Multi-service Oriented Broadcast Encryption Shaoquan Jiang and Guang Gong Department of Electrical and Computer Engineering University of Waterloo Waterloo, Ontario N2L 3G1, CANADA Email:{jiangshq, ggong}@calliope.uwaterloo.ca

Abstract. Multi-service oriented broadcast encryption is a mechanism that allows a center to securely distribute multiple services to its authorized users. In this paper, we suggest a framework called M framework from the subset cover method [12] using RSA exponentiation technique. In this framework, each user’s secret storage is independent of the number of services. Service subscriptions and service providing can be efficiently processed. The service unsubscriptions are dealt scalably. A small number of service unsubscriptions can be handled without key updating while the number of such users reaches a threshold, a rekeying algorithm is proposed to update the user’s service memberships explicitly. We formalize and prove the framework is dynamically secure under the random oracle model. We realize our framework with two schemes based on complete subtree method [12] and Asano method [1], respectively.

1

Introduction

Broadcast encryption is a mechanism that allows one party to securely distribute his data to privileged users. This mechanism has important applications in pay-TV, stock quotes, and online databases, etc. After the work by Fiat and Naor in 1993 [7], it has been extensively studied in the literature. Examples include schemes for stateless receivers [1, 12, 14], public-key based schemes [2, 6, 15] and rekeying schemes [17, 16, 4, 11]. In this paper, we consider multi-service oriented broadcast encryption (MOBE), which is explained as follows. Suppose that a broadcast center (BC) wants to distribute multiple services to a set of users such that each user is allowed to access a specific service if and only if he has subscribed to it. Here, the security concerns are traitor tracing, service unsubscriptions, etc. One possible solution is to associate each service with a distinct system (in a single service setting). The main problem here is that a user’s secret storage is proportional to the number of his subscribed services. 1.1

Related Work

The MOBE problem is related to the flexible access control problem studied by Chick and Tavares [5], where each user is assigned a master key using an RSA exponentiation technique that allows him to access his subscribed services. However, users get an identical key set if they subscribe to the same set of services. Thus, it is impossible to distinguish such users. Consequently, traitor tracing and service unsubscriptions are not achievable. Narayanan et al. [13] considered a multi-service notion called a practical pay-TV scheme. They proposed three schemes. The third one is the most interesting scheme as it is secure and has traceability. However, their scheme is only suitable for application with a small number of services since the user key size is still linear in the number of subscribed services. Furthermore, their service unsubscription utilizes a unicast channel. It follows that it is not suitable for applications with a large number of users or applications with frequent membership updating. The authors claimed that the second scheme is secure against a collusion attack. However, we show that this is not true.

1.2

Contribution

We propose a framework called the M framework for the MOBE problem. We first achieve multi-service functionality from the subset cover method [12] (in the single service setting) using the RSA exponentiation technique. To further improve the efficiency when unsubscription is frequent (the caused problems include the broadcast overhead increased, management burdens added and revoked IDs wasted), we propose a multi-service rekeying algorithm by extending a previously obtained rekeying framework [9, 11]. In the full framework, a user’s key size in M is independent of the number of services. Subscription and new service provision are handled without involving unintended users. Furthermore, service unsubscription is handled scalably, which makes the system flexible. To gain a better understanding of this framework, we realize it by using two efficient schemes: Mcs and MA , which are based on the complete subtree method [12] and the Asano method [1], respectively. Finally, in order to evaluate the security of our framework, we formalize the notion of dynamic security. This captures threats from an adaptive adversary that might issue queries such as subscription, rekeying, corruption and new service provision. We show that the M framework is secure under such a severe attack. Our proof is in the random oracle model. This paper is organized as follows. In Section 2, we introduce our M framework and show their features. In Section 3, we present a realization of M framework, from the complete subtree method. In Section 4, we introduce the realization of the framework from Asano method. In Section 5, we formalize and prove the dynamic security of the M framework. In Section 7, we comment on the security of the second NRK scheme [13].

2

A Framework for Multi-service Oriented Broadcast Encryption

In this section, we introduce our M framework for the MOBE problem and show some advantages of this framework. 2.1

Description of M Framework

Let U be the set of all possible users; BC be the broadcast center; w be the number of services BC provides. BC wants to provide services {1, · · · , w} with controlled access rights. Preprocessing Phase 1. BC chooses an RSA composite N = pq where p, q are two large primes, and w primes p1 , p2 , · · · , pw . Then he makes N, p1 , · · · , pw public and keeps p, q secret. 2. BC defines a collection of subsets of U : S1 , S2 , · · · , Sz , where z is polynomially bounded. We require that {u} is contained in the collection, for all u ∈ U . Then BC associates a secret number ki with Si , i = 1, ·Q · · , z. 3. BC defines Q = w i=1 pi . Let {1, 2, · · · , w} be the set of services currently available, B(u) be Q Q/Z(u) the set of services to which user u has subscribed, Z(u) = i∈B(u) pi , and K(u) = {ki (mod N )|u ∈ Si , i = 1, · · · , z}. Note that in this paper unless otherwise stated, we always assume that the exponentiation is carried out modulo N .

2

Join Phase When a new person asks to join, BC first finds a free ID u ∈ U and assigns K(u) and a random subscription key cu to this person. Here, cu is only for subscription use and remains unchanged as long as the user is in the system. We denote this person simply by u when the context is clear. Broadcast Phase Let Ui be the set of all the users that subscribe to the service i. When BC wants to broadcast the message M for the service i to all users in Ui \Ri , for some Ri ⊆ Ui , he first finds a set cover Si1 , Si2 , · · · , Sim for U \Ri , i.e., Si1 ∪ Si2 ∪ · · · ∪ Sim = U \Ri . He then forms the ciphertext as Hi (Ri , M ) := hi1 , · · · , im , Eski1 ,i (k), · · · , Eskim ,i (k), Fk (M )i, (1) Q/p

where skij ,i = f (kij i ), E and F are two encryption algorithms (usually E has a higher security than F ), and f : Z∗N → {0, 1}L is a public hash function where L is the key size of E. Decryption Phase When receiving Hi (Ri , M ), a user u in Ui \Ri (⊆ U \Ri ) first finds j such that Q/Z(u) u ∈ Sij . Since u has kij , he can compute skij ,i and obtain message M. Subscribing to More Services We now show that it is convenient for an existing user u to subscribe to more services. Suppose u wants to add service j to B(u). He first updates B(u) to Q/p B 0 (u) = B(u) ∪ {j}, Z(u) to Z 0 (u) = Z(u) × pj . BC then provides a key set {ki j |u ∈ Si , i = 1, · · · , z} to u encrypted under the subscription key cu . When u gets this key set, he can update Q/z 0 (u) K(u) to K 0 (u) := {ki |u ∈ Si , i = 1, · · · , z} as follows. He finds integers a, b using the Euclidean algorithm such that pj a + bZ(u) = 1 and then computes Q/Z(u) a

(ki

Q/pj b

) (ki

aQ/Z(u)+bQ/pj

) = ki

Q 0

= kiZ (u)

(pj a+Z(u)b)

Q/Z 0 (u)

= ki

.

