A user key management method for a broadcast encryption includes assigning node path identifiers (IDs) to nodes arranged in sequence; assigning random seed value keys to the nodes according to the node path IDs; generating key values by repeatedly applying a hash function to the assigned random seed value keys; and assigning the generated key values to the nodes in sequence. Accordingly, it is possible to reduce the transmission overhead that is most important matter in the broadcast encryption to less than the number of the revoked users. Further, there is an advantage that the transmission overhead of the exemplary embodiments of the present invention is remarkably reduced compared with the Subset Difference method.

PTO Wrapper PDF
Dossier Espace Google
Patent
   RE45191
Priority
Nov 12 2004
Filed
Apr 18 2013
Issued
Oct 14 2014
Expiry
Nov 14 2025
Inventors
Park, Sung…
Assg.orig
Samsung El…
Assg.curr
Samsung El…
Entity
Large
Referenced by
0
References
13
Maint.:
all paid
First Modified Exemp…
Second Modified Exem…
Third Modified Exemp…
Fourth Modified Exem…
Fifth Modified Exemp…
42. A key assigning method comprising:
assigning node path identifiers (IDs) to group nodes which are arranged in sequence;
assigning a random seed to one of a plurality of keys of a node of the group; and
assigning results of applying a hash function a different number of times to seeds assigned to remaining nodes of the group, to remaining keys of the node of the group.
0. 47. A key assigning method comprising:
assigning node path identifiers (IDs) to group nodes arranged in sequence;
assigning a seed to one of keys of a node of the group nodes according to the node paths IDs; and
assigning results to remaining keys of the node of the group nodes, wherein the results indicate a hash function applied a number of times to seeds assigned to remaining nodes.
43. An encryption method comprising:
identifying consecutive approved nodes from among a plurality of nodes arranged in sequence, as an interval;
determining a key to which a hash function is applied (n−1) times to a seed assigned to a first node of the nodes included in the interval, wherein n is a number of the consecutive nodes included in the interval; and
encrypting another key with the determined key.
1. A method of managing a user key for a broadcast encryption, the method comprising:
assigning node path identifiers (IDs) to nodes which are arranged in sequence;
assigning random seed value keys to the nodes according to the node path IDs;
generating key values by repeatedly applying a hash function to the assigned random seed value keys; and
assigning the generated key values to the nodes in sequence.
0. 48. An encryption method comprising:
identifying as an interval consecutive approved nodes from among nodes arranged in sequence;
determining a key to which a hash function is applied a number of times to a seed assigned to a first node of the nodes in the interval, wherein the number is one less a number of the consecutive nodes included in the interval; and
encrypting another key with the determined key.
10. A method of managing a user key for a broadcast encryption, the method comprising:
assigning node path identifiers (IDs) to nodes configured as a circular group;
assigning random seed value keys to the nodes according to the node path IDs;
generating key values by repeatedly applying a hash function to the assigned random seed value keys; and
assigning the generated key values to the nodes in a cyclic way.
0. 50. An encryption method comprising:
receiving a first key encrypted with a second key to which a hash function is applied a number times to a seed assigned to a first node in an interval comprising consecutive approved nodes from among nodes arranged in sequence, wherein the number is one less a number of the consecutive nodes included in the interval; and
computing the second key to decode the encrypted first key.
24. A key assigning method comprising:
assigning node path identifiers (IDs) to nodes which are arranged in sequence;
a first assigning of a first seed to one of a plurality of first keys of a first node in a first group; and
a second assigning of a result of applying a hash function at least once to a second seed assigned to a second node in the first group, to another one of the plurality of first keys of the first node in the first group.
45. An encryption method comprising:
receiving a first key encrypted with a second key to which a hash function is applied (n−1) times to a seed assigned to a first node in an interval which includes consecutive approved nodes from among a plurality of nodes arranged in sequence, wherein n is a number of the consecutive nodes included in the interval;
computing the second key which encrypted the first key; and
decoding the encrypted first key with the computed second key.
41. A key assigning method comprising:
assigning node path identifiers (IDs) to group nodes which are arranged in sequence;
a first assigning of a random seed to one of a plurality of keys of a node of the group;
a second assigning of results of applying a hash function a different number of times to seeds assigned to remaining nodes of the group, to remaining keys of the plurality of keys of the node of the group; and
performing the first assigning and the second assigning for the remaining nodes of the group.
33. A key assigning method comprising:
a first assigning of a first seed to one of a plurality of first keys of a first node in a first group; and
a second assigning of a result of applying a hash function at least once to a second seed assigned to a second node in the first group, to another one of the plurality of first keys of the first node in the first group,
wherein the first group consists of t nodes, the first node is an ath node in the first group, the second node is a bth node in the first group, and the second assigning comprises applying the hash function [(a+t−b)mod t] times to the second seed.
19. A method of managing a user key for a broadcast encryption, the method comprising:
assigning random seed value keys to nodes configured as a circular group;
generating first key values by repeatedly applying a first hash function to the assigned random seed value keys;
assigning the first key values to the nodes in a cyclic way;
setting special nodes in a certain interval among the nodes;
assigning random special seed value keys to the special nodes;
generating second key values by repeatedly applying a second hash function to the assigned random seed value keys; and
assigning the second key values to the special nodes in a cyclic way.
5. A method of managing a user key for a broadcast encryption, the method comprising:
assigning random seed value keys to nodes which are sequentially arranged;
generating first key values by repeatedly applying a first hash function to the assigned random seed value keys;
assigning the first key values to the nodes in sequence;
setting special nodes in a certain interval among the nodes which are sequentially arranged;
assigning special seed value keys to the special nodes;
generating second key values by repeatedly applying a second hash function to the assigned special seed value keys; and
assigning the second key values to the special nodes in sequence.
37. A key assigning method comprising:
a first assigning of a first seed to one of a plurality of first keys of a first node in a first group;
