Information Processing Letters 147 (2019) 6–9
Contents lists available atScienceDirect
Information
Processing
Letters
www.elsevier.com/locate/ipl
A
conditional
access
system
with
revocation
for
mobile
pay-TV
systems
revisited
Alfredo Rial
UniversityofLuxembourg,Luxembourg
a
r
t
i
c
l
e
i
n
f
o
a
b
s
t
r
a
c
t
Articlehistory:
Received1February2018
Receivedinrevisedform25January2019 Accepted24February2019
Availableonline5March2019 CommunicatedbyLucaViganò
Keywords:
Attribute-basedencryption Broadcastencryption Cryptography
In pay-TV, conditional access systems (CAS) are used by a rights issuer to guarantee that only authorized subscribers gain access to TV channels. A CAS scheme that applies attribute-based access control through attribute-based encryption (ABE) with revocation was proposed by Yeh and Huang (2013) [1]. Yeh and Huang extend an existing ABE scheme with a revocation mechanism. We show that the CAS by Yeh and Huang has security and efficiency problems. Particularly, we show that the revocation mechanism proposed by Yeh and Huang is vulnerable to collusion attacks.
©2019 Elsevier B.V. All rights reserved.
1. Introduction
The CAS by Yeh and Huang [1] is based on the key-policy ABEscheme(KPABE) in [2].Yeh andHuang extend thisschemewitharevocationmechanism.InSection2,we recallKPABE.InSection3,werecalltheCASin [1].We dis-cussitsefficiencyandsecurityproblemsinSection4.
2. Technicalbackground
We refer to [2] for a descriptionof bilinearmaps and ofaccessstructuresandaccesstrees.
Key-policy attribute-based encryption. Let
S
be thesetofall attributes.LetQ
bethesetofallaccessstructuresthatare allowed overS
.WedenotebyA
P
thefactthata setof attributesA
satisfies theaccess structureP
.A key-policy attribute-based encryption(KPABE)scheme [2] consistsof the algorithms(
ABESetup,
ABEKeyGen,
ABEEnc,
ABEDec)
. The key generation center (KGC
) executes ABESetup(
1k)
to output public parameters par and master secret key
msk. A user
U
withaccessstructureP ∈ Q
queriesKGC
,E-mailaddress:alfredo.rial@uni.lu.
which runs ABEKeyGen
(
msk,
P)
and returns secret keyskP. On input message m and set of attributes
A ∈ S
, ABEEnc(
par,
m,
A)
computesciphertextct,
whichcanonly be decryptedbya userU
that possesses anaccess struc-tureP
satisfied byA
(ct implicitlycontainsA
). Oninput ciphertextct and
secretkeysk
P,ABEDecoutputsmessagem if
A
satisfiesP
.3. ConditionalaccesssystembyYehandHuang
The scheme proposed in [1] consists of an initializa-tion phase,a subscriber registrationphase, a rights
man-agement phase, and a subscriber revocation phase. (We
note that thekey streamandtraffic encryptionlayers re-mainunchangedwithrespecttotheDVB-Hstandard.)The scheme in [1] is based on the KPABE scheme in [2] and addstoitsupportforrevocation.Inthefollowing descrip-tion, we use boxes to highlight those elements that are added to the scheme in [2] in order to support revoca-tion.
Initialization phase. The rightsissuer(RI)executesthesetup algorithm ofthe KPABE scheme to getthe public param-eters and the master secret key. Let
S
be the set of allhttps://doi.org/10.1016/j.ipl.2019.02.010
A. Rial / Information Processing Letters 147 (2019) 6–9 7
attributes andlet 2N be the maximum numberof users. AlgorithmABESetup
(
1k)
worksasfollows.1. Run
(
p,
G, G
t,
e,
g)
←
G(
1k)
.2. Pickrandom y
← Z
p.3. Forall j
∈ S
,pickrandomt
j← Z
pandcomputeT
j←
gtj.4. Pick random
τ
← Z
p and compute W←
gτ .5. Pick random
ϒ
← Z
p.6. For i=1 to N, pick ci,di← Zpand set hi,0←gciand hi,1←gdi.
7. Settheparameters
par
← (
p,
G,
G
t,
e,
g,
{
Tj}
j∈S,
W,
{
hi,0,
hi,1}Ni=1)
.18. Setthemastersecretkey
msk
← (
y,
{
tj}
j∈S,
τ
,
ϒ,
{
hi,0,
hi,1}Ni=1)
.29. Outputthe mastersecretkey msk and thepublic pa-rameters
par.