It is clear that K 0 (u) is the current key set for user u. For simplicity, we still denote the updated parameters as K(u), B(u), Z(u), respectively. Service Unsubscription Suppose a set of users Ri0 quit service i at some moment. The main concern is to prevent them from accessing it again afterwards. If the size of Ri0 is small, this can be handled without updating other users’ secret information. Specifically, in the broadcast phase, BC can use a set Ri containing Ri0 as the excluding set. However, as mentioned in the introduction, when the size of Ri0 grows large, this method is inefficient. In our method, we propose an extension of a rekeying algorithm [9] to explicitly update users’ service memberships (see the rekeying phase for details). Providing New Services We show that it is convenient for BC to provide a new service (w + 1). To do this, BC first finds a prime number pw+1 and updates Q to Q0 = Q×pw+1 . Then he computes qw+1 0 qw+1 = p−1 . w+1 (mod φ(N )), where φ(·) is the Euler function. For each ki , he computes ki := ki Q0 /Z(u)

Q/Z(u)

For an existing user u, his secret key information does not change since k 0 i = ki . If u Q0 /pw+1 0 wants to subscribe to service (w + 1), BC provides pw+1 and {k i |u ∈ Si , i = 1, · · · , z} to him, encrypted under cu . Then u updates B(u), Z(u), K(u). As a summary, providing a service does not affect an existing user’s activity and he does not even need to know about this new service. On the other hand, subscribing to this new service is as easy 3

as subscribing to an existing service. Rekeying Phase When the size of the set Ri quitting a certain service i grows large, the system will become inefficient. Thus, it is desired to permanently update users’ service memberships. Let ∆ : U → {1, · · · , w} be a function such that ∆(u) is the set of services that u will quit in this rekeying event. Note that revoking an illegal user can be regarded as the user quitting all the services. We now extend a rekeying algorithm in [9] to the multi-service setting. We remark that the rekeying algorithm in [9] is an extension of that in [11]. Let R be the set of users that will quit at least one service. Then for a given pair (R, ∆), we can simultaneously update every user’s key information (for all possible services). In order to present the algorithm in a clear way, we introduce some notation. Let G(1κ ; r1 r2 · · · rµ ) be the algorithm to generate (k1 , · · · , kz ), where κ is the security parameter and r1 · · · rµ is the random input. Let Ti be the minimum subset of {r1 , · · · , rµ } such that ki is a deterministic function of Ti . Note Ti is well defined and unique. Let A, B be subsets of {k1 , · · · , kz }. When we say the generation process of A and B shares no random bits, we mean ∪ki ∈A Ti is disjoint with ∪kj ∈B Tj . From this notion, we immediately see that if the generation processes of A and B share no random bits, then they are independent. Definition 1. Define C(ki ) to be the minimal subset of {k1 , · · · , kz } containing ki such that generation process for C(ki ) shares no random bits with generation process for {k1 , · · · , kz }\C(ki ). Q/p

Since kt j needs updating if and only if kt needs updating, we only need to determine the subset of {k1 , · · · , kz } that needs updating. In fact, we have the following lemma. Lemma 1. 1. C(ki ) and C(kj ) are either disjoint or identical. 2. Let R be the set of users that will quit at least one service. Then it suffices to update ∪i:Si ∩R6=∅ C(ki ). Proof. 1. First C(ki ) is well-defined. Suppose C1 (ki ) and C2 (ki ) both satisfy the definition for ki . Then in the generation process, C1 (ki ) share no random bits with {k1 , · · · , kz }\C1 (ki ). Thus, C1 (ki ) ∩ C2 (ki ) share no random bits with {k1 , · · · , kz }\C1 (ki ). Similarly, C1 (ki ) ∩ C2 (ki ) share no random bits with {k1 , · · · , kz }\C2 (ki ). Thus, C1 (ki ) ∩ C2 (ki ) share no random bits with {k1 , · · · , kz }\(C1 (ki ) ∩ C2 (ki )). Since ki ∈ C1 (ki ) ∩ C2 (ki ), by the definition of C(ki ) we have C1 (ki ) ⊆ C1 (ki ) ∩ C2 (ki ). Thus, C1 (ki ) = C2 (ki ). Next suppose that C(ki ) ∩ C(kj ) is a non-empty proper subset of C(ki ). Note that by a similar proof as above, we know that ∀kt ∈ C(ki ) ∩ C(kj ), C(kt ) ⊆ C(ki ) ∩ C(kj ). This implies that ∪t C(kt ) = C(ki )∩C(kj ), and that ki 6∈ C(ki )∩C(kj ) (as C(ki )∩C(kj ) ⊂ C(ki )). Thus, it follows that ki shares no random bits with C(ki ) ∩ C(kj ). Therefore, ∃Ω ⊆ {k1 , · · · , kz }\{C(ki ) ∩ C(kj )} which satisfies Definition 1 for ki . On the one hand, Ω ∩ (C(ki ) ∩ C(kj )) = ∅ (definition of Ω). However, the uniqueness of C(ki ) implies that Ω = C(ki ). Thus, Ω ∩ (C(ki ) ∩ C(kj )) 6= ∅, contradiction. 2. From item 1, we have the generation process of ∪i:Si ∩R6=∅ C(ki ) shares no random bits with that for {k1 , · · · , kz }\ ∪i:Si ∩R6=∅ C(ki ). Thus, the latter is independent of the former. The conclusion follows. ¥ From this lemma, we see that the subset to be updated is only dependent on R instead of (R, ∆). For future ease of presentation, we would like to use the sub-collection whose corresponding keys need updating. We denote this sub-collection as D(R). So, D(R) := {Si : ki ∈ ∪i:Si ∩R6=∅ C(ki )}. 4

Definition 2. Let S1 , · · · , Sz be the subsets defined in the preprocessing phase. We say that Si has level l if there exists a chain of length l for Si : Si1 ⊂ Si2 ⊂ · · · ⊂ Sil−1 ⊂ Si ,

(2)

where i1 , i2 , · · · , il−1 , i are distinct; and there is no such chain of length l + 1. We use ⊂ to represent “proper subset”. Intuitively, if Si has level l, it has an inclusion chain of length l but it does not have such a chain of length l + 1. Note this does not rule out the possibility that Si has an inclusion chain of length smaller than l. Recall for each ID u, we require Si = {u} for some i. Thus each set in level 1 contains only one ID. This property will be used in the rekeying algorithm in Table 1. Definition 3. For two subsets Si and Sj with Si ⊂ Sj , if there exists no St ∈ {S1 , · · · , Sz } such that Si ⊂ St ⊂ Sj , then we say Si is a child of Sj . Let L be the maximal level for subsets S1 , · · · , Sz . Our rekeying algorithm is described in Table 1.

1. BC first updates B(u), Z(u) for all u ∈ R, where R is the set of users that will quit one or more services according to ∆. For simplicity, we still use symbols B(u), Z(u) after updating. Note that revoking an illegal user is considered as a case that he quits all the services. 2. Determine D(R). 3. For each service j = 1, · · · , w, do the following: For each set Si ∈ D(R) at level 1 do Q/p Q/pj Let Si = {u}. Send Eski,j (ki0 ) to u if j ∈ B(u) where ski,j = f (ki j ), and ki0 is the updated version for ki . For l = 2, · · · , L do For each set Si ∈ D(R) at level l do 0 Q/pj 0 (ki For each child St of Si , broadcast Eskt,j ) to all users in St if at least one user in St is 0 privileged for service j. Here, skt,j = f (kt0 it is the updated value.

Q/pj

), where kt0 = kt if it is not updated; otherwise,

Table 1. Rekeying Algorithm

Figure 1 graphically demonstrates this rekeying process. R = {u1 , u2 , u4 , u5 } in the figure (note that subsets not involved in the rekeying event are omitted in the graph). Now u1 , u4 will quit service j while u2 and u5 are still legal users for it. Thus u2 (resp. u5 ) decrypts the ciphertext in the box and gets the key k20 Q/pj (resp. k50 Q/pj ). He then uses this key for further updating. The following lemma shows the completeness of the rekeying algorithm. Lemma 2. Any new service key ki0 Q/pj is received by its designated users. Proof. We show that any service key from {ki0 |Si ∈ D(R)} is received by its designated users by Q/Z(u) induction. At level 1, if {u} = Si ∈ D(R), u can compute ki since his current privileged set of services B(u) is a subset of the original one. Hence, he can decrypt Eski,j (ki0 Q/pj ) and update 5

3

7

8

2

9

- :

9



  



 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

,

,

)

9

1



4

5

6

4

4

4

4

;

<

=

>

;

>



&



'

0

? ) *

:@

?)

