊕sk∥h(3,1,1)∥f3,11(21)∥f3,11(0)⊕sk∥h(3,1,4)∥f3,14(36)∥f3,14(0)⊕sk],[h(126)∥k126⊕sk],M⊕SK≦
3. Message Decryption Step
If the broadcasting message is received from the server, the user obtains the group key sk, and decrypts the message through the following method.
First, referring to
User {U25, . . . , U32} restores a secret value f2,21(0) of the 2nd degree polynomial using shared values f2,21(5), f2,21(8) corresponding to a shared ID h(2,2,1) in the broadcasting message MB and his/her own shared values f2,21(6), f2,21(7), and decrypts the group key sk using the restored secret value.
Also, user {U33, . . . , U35} decrypts the group key sk using a shared value f3,14(36) corresponding to a shared ID h(3,1,4) in broadcasting message MB and his/her own shared values f3,14(33), f3,14(34), f3,14(35). And also, the user {U37, . . . , U110} and the user {U111, . . . , U122} calculate the group key sk as described above.
Since the shared ID corresponding to user U126 does not exist the first region <h(1,2,1)∥, . . . , h(3,1,4)∥f3,14(36)∥f3,14(0)⊕sk]> of the broadcasting message, user U126 searches for a node ID corresponding to the second region [h(126)∥k126⊕sk] of the broadcasting message, decrypts the group key sk using the node key k126 of the corresponding node.
When the group key decryption process is completed, the privileged user (authorized user) {U22, . . . , U35, U37, . . . , U122, U126} decrypts the message received from the server using Fsk−1(Fsk(M)).
If one user is withdrawn at an initial state, six messages are needed. If one more user is withdrawn, only one message is added at minimum, but five messages are added for the worst. As described above, it is required to add five messages for each additional revocator until the condition of 1<r (the number of revocators)<25 is satisfied. Therefore, if 1<r<25, the communication traffic becomes 5r+1. However, if r=25, only four messages are added, thereby resulting in 5·25 of the communication traffic. Also, If 25<r<26(26−1), three messages are added for each additional revocator, thereby resulting in 3r+26 of the communication traffic.
If one user is withdrawn in a state that 26(26−1)<r<26·26, two messages are added at maximum, thereby resulting in 2r+212 of the communication traffic. Last, if 212<r≦216, one message is increased, which follows an equation r+213 that has a slope of 1 and a constant of 213. As a result, if the revocators are maximum, e.g., r=216, the communication traffic becomes 216+213, which is considered as 1.125r for the sake of convenience.
Table 1 below shows communication traffic, user's storage amount and an amount of calculation required for the user to decrypt the message in the hierarchical threshold tree-based BE method according to an exemplary embodiment of the present invention.
As described above, according to an exemplary embodiment of the present invention, it is possible to prevent any group of privileged users (authorized users) from obtaining secret information of the server using secret information of the respective users and information being broadcast by the server. Also, it is possible to prevent any group of revocators from obtaining the group key using their secret information and information being broadcast by the server.
The foregoing exemplary embodiment and advantages are merely exemplary and are not to be construed as limiting the present invention. The present teaching can be readily applied to other types of apparatuses. Also, the description of the exemplary embodiments of the present invention is intended to be illustrative, and not to limit the scope of the claims, and many alternatives, modifications, and variations will be apparent to those skilled in the art.
Number | Date | Country | Kind |
---|---|---|---|
10-2005-0015967 | Feb 2005 | KR | national |
Number | Name | Date | Kind |
---|---|---|---|
5592552 | Fiat | Jan 1997 | A |
6359986 | Tatebayashi | Mar 2002 | B1 |
6839436 | Garay et al. | Jan 2005 | B1 |
7340603 | Asano | Mar 2008 | B2 |
20030126299 | Shah-Heydari | Jul 2003 | A1 |
Number | Date | Country | |
---|---|---|---|
20070189539 A1 | Aug 2007 | US |