Theelements
(
y,
{
tj}
j∈S)
inthemastersecretkeyandthe elements(
p,
G, G
t,
e,
g,
{
Tj}
j∈S)
in the public parametersarethoseofGoyaletal.’sKPABE scheme [2].Theremaining elementsareaddedbyYehandHuanginordertosupport revocation.
Subscriber registration phase. A subscriber possesses a set of attributesor characteristics,such as ageand subscrip-tion category.Given thoseattributes, RI constructsan ac-cess structure
P
. Then RI runs the key generationalgo-rithm ofthe KPABEscheme on input
P
inorder tocom-pute a key that allows the subscriber to obtain all the right objects (RO) that match her age and subscription category. Algorithm ABEKeyGen alsoreceives asinput an n-bit revocation number Xn−1Xn−2
· · ·
X0, which mustbe unique for each subscriber. ABEKeyGen(
msk,
P)
worksas follows.1. Pick random
← Z
p and compute WD←
g(y−)/τ .2. For eachnode
x in
thetreeT
thatdefinesP
,choose a polynomial qx of degree dx=
kx−
1, where kx isthe threshold value of x. Polynomials qx are
cho-sen in a top-down manner, starting from the root
node R. Set qR
(
0)
=
. (In Goyal et al., qR(
0)
=
y.In Yeh and Huang, an additional element WD is
in-cluded in thekey, which dependson both y and
.
WD is thekey element that isupdated whena sub-scriberis revoked.) Chooseother dR points randomly
to define qR completely. For any other node x, set qx
(
0)
←
qparent(x)(
index(
x))
andchooseotherd
x pointsrandomlytodefine
q
x completely.3. Let
Y be
thesetofleaf nodesinT
.Compute{
Dj←
gqj(0)/ti}
j∈Y.1 We notethatthe schemebyGoyal etal. [2] includesanelement e(g,g)y inthepublic parameters.Thiselementis notincluded inthe
publicparametersinYehandHuang [1] becausetherightsissueristhe onlypartythatneedstocomputeciphertextsandtherightsissuerhas knowledgeofthemastersecretkey,whichincludesy.
2 InYehandHuang [1],ϒisincludedneitherinmsk norinpar.
4. Choose a value q1
(
0)
.5. For i∈ [0,N−1], DRi←g(q1(0)ϒ)/ciif Xi=0 else DRi←g(q1(0)ϒ)/di.
6. Setthesecretkeyas
skP
← ({
Dj}
j∈Y,
WD,
{
DRi}
iN=−01,
q1(
0)
−1)
.3The elements
{
Dj}
j∈Y are those of the secretkey intheschemeby Goyalet al. [2]. The elements
(
WD,
{
DRi}
Ni=−01,
q1(
0)
−1)
areaddedbyYehandHuanginordertosupport revocation.Rights management phase. RI creates a right object (RO) that consists of the service encryption key (SEK), a set of attributes
A
, and related parameters, such as a timestamp. RI encrypts the right object RO by running the
encryption algorithm of the KPABE scheme on input
A
.ABEEnc
(
par,
R O,
A)
worksasfollows.1. Pick random r
← Z
p, compute E←
R O· (
g,
g
)
yr(here, y is takenfromthemastersecretkey)and, for all j
∈ A
,computeE
j←
Trj.2. Compute gr.
3. Settheciphertext
ct
← (A,
{
Ej}
j∈A,
E
,
gr)
.The elements
(
A,
{
Ej}
j∈A,
E)
form the ciphertext in the schemebyGoyaletal. [2].Thevalueg
risincludedbyYehandHuang [1] in order to allow decrypting the message alongwiththenewvalue
WD in
thesecretkey.RIbroadcaststheciphertext to thesubscribers. A sub-scriber decrypts the ciphertext by using the decryption algorithm ABEDec
(
par,
ct,
skP)
. Ifthe policyP
associated with skP is satisfied by the set of attributesA
in ct,ABEDec first computes A
=
e(
g,
g)
r and finally outputsR O
=
E/(
e(
WD,
W
r)
A)
.The decryption algorithm inYehand Huang follows that of Goyal et al. The only differ-ence is the last equation R O
=
E/(
e(
WD,
Wr)
A)
, which includestheadditionalpairingoperatione
(
WD,
Wr)
.Subscriber revocation phase. The followingrevocation mech-anism is proposed by Yeh and Huang [1]. To revoke the subscriberwithrevocationnumberXn−1Xn−2
· · ·
X0,RIand thesubscribersexecute aprotocolby means ofwhich R Iupdatesthe value y in the master secret key, while the
non-revoked subscribers update the value WD in their
respective secret keys. First, R I executes the following steps.