*+

, -)

.

Q

L

E

J

M

R

F G S I &

A : '

O

,

7

8

P 1

K T V

Q

E

L F

G

M

J

J

4

5

6

R

S I &

'

O

P

K T T

J







()





*+

, -)

.

/ 0

,

)

2

1 1

  














 

 

 










 

 

 










 

 

 







 

 

 







 

 

 







 

 

& !







Q

E

L F G

M

J

R

S I & !

Q

E

L

F G X I

J

M

R


 

& &

& & O

P

K O

J

T U

P

J

K

Q

E

L F G S

J

M

R

I & & Q

E

L

F G S

M

J

R

I & !

O

P

K ^

J

O

P

K W

  



J

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 



&

]

Z

[

Q

E

F G\

I

L

M

J

R

&

D

[

J

O

P

K

Q E

F GY

L

I

Z

Q

E

L

F G S

M

M

J

J

O

R

P Q

R J

K

I

E

L F G

S H

J

M

R

I &

]

O

P [

O

P

K V

J

K J



  





  







































































 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 





















































 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

 

Q

E

F

G

L

I

M

Q J

R

E

F G H

L

I

M

J

R

!

O

V

&

"

#

&

%

!

J

P

N

K

"

J

#

$

!

"

%

_ a

`

&

$ 6

8

.

_

`

%

C

"

#

$

$

'

.

#

!

C

"

%

.

_ a

`

C

$ 6

%

"

$

N

8

P

#

$

'

$ 6

O

K

8

.

_

#

%

$

N

`

B

B

8

$ 6

N

Fig. 1. A Small Example for Rekeying Process Q/p

ki j to ki0 Q/pj for every j ∈ B(u). Thus the user’s keys corresponding to Si at level 1 are properly updated. Assume that keys corresponding to levels lower than l are properly updated, we consider level l. Let Si ∈ D(R) be a subset at level l. Then for any child St of Si , each u ∈ St has the most recent version kt0 Q/pr if kt is updated since St has a level at most l − 1; kt0 = kt if it is not updated. 0 Q/pj ) and update k Q/pj to k 0 Q/pj properly. 0 (k Therefore, he can obtain ki0 Q/pj by decrypting Eskt,j i i i With {ki0 Q/pj |j ∈ B(u)}, he can easily compute ki0 Q/Z(u) by using elementary number theory. 2.2

¥

Performance

Now we discuss the performance of our framework. Other parameters, e.g., broadcast overhead, rekeying complexity, can be clear only in a specific construction. User Storage From the key assignment, we know that user u’s private storage is at most |K(u)|+ 11 and is independent of the number of services. On the other hand, an efficient representation of primes could be achieved by a generation program. Thus, the corresponding memory can be regarded as negligible. Thus, our framework has an important gain over the method using an independent system for each service, especially when the number of services is large. Flexible Subscription/Unsubscription In our method, a user’s subscription does not interfere with other users. Service unsubscription is scalable. A small number of service unsubscriptions can be treated without key updating. However, if this number reaches a certain threshold, the rekeying algorithm can update the user key sets explicitly. Such scalability indeed avoids inefficiency problems which occur in a stateless scheme when unsubscriptions are frequent (e.g., incremental management burden, reduced capacity of users). 1

Note the actual storage might be smaller than this (e.g., a construction based Asano method [1], see Section 5.4 for details).

6

3

Mcs Scheme

The Complete Subtree (CS) broadcast encryption scheme for stateless receivers was proposed by Naor et al. [12]. This is a single service oriented scheme. Roughly speaking, BC first builds a complete binary tree with the leaves being users and then puts a random key at each node. A user’s secret key set is composed of the keys on the path from the root to this user inclusive. In this section, we provide a realization of the M framework based on the CS method. We called this concrete scheme the Mcs scheme.

3.1

Description of Mcs

Preprocessing 1. BC chooses an RSA composite N = pq where p, q are two large primes, and takes w primes p1 , · · · , pw . He then makes N and p1 , · · · , pw public and keeps p, q secret. 2. BC builds a binary complete tree T R with n leaves. Let these leaves from left to right be users u1 , · · · , un , and let the internal nodes be v1 , · · · , vn−1 in breadth-first order. For simplicity, we also identify node ui with vi+n−1 , i = 1, · · · , n. Define Si to be the set of users rooted at node vi , i = 1, · · · , 2n − 1. BC picks a secret random number ki of appropriate length and associates it with Si ,Q i = 1, · · · , 2n − 1. 3. Let Q = w i=1 pi . Let {1, · · · , w} be the currently available services, B(u) the set of services Q Q/Z(u) that user u has subscribed to, Z(u) = i∈B(u) pi , and K(u) = {ki |u ∈ Si , i = 1, · · · , z}. Broadcast Let Ui be the set of users that subscribe to service i. If BC wants to broadcast message M to all users Ui excluding Ri (⊆ Ui ), then BC first finds a Steiner tree Steiner(Ri ) (i.e., the smallest subtree of T R that covers users Ri and the root v1 ). Let vi1 , vi2 , · · · , vim be all the nodes that hang off Steiner(Ri ), where we say a node v hangs off Steiner(R) if v is not in Steiner(R) but v has a neighbor in Steiner(R). Since Si1 ∪ Si2 ∪ · · · ∪ Sim = U \Ri , then BC forms the ciphertext as follows Hi (Ri , M ) = hi1 , i2 , · · · , im , Eski1 ,i (k), · · · , Eskim ,i (k), Fk (M )i, Q/pi

where skij ,i := f (kij Decryption u has

Q/Z(u) kij

), where f is a hash function.

When receiving Hi (Ri , M ), a user u ∈ Ui \Ri first finds j such that u ∈ Sij . Since and pi is a factor of Z(u), he can compute skij ,i and then get message M.

User joining, subscribing to more services, service unsubscriptions, and provision of new services can be carried out as in the M framework. We next present our rekeying algorithm. Rekeying Algorithm It is clear that the maximal level for the collection S1 , · · · , S2n−1 is L = 1 + log n. Since the fact that Si has level l is equivalent to saying that vi is at depth L − l. Suppose that the users in R have one or more services to quit. Note that a different user can quit arbitrary services of his choice. Our rekeying algorithm can handle the service quitting for all R simultaneously, see Table 2. This algorithm actually is an extension of the algorithm in [11] to the multi-service setting. We remark that in the single service setting, the algorithm for the quitting of a single user was proposed in [3, 17]. 7

1. BC updates B(u), Z(u) for all u ∈ R (but we still use these symbols for simplicity). He then finds Steiner(R) (i.e., the smallest subtree in T R that includes R and the root) and for each vi ∈ Steiner(R) he updates ki to a random number ki0 of the same length. 2. For service j = 1, · · · , w do the following: (i) For each v ∈ Steiner(R) at depth L − 1 do Q/pj Suppose Si = {v}. BC sends Eski,j (ki0 ) to v if j ∈ B(v). (ii) For l = L − 2, · · · , 0 do For each node vi ∈ Steiner(R) at depth l, BC updates ki to a random key ki0 ; For each child vb of vi , do Q/pj ) to all users rooted at vb if some of them is privileged for send Esk0 b,j (ki0 Q/p

0 j ) and k0 b is the current associated random = f (kb0 service j, where skb,j number for vb if it is updated; otherwise, k0 b = kb .