a second assigning of a result of applying a hash function at least once to a second seed assigned to a second node in the first group, to another one of the plurality of first keys of the first node in the first group;
a third assigning of the second seed to one of second keys of the second node; and
a fourth assigning of a result of applying the hash function at least once to the first seed assigned to the first node, to another one of the second keys of the second node,
wherein the first group consists of t nodes, the first node is an ath node in the first group, the second node is a bth node in the first group, and the fourth assigning comprises applying the hash function [(b+t−a)mod t] times to the first seed.
2. The method of claim 1, wherein an encryption key for an interval formed with N-ary nodes which are arranged in sequence is generated by repeatedly applying the hash function N−1 times to a seed value key which is assigned to a first node in the interval.
3. The method of claim 2, wherein the interval is a set of consecutive non-revoked nodes.
4. The method of claim 2, wherein the interval includes more than one revoked node and an independent hash function is applied to the revoked node.
6. The method of claim 5, wherein, when a special node key K is assigned to a first special node of the special nodes, a second key value which is obtained by applying the second hash function to the special node key K is assigned to a second special node located away from the first special node in the certain interval.
7. The method of claim 5, wherein an encryption key for an interval formed with N-ary nodes which are arranged in sequence is generated by repeatedly applying the hash function N−1 times to a seed value key which is assigned to a first node in the certain interval.
8. The method of claim 7, wherein the certain interval is a set of consecutive non-revoked nodes.
9. The method of claim 7, wherein the interval includes more than one revoked node and an independent hash function is applied to the revoked node.
11. The method of claim 10, wherein an encryption key for a cyclic interval constructed with N-ary nodes in the circular group is generated by repeatedly applying the hash function N−1 times to a seed value key which is assigned to a first node in the interval.
12. The method of claim 11, wherein the cyclic interval is a set of consecutive non-revoked nodes.
13. The method of claim 10, wherein a layered structure of circular groups is formed by linking nodes configuring a new circular group below each node configuring the circular group.
14. The method of claim 13, wherein the layered structure has 16 layers.
15. The method of claim 13, wherein a number of nodes in the circular groups is identical.
16. The method of claim 13, wherein a node having at least one revoked node is regarded as a revoked node in the layered structure.
17. The method of claim 10, wherein the cyclic interval formed with the N-ary nodes in the circular group includes more than one revoked node and an independent hash function is applied to the revoked node.
18. The method of claim 10, wherein N-ary nodes form the circular group and are assigned the node path IDs from 0 to N−1.
20. The method of claim 19, wherein, if a special node key K is assigned to a first special node of the special nodes, a second key value which is obtained by applying the second hash function to the special node key K is assigned to a second special node located away from the first special node at the certain interval.
21. The method of claim 19, wherein an encryption key for an interval formed with N-ary nodes which are arranged in sequence is generated by repeatedly applying the hash function N−1 times to a seed value key which is assigned to a first node in the interval.
22. The method of claim 21, wherein the cyclic interval is a set of consecutive non-revoked nodes.
23. The method of claim 21, wherein the cyclic interval includes more than one revoked node and an independent hash function is applied to the revoked node.
25. The method of claim 24, wherein the first seed and the second seed are randomly generated and are independent from one another.
26. The method of claim 24, wherein the hash function is HBES SHA-1.
27. The method of claim 24, wherein the first group consists of t nodes, the first node is arranged at a first position in the first group, the second node is arranged at a second position in the first group, and the second assigning comprises applying the hash function (t−1) times to the second seed.
28. The method of claim 24, wherein the first node and the second node in the first group have a same parent node.
29. The method of claim 24, further comprising performing the first assigning and the second assigning to other groups different from the first group.
30. The method of claim 29, wherein the first group and the other groups are arranged in a layered tree structure.
31. The method of claim 30, wherein the tree structure consists of 16 layers.
32. The method of claim 30, wherein a leaf node of the layered tree structure has a key set comprising keys assigned to the leaf node and keys assigned to a parent node of the leaf node.
34. The method of claim 33, further comprising a third assigning of a result of applying the hash function at least once to a third seed assigned to a third node in the first group, to another one of the plurality of first keys of the first node.
35. The method of claim 34, wherein the third node is a cth node in the first group, and the third assigning comprises applying the hash function [(a+t−c)mod t] times to the third seed.
36. The method of claim 35, wherein the first group consists of t nodes, the first node is arranged at a first position in the first group, the second node is arranged at a second position in the first group, the third node is arranged at a third position in the first group, the second assigning comprises applying the hash function (t−1) times to the second seed, and the third assigning comprises applying the hash function (t−2) times to the third seed.
38. The method of claim 37, wherein the first group consists of t nodes, the first node is arranged at a first position in the first group, the second node is arranged at a second position node in the first group, and the fourth assigning comprises applying the hash function once to the first seed.
39. The method of claim 37, further comprising:
a fifth assigning of a result of applying the hash function at least once to a third seed assigned to a third node in the first group, to other one of the second keys of the second node.
40. The method of claim 39, wherein the third node is a cth node in the first group, and the fifth assigning comprises applying the hash function [(b+t−c)mod t] times to the third seed.
44. The encryption method of claim 43, further comprising:
transmitting the encrypted another key to one of consecutive approved nodes of another interval.
46. The encryption method of claim 45, wherein the receiving comprises receiving the first key encrypted with the second key at a node of another interval comprising consecutive approved nodes of the plurality of nodes.
0. 49. The method of claim 48, further comprising:
transmitting the encrypted another key to one of consecutive approved nodes of another interval.
0. 51. The method of claim 50, wherein the receiving comprises receiving the first key encrypted with the second key at a node of another interval comprising consecutive approved nodes of the nodes.

