A conditional access system with revocation for mobile pay-TV systems revisited

Information Processing Letters 147 (2019) 6–9

Contents lists available atScienceDirect

Information

Processing

Letters

www.elsevier.com/locate/ipl

A

conditional

access

system

with

revocation

for

mobile

pay-TV

systems

revisited

Alfredo Rial

UniversityofLuxembourg,Luxembourg

a

r

t

i

c

l

e

i

n

f

o

a

b

s

t

r

a

c

t

Articlehistory:

Received1February2018

Receivedinrevisedform25January2019 Accepted24February2019

Availableonline5March2019 CommunicatedbyLucaViganò

Keywords:

Attribute-basedencryption Broadcastencryption Cryptography

In pay-TV, conditional access systems (CAS) are used by a rights issuer to guarantee that only authorized subscribers gain access to TV channels. A CAS scheme that applies attribute-based access control through attribute-based encryption (ABE) with revocation was proposed by Yeh and Huang (2013) [1]. Yeh and Huang extend an existing ABE scheme with a revocation mechanism. We show that the CAS by Yeh and Huang has security and efficiency problems. Particularly, we show that the revocation mechanism proposed by Yeh and Huang is vulnerable to collusion attacks.

©2019 Elsevier B.V. All rights reserved.

1. Introduction

The CAS by Yeh and Huang [1] is based on the key-policy ABEscheme(KPABE) in [2].Yeh andHuang extend thisschemewitharevocationmechanism.InSection2,we recallKPABE.InSection3,werecalltheCASin [1].We dis-cussitsefficiencyandsecurityproblemsinSection4.

2. Technicalbackground

We refer to [2] for a descriptionof bilinearmaps and ofaccessstructuresandaccesstrees.

Key-policy attribute-based encryption. Let

S

be thesetofall attributes.Let

Q

bethesetofallaccessstructuresthatare allowed over

S

.Wedenoteby

A

 P

thefactthata setof attributes

A

satisfies theaccess structure

P

.A key-policy attribute-based encryption(KPABE)scheme [2] consistsof the algorithms

(

ABESetup

,

ABEKeyGen

,

ABEEnc

,

ABEDec

)

. The key generation center (

KGC

) executes ABESetup

(

1k

)

to output public parameters par and master secret key

msk. A user

U

withaccessstructure

P ∈ Q

queries

KGC

,

E-mailaddress:alfredo.rial@uni.lu.

which runs ABEKeyGen

(

msk

,

P)

and returns secret key

sk_P. On input message m and set of attributes

A ∈ S

, ABEEnc

(

par

,

m

,

A)

computesciphertext

ct,

whichcanonly be decryptedbya user

U

that possesses anaccess struc-ture

P

satisfied by

A

(ct implicitlycontains

A

). Oninput ciphertext

ct and

secretkey

sk

P,ABEDecoutputsmessage

m if

A

satisfies

P

.

3. ConditionalaccesssystembyYehandHuang

The scheme proposed in [1] consists of an initializa-tion phase,a subscriber registrationphase, a rights

man-agement phase, and a subscriber revocation phase. (We

note that thekey streamandtraffic encryptionlayers re-mainunchangedwithrespecttotheDVB-Hstandard.)The scheme in [1] is based on the KPABE scheme in [2] and addstoitsupportforrevocation.Inthefollowing descrip-tion, we use boxes to highlight those elements that are added to the scheme in [2] in order to support revoca-tion.

Initialization phase. The rightsissuer(RI)executesthesetup algorithm ofthe KPABE scheme to getthe public param-eters and the master secret key. Let

S

be the set of all

https://doi.org/10.1016/j.ipl.2019.02.010

A. Rial / Information Processing Letters 147 (2019) 6–9 7

attributes andlet 2N be the maximum numberof users. AlgorithmABESetup

(

1k

₎

_{worksasfollows.}

1. Run

(

p

,

G, G

t

,

e

,

g

)

←

G(

1k

)

.

2. Pickrandom y

← Z

p.

3. Forall j

∈ S

,pickrandom

t

j

← Z

pandcompute

T

j

←

gtj_.