Table 2. Rekeying Algorithm for Mcs

Example: To illustrate the algorithm, we demonstrate an example of 8 users in Figure 2. In this example, let R = {u2 , u5 } and suppose u2 will quit service j and u5 will quit service j 0 (the update key for service j 0 is not shown in the figure). The thick subtree in the figure is Steiner(R). The secret seeds on this subtree are first updated by the broadcast center. The keys are distributed for service j to their users. Since j 6∈ B(u2 ), u2 is not eligible to get updated k20 Q/pj . However, since 0 Q/pj ). He then updates u5 does not quit service j, he is eligible to receive and decrypt Esk12,j (k12 Q/pj

k12

0 Q/pj . to k12


 
  





    

    # 




$      

 



 
  

    



     !



       

  







     "


    !  "





Fig. 2. A Small Example for Rekeying Process in Mcs

8

#

3.2

Performance

We now briefly summarize the performance of Mcs . The following parameters are our main concerns: (1) a user’s secret storage, (2) the message overhead in the broadcast phase, i.e. the number of the cover sets used there, and (3) the number of rekeying ciphertexts, representing the computational complexity at the server and the number of times the broadcast channel is used. In Mcs , a user only needs to store 1 + log n secret keys in K(u). Additionally, he should store p1 , · · · , pw , N and B(u) (as before, when w is large, primes pi ’s can be represented by a generation program). The message overhead in the broadcast phase is r log(n/r), where r = |Ri |. To see this, let the left subtree of root have r1 users in Ri and the right subtree have r2 users in Ri . Then by induction on n, the overhead is upper bounded by r1 log(n/2r1 ) + r1 log(n/2r1 ) if both r1 , r2 > 0; otherwise, bounded by 1 + r log(n/2r). Using inequality r1 log 1/r1 + r2 log 1/r2 ≤ (r1 + r2 ) + (r1 + r2 ) log 1/(r1 + r2 ), we can easily shows both are upper bounded by r log(n/r). The number of rekeying ciphertexts is upper bounded by 2rw log(n/r)) + 4wr − 2w for r = |R|, as the number of nodes in Steiner(R) is upper bounded by r log(n/r) + 2r − 1. To see this, let r1 (resp. r2 ) be the number of nodes in the left subtree of root (resp. right subtree of root). Then using induction on n, the size of Steiner(R) is upper bounded by 1 + r1 log(n/2r1 ) + 2r1 − 1 + r2 log(n/2r2 ) + 2r2 − 1 ≤ r log(n/r) + 2r − 1 for r1 , r2 > 0; otherwise, it is upper bounded by 1 + r log(n/2r) + 2r − 1 ≤ r log(n/r) + 2r − 1. Thus, the conclusion holds for both cases. Notice that r for R or Ri is always less than the threshold. Thus, these two parameters can always be kept small.

4

MA Scheme

Asano [1] proposed a revocation scheme for stateless receivers (in a single service setting) based on the RSA assumption. He presented two methods in his paper. We realize the M framework based on his second method [1]. We denote this scheme by MA . Preprocessing 1. BC chooses a RSA composite N = pq, where p, q are two large primes. He then takes w primes p1 , · · · , pw , and primes q1 , · · · , q2a −1 , where a is a constant. Then he makes N, p1 , · · · , pw and q1 , · · · , q2a −1 public. 2. BC constructs an a-ary complete tree with n leaves. Let these leaves from left to right represent users u1 , · · · , un and let the internal nodes be v1 , · · · , v n−1 in breadth first order. Identify ui a−1

a with vi+ n−1 , i = 1, · · · , n. For each i = 1, · · · , n−1 a−1 and h = h1 · · · ha ∈ {0, 1} − {0}. Let a−1

Si,h := {uj |∃ t s.t. ht = 1 and uj is rooted at the t-th child of ui }.

(3)

Q a −1 Let T0 := 2h=1 qh . For each internal node vi , BC chooses a random number ki of appropriate T /q length and then associates the key ki,h := ki 0 h with Si,h . Qw 3. Let Q = i=1 pi . Let {1, · · · , w} be the currently available services. Let B(u) be the set of Q services user u has subscribed to and Z(u) = i∈B(u) pi . Let Q/Z(u)

K(u) := {ki,h

|u ∈ Si,h , i = 1, · · · , 9

n−1 , h ∈ {0, 1}a − {0}}. a−1

Note that from the elementary number theory K(u) can be implicitly stored as ½ QT0 ¾ n−1 Z(u)W (j) I(u) := ki |u is rooted at the j-th child of vi for some j, i = 1, · · · , , a−1 Q where W (j) := h∈{0,1}a :hj =1 qh and hj is the j-th bit of h.

(4)

User joining, subscription to more services, implicit service unsubscriptions, and a provision of new services are described as in the framework M. Broadcast Let Ui be the set of users that subscribe to service i. If BC wants to broadcast the message M to all Ui \Ri for some Ri ⊂ Ui , then BC first finds the Steiner tree Steiner(Ri ). Let {vi1 , vi2 , · · · , vim } be the set of internal nodes in Steiner(Ri ). Associate an a-bit number H(j) with each node vj ∈ {vi1 , · · · , vim }, where for each t = 1, · · · , a, the t-th bit of H(j) is 1 if and only if the t-th child of vj is not in Steiner(Ri ) (i.e., no user in Ri is rooted at the t-th child of vj ). Remove vj from {vi1 , · · · , vim } if H(j) = 0. Without loss of generality, we still assume that the remaining nodes are vi1 , · · · , vim . Then Si1 ,H(i1 ) ∪ · · · ∪ Sim ,H(im ) = U \Ri .

(5)

Thus the ciphertext is defined as follows. Hi (Ri , M ) := hi1 , · · · , im , Esk(i1 ,H(i1 )),i (k), · · · , Esk(im ,H(im )),i (k), Fk (M )i,

(6)

Q/p

i ). where sk(ij ,H(ij )),i := f (kij ,H(i j)

Decryption When receiving Hi (Ri , M ), user u ∈ Ui \Ri first finds j such that u ∈ Sij ,H(ij ) . ConQ/Z(u)

sequently, he can compute sk(ij ,H(ij )),i from kij ,H(ij ) since pi |Z(u). Thus he can get M . Rekeying Algorithm The rekeying algorithm described below is a compact version obtained from the rekeying algorithm in the M framework. Let R be the set of users that will quit one or more services. Let ∆ : R → 2{1,···,w} (i.e., the collection of all subsets of {1, · · · , w}) denote the specific function such that ∆(u) is the set of services that u will quit in this rekeying event. 1. BC updates B(u) and Z(u) according to ∆(u) for each u ∈ R, and then finds Steiner tree Steiner(R). 2. For each node vi at depth L − 1 of Steiner(R) (assume the considered a-ary complete tree has total depth L). Change ki on node vi to a random number ki0 of the length |ki |; T0 Q

For j = 1, · · · , a, let u be the j-th child of vi , BC sends Esk(i,Ij ),r (ki0 W (j)pr ) to u for each T0 Q qI pr j

) and Ij is an a-bit number with all bits being zero r ∈ B(u), where sk(i,Ij ),r := f (ki except the j-th bit. 3. Define an a-bit number I = 11 · · · 1. For l = L − 2, · · · , 0 do For each node vi in Steiner(R) at depth l, change ki to a random number ki0 of the same length. 10

For j = 1, · · · , a, do Let the j-th child of vi be vt . Then he broadcasts Esk0 (t,I

j ),r

(ki0 T0 Q/(W (j)pr ) ), r = 1, · · · , w

T Q/(p q )

r Ij ), where kt0 is the new value to all users rooted at node vt . Here sk 0 (t,Ij ),r = f (kt0 0 on vt if it is updated; otherwise kt0 = kt . (Note: For given t, i and j are automatically determined.)