Further, the keys assigned to the respective nodes according to the Equation 1 are the same as in the table shown in FIG. 7. FIG. 7 is a view showing the keys assigned to each node on a straight line structure in accordance with an exemplary embodiment of the present invention. Referring to FIG. 7, it can be understood that a user uc is assigned c-ary keys, the keys 701 in FIG. 7.

Further, in the present invention, a scheme where all of the users are divided into at least one subset can be considered, and a session key is transmitted to each subset along with a message in this scheme.

FIG. 8 is a flow chart showing a procedure of transmitting a session key to an interval between two revoked users in accordance with an exemplary embodiment of the present invention. Referring to FIG. 8, a set of consecutive users put on between the revoked users is defined as an interval to transmit a session key (S801). Next, the session key is transmitted to each interval corresponding to each subset (S802).

At this time, one interval is set between two revoked users except for the case that the revoked users are consecutively arranged. Thus, it is possible to transmit the session keys to (r+1) intervals at most. However, when a maximum length of the interval is c, the transmission overhead becomes much greater in the interval longer than c.

Descriptions are now made on an exemplary method of setting an interval where privileged users are consecutively arranged. In a case that users U1 through U10 are present and the user U5 is a revoked user, with the maximum length of the interval limited to 5, one interval from U1 to U4 and another interval from U6 to U10 are established.

In a case that users U1 through U10 are present and the users U1 and U10 are revoked users, with the maximum length of the interval limited to 5, one interval from U2 to U6 and another interval from U7 to U9 are established

FIG. 9 is a view showing a definition of an interval in a straight line structure in accordance with an exemplary embodiment of the present invention. Referring to FIG. 9, a set of consecutive privileged users positioned between two revoked users 901 and 903 is defined as an interval 902.

Meanwhile, after the interval is set as described above, a one-way key chain starting from the node key Ki of the user Ui is located (S803). Next, the session key SK is encrypted using the last key h(s)(Ki) of the located one-way key chain and then transmitted to the corresponding interval (S804). At last, the encrypted message is transmitted (S805).

The method will be more detailed below. In order to transmit the session key SK to an interval {ui, ui+1, ui+2, . . . , ui+s} (here, the s is less than the c), the center uses the one-way key chain starting from the node key Ki of the user ui. The session key SK is encrypted by using the key h(s)(Ki) in the one-way key chain starting from the node key Ki, wherein the key h(s)(Ki) corresponds to the user ui+s and the encrypted session key is transmitted to the interval. That is, when E(K, M) is a secret key encryption algorithm with a key K, the message E(h(s)(Ki), SK) is transmitted to all of the users.

A user capable of decrypting the transmitted message based on keys previously allocated thereto as descried above is only the user who can obtain the key h(s)(Ki). Accordingly, only the users in the interval {ui, ui+1, ui+2, . . . , ui+s} can obtain the corresponding keys.

That is, since the user in the interval knows one key in the one-way key chain starting from the key Ki and the key is positioned in the left side of the h(s)(Ki), the user can obtain the h(s)(Ki) by applying the one-way function h to his/her key.

In contrast, users in the left side of the interval among the users who are not in the interval cannot obtain a key related to the key Ki, so that they cannot obtain the key h(s)(Ki). Further, even though users in the right side of the interval may obtain some keys in the one-way key chain, they cannot obtain keys positioned in the left side of the one-way key chain due to uni-directionality of the one-way function.

Thus, although certain traitors who are not in the corresponding interval collude, it is impossible that they obtain the key h(s)(Ki). Accordingly, they can not decrypt the session key.

FIG. 10 is a view showing a method of transmitting a session key to an interval in a straight line structure in accordance with an exemplary embodiment of the present invention. Referring to FIG. 10, it is possible to simultaneously transmit the session key SK to the users in the interval in accordance with an exemplary embodiment of the present invention.