1. Pick y
← Z
p, computey
←
y−
y and W←
gy/τ .43 Wenotethatthevalueq
1(0)isunnecessary.Onecansimplycompute DRi←gϒ/ci,ifXi=0,orDRi←gϒ/di,ifXi=1.
4 Wenotethat [1] says“generate thenew publicparameter W←
gy/τ toreplaceW”.Thisisamistake.If WreplacesW inthepublic
8 A. Rial / Information Processing Letters 147 (2019) 6–9
2. Pickrandom
r
← Z
p,computeR E
←
We(
g,
g)
ϒrand,for
i
=
0 toN
−
1,compute R Ei←
hri, ¯Xi,where X
¯
i←
1
−
Xi.3. Setaciphertext
ct
← ( ¯
Xn−1X¯
n−2· · · ¯
X0,
R E
,
{
R Ei}
iN=−01)
.RI broadcasts the ciphertext ct to the subscribers. As
can be seen, only the revoked subscriber is unable to
decrypt the ciphertext. The reason is that the revoked
subscriber has a secret key for the revocation number
Xn−1Xn−2
· · ·
X0 andnone of the bits in Xn−1Xn−2· · ·
X0 matches a bit in X¯
n−1X¯
n−2· · · ¯
X0. However, becausere-vocation numbers are unique for each subscribers, for
the non-revoked subscribersthereisatleast onebit that matches. A non-revoked subscriber decrypts the cipher-text asfollows.First,find a bit Xi such that Xi
= ¯
Xi andtake the element DRi of the secret key. Then compute
W
←
R E/
e(
D Ri,
q1(
0)
−1R Ei)
.AfterretrievingW
,anon-revoked subscribercomputes WD
←
WD·
W=
g(y−)/τtoupdatehersecretkey.
4. DiscussionoftheCASproposedbyYehandHuang
Collusion-resistance. Yeh andHuangdefine
collusion-resis-tance as follows: “A subscriber cannot cooperate with
other subscriberstopromotehisownprivileges.”This ba-sically meansthat twoormorecolludingsubscribersthat holdsecretkeysfortheKPABE schemeshouldnotbeable to decrypt anyciphertextthat anyofthem isnot ableto decrypt on their own. I.e., the colluding subscribers are not able tocombine their secretkeys insuch a waythat theyareabletodecryptciphertextsthatnoneofthemcan decryptindividually.TheKPABE schemein [2] is collusion-resistant.
However, we show that the KPABE with revocation
scheme proposed by Yeh andHuang in [1] is vulnerable to collusion attacks.In the revocation methodin [1], the rightsissuerRIproduceskeyupdatematerialthatis broad-casttoallthenon-revokedsubscribers.Theschemein [1] effectivelypreventstherevokedsubscriberfromretrieving keyupdatematerial.However,itdoesnotensurethata re-vokedsubscriberandanon-revokedonecannotcolludeto decrypt ciphertexts that they are not able to decrypt on theirown.
Let us show this through an example with two
sub-scribers S1 and S2 andthreesubscriberattributesor cat-egories
c
1,c
2 andc
3. S1 (resp.S2) possessesasecretkey that allows her toobtainrightobjects ROforcategoryc
1 (resp.c
2).Collusion-resistanceoftheKPABE schemein [2] ensures that,ifS1 and S2 collude,theyareabletoobtain rightobjectsforcategoriesc
1andc
2becausetheyareable to dothat withoutcolluding,butthey arenotableto ob-tainrightobjectsforcategoryc
3.Atsomepoint,subscriber S2 isrevokedbytherightsissuer.Afterrevocation,S
1 up-dates her key andis still able to obtain right objects for categoryc
1.S
2isnotabletoupdateherkeyandisunable todecryptanything.However,ifS
1andS
2collude, S1can give S2 thekeyupdatematerial,andthentheycanobtain againrightobjectsforcategoryc
2.Thisviolates collusion-resistance because,after S2 isrevoked, neither S1 nor S2 are able to obtain right objects for category c2 on theirown. The figure below describes the attack in the
sub-scriberrevocationphase.
