Realizing Massive-Scale Conditional Access Systems Through - - PowerPoint PPT Presentation

Systems and Internet Infrastructure Security (SIIS) Laboratory Page

฀฀฀฀ ฀

• ฀฀฀฀

฀฀฀฀฀ ฀฀฀฀฀฀

Realizing Massive-Scale Conditional Access Systems Through Attribute-Based Cryptosystems

Patrick Traynor, Kevin Butler, William Enck and Patrick McDaniel NDSS Symposium February 11, 2008

1

Systems and Internet Infrastructure Security (SIIS) Laboratory Page

The Y100 Phenomenon

2

Systems and Internet Infrastructure Security (SIIS) Laboratory Page

The Y100 Phenomenon

2

Systems and Internet Infrastructure Security (SIIS) Laboratory Page

The Coming Wave

• The number and variety of Conditional Access (CA)

systems are increasing.

• IPtv
• Satellite Radio
• “Premium” Streaming Audio
• Security in these systems is often proprietary or

requires dedicated hardware.

• A solution for general purpose computing platforms

is needed...

3

Systems and Internet Infrastructure Security (SIIS) Laboratory Page

Goals

• Provide an easily manageable broadcast encryption

mechanism to regulate access to the expanding set of CA systems.

• Demonstrate that Attribute-Based Cryptosystems are

capable of enabling real systems, especially those at massive scale.

4

Systems and Internet Infrastructure Security (SIIS) Laboratory Page

Broadcast Encryption

• Allows access management without requiring

two-way communication.

• Techniques such as LKH and NNL trees dominate

cable television.

• Boneh et al proposed an efficient pairing-based

construction that grows linearly with the number of users.

5

Systems and Internet Infrastructure Security (SIIS) Laboratory Page

Attribute-Based Encryption

• Sahai-Waters Construction (Eurocrypt’05)
• Generalization of Identity-Based Encryption
• Anyone with k-out-of-n attributes can decrypt a ciphertext
• Random Oracle Construction (CCS’06)
• Properly tuned, can reduce the cost of encryption 98%.
• We can use this construction to simple boolean

conjunction and disjunction:

6

Systems and Internet Infrastructure Security (SIIS) Laboratory Page

Attribute-Based Encryption

• Sahai-Waters Construction (Eurocrypt’05)
• Generalization of Identity-Based Encryption
• Anyone with k-out-of-n attributes can decrypt a ciphertext
• Random Oracle Construction (CCS’06)
• Properly tuned, can reduce the cost of encryption 98%.
• We can use this construction to simple boolean

conjunction and disjunction:

6

Tall ∧ Dark ∧ Handsome

Systems and Internet Infrastructure Security (SIIS) Laboratory Page

Attribute-Based Encryption

• Sahai-Waters Construction (Eurocrypt’05)
• Generalization of Identity-Based Encryption
• Anyone with k-out-of-n attributes can decrypt a ciphertext
• Random Oracle Construction (CCS’06)
• Properly tuned, can reduce the cost of encryption 98%.
• We can use this construction to simple boolean

conjunction and disjunction:

6

Tall ∧ Dark ∧ Handsome

Alice ∨ Bob ∨ Carol

Systems and Internet Infrastructure Security (SIIS) Laboratory Page

ABE Details

• Uses bilinear maps on elements of elliptic curves:
• Construction works by computing efficient bilinear

map between k-out-of-n attributes.

• Interpolation using Shamir’s Secret Sharing.
• Accordingly, encryption is a function of n and

decryption is a function of k.

• At least on paper...

7

e : G1 × G2 → GT

Systems and Internet Infrastructure Security (SIIS) Laboratory Page

An Example

8

Systems and Internet Infrastructure Security (SIIS) Laboratory Page

An Example

8

Systems and Internet Infrastructure Security (SIIS) Laboratory Page

An Example

8

Bob Alice

Systems and Internet Infrastructure Security (SIIS) Laboratory Page

An Example

8

Bob Alice

1-out-of-n

Systems and Internet Infrastructure Security (SIIS) Laboratory Page

An Example

8

Systems and Internet Infrastructure Security (SIIS) Laboratory Page

An Example

8

Bob Alice n-1

. . .

Systems and Internet Infrastructure Security (SIIS) Laboratory Page

Scaling

• As expected, MNT curves perform encryption faster.
• Contrary to previous work, MNT curves perform

decryption faster than SS when the n > 1000.