That is, assuming that revoked users are positioned on (i−1)-th node 1001 and (i+t+1)-th node 1005, respectively and (t+1) consecutive privileged users 1002, 1003 and 1004 are positioned between the two revoked users, it is possible to transmit only one secret key for only the privileged users. That is, assuming that E(K, m) is a secret key encryption scheme having K as a key, a header of the session key for the users ui, . . . , ui+1 can be expressed as Equation 2 below.
Header=E(h(t)(Ki),SK)   Equation 2

FIG. 11 is a flow chart showing a procedure that users on each node decrypt data by using the session key received from the center with an exemplary embodiment of the present invention. Referring to FIG. 11, the only privileged users can decrypt the received data using the keys transmitted from the center according to the method described above. That is, when each user who received the message including the encrypted header is in the corresponding interval (S1102), the user performs decryption by operating the h(s)(Ki) using his/her own key (S1103). On the contrary, each user who is not in the corresponding interval can not decrypt the received data since they can not operate h(s)(Ki) (S1104).

In more detail, in FIG. 10, the users positioned in the left side of the i-th node 1002 cannot obtain the key h(i+t)(Ki) since they cannot obtain the key Ki. Further, while the users positioned in the right side of the (i+t) node can obtain the keys of rightward part of the one-way key chain starting from the key Ki, they cannot obtain the key h(i+t)(Ki) due to the uni-directional property of the one-way hash function.

On the other hand, all of the privileged users in the interval can obtain the key h(i+t)(Ki) by repeatedly applying the one-way function h to the key derived based on the key Ki among their own keys.

Meanwhile, in a case that there are N total users including r revoked users, the transmission overhead can yield as follows.

First of all, each of the users should store c or less keys. At this time, the transmission overhead is {r+(N−2r)/c} keys in the worst case. This case occurs when all of the revoked users are gathered in one portion on the straight line and the privileged users are gathered only in the other portion. The transmission overhead decreases when two or more revoked users consecutively are positioned. Accordingly, the case that revoked users and privileged users are positioned alternately should be considered. At this time, N/c is additionally needed since the maximum length of the interval to which keys can be transmitted by one transmission is set to c.

Further, the computation overhead of the users becomes operations of maximum c times for the one-way function and one operation of the secret key algorithm. In a case that N=1,000,000 and r=50,000, the computation overhead is obtained as shown in Table 1 below.

TABLE 1
Transmission overhead
C (Storage cost) (worst case) Ratio
 50 50,000 + 18,000 1.36r
100 50,000 + 9,000  1.18r
200(about 3K) 50,000 + 4,500  1.09r

Hereinafter, modifications of the basic exemplary embodiment of the present invention will be described below. In the basic exemplary embodiment, since as the length of the interval is limited to c, there is a problem that the transmission overhead becomes greater than r. Accordingly, a first modified exemplary embodiment is based on an idea that an interval is set to have a longer length than c, thereby transmitting keys to a longer interval by one transmission.

Further, a second modified exemplary embodiment applies a new one-way function to the node of the revoked user in order to reduce the transmission overhead to less than r. Still further, a third modified exemplary embodiment is a method derived by combining the first and second modified exemplary embodiments.

First Modified Exemplary Embodiment

In the basic exemplary embodiment described above, the transmission overhead is greater than r because the length of an interval is limited to c. Accordingly, to reduce the transmission overhead to as much as r, the first modified exemplary embodiment, which transmit the keys by one transmission to a longer interval than c is proposed.

In the first modified exemplary embodiment of the present invention, special nodes are set in a certain interval, for example, for every 3-th node. Then, special seed value keys randomly selected and different from the existing seed value keys are assigned to the respective special nodes, and a special node chain starting from one special node key is constructed.

FIG. 12 is a view showing definition of the special nodes in the straight line structure in accordance with the first modified exemplary embodiment of the present invention. Referring to FIG. 12, the special nodes 1201, 1202 and 1203 are set for every c-th node. The special nodes 1201, 1202 and 1203 are assigned new special seed value keys, respectively, and a one-way key chain having the length c×c2 is constructed by applying the keys.

In more detail, new special seed value keys are randomly selected and assigned to the special nodes 1201, 1202 and 1203, respectively, and a special node chain starting from each special node is constructed for the respective special seed value keys by applying a new one-way hash function.

At this time, the special node chain has the length c×c2, where c2 is a new constant. Hereinafter, a method of assigning keys to all of the nodes, respectively, by using the constructed special node chain.

FIG. 13 shows a method of assigning the keys to the corresponding nodes on the straight line structure in accordance with the first modified exemplary embodiment of the present invention. A method of constructing a key chain in the first modified exemplary embodiment is basically the same as that of the basic exemplary embodiment described above. Assuming that an interval {ui, ui+1, ui+2, . . . , ui+s} starts at a special node and is arranged on the straight line in a range which is beyond the length c, key assignment to this interval is performed by the special node key chain starting from the key of the node ui. In this modified exemplary embodiment, a scheme for encrypting the SK is the same as that of the basic exemplary embodiment of the present invention. That is, the SK is encrypted using the key corresponding to the node ui+s among the keys in the special node key chain starting from the key of the ui and then transmitted to each node in the interval {ui, ui+1, ui+2, . . . , ui+s}.