•
RI broadcasts the ciphertext ct← ( ¯
Xn−1X¯
n−2· · · ¯
X0,
R E,
{
R Ei}
Ni=−01)
.•
A non-revoked subscriber S1 computes W←
R E/
e(
D Ri,
q1(
0)
−1R Ei)
byusingDR
ifori such
that Xi=
¯
Xi.•
S1 sendsW
toa revokedsubscriberS
2 withwhom S1 colludes.•
S2 computes WD←
WD·
W=
g(y−)/
τ to update her secretkey. Thanks to that, S2 can decrypt asif S2 wasnotrevoked.
To illustrate that this is a serious security flaw, let us point out that a trivial (albeit inefficient) revocation
method does not suffer from this problem. Consider a
trivialrevocationmethodwhere,whenasubscriber is re-voked,therightsissuerrunsagainthesetup algorithmof
theKPABE schemetocomputenewpublicparametersand
a newmastersecretkey, anduses thismastersecret key to compute newsecretkeys forall the non-revoked sub-scribers.Ascanbeseen,withthisrevocationmethod,after
S2 isrevoked, S1 and S2 are notableto obtainright ob-jectsforcategory
c
2.The reasonisthattheoldsecretkey ofS
2 isnowuselessbecausetheparametersoftheKPABE schemehavechanged.Inconclusion,theCASproposedby YehandHuangisnotcollusion-resistant.Non-repudiation. Yeh andHuangdefinenon-repudiationas follows:“Toensurevideocontentvalidity andquality, the video server shouldnot denythat the video contents are delivered from it.” Non-repudiation basically impliesthat the integrity and origin of received data can be verified andthatthesenderofthedatacannotdenybeingthe orig-inator.
Yeh and Huang claim that their CAS provides
non-repudiation. Theirargument basically statesthat, because RI is the only party that knows the values
(
y,
ϒ)
in the master secret key, RI is the only party able to compute valid ciphertexts that encrypt right objects and valid ci-phertexts thatencrypt keyupdate material.Consequently, Yeh andHuangconclude that,ifa subscriber possessesa validciphertext,then RIisnot abletodenythathe com-putedandsentthatciphertext.As can be seen, this argument is not valid. First,
an adversary eavesdropping the network can get a
ci-phertext sent by RI, and forward it to subscribers at a later stage. Moreover, the adversary can modify the
en-crypted message before forwarding the ciphertext. For
example, if the adversary wishes to modify a ciphertext
ct
← (A,
{
Ej}
j∈A,
E
,
gr)
(where E←
R O· (
g,
g)
yr) thatencrypts R O to a ciphertext that encrypts R O
·
M, the adversary simply replaces E by E·
M. An adversarialsubscriber can also modify the message encrypted in a
ciphertext received fromRI byusing thesame technique. Therefore, RI is able to deny that he computed a given validciphertext.Inconclusion,the CASofYehandHuang
does not provide non-repudiation. The figure below
A. Rial / Information Processing Letters 147 (2019) 6–9 9
•
A malicious RI broadcasts a ciphertext ct← (A,
{
Ej}
j∈A,
E
,
gr)
, where E←
R O· (
g,
g
)
yr iscom-putedoninputanincorrectRO.
•
Anhonest subscriber S decrypts theciphertext and obtains the incorrectRO. S accuses RI of sending a ciphertextct that
encryptsanincorrectRO.•
R I claims ct was modified byan adversary that setE
←
E·
M for someM.
•
S is unabletoprovethatR I indeed
sentct.
Direct revocation vs indirect revocation. There aretwo revoca-tionmethodsforattribute-basedencryption:direct [3] and indirect [4].Inanindirectrevocationmethod,thekey gen-erationcenter,i.e.,thetrustedpartythatkeepsthemaster
secret key and computes keys for users, computes and
publishes key update material so that only non-revoked userscanupdate theirkeys. Theadvantageofindirect re-vocationisthatthesenders, i.e.,thepartiesthatcompute ciphertexts, do not needto knowthe revocationlist. The disadvantageof theindirectrevocationmethodis thatall thenon-revokedusersneedtoupdatetheirkeys.
Inadirectrevocationmethod,senderscompute cipher-textsthatrevokedusersarenotabletodecrypt.Inorderto dothat,sendersneedtoknowtherevocationlist,butkey updatesarenotrequired.Inmanyapplications,sendersdo not knowthe revocationlist,andthus onlyindirect revo-cationcanbeapplied.However,inCAS,theonlysenderis the rightsissuer,andthe rightsissuerknowsthe revoca-tionlist.Therefore,inCAS, directrevocationmethods can beappliedandthenkeyupdatesarenotneeded.
