Efficient broadcast encryption with user profiles
Introduction
Broadcast encryption (BE) enables secure transmission of data to a large set of users such that only an authorized subset can decrypt it. It has a wide range of applications including pay-TV, content protection, secure audio streaming and Internet multicasting.
The users of a BE system are given a set of pre-installed, long-term keys, typically in a set-top box. These keys are later used to encrypt the broadcast sessions such that only the authorized user set, i.e., the users with the appropriate long-term keys, can decrypt the broadcast. The users who are authorized to receive a particular broadcast are called privileged (or subscriber) whereas the remaining non-authorized users are called revoked (or non-subscriber). In certain cases, a number of non-subscribers can be allowed to decrypt the broadcast in order to reduce the overall cost of the system. Such users are called free riders.
The particular design of a BE system varies according to the system characteristics, such as the size of the user domain, required security level, available bandwidth, and hardware capabilities. In the traditional setting, the amount of long-term storage is very limited as it has to be tamper resistant, the communication channel is one way, and the devices are stateless in the sense that no additional long-term storage is possible.
Two important performance parameters in evaluating a BE system are the key storage and transmission overheads incurred. The complete subtree (CS) and subset difference (SD) schemes of Naor et al. [20] are among the most well-known BE schemes today. Some of the theoretically most efficient BE schemes are obtained by the SD scheme and its variants [13], [12]. The SD scheme has recently gained popularity in applications as well and is included in the next-generation DVD standard [1].
Although recent advances in technology, such as the availability of two-way communication channels, have reduced pay-per-view TV systems’ reliance on BE schemes, new application areas have emerged that greatly benefit from BE, such as content protection [18], [24], multicasting promotional material and low cost pay-per-view events [2], multi-certificate revocation/validation [3] and dynamic group key management [25], [26], [6], [7], [19].
User profiling is the concept of monitoring data on preferences and interests of the users in the system in order to serve them more effectively. It is broadly used in various areas such as web mining [16] and broadcasting and multicasting [9], [15], [17].
In the BE literature, traditionally, the users are assumed to be identical in the sense that they are taken to be equally likely to be interested in any particular broadcast. However, in practice every user has a certain type of interest, some being more interested in sport events, some in movies, some in entertainment, etc. If these user profiles are taken into account, they can provide some critical information to optimize the operations of a BE system.
In this paper, we study the problem of achieving a more efficient BE system in the presence of provided user preference information. Our approach works by constructing the subset structure of a CS or SD system according to the given set of subscriber profiles. We first analyze the relationship between the transmission overhead of a BE scheme and the distribution of the user profiles. After proving several key results, we give two optimal algorithms for the CS scheme with one broadcast type. Then we generalize our approach by proposing a similarity metric for the CS and SD schemes with multiple broadcast types. Theoretical and experimental results show that the approach can significantly reduce the transmission overhead of the CS-based and SD-based BE schemes. This reduction can be especially remarkable when the proposed approach is used in conjunction with an optimal free rider assignment [4], [22].
The rest of the paper is organized as follows: After summarizing the related work in Section 2, we give an overview of the CS and SD schemes in Section 3. We analyze the average transmission cost of the CS and SD trees according to the user profiles in Section 4 and we prove several results on the optimality conditions in Section 5. We present our optimization algorithms in Section 6 and present the experimental results in Section 7. We discuss the application of user profiling with free riders and present further experimental results for various free rider assignments in Section 8. Section 9 concludes the paper.
Section snippets
Background
After Berkovits [5] introduced the idea of BE in 1991, Fiat and Naor [11] presented their model which is the first formal work in the area. They introduced the resiliency concept, and defined k-resilience to mean being resilient against a coalition of up to k revoked users. Their best scheme required every user to store keys and the center to broadcast messages where n is the total number of users.
After these works, Naor et al. proposed two subset–cover schemes, the
Subset–cover framework and the CS and SD schemes
A subset–cover BE scheme first generates a collection of subsets from the user set and associates a different long-term key with each subset. Then, every user in the system is installed with the long-term keys of the subsets he is included in.
To broadcast a message to a privileged user set P, the sender finds a cover C from the subset collection such that and encrypts the message using the keys of the subsets in C. The number of subsets in C, i.e., , is called the transmission cost
Broadcast encryption with user profiles
As noted in Section 2, the original CS and SD schemes treat the users identically when organizing the key distribution tree. However, if we have information about the user preferences and interests, we can use this information to group similar users together and make the BE scheme more efficient by constructing the subsets in a more clever way.
Consider a system supporting b different types of broadcasts where type j has a broadcast probability of and . Let denote the
Optimal CS tree construction
In this section, we will give two optimal tree construction algorithms for the unitype CS scheme. We will assume that for users , the subscription probabilities are ; i.e., the users are indexed with respect to their subscription probabilities in decreasing order. We say that a CS tree is optimal if it minimizes the expected cover size.
We will consider the optimal CS tree organization problem for two different settings: First, the CS tree has to be a balanced tree, and
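The dependence of the cover size on leaf placement, as an added example that is not from the paper: the code computes a CS cover and the exact expected cover size in the unitype case, assuming a complete binary tree over n = 2^k users and independent subscriptions. The function names and the eight-user profile are constructed for illustration, and the sorted placement is only one placement to compare against, not the paper's optimal construction.

```python
from math import prod

def cs_cover(n, privileged):
    """Return the CS cover of `privileged` as (first_leaf, size) subtrees.

    Users are leaves 0..n-1 of a complete binary tree (n a power of two).
    A subtree is used iff all of its leaves are privileged and it is maximal.
    """
    def walk(lo, size):
        if all(u in privileged for u in range(lo, lo + size)):
            return [(lo, size)]
        if size == 1:
            return []
        half = size // 2
        return walk(lo, half) + walk(lo + half, half)
    return walk(0, n)

def expected_cover_size(probs):
    """Exact E[|cover|] for leaves placed left to right.

    Assumption (not from the page): users subscribe independently with
    probabilities `probs`. A node is in the cover iff all its leaves
    subscribe while its parent's leaves do not all subscribe.
    """
    n = len(probs)
    total = prod(probs)  # the root is the cover iff every user subscribes
    size = n // 2
    while size >= 1:
        for lo in range(0, n, size):
            parent_lo = lo - lo % (2 * size)
            full = prod(probs[lo:lo + size])
            parent_full = prod(probs[parent_lo:parent_lo + 2 * size])
            total += full - parent_full
        size //= 2
    return total

# Constructed profile: four likely subscribers and four unlikely ones.
PROFILE = [0.9, 0.1, 0.9, 0.1, 0.9, 0.1, 0.9, 0.1]
INTERLEAVED = list(PROFILE)               # similar users spread apart
GROUPED = sorted(PROFILE, reverse=True)   # similar users share subtrees

if __name__ == "__main__":
    print("cover of {0,1,2,3,6}:", cs_cover(8, {0, 1, 2, 3, 6}))
    print("expected cover, interleaved:", expected_cover_size(INTERLEAVED))
    print("expected cover, grouped:    ", expected_cover_size(GROUPED))
```

The expected number of subscribers is the same for both placements; only the number of subset keys needed to reach them changes.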
The case of multitype broadcasts
In multitype BE schemes, we cannot simply group the users with respect to their subscription probabilities since there are b different subscription probabilities for each user. Nevertheless, if we place similar users closer in the tree, the number of subtrees containing them will increase, hence smaller covers can be obtained. We will first focus on the probability of two users being interested in a common broadcast. If two users’ probabilities of being interested in the same broadcast are both
Experimental results
We tested the performance of the proposed algorithms against the standard BE approach by running a large number of experiments on synthetically generated user profiles. The user profiles were carefully generated with various characteristics to be representatives of a wide variety of applications.
We experimented with a population of users. Each user profile contains b subscription probabilities for some . For each broadcast type j, the subscription probabilities are randomly
Using similarity approach with free riders
Free riders are the users who are able to decrypt a broadcast session although they are not subscribed to it. Some free riders can be allowed in a BE system in order to lower the transmission cost by relaxing the restriction that the cover must exactly match the privileged user set. Free riders must be assigned carefully in order to reduce the cost effectively. Optimal free rider assignment algorithms for the CS and SD schemes have recently been given by Ramzan and Woodruff [22] and Ak et al.
Conclusion
In this paper, we analyzed the problem of reducing the transmission costs of subset–cover based BE schemes of CS and SD by utilizing information about user interests. We gave optimal algorithms for the CS scheme when only one type of broadcast exists. For the multitype case, we proposed a similarity approach which can be used in both CS and SD schemes. The simulation experiments showed that the proposed algorithms are effective and can provide significant reductions in the transmission
Acknowledgement
This work is supported in part by the Turkish Scientific and Technological Research Agency (TUBİTAK), under Grant No. 108E150.
References (26)
- et al., Optimal subset-difference broadcast encryption with free riders, Information Sciences (2009)
- et al., Unconditional secure conference key distribution schemes with disenrollment capability, Information Sciences (1999)
- et al., All-in-one group-oriented cryptosystem based on bilinear pairing, Information Sciences (2007)
- et al., Resource-aware protocols for authenticated group key exchange in integrated wired and wireless networks, Information Sciences (2007)
- et al., Probabilistic optimization techniques for multicast key management, Computer Networks (2002)
- AACS-Advanced Access Content System, 2007....
- et al., Key management for restricted multicast using broadcast encryption, IEEE/ACM Transactions on Networking (2000)
- W. Aiello, S. Lodha, R. Ostrovsky, Fast digital identity revocation, in: CRYPTO’98, LNCS, vol. 1462, Springer-Verlag,...
- S. Berkovits. How to broadcast a secret, in: EUROCRYPT’91, LNCS, vol. 547, Springer-Verlag, 1991, pp....
- P. D’Arco, A. De Santis, Optimizing SD and LSD in presence of non-uniform probabilities of revocation, in: Proc. of...
Decentralized advertisement recommendation on IPTV
1 Current Address: CERFACS, 42 avenue Gaspard Coriolis, Toulouse 31057, France.