Referring to FIG. 13, when the first special node 1301, the c-th node, is assigned a special node key K, the second special node 1305, the 2c-th node, is assigned a special node key h2(K) 1310 obtained by operating a one-way function h2 1309 with the special node key K. In the same manner, the third special node 1307, the 3c-th node, is assigned a special node key h2(2)(K) 1312 obtained by operating the one-way function h2 1309 twice with the special node key K.

Accordingly, the (c+1)-th node 1202 is assigned the key h(K) obtained operating the one-way function h with the special seed value key K, and the (c+2)-th node 1303 is assigned the key h(2)(K) obtained by operating the one-way function h with the special seed value key K twice. In the same manner, the (2c+1)-th node 1306 is assigned the key h(h2(K)) obtained by operating the one-way function h with the special seed value key h2(K) 1310 of the 2c-th node 1305. The (3c+1)-th node 1308 is assigned the key h(h2(2)(K)) obtained by operating the one-way function h with the special seed value key h2(2)(K) 1312 of the 3c-th node 1307.

At this time, the (c+t)-th user stores his/her seed value key along with the key h2(K) when 1≦t≦c. Accordingly, each node should store total c2 keys additionally.

As described above, in the first modified exemplary embodiment of the present invention, the number of the keys to be stored in each the node increases but the size of the session key to be transmitted by a center decreases.

FIG. 14 shows a method of dividing an interval to transmit a session key in accordance with the first modified exemplary embodiment of the present invention. Referring to FIG. 14, in a case that a number of privileged users are consecutively arranged, they can be divided into only two intervals 1401 and 1402 to be provided with the session key.

FIG. 15 shows a method of transmitting a session key to a plurality of intervals in accordance with the first modified exemplary embodiment of the present invention. Referring to FIG. 15, in a case that the privileged users are divided into four intervals 1501, 1502, 1503 and 1504, the session key is constructed like E(h(2)h2(2)(K), SK) so that only the privileged users can decrypt the session key.

Accordingly, the computation overhead can be reduced by applying the function h2 in accordance with the first modified exemplary embodiment of the present invention. That is, maximum (c+c2) times of computations of the one-way function are needed.

According to the first modified exemplary embodiment described above, although the storage overhead of the user increases somewhat compared with the basic exemplary embodiment, it is possible to remarkably reduce the transmission overhead if the number of the revoked users is not so many.

Second Modified Exemplary Embodiment

According to the first modified exemplary embodiment, it is possible to obtain the transmission overhead which is approximately the same as r. That method shows the best result in the transmission overhead among the currently known methods such as the SD method with the transmission overhead of 2r−1. A second modified exemplary embodiment to be described hereinafter can reduce the transmission overhead to as much as less than r.

The basic concept of the second modified exemplary embodiment is as follows. In a case that a set of users positioned between two revoked users is regarded as an interval, the total number of intervals can never be below r in the worse case. In such cases, since one transmission should be made for each interval, it is impossible that the transmission overhead becomes less than r. Thus, it is necessary to alter a method of defining an interval.

Accordingly, a transmission interval can be set by including more than one revoked user in the second modified exemplary embodiment of the present invention. The following description provides an example where an interval can include one revoked user. Although in the example of the second modified exemplary embodiment, an interval with only one revoked user is disclosed, but it is beyond doubt that an interval with more than one revoked user can be considered. If one interval includes total 3 revoked users, it is possible to reduce the transmission overhead down to r/2 in an ideal case.

FIG. 16 shows a method of defining an interval in accordance with the second modified exemplary embodiment of the present invention. According to the second modified exemplary embodiment of the present invention, since the interval is set to include revoked users, the transmission overhead decreases and the storage overhead increases. That is, it is possible to transmit a session key to the interval between two revoked users at a time.

If an interval includes one revoked user, two cases can be considered as shown in FIG. 16. In the case (1) in FIG. 16, the key transmission can be performed as disclosed in the basic exemplary embodiment. In the case (2) in FIG. 16, however, a key transmission procedure follows the second modified exemplary embodiment of the present invention.

The transmission of a session key for the interval as in the second case (2) is performed as follows. At this time, a new one-way hash function g is required in accordance with the second modified exemplary embodiment of the present invention. That is, assuming that the interval {ui, ui+1, ui+2, . . . , ui+s} includes a revoked user ui+j, here the length of an interval can not exceed c, the center encrypts the session key SK using the key h(s−j)gh(j−2)(Ki).

FIG. 16 illustrates an example of the interval with only one revoked user. However, as mentioned above, this second modified exemplary embodiment as illustrated in FIG. 16 can be applied to the case that an interval includes two or more revoked users.

FIG. 17 shows method of assigning keys to corresponding nodes 1701 through 1708 on a straight line structure in accordance with the second modified exemplary embodiment of the present invention. Referring to FIG. 17, until revoked users corresponding to the nodes 1702, 1703 and 1704 are found, a one-way key chain are modified by applying the one-way hash function h in the right direction along the one-way key chain. At the node 1705 of the revoked user ui+j, another one-way hash function g, rather than the one-way hash function h, is applied to modify the one-way key chain.

After the revoked users 1706 and 1707, the one-way key chain is constructed by generating key values using one-way hash function h again. For the transmission, the session key SK is encrypted with the key corresponding to the node of the last user.