The CAS proposed by Yeh and Huang uses an
indi-rect revocationmethodwherenon-revoked usersneed to update their keys. We note that direct revocation meth-ods avoid the need of updating keys. For instance, in a CAS that uses identity-based broadcast encryption [5] or attribute-based broadcast encryption [3], ciphertextsthat encrypttherightobjectare computedoninputthelistof subscribers. When a subscriber is revoked, the rights is-suersimply removesthe subscriber fromthe list.Thanks tothat,revokedsubscribersarenotabletodecryptthe ci-phertextandobtaintheRO.
User-based vs attribute-based access control. Attribute-based
access control allows a party to describe an access con-trol policy that defines the attributes that a user must possessin order to be granted access to a serviceor re-source. In settings where the party aiming at controlling accessto theservicedoesnot knowthe identitiesor the attributesoftheusersthatmayattemptto gainaccessto it, attribute-based encryption isadequate for implement-ingattribute-basedaccesscontrol.
However, in a CAS for pay-TV, RI usually knows the
identities and the attributes of all the parties that may wantto accessTV broadcastsbecausethose parties must subscribeandpayafee.(Althoughitwould bepossibleto
designa CASschemethattriestoprovideuseranonymity
by using anonymous payment methods and anonymous
communicationnetworks, thisis not done inpractice for efficiency and usability reasons.) In the CAS by Yeh and Huang, RI learns the identities and the attributes of the subscribers during the subscriber registration phase. The identity is learnt to assign a unique revocation number. Theattributesarelearnttocomputethesecretkeyforthe subscriber.
Therefore,becauseRI knowstheidentitiesandthe at-tributesof thesubscribers, RI can decide whethera sub-scriberisentitledtoobtainagivenRObysimplychecking himself whether the subscriber’s attributes fulfill the ac-cesscontrol policy forthat RO. This allows RI to replace attribute-based encryption by an encryption scheme for user-basedaccesscontrol,whichcanbeinstantiatedmore efficiently.Inuser-basedaccesscontrol,thepartythat con-trolsaccesstoaservicesimplymakesalistofalltheusers thatmustbe grantedaccess. InCAS,foreach rightobject (RO),RIcanmakealistoftheidentitiesofthesubscribers thatareentitledtoobtainthatRO.
InaCASthat usesidentity-basedbroadcastencryption (IBBE),foreach RO,RImakesalistofsubscribersthatare allowed to obtain it. Remarkably, the attribute-based ac-cess control functionality is enhanced, because, while in
the CAS proposed by Yeh andHuang the class of access
control policiesthat can be applied is restrictedto those
supported by the KPABE scheme used as building block,
now RI can apply any access control policy on the sub-scriber’sattributes.
In comparison to attribute-based access control,
user-based access control allows more efficient
implemen-tations. In fact, IBBE can be realized more efficiently
than ABE. Therefore, for the sake of efficiency, encryp-tionschemes for user-basedaccesscontrol are preferable whenevertheycanbeused,i.e.,whenthepartyincharge ofcontrollingaccesstoaserviceknowstheidentitiesand theattributesofalltheusersoftheservice.
References
[1]L.-Y.Yeh,J.-L.Huang,Aconditionalaccesssystemwithefficientkey distributionandrevocation for mobile pay-TVsystems,ACMTrans. Multimed.Comput.Commun.Appl.(TOMCCAP)9 (3)(2013)18. [2]V.Goyal,O.Pandey,A.Sahai,B.Waters,Attribute-basedencryption
forfine-grainedaccesscontrolofencrypteddata,in:Proceedingsof the13thACMConferenceonComputerandCommunicationsSecurity, ACM,2006,pp. 89–98.
[3]N.Attrapadung, H. Imai,Conjunctive broadcastand attribute-based encryption, in: Pairing-Based Cryptography–Pairing 2009, Springer, 2009,pp. 248–265.
[4]A.Boldyreva,V.Goyal,V.Kumar,Identity-basedencryptionwith ef-ficientrevocation,in:Proceedings ofthe 15thACM Conferenceon ComputerandCommunicationsSecurity,2008,pp. 417–426. [5]C.Delerablée,Identity-basedbroadcastencryptionwithconstantsize