Performance Since K(u) can be implicitly stored as I(u), it follows that the user’s secret storage in the MA scheme is loga n keys. Furthermore, he needs to store public parameters N, p1 , · · · , pw , and q1 , · · · , q2a −1 . As observed by Asano, if a or w is large, these primes can be implicitly stored by a program that generates them. The communication overhead for message broadcast is r(1 + loga (n/r)), where r = |Ri | and the proof is the same as in [1]. As a comparison, a user’s secret storage and communication overhead for message broadcast coincide with those of the Asano method. Furthermore, the rekeying communication overhead is wa(r−1+r loga (n/r)), where the proof is to show by induction on n that the size of internal nodes in Steiner(R) is upper bounded by r − 1 + r loga (n/r). The proof is similar to Mcs case, and is thus omitted.

5

Security

In this section, we investigate the security of our M framework. We consider the security threats only from the dynamic feature of the key assignments. We first give a primitive notion of the key computational infeasibility property, which is similar to the notion of key indistinguishability [12]. We then formalize an adversary model for our M framework and analyze the dynamic security of the M framework in the random oracle model. Definition 4. Let A be any probabilistic polynomial time (PPT) adversary against the (static) key assignment of M scheme. And let {p1 , · · · , pν } be the set of primes currently used to define the service keys. Let kt be the key associated with St , t = 1, · · · , z. A first chooses a pair (i, j). Then he p receives all kt ∈ C(ki ) for St 6⊆ Si and all kr j for Sr ⊆ Si such that kr ∈ C(ki ). The M scheme is said to satisfy the key computational infeasibility (KCI) property if the success probability of A in computing ki is negligible. We stress that in the above definition we are not concerned in kt 6∈ C(ki ) as such keys can be simulated by A himself. We are now ready to formalize an adversary model for the M framework, for which the KCI property is not affected by the dynamic feature of the key assignments. In other words, we assume that A can issue four types of queries: corruption of existing users, provision of new services, subscription to more services, and a running of the rekeying algorithm. As a response, the ciphertexts in the case of the last two events will be provided to the adversary. Upon corruption, the corrupted user’s secret key set as well as his subscription key will be provided to the adversary. After interaction with the challenger for a certain time, the adversary will announce an attack on a specific service key. He then tries to compute the target. The M scheme is said to be dynamically secure if the success probability of A is negligible. Formally, Definition 5. Let A be a PPT adversary against M scheme. We let ID u ∈ U always represent the user who is currently using this ID. A first chooses (i, j) as his target. Then A can issue the following queries. 11

1. He can request for a provision of a new service. As a response, the challenger will choose a new q prime pw+1 and then update kr to kr0 = krw+1 , where qw+1 = p−1 w+1 (mod φ(N )) and w is the number of existing services. Then he provides pw+1 to A. 2. He can ask to subscribe to a new service J on behalf of some user u. As a response, A will Q/p receive the ciphertext Ecu ({kr J : u ∈ Sr , r = 1, · · · , z}). 3. He can ask to execute the rekeying algorithm on (R, ∆) of his choice, where ∆ : R → 2{1,···,w} (i.e., the collection of all subsets of {1, · · · , w}) is a function such that ∆(u) is the set of services that u will quit in this query. As a response, he will receive all the ciphertexts in this rekeying event. 4. He can ask to corrupt a user u. As a response, A will receive K(u) as well as cu . After interaction with the challenger for a while, A can announce an attack as long as no user in Si , who is privileged for service j, is corrupted at the present time. The M scheme is said to be Q/p dynamically secure if the success probability for A to compute ki j is negligible. Remark. Two clarifications follow here. 1. When an adversary announces an attack, we require that currently corrupted users should not Q/p be privileged for service j. This is reasonable since such a person directly has ki j . Obviously, success by this does not imply the weakness of the system. On the other hand, we stress that we indeed allow a user to be corrupted at some earlier time but later purged from the system (recall that revoking a user is looked as quitting all the services). 2. We require the adversary to select his target pair (i, j) before his interaction. This has the same power as an adversary who chooses his target adaptively. The reason is that a non-adaptive adversary always can correctly guess the target pair of an adaptive adversary with non-negligible probability. Theorem 1. Assume that E is semantically secure against chosen plaintext attack (IND-CPA). Let f () be a random oracle. Suppose that for any i, C(ki ) is distributed exactly the same as {kja |kj ∈ C(ki )}, i = 1, · · · , z, where a is coprime with φ(N ). If M satisfies the KCI property, then it is dynamically secure. Proof. If there exists a PPT adversary A breaking the dynamic security of M with non-negligible probability, we will construct a PPT adversary B to break KCI property of the key assignment. B gets the public parameter N , the description of S1 , · · · , Sz and the description of the generation algorithm G for {k1 , · · · , kz }. He runs A with such public parameters. In turn, he receives (i, j) as the target of A. Let the number of rekeying queries involving Si ∈ D(R) (i.e., updating C(ki )) be upper bounded by a polynomial poly(κ). He takes vi uniformly at random from {0, 1, · · · , poly(κ)}, hoping that A will issue exactly vi rekeying queries involving Si throughout the simulation. Furthermore, let the number of services be upper bounded by ν. He takes p1 , · · · , pν as the prime numbers associated with the possible services. Then B internally simulates the challenger interacting with A. B also maintains the random oracle f as follows. To answer a query of x, he first checks if such a query was requested before. If yes,he responds with the existing answer; otherwise, he responds with a random number r of appropriate length and records (x, r). The simulation is divided into two stages: Stage one is the simulation before the vi -th rekeying event involving Si occurs; Stage two handles the remaining simulation. If vi = 0, he directly goes to Stage two. If v1 > 0, then in the beginning, B simulates G to generate k˜1 , · · · , k˜z . Let the 12

initially services be {1, · · · , w}. B defines the initial k1 , k2 , · · · , kz as k˜1Dw , · · · , k˜zDw , where Qavailable ν Dw = l=w+1 pl . He then continues Stage one. Stage one: D /p - Upon a new service request, let ki be updated to ki0 = k˜i w w+1 , where k˜i is obtained by the newly rekeying process on C(ki ). Note that w is the most recent new service (thus w could vary over time). For simplicity, we still use ki to denote ki0 when the context is clear. B then provides pw+1 to A. - Upon a subscription of service J for some ID u, B first checks if cu has been defined for the current holder of u. If not, he takes cu uniformly at random from the key space of E; otherwise, he uses the existing cu . Then he provides the subscription ciphertext normally. - Upon a rekeying request on (R, ∆), he follows normally, except in the key updating process where he follows the initialization stage. Specifically, let C(kr1 ), · · · , C(krt ) correspond to D(R). 0 ˜ ˜ ˜ Dw He runs QνG to obtain k1 , · · · , kz . For each kt in some C(krv ), he updates kt to kt = kt , for Dw = l=w+1 pl . - Upon a corruption of an ID u, he provides K(u) and cu to A.