At this time, since the two one-way functions h and g are publicly known, users positioned in the left side of the revoked user can easily compute the key used for encryption. However, the revoked user ui+j can not compute the subsequent keys because the revoked user does not know the key hg(j−1)(Ki). That is why the center keeps the key hg(j−1)(Ki) secret.

Meanwhile, users positioned in the right side of the revoked user have to additionally store the key corresponding to their positions in the key chain, respectively. At this time, in a case that the length of the interval is set to c, the number of the interval is 1+2+3+. . . +(c−2). That is, each user has to store (c−1)(c−2)/2 keys additionally.

In the second modified exemplary embodiment of the present invention described above, although the total storage overhead is c+(c−1)(c−2)/2, i.e. O(c2), but the transmission overhead is r/2+(N−2r)/c. That is, while the basic exemplary embodiment has the transmission overhead of r+(N−2r)/c, this second modified exemplary embodiment has the transmission overhead of r/2+(N−2r)/c at most. Further, the computation overhead becomes the maximum c times of computations of one-way function like the basic exemplary embodiment.

In the case of N=1,000,000 and r=50,000, the computation and transmission overheads are as in Table 2.

TABLE 2
Transmission
c Storage overhead overhead (worst case) Ratio
64 1,955 25,000 + 14,000 0.78r
100 4,951 25,000 + 9,000  0.68r

Referring to Table 2, although the first term r in the transmission overhead of the basic exemplary embodiment is remarkably reduced to π/2 in this exemplary embodiment, the second term (N−2r)/c in the transmission overhead increases.

Meanwhile, the method of the second modified exemplary embodiment described above can extend to general cases. That is, as the storage overhead increases to O(c3), the key transmission can be implemented to transmit the key to an interval including three revoked users at a time. Accordingly, the method can also be applied to the interval including a plurality of revoked users as well as one revoked user as described above.

Third Modified Exemplary Embodiment

A third modified exemplary embodiment of the present invention is derived by combining the first and second modified exemplary embodiments. In this case, it is the worst case when every interval having a length c includes one revoked user. In a case that an interval having the length less than c includes two or more revoked users, the transmission for the two revoked users can be carried out at a time by using the second modified described above. The transmission overhead and storage overhead in such worst case are r/2+(N−2r)/2(c−2) and c+c2+(c−1)(c−2)/2, respectively.

The transmission overhead r/2+(N−2r)/2(c−2) can be applied to the case that r is greater than N/c. If r is smaller than N/c, different results are obtained. For example, assuming that r equals zero, the transmission overhead becomes N/(c×c2). At this time, as r gradually increases, the transmission is needed once for the interval including the revoked users and having the length c. Further, since the method of the first modified exemplary embodiment is applied to the other intervals, the transmission overhead becomes approximately r+(N−cr)/(c×c2).

That is, the transmission overhead forms a straight line with the initial value of N/(c×c2) and the slope of value 2. The transmission overhead increases along the straight line and then changes to r/2+(N−2r)/2(c−2) when r is N/c which is the turning point.

According to the third modified exemplary embodiment, although the storage overhead of the user increases somewhat in comparison with the basic exemplary embodiment, it is possible to remarkably reduce the transmission overhead in a case that the number of the revoked users is not so many.

Fourth Modified Exemplary Embodiment

The fourth modified exemplary embodiment of the present invention proposes a method for applying the basic exemplary embodiment of the straight line structure and the first to third modified exemplary embodiments into a circular structure.

First, it is possible to easily reconstruct the straight line structure in the exemplary embodiments described above into a circular structure. That is, considering a straight line L including N users from u1 to uN, the straight line structure turns into a circular structure by connecting both ends of the straight line L.

All of the method of defining the interval described above will be applied to this circular structure. For example, a one-way key chain starting from a user uN can be constructed.

In the basic exemplary embodiment having the straight line structure described above, the one-way key chain starting from the user uN may have one key KN,N. Meanwhile, the one-way key chains starting from the user uN have c-ary keys as expressed in Equation 3 because one-way key chains continue by gluing the user uN with the user u1 in the circular structure.
KN,N, KN,1, KN,2, KN,3, . . . KN,c−1   Equation 3

By generalizing the Equation 3, the one-way key chain starting from the user ui can be expressed as Equation 4.
Ki,i, Ki,i+,1(mod N), . . . , Ki,i+c−1(mod N)   Equation 4

Specifically, in the fourth modified exemplary embodiment, provided that the maximum length of the interval consisting of the consecutive privileged users is c, each user stores one to c-ary keys depending on the location of the user in the straight line structure, whereas each user stores c-ary keys in the circular structure.

FIG. 18 depicts a method of assigning keys to each node on a circular structure in accordance with the fourth modified exemplary embodiment of the present invention. Referring to FIG. 18, in the fourth modified exemplary embodiment of the present invention, provided that 10 nodes form a circular group and the maximum length of an interval consisting of consecutive privileged users is 5, each node stores five keys.

As the length of the interval is set to c as mentioned in the first modified exemplary embodiment, to prevent the transmission overhead from exceeding r, it is possible to apply the method of transmitting the key values to the long interval at one time in the circular structure.