9

500 1000 1500 2000 2500 20000 40000 60000 80000 100000

Time (s) Number of Attributes MNT Supersingular

0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 20000 40000 60000 80000 100000

Time (s) Number of Attributes MNT Supersingular

Systems and Internet Infrastructure Security (SIIS) Laboratory Page

Scaling

• As expected, MNT curves perform encryption faster.
• Contrary to previous work, MNT curves perform

decryption faster than SS when the n > 1000.

9

500 1000 1500 2000 2500 20000 40000 60000 80000 100000

Time (s) Number of Attributes MNT Supersingular

0.1 0.2 0.3 0.4 0.5 0.6 0.7 0.8 20000 40000 60000 80000 100000

Time (s) Number of Attributes MNT Supersingular

E = 2.2214 × 10−3n + 0.01804 r2 = 0.99999997 D = 3.5159 × 10−6n + 0.033791 r2 = 0.9999992

Systems and Internet Infrastructure Security (SIIS) Laboratory Page

Performance

• Even with the random oracle construction, the

performance of the primitives is too slow.

• Adding one new user to a group of 1,000,000 takes

approximately 37 minutes.

• This makes changing the content encryption key

impossible during short programs (e.g., half-hour TV shows)

• A faster access structure is therefore

necessary.

10

Systems and Internet Infrastructure Security (SIIS) Laboratory Page

Tiered Construction

11

Systems and Internet Infrastructure Security (SIIS) Laboratory Page

Tiered Construction

11

Systems and Internet Infrastructure Security (SIIS) Laboratory Page

Tiered Construction

11

Systems and Internet Infrastructure Security (SIIS) Laboratory Page

Tiered Construction

11

...

Systems and Internet Infrastructure Security (SIIS) Laboratory Page

Tiered Construction

11

...

n

Systems and Internet Infrastructure Security (SIIS) Laboratory Page

Tiered Construction

11

... ...

n

Systems and Internet Infrastructure Security (SIIS) Laboratory Page

Tiered Construction

11

... ... . . . ...

n

Systems and Internet Infrastructure Security (SIIS) Laboratory Page

Tiered Construction

11

... ... . . . ...

User Cryptosystem

n

Systems and Internet Infrastructure Security (SIIS) Laboratory Page

Tiered Construction

11

... ... . . . ... . . .

User Cryptosystem

n

Systems and Internet Infrastructure Security (SIIS) Laboratory Page

Tiered Construction

11

... ... . . . ... . . .

Content Cryptosystem User Cryptosystem

n

Systems and Internet Infrastructure Security (SIIS) Laboratory Page

Tiered Construction

11

... ... . . . ... . . .

Content Cryptosystem User Cryptosystem

n

Systems and Internet Infrastructure Security (SIIS) Laboratory Page

Tiered Construction

11

... ... . . . ... . . .

Content Cryptosystem User Cryptosystem

n′ n

Systems and Internet Infrastructure Security (SIIS) Laboratory Page

Tiered Construction

11

... ... . . . ... . . .

Content Cryptosystem User Cryptosystem

n′

Symmetric Content Key

n

Systems and Internet Infrastructure Security (SIIS) Laboratory Page

Traffic Model: PPV

• Pay Per

View (PPV) programs exhibit two types of joins: impulse and pre-pay.

• There are no leaves - users purchase entire programs.
• We use well-known ratings to make results realistic:
• PPV Boxing (400k) and Tyson vs Holyfield II (1.99M)

12

40000 45000 50000 55000 60000 500 1000 1500 2000 2500 3000 3500 5 10 15 20 Membership Size Number Joins (per/second) Time (seconds) Pay-per-view Impulse (steady state vieweship 50,000) Group Size Joins 380000 400000 420000 440000 460000 480000 500000 500 1000 1500 2000 2500 3000 3500 20 40 60 80 100 Membership Size Number Joins (per/second) Time (seconds) Pay-per-view Pre-pay (steady state vieweship 400,000) Group Size Joins

Systems and Internet Infrastructure Security (SIIS) Laboratory Page

How Many Processors?

• Extra processors help the system reach quiescence

faster as joins are parallelized.

• After quiescence, however, extra processors lay idle.
• If steady state joins are less than ~400/minute, one

processor is more than sufficient.

13

0.1 1 10 100 1000 200 400 600 800 1000 Average Operation Latency (seconds) Time (seconds) Join - 1 Join - 5 Join - 10 Join - 15

Systems and Internet Infrastructure Security (SIIS) Laboratory Page

Group Size?