Before moving to Stage two, we first show that the simulation of Stage one is perfect. Indeed, the only difference from a normal simulation is the generation of C(kr ) which is defined as {ktDw : kt ∈ C(kr )}. However, according to our assumption, these two random variables are identically distributed. If A does not issue the vi -th rekeying query involving Si , then B aborts with failure. Otherwise, p he sends (i, j) to his oracle and in turn he receives (1) all k˜r j , satisfying Sr ⊆ Si and k˜r ∈ C(k˜i ); (2) k˜t , satisfying St 6⊆ Si but k˜t ∈ C(k˜i ). He defines kt for kt ∈ C(ki ) to be k˜tDw (Note here we do not guarantee that B knows kt if j ≤ w). B continues the simulation in Stage two. Stage Two: 1. Upon the vi -th rekeying query involving Si , B checks if finishing this query is able to purge all the corrupted parties in Si . If not (meaning the guess of vi is incorrect), then B aborts with failure. Otherwise, he normally simulates the rekeying procedure, except that C(ki ) is defined as in the paragraph right before Stage two. There are two difficulties preventing B from a normal simulation: a. skt,j , for St ⊆ Si with kt ∈ C(ki ), is required as an encryption key, where skt,j corresponds to the updated j-th service key for St . In this case, B takes skt,j as uniformly at random. In order to consistent, the random oracle f is changed as follows. Given any query x, the Q p random oracle first checks if xpj = ktQ (= k˜tΩ , Ω = νr=1 pr ) (note kt j is known to B in any case). If yes, it responds with skt,j ; otherwise, it responds normally. Q/p b. The j-th service key kr j for Sr ⊆ Si with kr ∈ C(ki ) is required as the encryption input. In this case, B does not have this knowledge. Instead, he computes a dummy ciphertext (i.e., plaintext is 0). 2. If vi = 0, the initialization for C(ki ) is done as described in the paragraph right before Stage two. For other C(kt ), the initialization is normal (see the simulation right before Stage one). 3. Upon the v-th rekeying query involving Si for v > vi , B aborts with failure (recall vi is supposed to be a guess of the total number of rekeying queries involving Si ). If a rekeying query does not involve Si , the simulation is normal, except when skt,j for St ⊆ Si with kt ∈ C(ki ) (obtained in 13

the vi -th rekeying query involving Si ) is required as an encryption key. In this case, if skt,j is not set before, then B sets it uniformly at random and modifies the random oracle f correspondingly as stated before. If it has been set, he uses the defined value as the encryption key. D /p 4. Upon a new service provision query, the processing of kt is normal (i.e., update to k˜t w w+1 ). Then B provides pw+1 to A. 5. Upon a subscription query of service J for ID u, if u ∈ Si , B feeds back a dummy ciphertext Ecu (0). Otherwise, he answers normally. 6. Upon a corruption query for ID u, if u ∈ Si , B then aborts with failure (recall in the security definition, no user in Si is corrupted after the last rekeying query involving Si ); otherwise, he responds normally. Q/p

Ω/p

Finally, if A outputs ki j = k˜i j (corresponding to the vi -th rekeying query involving Si ), p Ω/p then B succeeds with k˜i , computed from k˜i j (received from his challenger) and k˜i j . Let Γs be the game simulated above by B. Consider a mental game Γ1 , which is defined as Γ5 , except that in Step 5 of Stage two, the dummy ciphertexts in answering a subscription query for u ∈ Si , are replaced with real ciphertexts. Lemma 3. | Pr[Succ(A, Γs )] − Pr[Succ(A, Γ1 )]| = negl(κ). Proof. If the conclusion were incorrect, we will build an adversary C to break the IND-CPA security of E. C plays the roles of both B and the challenger of B. Assume Si has a size Di , and let the number of subscriptions for users in Si at Step 5 of Stage two be upper bounded by O. C takes di ← {1, · · · , Di }, takes o ← {1, · · · , O}. The simulation follows the code of B, except Step 5 of Stage two. In this case, cu for the di -th ID u in Si is defined to be the hidden key in the encryption oracle of C. Then the first o − 1 subscriptions in Step 5 of Stage two for users in Si are answered using dummy ciphertexts (the ciphertext for the di -th ID u is obtained by asking the encryption oracle of C). If the o-th subscription is for the selected u, then C requests a ciphertext from his oracle, who will provide either a real ciphertext or a dummy ciphertext with probability 1/2. C sets the response from his oracle as the response to A. If the o-th subscription for users in Si is not for ID u, then C aborts with output 0 or 1 equally likely (this means that the guess of ID u is incorrect). The subscription for users in Si beyond the o-th query is answered with the real ciphertexts. Finally, (l) if A succeeds, then C outputs 1; otherwise, it outputs 1 or 0 equally likely. Let Γs be the game where the first l queries with u ∈ Si in Step 5 of Stage two are according to Γs while the rest of such queries are according to Γ1 . Consider the case where the o-th subscription in the above is always for the di -th ID u. In this case, if the challenging ciphertext is an encryption of 0, then the (o) (o−1) simulated game is distributed according to Γs ; otherwise, it is distributed according to Γs . On the other hand, the guess that the o-th subscription in the above is indeed di -th is correct with probability exactly D1i , as the adversary’s view is independent of di before the occurrence of the said o-th subscription. Thus, (o) (o−1) 1+Pr[Succ(A,Γs )] )] 1 PO s Adv(C) = OD − 1+Pr[Succ(A,Γ ) o=1 ( 2 2 i 1 = 2ODi (Pr[Succ(A, Γs )] − Pr[Succ(A, Γ1 )]), non-negligible, a contradiction to IND-CPA security of E.

¤

Now let Γ2 be the variant of Γ1 such that at Step 1.b in Stage two, the ciphertext is the real ciphertext instead of the dummy ciphertext. 14

Lemma 4. | Pr[Succ(A, Γ1 )] − Pr[Succ(A, Γ2 )]| = negl(κ). (v) Proof. For ease of presentation, we use k˜t to denote the key k˜t that is generated in the v-th (v)Ω/pj rekeying event involving St . Let Bad denote the event where A issues query k˜t to the random Q (v)Ω/pj ˜ oracle f for St ⊆ Si while any real user for kt is never corrupted, where Ω = νr=1 pr . Ω/p Q/p Recall that k˜t j = kt j is always the j-th service key corresponding to set St . We first show that | Pr[Bad(Γ1 )] − Pr[Bad(Γ2 )]| is negligible. Otherwise, we can build an adversary D to break the IND-CPA security of E. Let (v −1)Ω/pj (v )Ω/pj T = {f (k˜t i ), f (k˜t i ) : St is a child of Sr for some kr ∈ C(ki ) }

and leave the real random oracle values of 0the elements in T to be defined later. Recall that (v )Ω/pj Ω/p f (k˜t j ) = skt,j . D takes a random key f (k˜t i ) from T and defines it to be the hidden key in the encryption oracle E. Then D follows Γ1 (and Γ2 ) to simulate Stage one, playing both the roles (v 0 )Ω/pj of B and the challenger of B, except when f (k˜t i ) is required as the encryption key, he asks for help from his encryption oracle. If Bad has occurred before the vi -th rekeying query involving (v 0 )Ω/pj Si , then D outputs 1 or 0 equally likely and exits. In addition, if f (k˜t i ) is not required as an encryption key, then D outputs 1 or 0 equally likely and exits. Otherwise, all ciphertexts (v 0 )Ω/pj generated before using f (k˜t i ) as the encryption key are according to Γ1 (i.e., they are dummy 0 )Ω/p (v j i ciphertexts). When f (k˜t ) is required as the encryption key, C asks his encryption oracle to generate the challenge ciphertext which is either real or dummy. The remaining ciphertexts in this rekeying event are according to Γ2 (i.e., they are real). Finally, if the Bad event happens after the vi -th rekeying event involving Si , then D outputs 1 and exits; otherwise, the Bad event never happens and D outputs 0 or 1 equally likely. (l) Let Γ1 be the variant game of Γ1 such that in the vi -th rekeying event involving Si , the first l (0) ciphertexts are dummy, while the rest of the ciphertexts are real. Then Γ1 = Γ2 and Γ (z) = Γ1 . Before the vi -th rekeying event involving Si occurs, the adversary’s view in the simulation by D is distributed exactly as in both Γ1 and Γ2 . Thus, if we let Bad1 happen before the vi -th rekeying (l) event involving Si , then Pr[Bad1 (Γ1 )] = Pr[Bad1 (Γ1 )] = Pr[Bad1 (Γ2 )], for any l. Furthermore, 0 (v )Ω/pj if f (k˜ i ) is required as an encryption key for the l-th ciphertext during vi rekeying event t

