
Realizing Massive-Scale Conditional Access Systems Through Attribute-Based Cryptosystems - PowerPoint PPT Presentation


  1. Realizing Massive-Scale Conditional Access Systems Through Attribute-Based Cryptosystems
     Patrick Traynor, Kevin Butler, William Enck and Patrick McDaniel
     NDSS Symposium, February 11, 2008
     Systems and Internet Infrastructure Security (SIIS) Laboratory

  2. The Y100 Phenomenon

  4. The Coming Wave
     • The number and variety of Conditional Access (CA) systems are increasing.
       ‣ IPTV
       ‣ Satellite Radio
       ‣ “Premium” Streaming Audio
     • Security in these systems is often proprietary or requires dedicated hardware.
     • A solution for general purpose computing platforms is needed...

  5. Goals
     • Provide an easily manageable broadcast encryption mechanism to regulate access to the expanding set of CA systems.
     • Demonstrate that Attribute-Based Cryptosystems are capable of enabling real systems, especially those at massive scale.

  6. Broadcast Encryption
     • Allows access management without requiring two-way communication.
     • Techniques such as LKH and NNL trees dominate cable television.
     • Boneh et al. proposed an efficient pairing-based construction that grows linearly with the number of users.

  9. Attribute-Based Encryption
     • Sahai-Waters Construction (Eurocrypt’05)
       ‣ Generalization of Identity-Based Encryption
       ‣ Anyone with k-out-of-n attributes can decrypt a ciphertext
     • Random Oracle Construction (CCS’06)
       ‣ Properly tuned, can reduce the cost of encryption by 98%.
       ‣ We can use this construction to express simple Boolean conjunction and disjunction:
         Tall ∧ Dark ∧ Handsome
         Alice ∨ Bob ∨ Carol

  10. ABE Details
      • Uses bilinear maps on elements of elliptic curves: $e : G_1 \times G_2 \to G_T$
      • The construction works by computing an efficient bilinear map between k-out-of-n attributes.
        ‣ Interpolation using Shamir’s Secret Sharing.
      • Accordingly, encryption is a function of n and decryption is a function of k.
        ‣ At least on paper...

  16. An Example
      [Figure, built up over slides 11-16. Surviving labels: Alice, Bob, 1-out-of-n, n-1.]

  18. Scaling
      [Figure: two plots of time (s) against number of attributes (0 to 100,000), each comparing MNT and Supersingular curves.]
      $E = 2.2214 \times 10^{-3}\, n + 0.01804$, $r^2 = 0.99999997$
      $D = 3.5159 \times 10^{-6}\, n + 0.033791$, $r^2 = 0.9999992$
      • As expected, MNT curves perform encryption faster.
      • Contrary to previous work, MNT curves perform decryption faster than SS when n > 1000.

  19. Performance
      • Even with the random oracle construction, the performance of the primitives is too slow.
      • Adding one new user to a group of 1,000,000 takes approximately 37 minutes.
        ‣ This makes changing the content encryption key impossible during short programs (e.g., half-hour TV shows).
      • A faster access structure is therefore necessary.

  32. Tiered Construction
      [Figure, built up over slides 20-32. Surviving labels: n, User Cryptosystem, Content Cryptosystem, n′, Symmetric Content Key.]

  33. Traffic Model: PPV
      [Figure: two plots, "Pay-per-view Impulse (steady state viewership 50,000)" and "Pay-per-view Pre-pay (steady state viewership 400,000)", each showing membership size (group size) and number of joins per second against time (seconds).]
      • Pay Per View (PPV) programs exhibit two types of joins: impulse and pre-pay.
        ‣ There are no leaves: users purchase entire programs.
      • We use well-known ratings to make results realistic:
        ‣ PPV Boxing (400k) and Tyson vs Holyfield II (1.99M)

  34. How Many Processors?
      [Figure: average operation latency (seconds) against time (seconds) for the series Join - 1, Join - 5, Join - 10 and Join - 15.]
      • Extra processors help the system reach quiescence faster as joins are parallelized.
      • After quiescence, however, extra processors lie idle.
        ‣ If steady state joins are less than ~400/minute, one processor is more than sufficient.

  35. Group Size?
      [Figure: average operation latency (seconds) against time (seconds) for the series Join - 1,000 and Join - 5,000.]
      • Larger user groups yield higher latencies throughout the initial surge and quiescence.
      • There is no advantage to using large user groups.
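
The k-out-of-n access structure from the "Attribute-Based Encryption" and "ABE Details" slides, as an added example that is not code from the presentation or the authors' implementation: Shamir sharing with Lagrange interpolation, showing how k = n gives the conjunction and k = 1 the disjunction. It models only the threshold layer with plain integer shares (no pairing); the field prime `P` and all function names are assumptions made for illustration.

```python
import secrets

P = 2**127 - 1  # assumed parameter: a Mersenne prime used as the share field

def split(secret, k, n):
    """Return {i: q(i)} for a random degree-(k-1) polynomial with q(0) = secret."""
    if not 1 <= k <= n:
        raise ValueError("threshold must satisfy 1 <= k <= n")
    coeffs = [secret % P] + [secrets.randbelow(P) for _ in range(k - 1)]
    shares = {}
    for i in range(1, n + 1):
        acc = 0
        for c in reversed(coeffs):          # Horner evaluation mod P
            acc = (acc * i + c) % P
        shares[i] = acc
    return shares

def lagrange_at_zero(i, xs):
    """Lagrange basis coefficient for point i over index set xs, at x = 0."""
    num = den = 1
    for j in xs:
        if j != i:
            num = num * (-j) % P
            den = den * (i - j) % P
    return num * pow(den, -1, P) % P

def combine(points):
    """Interpolate q(0) from {index: share}; correct only with >= k shares."""
    xs = list(points)
    return sum(points[i] * lagrange_at_zero(i, xs) for i in xs) % P

def share_policy(secret, attributes, k):
    """Bind one share to each named attribute of a k-out-of-n policy."""
    shares = split(secret, k, len(attributes))
    return {a: (i, shares[i]) for i, a in enumerate(attributes, 1)}

def recover(policy, held):
    """Value that a holder of the attribute set `held` can interpolate."""
    points = dict(policy[a] for a in held if a in policy)
    return combine(points) if points else None

if __name__ == "__main__":
    key = secrets.randbelow(P)              # stands in for the protected key
    conj = share_policy(key, ["Tall", "Dark", "Handsome"], k=3)   # AND: n-of-n
    disj = share_policy(key, ["Alice", "Bob", "Carol"], k=1)      # OR: 1-of-n
    print("all three attributes:", recover(conj, {"Tall", "Dark", "Handsome"}) == key)
    print("one attribute missing:", recover(conj, {"Tall", "Dark"}) == key)
    print("any single user:", recover(disj, {"Bob"}) == key)
```

With fewer than k shares, interpolation still returns a value, but it is unrelated to the secret, so a deployment needs a separate integrity check on the recovered key.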