• Larger user groups yield higher latencies throughout

the initial surge and quiescence.

• There is no advantage to using large user groups.

14

2 4 6 8 10 12 14 500 1000 1500 2000 2500 3000 3500 4000

Average Operation Latency (seconds) Time (seconds) Join - 1,000 Join - 5,000

Systems and Internet Infrastructure Security (SIIS) Laboratory Page

Traffic Model: Satellite Radio

• Satellite Radio users purchase subscriptions.
• Joins and leaves happen at any time (macro-scale).
• We use Sirius Satellite Radio quarterly reports.
• 6 million users with 2.8% join and 2% leave rates.

15

5.9e+06 5.95e+06 6e+06 6.05e+06 6.1e+06 500 1000 1500 2000 2500 3000 3500 2 4 6 8 10 Membership Size Number Joins/Leaves (per/second) Time (seconds) Radio (steady state vieweship 6,000,000) Group Size Leaves Joins

Systems and Internet Infrastructure Security (SIIS) Laboratory Page

Improving Performance

• Performance gains can be achieved both by adding

processors and increasing the size of n′.

• The use of 100 processors and n′=100 makes such

systems efficient.

16 200 400 600 800 1000 1200 1400 1500 2000 2500 3000 3500 4000

Average Operation Latency (seconds) Time (seconds) Join Leave

1 1.5 2 2.5 3 3.5 4 4.5 1500 2000 2500 3000 3500 4000

Average Operation Latency (seconds) Time (seconds) Join Leave

Systems and Internet Infrastructure Security (SIIS) Laboratory Page

Traffic Model: IPtv

• Attempts to model a “Pay-Per-Channel” scenario.
• We use Nielsen Ratings for popular programs as the

source of our data.

• The Tonight Show: 5.22 million
• American Idol: 26.9 million
• 2% join and leave rates throughout.

17

5.12e+06 5.14e+06 5.16e+06 5.18e+06 5.2e+06 500 1000 1500 2000 2500 3000 3500 100 200 300 400 500 Membership Size Number Joins/Leaves (per/second) Time (seconds) Set-top (steady state vieweship 5,200,000) Group Size Leaves Joins

Systems and Internet Infrastructure Security (SIIS) Laboratory Page

Taxing the Scheduler

• To simplify management, we performed leaves before

joins.

• Joins unfortunately became delayed by massive leaves.
• Even in this worst case scenario, performance is

reasonable.

18 1 2 3 4 5 6 7 8 9 10 11 500 1000 1500 2000 2500 3000 3500 4000

Average Operation Latency (seconds) Time (seconds) Join Leave

2 4 6 8 10 12 14 500 1000 1500 2000 2500 3000 3500 4000

Average Operation Latency (seconds) Time (seconds) Join Leave

Systems and Internet Infrastructure Security (SIIS) Laboratory Page

Lessons Learned

• ABE constructions can be made efficient enough to

support massive-scale systems.

• ...if you design carefully...
• Let the system do batching.
• Be aware of key exhaustion for massive systems.

19

Systems and Internet Infrastructure Security (SIIS) Laboratory Page

Future Work

• Reduce bandwidth using more compact attribute

representation.

• Develop/Incorporate smart grouping strategies to

lessen the cost of leaves.

• Compare delayed leave strategy to better understand

hardware tradeoffs.

20

Systems and Internet Infrastructure Security (SIIS) Laboratory Page

Y100 (redux)

21

Systems and Internet Infrastructure Security (SIIS) Laboratory Page

Questions

Patrick Traynor traynor@cse.psu.edu http://www.patricktraynor.org

22

Systems and Internet Infrastructure Security (SIIS) Laboratory Page

Joins and Leaves

• A user joining the system requires a single encryption

in the user cryptosystem.

• A leave/eviction requires two operations:
• Generation of a new group attribute.
• Encryption of that attribute in the user cryptosystem.
• Current users are not affected by joins, but must

rekey on leaves.

23

Systems and Internet Infrastructure Security (SIIS) Laboratory Page

Sizing n′ For Performance

• We want the size of the content cryptosystem to be

bound by the performance requirements of our system.

• We experiment with the size of the content

cryptosystem under 1,000 unique groups.

• Cost of Crypto Operations:
• Encryption: 2.24 seconds
• Decryption: 33 ms

24