(l)

involving Si , then the adversary’s view in the simulation is distributed exactly according to Γ1 (v 0 )Ω/pj (l−1) (resp. Γ ) if the challenge ciphertext is dummy (resp. real). Since f (k˜ i ) is chosen from T t

1

randomly, it happens to be the encryption key required for the l-th ciphertext with probability Thus, we have Adv(D) = = =

PT

(l)

(l)

(l−1)

Pr[Bad1 (Γ1 )]+Pr[Bad&Bad1 (Γ1 )] Pr[Bad1 (Γ1 − 2 (l) (l−1) 1+Pr[Bad(Γ1 )] 1+Pr[Bad(Γ1 )] 1 PT − l=1 2 2 |T | Pr[Bad(Γ1 )]−Pr[Bad(Γ2 )] , 2|T | 1 |T |

l=1

(l−1)

)]+Pr[Bad&Bad1 (Γ1 2

(l)

1 |T | .

)]

(l−1)

non-negligible as |T | ≤ 2z, where the second equality is due to the fact Pr[Bad1 (Γ1 )] = Pr[Bad1 (Γ1 Thus, we have proved that Pr[Bad(Γ1 )] = Pr[Bad(Γ2 )]. Furthermore, from Claim 1 below, we have that the Bad event happens in Γ1 and Γ2 with negligible probability. Thus, by a hybrid argument similar to Lemma 3, we can prove the lemma. Further details are omitted. ¤

15

)].

Claim 1. Pr[Bad(Γ2 )] = negl(κ). Proof. We notice that if the abortion event in Γ2 is replaced with a normal execution, then the adversary’s view is distributed exactly according to the real game Γ in Definition 5. It follows that Pr[Bad(Γ2 )] ≤ Pr[Bad(Γ )]. Thus, it suffices to show that Pr[Bad(Γ )] = negl(κ). If this conclusion were incorrect, we show that an adversary K can break the KCI property of C(ki ). K starts by running A with public parameters. On receiving (i, j) from A, he guesses the first Bad event in Γ (n )Ω/pj happening to k˜t t by randomly taking St ← {Sr : Sr ⊆ Si , r = 1, · · · , z} and nt ← {0, · · · , µ}, where µ is the upper bound of the number of the rekeying queries involving St . Then K follows Γ , except a. if a Bad event occurs before the nt -th rekeying query involving Si occurs, then K aborts with failure. b. upon the nt -th rekeying query involving St , K sends (t, j) as his target to his own challenger. He (n )p (n ) will then receive k˜r t for all kr ∈ C(kt ) but Sr 6⊆ St , and k˜l t j for all Sl ⊆ St and kl ∈ C(kt ). (n )Ω/pj Using the received key set, he simulates the rekeying ciphertexts, where he defines f (k˜ t ) l

(n )Ω/pj to be uniformly at random for each kl ∈ C(kt ) with Sl ⊆ St . Since such a k˜l t is unknown to K, he modifies the random oracle as follows (for consistency). Upon a query x, he checks if (n )Ω it constitutes a Bad event. If not, K answers normally; otherwise, if xpj = k˜t t , he computes (n )p (n ) k˜t t from x and k˜t t j and succeeds; otherwise, he aborts with failure (in this case, the guess of the first Bad event is incorrect since it does not correspond to t and nt ). Furthermore, the (n )Ω/pj ciphertext of k˜l t , satisfying Sl ⊆ St and kl ∈ C(kt ), is replaced with a dummy ciphertext. (n )Ω/pj for Sl ∈ St and kl ∈ C(kt ), it c. if a subscription needs to compute any ciphertext of k˜l t computes a dummy ciphertext.

Finally, if no Bad event occurs, K terminates with failure. First, we use the hybrid arguments very similar to the proof of Lemma 3 to prove that the probability of the Bad event in the simulated game is negligibly close to the variant game except that the dummy ciphertexts in items (b) and (c) are changed back to real ones. Denote the latter game by Γ re . Notice that in Γ re , before the first Bad event occurs, the adversary’s view is identically distributed as in the real game Γ (especially, it is independent of (t, nt ))). It follows that the first (n )Ω/pj )] 1 Bad event (if it exists) happens to k˜t t . Thus, Pr[Succ(K)] = Pr[Bad(Γ with probability zµ zµ is non-negligible, a contradiction to KCI property of C(ki ). ¤ (v )Ω/pj We now calculate the probability that A in Γ2 finally outputs k˜i i . Note that if vi happens to be the total number of rekeying queries involving Si , then the adversary’s view in the simulated (v )Ω/pj game distributed exactly as in Γ ; otherwise, B will abort (and k˜i i is not the desired final output of A in order to declare his success). Also, notice that before the vi -th rekeying query (if it exists) occurs, the adversary’s view is distributed exactly according to Γ . It follows that the guess 1 1 of vi is correct with probability exactly poly(κ) . Thus, Pr[Succ(A, Γ2 )] = poly(κ) Pr[Succ(A, Γ )]. Since the success of A in Γs implies the success of B, from Lemma 3 and Lemma 4 we have )] Pr[Succ(B)] = Pr[Succ(A,Γ + negl(κ), non-negligible, a contradiction to KCI property of M. ¥ poly(κ)

Based on Theorem 1, we can easily conclude the security of Mcs . 16

Corollary 1. If ki is chosen uniformly at random in Z∗N , i = 1, · · · , z, and E is secure against CPA attack, then Mcs is dynamically secure. Proof. Since ki is uniformly at random, it follows that hk1a2 , · · · , kzaz i has the same distribution as hk1 , · · · , kz i for any ai ∈ Z∗φ(N ) , i = 1, · · · , z. Furthermore, KCI property holds due to one-wayness of the RSA function. By Theorem 1, the conclusion follows. ¥ For the security of our MA scheme, we again have Corollary 2. Assume that E is secure against a CPA attack, that RSA is one-way, and that ki is chosen uniformly at random. Then MA scheme is dynamically secure. Proof Note that MA follows the specification of the M method except for the rekeying algorithm. However, the ciphertext in this algorithm is a subset of that in the scheme obtained strictly according to the M method. Thus, the security of the latter implies that of the former. Thus we only need to verify the conditions of Theorem 1. Due to the fact that ki is chosen uniformly at random, {ki,h : h 6= 0, i = 1, · · · , (n − 1)/(a − 1)} is distributed the same as ai {ki,h : h 6= 0, i = 1, · · · , (n − 1)/(a − 1)}. In addition, KCI follows from the one-wayness of RSA function. ¥

6

Traitor Tracing

Traitor tracing is an algorithm which traces illegal users who contribute to build a pirate decoder. Naor et al. [12] presented a subset tracing algorithm to locate a traitor in logarithmic time. They assume that the collection of subsets S1 , · · · , Sz has a bifurcation property. This property essentially allows a binary search technique to efficiently conclude that the pirate decoder must know a secret key, which has been assigned to a single user (i.e, this key is associated with some Si containing a single user. In our system, we can apply their algorithm for each service. Finally, we can also Q/p conclude that the pirate decoder must know some kt j , where St = {u} for some user u. Note that our security theorem implies that the user u must contribute to build the pirate decoder. Thus, their tracing procedure can be applied to our setting as well.