Further, to reduce the transmission overhead less than r as in the second modified exemplary embodiment, the method of applying the new one-way function starting from the position of the revoked users is applicable to the circular structure. Likewise, the third modified exemplary embodiment combining the first and second modified exemplary embodiments is also applicable to the circular structure.

Fifth Modified Exemplary Embodiment

The fifth modified exemplary embodiment of the present invention suggests a layered circular structure.

FIG. 19 shows a layered structure with circular node groups in accordance with an exemplary embodiment of the present invention.

Referring to FIG. 19, each circular node group in the layered structure includes c nodes. Each user corresponds to each leaf, that is, each circular structure, in the layered structure. If the layered structure has 16 levels excluding the root node, the layered structure can correspond to c16 users.

Accordingly, it is possible to construct the circular structures having the key chains described above for all group nodes at the layers. At this time, each user corresponding to each node has all keys assigned to his/her parent node.

In this structure, each node having a child node with at least one revoked user is considered as a revoked node. Accordingly, for the encryption, the center marks the revoked users, first. Thereafter, the center first marks the revoked nodes in the encryption. The center marks the parent nodes of the revoked nodes throughout the layered structure.

Such a procedure is performed up to the root node. If there is at least one revoked node, the root node becomes the revoked node.

After marking the revoked nodes, the center sets intervals in each layer. As shown in FIG. 19, only one node is included above the layer 0. The center sets cyclic intervals in the circular group on the layer 0, and encrypts the session key using interval keys for the set cyclic intervals. Next, the center considers on the layer 1 only the circular groups corresponding to the children of the revoke nodes of the layer 0. Such a procedure is performed as far as the layer 15.

For example, in a case where there is one revoked user in an interval, a revoked node is marked in every layer while marking the revoked users. Further, in the encryption step, since there is a revoked node in the layer 0, the center encrypts the session key with the interval key of the cyclic interval excluding the revoked node. Meanwhile, the center considers only one circular group corresponding to the child of the revoked node in the layer 0 for the layer 1.

Nodes corresponding to the children of the privileged nodes and forming the cyclic group, can obtain the session keys assigned to their parent nodes. Accordingly, the center can complete the encryption for entire layered structure by 16 times of encryptions.

While the fourth modified exemplary embodiment can carry out the encryption for more users and thus requires more keys compared with former exemplary embodiments, it can remarkably reduce the transmission overhead, particularly compared with the second modified exemplary embodiment.

Provided that the layer of the fourth modified exemplary embodiment is a layer k and the number of nodes in each circular group is c, the storage overhead of each user in the fourth modified exemplary embodiment is kc+(c−1)(c−2)/2, and keys increase as many as (k−1)c.

Meanwhile, the transmission overhead becomes about r/2+3N/4c for ck−1/2<r. It can be understood that the fourth modified exemplary embodiment has less transmission overhead than that of the second modified exemplary embodiment for r<N/6.

Further, while the method of the four modified exemplary embodiment described above is applied to the case with the interval including one revoked user (1-punctured), it is obvious that the method can also be applied to the case with the interval including a plurality of revoked users (p-punctured) as described in the second modified exemplary embodiment. Further, it is possible to use the method of setting intervals, each with revoked users, and transmitting session keys with respect to the layered structure with more layers.

Hereinbefore, each of exemplary embodiments in accordance with the present invention has been described. Meanwhile, in practically applying the exemplary embodiments described above to the broadcast encryption, it is hardly considered that all users are joined initially at the same time. That is, the center has to reserve the keys for all potential users to be joined in the future, and some reserved keys corresponding to the potential users should be regarded as revoked. Otherwise, newly joined users can recover messages transmitted previously.

Considering that the transmission overhead depends on the r, it can be much burden on the center.

Accordingly, it is very important to add new keys when they are needed as new users join in the aspect of the transmission overhead instead of presetting the keys corresponding to potential users in advance. The exemplary embodiments proposed above can easily add new nodes at the end of the straight line whenever the new users newly join. At this time, since the computation overhead increases due to selection of several new random keys as many as the number of new subscribers and the increased computation times of the function, adding new users is efficiently capable without affecting existing users' keys.

On the contrary, in the view of replacement of the users, it is related to maintenance of the system as time passes. The nodes that have belonged to the revoked users are permanently kept unused after the users arranged to the nodes are revoked once. Accordingly, in the system of which the transmission overhead depends on the r, the transmission overhead remarkably increases after a long time passes.

In such case, it is necessary to reduce the number of nodes inoperable by deleting the keys of the revoked users, and then arrange new users to the nodes inoperable which have belonged to the revoked users. In the conventional interpolation method, replacement of users can be easily performed but it is very hard issue in the BE scheme based on the layered tree structure. In the case of the SD, to replace only one user, every user keys should be updated since key of the root node should be changed.

Meanwhile, in the exemplary embodiments of the present invention describe above, the user replacement is more capable in comparison with the methods based on the tree structure as the SD and the like. That is, in a case of the basic exemplary embodiment, one user can be replaced by updating keys of 2c total users.

Traitors refer to a privileged user who helps unprivileged users use messages by disclosing his/her secret key. Traitor tracing is an algorithm to locate the privileged user who disclosed his/her key when at least one unprivileged users are found. Various results for such a traitor tracing are known.

