TY - JOUR

T1 - Improved efficiency for revocation schemes via Newton interpolation

AU - Kogan, Noam

AU - Tassa, Tamir

PY - 2006

Y1 - 2006

N2 - We present a novel way to implement the secret-sharing-based family of revocation schemes of Naor and Pinkas [2003]. The basic scheme of [Naor and Pinkas 2000] uses Shamir's polynomial secret-sharing to revoke up to r users, where r is the degree of the secret-sharing polynomial, and it is information theoretically secure against coalitions of up to r collaborators. The nonrevoked users use Lagrange interpolation in order to compute the new key. Our basic scheme uses a novel modification of Shamir's polynomial secret-sharing: The secret equals the leading coefficient of the polynomial (as opposed to the free coefficient as in the original scheme) and the polynomial is reconstructed by Newton interpolation (rather than Lagrange interpolation). Comparing our scheme to one variant of the Naor - Pinkas scheme, we offer revocation messages that are shorter by a factor of almost 2, while the computation cost at the user end is smaller by a constant factor of approximately 13/2. Comparing to a second variant of the Naor - Pinkas scheme, our scheme offers a reduction of O(r) in the computation cost at the user end, without affecting any of the other performance parameters. We then extend our basic scheme to perform multiround revocation for stateless and stateful receivers, along the lines offered by Naor and Pinkas [2000] and Kogan et al. [2003]. We show that using Newton rather than Lagrange interpolants enables a significantly more efficient transmission of the new revocation message and shorter response time for each round. Pay TV systems that implement broadcast encryption techniques can benefit significantly from the improved efficiency offered by our revocation schemes.

AB - We present a novel way to implement the secret-sharing-based family of revocation schemes of Naor and Pinkas [2003]. The basic scheme of [Naor and Pinkas 2000] uses Shamir's polynomial secret-sharing to revoke up to r users, where r is the degree of the secret-sharing polynomial, and it is information theoretically secure against coalitions of up to r collaborators. The nonrevoked users use Lagrange interpolation in order to compute the new key. Our basic scheme uses a novel modification of Shamir's polynomial secret-sharing: The secret equals the leading coefficient of the polynomial (as opposed to the free coefficient as in the original scheme) and the polynomial is reconstructed by Newton interpolation (rather than Lagrange interpolation). Comparing our scheme to one variant of the Naor - Pinkas scheme, we offer revocation messages that are shorter by a factor of almost 2, while the computation cost at the user end is smaller by a constant factor of approximately 13/2. Comparing to a second variant of the Naor - Pinkas scheme, our scheme offers a reduction of O(r) in the computation cost at the user end, without affecting any of the other performance parameters. We then extend our basic scheme to perform multiround revocation for stateless and stateful receivers, along the lines offered by Naor and Pinkas [2000] and Kogan et al. [2003]. We show that using Newton rather than Lagrange interpolants enables a significantly more efficient transmission of the new revocation message and shorter response time for each round. Pay TV systems that implement broadcast encryption techniques can benefit significantly from the improved efficiency offered by our revocation schemes.

KW - Broadcast encryption

KW - Newton interpolation

KW - Secret sharing

KW - User revocation

UR - http://www.scopus.com/inward/record.url?scp=33845538766&partnerID=8YFLogxK

U2 - 10.1145/1187441.1187444

DO - 10.1145/1187441.1187444

M3 - ???researchoutput.researchoutputtypes.contributiontojournal.article???

AN - SCOPUS:33845538766

SN - 1094-9224

VL - 9

SP - 461

EP - 486

JO - ACM Transactions on Information and System Security

JF - ACM Transactions on Information and System Security

IS - 4

ER -