7

On the security of the second NRK scheme at ACISP’03

An alternative multi-service oriented broadcast encryption scheme was studied by Narayanan et al. [13]. In their work, the main purpose of their work was to minimize the broadcast overhead. They proposed three schemes. The most interesting scheme is the third one, which is secure and has traceability. The drawback of this scheme is that the broadcast overhead always has the length of the security threshold, which is usually large. Thus, the scheme is inefficient. The second scheme has a small overhead and was claimed to be secure against a collusion attack. However, we show that this is not true. 7.1

Description of the second NRK scheme

The Broadcast Center (BC) first chooses an l-bit RSA number N = pq. Let Rφ(N ) + 1 be a 2l-bit number which has a l-bit factor d, where R is some integer. Then BC chooses three 2l-bit numbers, 17

d1 , d2 , d3 such that d|di , i = 1, 2, 3 and gcd(d2 , d3 ) = d. For each service i, BC chooses a secret number gi , i = 1, · · · , w, where w is the number of services. Then he keeps d1 , d2 , d3 , p, q, g1 , g2 , · · · , gw as his secret keys. If a user uj wants to join the system, BC first assigns a secret triple (e1j , e2j , e3j ) to him such that e1j d1 + e2j d2 + e3j d3 = Rφ(N ) + 1. If uj wants to subscribe to service i, then BC will further e give gi 1j to him. To broadcast the message M in service i, BC chooses x such that gcd(x, φ(N )) = 1 and computes the ciphertext C := hx, M d1 gix , M d2 , M d3 i. User uj can decrypt the ciphertext as follows e

M = (M d1 gix )e1j (M d2 )e2j (M d3 )e3j /(gi 1j )x . 7.2

(7)

Collusion of users can compute gi

We now show that a set of users collude can compute gi . Suppose users u1 , · · · , us , (s ≥ 4) collude. In particular, they get equations 3 X r=1

er1 dr =

3 X

er2 dr = · · · =

r=1

3 X

ers dr .

(8)

r=1

As observed in [13], these users can derive vector (h dd1 , h dd2 , h dd3 ), for some number h. Since gcd(d2 , d3 ) = d, they can find v2 , v3 such that v2 (h dd2 ) + v3 (h dd3 ) = h. Hence, they can derive h and further obtain the vector ( dd1 , dd2 , dd3 ). Also, using the ciphertext C, they can also compute M d since M v2 d2 · M v3 d3 = (M d )v2 d2 /d+v3 d3 /d = M d .

(9)

d1

Thus, they can compute M d1 , because M d1 = (M d ) d and d1 /d is computed above. Thus, they can compute gix = M d1 gix /M d1 . Since e11 , · · · , e1s are random even numbers, with high probability, gcd(e11 , · · · , e1s ) = 2. Thus, from (gie11 , · · · , gie1s ) they can compute gi2 . Since gcd(x, φ(N )) = 1, x must be odd. Thus, they can compute gi from gi2 and gix . This contradicts the claim in [13].

8

Conclusion

We proposed a framework for multi-service oriented broadcast encryption, namely, the M framework by using the subset cover method for stateless receivers (in a single service setting) combined with the RSA exponentiation method. In this framework, the amount of each user’s secret storage is independent of the number of services. Furthermore, subscribing or providing new services can be achieved efficiently, and service unsubscription is carried out implicitly for the case that the number of such users is small; otherwise, the user’s service memberships are updated explicitly by applying a rekeying algorithm. Secondly, we formalized a notion of dynamic security for the M framework and showed that the M framework is dynamically secure in the random oracle model, provided the security requirements of two primitives are satisfied. Finally, we realized the M framework with 18

two concrete schemes that are based on complete subtree method and Asano method, respectively.

Acknowledgement

The authors would like to thank anonymous referees for instructive comments. Shaoquan Jiang would like to thank Huaxiong Wang for encouragement and Kenny Paterson for critical comments on the earlier version.

References 1. T. Asano, A Revocation Scheme with Minimal Storage at Receivers, Advanced in Cryptology-Asiancrypt’02, Y. Zheng (Ed.), LNCS 2501, Springer-verlag, 2002, pp. 433-450. 2. D. Boneh and M. K. Franklin, An Efficient Public Key Traitor Tracing Scheme, Advances in CryptologyCRYPTO’99, M. J. Wiener (ed.), LNCS 1666, Springer-verlag, 1999, pp. 338-353. 3. R. Canetti, J. A. Garay, G. Itkis, D. Micciancio, M. Naor and B. Pinkas, Multicast Security: A Taxonomy and Some Efficient Constructions, IEEE INFOCOM’99, 21-25, March 1999, New York, Vol. 2, 708-716 4. R. Canetti, T. Malkin and K. Nissim, Efficient Communication-Storage Tradeoffs for Multicast Encryption, Advances in Cryptology-EUROCRYPT’99, J. Stern (Ed.), LNCS 1592, Springer-verlag, 1999, pp. 459-474. 5. Gerald C. Chick, Stafford E. Tavares, Flexible Access Control with Master Keys, Advances in CryptologyCRYPTO’89, G. Brassard (Ed.), LNCS 435, 1990, Springer-verlag, 316-322. 6. Y. Dodis and N. Fazio, Public Key Trace and Revoke Scheme Secure against Adaptive Chosen Ciphertext Attack, Public Key Cryptography 2003, Y. Desmedt (Ed.), LNCS 2567, Springer-verlag, 2002, pp. 100-115. 7. A. Fiat and M. Naor, Broadcast Encryption, Advances in Cryptology-CRYPTO’93, D. Stinson (Ed.), LNCS 773, Springer-verlag, 1994, pp. 480-491. 8. Yong Ho Hwang, Chong Hee Kim, Pil Joong Lee, An Efficient Revocation Scheme with Minimal Message Length for Stateless Receivers, ACISP 2003, 377-386. 9. S. Jiang and G. Gong, Hybrid Broadcast Encryption and Security Analysis, Available at http://eprint.iacr.org/2003/241. 10. Shaoquan Jiang and Guang Gong, Multi-service Oriented Broadcast Encryption, Available at http://calliope.uwaterloo.ca/∼jiangshq 11. Hartono Kurnio, Reihaneh Safavi-Naini, Huaxiong Wang, A Secure Re-keying Scheme with Key Recovery Property, ACISP 2002, L. M. Batten et al. (Eds.), LNCS 2384, Springer-Verlag, 2002, pp. 40-55. 12. D. Naor, M. Naor and J. Lotspiech, Revocation and Tracing Schemes for Stateless Receivers, Advances in Cryptology-Crypto’01, J. Kilian (Ed.), LNCS 2139, Springer-verlag, 2001, pp. 41-62. 13. Arvind Narayanan, C. Pandu Rangan, Kwangjo Kim, Practical Pay TV Schemes. ACISP 2003, 192-203. 14. D. R. Stinson and R. Wei, Combinatorial Properties and Constructions of Traceability Schemes and Frameproof Codes, SIAM Journal on Discrete Mathematics, 11(1): 41-53 (1998). 15. W. Tzeng and Z. Tzeng, A Public-Key Traitor Tracing Scheme with Revocation Using Dynamic Shares, Public Key Cryptography 2001, K. Kim (ed.), LNCS 1992, Springer-verlag, 2001, pp. 207-224. 16. D. M. Wallner, E. J. Harder and R. C. Agee, Key Management for Multicast: Issues and Architectures, Internet Request for Comments 2627, June, 1999. Available: ftp.ietf.org/rfc/rfc2627.txt 17. Chung Kei Wong, Mohamed G. Gouda, Simon S. Lam, Secure Group Communication Using Key Graphs, Sigcomm’98.

19