Optimal subset-difference broadcast encryption with free riders

Cataloged from PDF version of article.Broadcast encryption (BE) deals with secure transmission of a message to a group of receivers such that only an authorized subset of receivers can decrypt the message. The transmission cost of a BE system can be reduced considerably if a limited number of free riders can be tolerated in the system. in this paper, we study the problem of how to optimally place a given number of free riders in a subset-difference (SD)-based BE system, which is currently the most efficient BE scheme in use and has also been incorporated in standards, and we propose a polynomial-time optimal placement algorithm and three more efficient heuristics for this problem. Simulation experiments show that SD-based BE schemes can benefit significantly from the proposed algorithms. (C) 2009 Elsevier Inc. All rights reserved

Dynamic Tardos Traitor Tracing Schemes

We construct binary dynamic traitor tracing schemes, where the number of watermark bits needed to trace and disconnect any coalition of pirates is quadratic in the number of pirates, and logarithmic in the total number of users and the error probability. Our results improve upon results of Tassa, and our schemes have several other advantages, such as being able to generate all codewords in advance, a simple accusation method, and flexibility when the feedback from the pirate network is delayed.Comment: 13 pages, 5 figure

Complete Tree Subset Difference Broadcast Encryption Scheme and its Analysis

The Subset Difference (SD) method proposed by Naor, Naor and Lotspiech is the most popular broadcast encryption (BE) scheme. It is suitable for real-time applications like Pay-TV and has been suggested for use by the AACS standard for digital rights management in Blu-Ray and HD-DVD discs. The SD method assumes the number of users to be a power of two. We propose the Complete Tree Subset Difference (CTSD) method that allows the system to support an arbitrary number of users. In particular, it subsumes the SD method and all results proved for the CTSD method also hold for the SD method. Recurrences are obtained for the CTSD scheme to count the number, $N(n,r,h)$, of possible ways $r$ users in the system of $n$ users can be revoked to result in a transmission overhead or header length of $h$. The recurrences lead to a polynomial time dynamic programming algorithm for computing $N(n,r,h)$. Further, they provide bounds on the maximum possible header length. A probabilistic analysis is performed to obtain an $O(r \log{n})$ time algorithm to compute the expected header length in the CTSD scheme. Further, for the SD scheme we obtain an explicit limiting upper bound on the expected header length

Complete tree subset difference broadcast encryption scheme and its analysis

The subset difference (SD) method proposed by Naor, Naor and Lotspiech is the most popular broadcast encryption (BE) scheme. It is suitable for real-time applications like Pay-TV and has been suggested for use by the AACS standard for digital rights management in Blu-Ray and HD-DVD discs. The SD method assumes the number of users to be a power of two. We propose the complete tree subset difference (CTSD) method that allows the system to support an arbitrary number of users. In particular, it subsumes the SD method and all results proved for the CTSD method also hold for the SD method. Recurrences are obtained for the CTSD scheme to count the number, N(n, r, h), of possible ways r users in the system of n users can be revoked to result in a transmission overhead or header length of h. The recurrences lead to a polynomial time dynamic programming algorithm for computing N(n, r, h). Further, they provide bounds on the maximum possible header length. A probabilistic analysis is performed to obtain an O(r log n) time algorithm to compute the expected header length in the CTSD scheme. Further, for the SD scheme we obtain an explicit limiting upper bound on the expected header length

Optimal sequential fingerprinting: Wald vs. Tardos

We study sequential collusion-resistant fingerprinting, where the fingerprinting code is generated in advance but accusations may be made between rounds, and show that in this setting both the dynamic Tardos scheme and schemes building upon Wald's sequential probability ratio test (SPRT) are asymptotically optimal. We further compare these two approaches to sequential fingerprinting, highlighting differences between the two schemes. Based on these differences, we argue that Wald's scheme should in general be preferred over the dynamic Tardos scheme, even though both schemes have their merits. As a side result, we derive an optimal sequential group testing method for the classical model, which can easily be generalized to different group testing models.Comment: 12 pages, 10 figure

A key Management Scheme for Access Control to GNSS Services

Conditional access is a challenging problem in GNSS scenarios. Most key management schemes present in literature can not cope with all GNSS related issues, such as extremely low bandwidth, stateless receivers and the absence of an aiding channel. After assessing existing techniques, a novel key management scheme called RevHash has been devised with particular emphasis on guaranteeing revocation capabilities to the system, in order for it to be robust against anomalies and attacks

Tree based symmetric key broadcast encryption

The most influential broadcast encryption (BE) scheme till date was introduced in 2001 by Naor, Naor and Lotspiech (NNL) and is based on binary trees. This paper generalizes the ideas of NNL to obtain BE schemes based on k-ary trees for any k≥2. The treatment is uniform across all k and essentially provides a single scheme which is parameterized by the arity of the underlying tree. We perform an extensive analysis of the header length and user storage of the scheme. It is shown that for a k-ary tree with n users out of which r are revoked, the maximum header length is min(2r−1,n−r,⌈n/k⌉). An expression for the expected header length is obtained and it is shown that the expression can be evaluated in O(rlogn) time. Experimental results indicate that for values of r one would expect in applications such as pay TV systems, the average header length decreases as k increases. The number of keys to be stored by any user is shown to be at most (χk−2)ℓ0(ℓ0+1)/2, where ℓ0=⌈logkn⌉ and χk is the number of cyclotomic cosets modulo 2k−1. In particular, when the number of users is more than 1024, we prove that the user storage required for k=3 is less than that of k=2. For higher values of k, the user storage is greater than that for binary trees. The option of choosing the value of k provides a designer of a BE system with a wider range of trade-offs between average header length and user storage. The effect of layering on the k-ary tree SD scheme is also explored

A practical key management and distribution system for IPTV conditional access

Conditional Access (CA) is widely used by pay-television operators to restrict access to content to authorised subscribers. Commercial CA solutions are available for structured broadcast and Internet Protocol Television (IPTV) environments, as well as Internet-based video-on-demand services, however these solutions are mostly proprietary, often inefficient for use on IP networks, and frequently depend on smartcards for maintaining security. An efficient, exible, and open conditional access system that can be implemented practically by operators with large numbers of subscribers would be beneficial to those operators and Set-Top-Box manufacturers in terms of cost savings for royalties and production costs. Furthermore, organisations such as the South African Broadcasting Corporation that are transitioning to Digital-Terrestrial-Television could use an open Conditional Access System (CAS) to restrict content to viewing within national borders and to ensure that only valid TV licence holders are able to access content. To this end, a system was developed that draws from the area of group key management. Users are grouped according to their subscription selections and these groups are authorised for each selection's constituent services. Group keys are updated with a key-tree based approach that includes a novel method for growing full trees that outperforms the standard method. The relations that are created between key trees are used to establish a hierarchy of keys which allows exible selection of services whilst maintaining their cryptographic protection. Conditions for security without dependence on smartcards are defined, and the system is expandable to multi-home viewing scenarios. A prototype implementation was used to assess the proposed system. Total memory consumption of the key-server, bandwidth usage for transmission of key updates, and client processing and storage of keys were all demonstrated to be highly scalable with number of subscribers and number of services