Elsevier

Information Sciences

Volume 180, Issue 6, 15 March 2010, Pages 1060-1072
Efficient broadcast encryption with user profiles

https://doi.org/10.1016/j.ins.2009.11.024

Abstract

Broadcast encryption (BE) deals with secure transmission of a message to a group of users such that only an authorized subset of users can decrypt the message. Some of the most effective BE schemes in the literature are the tree-based schemes of complete subtree (CS) and subset difference (SD). The key distribution trees in these schemes are traditionally constructed without considering user preferences. In fact these schemes can be made significantly more efficient when user profiles are taken into account. In this paper, we consider this problem and study how to construct the CS and SD trees more efficiently according to user profiles. We first analyze the relationship between the transmission cost and the user profile distribution and prove a number of key results in this aspect. Then we propose several optimization algorithms which can reduce the bandwidth requirement of the CS and SD schemes significantly. This reduction becomes even more significant when a number of free riders can be allowed in the system.

Introduction

Broadcast encryption (BE) enables secure transmission of data to a large set of users such that only an authorized subset can decrypt it. It has a wide range of applications including pay-TV, content protection, secure audio streaming and Internet multicasting.

The users of a BE system are given a set of pre-installed, long-term keys, typically in a set-top box. These keys are later used to encrypt the broadcast sessions such that only the authorized user set, i.e., the users with the appropriate long-term keys, can decrypt the broadcast. The users who are authorized to receive a particular broadcast are called privileged (or subscriber) whereas the remaining non-authorized users are called revoked (or non-subscriber). In certain cases, a number of non-subscribers can be allowed to decrypt the broadcast in order to reduce the overall cost of the system. Such users are called free riders.

The particular design of a BE system varies according to the system characteristics, such as the size of the user domain, required security level, available bandwidth, and hardware capabilities. In the traditional setting, the amount of long-term storage is very limited as it has to be tamper resistant, the communication channel is one way, and the devices are stateless in the sense that no additional long-term storage is possible.

Two important performance parameters in evaluating a BE system are the key storage and transmission overheads incurred. The complete subtree (CS) and subset difference (SD) schemes of Naor et al. [20] are among the most well-known BE schemes today. Some of the theoretically most efficient BE schemes are obtained by the SD scheme and its variants [13], [12]. The SD scheme has recently gained popularity in applications as well and is included in the next-generation DVD standard [1].

Although recent advances in technology, such as the availability of two-way communication channels, have reduced pay-per-view TV systems’ reliance on BE schemes, new application areas have emerged that greatly benefit from BE, such as content protection [18], [24], multicasting promotional material and low cost pay-per-view events [2], multi-certificate revocation/validation [3] and dynamic group key management [25], [26], [6], [7], [19].

User profiling is the concept of monitoring data on preferences and interests of the users in the system in order to serve them more effectively. It is broadly used in various areas such as web mining [16] and broadcasting and multicasting [9], [15], [17].

In the BE literature, traditionally, the users are assumed to be identical in the sense that they are taken to be equally likely to be interested in any particular broadcast. However, in practice every user has a certain type of interest, some being more interested in sport events, some in movies, some in entertainment, etc. If these user profiles are taken into account, they can provide some critical information to optimize the operations of a BE system.

In this paper, we study the problem of achieving a more efficient BE system in the presence of provided user preference information. Our approach works by constructing the subset structure of a CS or SD system according to the given set of subscriber profiles. We first analyze the relationship between the transmission overhead of a BE scheme and the distribution of the user profiles. After proving several key results, we give two optimal algorithms for the CS scheme with one broadcast type. Then we generalize our approach by proposing a similarity metric for the CS and SD schemes with multiple broadcast types. Theoretical and experimental results show that the approach can significantly reduce the transmission overhead of the CS-based and SD-based BE schemes. This reduction can be especially remarkable when the proposed approach is used in conjunction with an optimal free rider assignment [4], [22].

The rest of the paper is organized as follows: After summarizing the related work in Section 2, we give an overview of the CS and SD schemes in Section 3. We analyze the average transmission cost of the CS and SD trees according to the user profiles in Section 4 and we prove several results on the optimality conditions in Section 5. We present our optimization algorithms in Section 6 and present the experimental results in Section 7. We discuss the application of user profiling with free riders and present further experimental results for various free rider assignments in Section 8. Section 9 concludes the paper.

Section snippets

Background

After Berkovits [5] introduced the idea of BE in 1991, Fiat and Naor [11] presented their model which is the first formal work in the area. They introduced the resiliency concept, and defined k-resilience to mean being resilient against a coalition of up to k revoked users. Their best scheme required every user to store $O(k \log k \log n)$ keys and the center to broadcast $O(k^2 \log^2 k \log n)$ messages where n is the total number of users.

After these works, Naor et al. proposed two subset–cover schemes, the

Subset–cover framework and the CS and SD schemes

A subset–cover BE scheme first generates a collection of subsets from the user set and associates a different long-term key with each subset. Then, every user in the system is installed with the long-term keys of the subsets he is included in.

To broadcast a message to a privileged user set P, the sender finds a cover C from the subset collection such that $P = \bigcup_{S \in C} S$ and encrypts the message using the keys of the subsets in C. The number of subsets in C, i.e., |C|, is called the transmission cost

Broadcast encryption with user profiles

As noted in Section 2, the original CS and SD schemes treat the users identically when organizing the key distribution tree. However, if we have information about the user preferences and interests, we can use this information to group similar users together and make the BE scheme more efficient by constructing the subsets in a more clever way.

Consider a system supporting b different types of broadcasts where type j has a broadcast probability of $q_j$ and $\sum_{j=1}^{b} q_j = 1$. Let $p_{u,j}$ denote the

Optimal CS tree construction

In this section, we will give two optimal tree construction algorithms for the unitype CS scheme. We will assume that for users $u_1, u_2, \ldots, u_n$, the subscription probabilities are $p_{u_1} \ge p_{u_2} \ge \cdots \ge p_{u_n}$; i.e., the users are indexed with respect to their subscription probabilities in decreasing order. We say that a CS tree is optimal if it minimizes the expected cover size.
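The following is an added illustration, not code from the paper: it computes a CS cover for a privileged set on a balanced binary tree and the expected cover size for one broadcast type, so the effect of leaf placement can be measured. The independence of subscriptions across users, the constructed 8-user probabilities and all function names are assumptions of this example.

```python
from math import prod

def cs_cover(privileged, n):
    """Complete-subtree (CS) cover over leaves 0..n-1, n a power of two.

    Returns the maximal subtrees, as half-open leaf ranges (lo, hi), whose
    leaves are all privileged; their union is exactly the privileged set.
    """
    def walk(lo, hi):
        if all(u in privileged for u in range(lo, hi)):
            return [(lo, hi)]            # whole subtree is privileged: one key
        if hi - lo == 1:
            return []                    # revoked leaf: not covered
        mid = (lo + hi) // 2
        return walk(lo, mid) + walk(mid, hi)
    return walk(0, n)

def expected_cover_size(probs):
    """Expected |C| for one broadcast type, leaf i subscribing with probs[i].

    Assumption (labelled): subscriptions are independent across users. A node
    is in the cover iff all its leaves subscribe and its parent's do not.
    """
    def walk(lo, hi, parent_full):
        full = prod(probs[lo:hi])        # P(every leaf under this node subscribes)
        cost = full - parent_full
        if hi - lo > 1:
            mid = (lo + hi) // 2
            cost += walk(lo, mid, full) + walk(mid, hi, full)
        return cost
    return walk(0, len(probs), 0.0)

# Constructed sample: 8 users, four likely subscribers and four unlikely ones.
GROUPED = [0.9, 0.9, 0.9, 0.9, 0.1, 0.1, 0.1, 0.1]
INTERLEAVED = [0.9, 0.1, 0.9, 0.1, 0.9, 0.1, 0.9, 0.1]

if __name__ == "__main__":
    print(cs_cover({0, 1, 2, 3}, 8))     # four subscribers on adjacent leaves
    print(cs_cover({0, 2, 4, 6}, 8))     # same count, scattered leaves
    print(expected_cover_size(GROUPED), expected_cover_size(INTERLEAVED))
```

With the same eight probabilities, only the assignment of users to leaves differs between the two lists, and the expected number of subsets per broadcast differs with it.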

We will consider the optimal CS tree organization problem for two different settings: First, the CS tree has to be a balanced tree, and

The case of multitype broadcasts

In multitype BE schemes, we cannot simply group the users with respect to their subscription probabilities since there are b different subscription probabilities for each user. Nevertheless, if we place similar users closer in the tree, the number of subtrees containing them will increase, hence smaller covers can be obtained. We will first focus on the probability of two users being interested in a common broadcast. If two users’ probabilities of being interested in the same broadcast are both

Experimental results

We tested the performance of the proposed algorithms against the standard BE approach by running a large number of experiments on synthetically generated user profiles. The user profiles were carefully generated with various characteristics to be representatives of a wide variety of applications.

We experimented with a population of $n = 1024$ users. Each user profile contains b subscription probabilities for some $1 \le b \le 10$. For each broadcast type j, the subscription probabilities $p_{i,j}$ are randomly

Using similarity approach with free riders

Free riders are the users who are able to decrypt a broadcast session although they are not subscribed to it. Some free riders can be allowed in a BE system in order to lower the transmission cost by relaxing the restriction that the cover must exactly match the privileged user set. Free riders must be assigned carefully in order to reduce the cost effectively. Optimal free rider assignment algorithms for the CS and SD schemes have recently been given by Ramzan and Woodruff [22] and Ak et al.

Conclusion

In this paper, we analyzed the problem of reducing the transmission costs of subset–cover based BE schemes of CS and SD by utilizing information about user interests. We gave optimal algorithms for the CS scheme when only one type of broadcast exists. For the multitype case, we proposed a similarity approach which can be used in both CS and SD schemes. The simulation experiments showed that the proposed algorithms are effective and can provide significant reductions in the transmission

Acknowledgement

This work is supported in part by the Turkish Scientific and Technological Research Agency (TUBİTAK), under Grant No. 108E150.

References (26)

  • E. David, S. Kraus, Agents for information broadcasting, in: 6th International Workshop on Intelligent Agents VI, Agent...
  • E. Dees, Decentralized advertisement recommendation on IPTV (2007)
  • A. Fiat, M. Naor, Broadcast encryption, in: CRYPTO’93, LNCS, vol. 773, Springer-Verlag, 1993, pp....

    1

    Current Address: CERFACS, 42 avenue Gaspard Coriolis, Toulouse 31057, France.