It is known that the traitor tracing can basically be used in a case that each user's keys can be discriminated with one another and a new key cannot be derived from many user's keys. Meanwhile, the traitor tracing can be applied in the proposed exemplary embodiments of the present invention described above since they fulfill the conditions of the traitor tracing.

At the same time, it is possible to reduce the number of secret keys of each user to 2 by modifying the basic exemplary embodiment to a method using public keys. The public keys needed in this case are O(c2). Such a modification can be very useful when it is applied to application fields where the size of the pubic key is not limited.

In conclusion, the result of comparing CS and SC methods that are the currently most effective BE scheme among various broadcast encryption methods with the present invention is shown as follows. Here, N=1,000,000 and r=50,000 as is in the result described above.

TABLE 3
Storage Transmission overhead
C C2 overhead (worst case)
Basic exemplary 200 200(2K) 50,000 + 4,500(1.1r)
embodiment
Second modified 64 1,955 25,000 + 14,000(0.78r)
exemplary
embodiment
Third modified 64 20 1,955 25,000 + 7,260(0.64r)
exemplary 100 100 5,151 25,000 + 4,500(0.59r)
embodiment
CS 20 r × (log(N/r)(4r)
SD 200 100,000(2r)

Referring to Table 3, in accordance with the exemplary embodiments of the present invention, it is possible to reduce the transmission overhead that is most important issue in the broadcast encryption to below r. That is, it can be understood that the transmission overhead in the exemplary embodiments of the present invention is remarkably reduced compared with the SD method that is known as the best method currently. At the same time, the exemplary embodiments of the present invention meet many conditions needed to make applications practically as described above.

As described above, according to the present invention, it is possible to reduce the transmission overhead that is most important matter in the broadcast encryption to less than r. Further, there is an advantage that the transmission overhead of the exemplary embodiments of the present invention is remarkably reduced compared with the SD method that is known as the best method currently.

Further, according to the present invention, there is an advantage that it is impossible to derive a new key although many users collude and it is possible to do traitor tracing since keys of the colluded users, which are made by an illegal decoder, is used. Furthermore, it is possible to freely add as many users as desired at the last of the sequence.

The foregoing exemplary embodiments and advantages are merely exemplary and are not to be construed as limiting the present invention. The present teaching can be readily applied to other types of apparatuses. Also, the description of the exemplary embodiments of the present invention is intended to be illustrative, and not to limit the scope of the claims, and many alternatives, modifications, and variations will be apparent to those skilled in the art.

INVENTORS:

Park, Sung-Joon, Kim, Dae-youb, Kim, Hwan-joon, Jin, Weon-il, Kim, Myung-Hwan, Jho, Nam-Su, Cheon, Jung-hee, Yoo, Eun-sun

THIS PATENT IS REFERENCED BY THESE PATENTS:
Patent Priority Assignee Title
THIS PATENT REFERENCES THESE PATENTS:
Patent Priority Assignee Title
5592552, Aug 25 1993 ALGORITHMIC RESEARCH LTD Broadcast encryption
5796839, Oct 16 1995 Sony Corporation Encryption method, encryption apparatus, recording method, decoding method, decoding apparatus and recording medium
6028933, Jun 14 1996 Alcatel-Lucent USA Inc Encrypting method and apparatus enabling multiple access for multiple services and multiple transmission modes over a broadband communication network
6397329, Nov 21 1997 TUMBLEWEED HOLDINGS LLC Method for efficiently revoking digital identities
6735313, May 07 1999 Alcatel-Lucent USA Inc Cryptographic method and apparatus for restricting access to transmitted programming content using hash functions and program identifiers
6799270, Oct 30 1998 Citrix Systems, Inc System and method for secure distribution of digital information to a chain of computer system nodes in a network
6816595, Mar 23 1998 International Business Machines Corporation Mini time key creation method and system
7010125, Jan 26 2001 Interntional Business Machines Corporation Method for tracing traitor receivers in a broadcast encryption system
20020133701,
20030044017,
CN1273490,
JP103256,
JP2004527937,
ASSIGNMENT RECORDS    Assignment records on the USPTO
/
Executed onAssignorAssigneeConveyanceFrameReelDoc
Apr 18 2013Samsung Electronics Co., Ltd.(assignment on the face of the patent)
MAINTENANCE FEES AND DATES:    Maintenance records on the USPTO
Date Maintenance Fee Events
Oct 04 2018M1552: Payment of Maintenance Fee, 8th Year, Large Entity.
Oct 05 2022M1553: Payment of Maintenance Fee, 12th Year, Large Entity.


Date Maintenance Schedule
Oct 14 20174 years fee payment window open
Apr 14 20186 months grace period start (w surcharge)
Oct 14 2018patent expiry (for year 4)
Oct 14 20202 years to revive unintentionally abandoned end. (for year 4)
Oct 14 20218 years fee payment window open
Apr 14 20226 months grace period start (w surcharge)
Oct 14 2022patent expiry (for year 8)
Oct 14 20242 years to revive unintentionally abandoned end. (for year 8)
Oct 14 202512 years fee payment window open
Apr 14 20266 months grace period start (w surcharge)
Oct 14 2026patent expiry (for year 12)
Oct 14 20282 years to revive unintentionally abandoned end. (for year 12)