4. Pick random

τ

← Z

p and compute W

←

gτ .

5. Pick random

ϒ

← Z

p.

6. For i=1 to N, pick ci,di← Zpand set hi,0←gciand hi,1←gdi.

7. Settheparameters

par

← (

p

,

G,

G

t

,

e

,

g

,

{

Tj

}

j∈S

,

W

,

{

hi,0

,

hi,1}N_i=1

)

.1

8. Setthemastersecretkey

msk

← (

y

,

{

tj

}

j∈S

,

τ

,

ϒ,

{

hi,0

,

hi,1}Ni=1

)

.2

9. Outputthe mastersecretkey msk and thepublic pa-rameters

par.

Theelements

(

y

,

{

tj

}

j∈S

)

inthemastersecretkeyandthe elements

(

p

,

G, G

t

,

e

,

g

,

{

Tj

}

j∈S

)

in the public parameters

arethoseofGoyaletal.’sKPABE scheme [2].Theremaining elementsareaddedbyYehandHuanginordertosupport revocation.

Subscriber registration phase. A subscriber possesses a set of attributesor characteristics,such as ageand subscrip-tion category.Given thoseattributes, RI constructsan ac-cess structure

P

. Then RI runs the key generation

algo-rithm ofthe KPABEscheme on input

P

inorder to

com-pute a key that allows the subscriber to obtain all the right objects (RO) that match her age and subscription category. Algorithm ABEKeyGen alsoreceives asinput an n-bit revocation number Xn−1Xn−2

· · ·

X0, which mustbe unique for each subscriber. ABEKeyGen

(

msk

,

P)

worksas follows.

1. Pick random



← Z

p and compute WD

←

g(y−)/τ .

2. For eachnode

x in

thetree

T

thatdefines

P

,choose a polynomial qx of degree dx

=

kx

−

1, where kx is

the threshold value of x. Polynomials qx are

cho-sen in a top-down manner, starting from the root

node R. Set qR

(

0

)

= 

. (In Goyal et al., qR

(

0

)

=

y.

In Yeh and Huang, an additional element WD is

in-cluded in thekey, which dependson both y and



.

WD is thekey element that isupdated whena sub-scriberis revoked.) Chooseother dR points randomly

to define qR completely. For any other node x, set qx

(

0

)

←

qparent(x)

(

index

(

x

))

andchooseother

d

x points

randomlytodefine

q

x completely.

3. Let

Y be

thesetofleaf nodesin

T

.Compute

{

Dj

←

gqj(0)/ti

}

_j∈Y.

1 _{We notethatthe schemebyGoyal etal. [2] includesanelement} e(g,g)y _{inthepublic parameters.Thiselementis notincluded inthe}

publicparametersinYehandHuang [1] becausetherightsissueristhe onlypartythatneedstocomputeciphertextsandtherightsissuerhas knowledgeofthemastersecretkey,whichincludesy.

2 _{InYehandHuang [1],ϒisincludedneitherinmsk norinpar.}

4. Choose a value q1

(

0

)

.

5. For i∈ [0,N−1], DRi←g(q1(0)ϒ)/ciif Xi=0 else DRi←g(q1(0)ϒ)/di.

6. Setthesecretkeyas

sk_P

← ({

Dj

}

j∈Y

,

WD

,

{

DRi

}

iN=−01

,

q1

(

0

)

−1

)

.3

The elements

{

Dj

}

j∈Y are those of the secretkey inthe

schemeby Goyalet al. [2]. The elements

(

WD

,

{

DRi

}

N_i=−₀1

,

q1

(

0

)

−1

)

areaddedbyYehandHuanginordertosupport revocation.

Rights management phase. RI creates a right object (RO) that consists of the service encryption key (SEK), a set of attributes

A

, and related parameters, such as a time

stamp. RI encrypts the right object RO by running the

encryption algorithm of the KPABE scheme on input

A

.

ABEEnc

(

par

,

R O

,

A)

worksasfollows.

1. Pick random r

← Z

p, compute E

←

R O

· (

g

,

g

)

yr

(here, y is takenfromthemastersecretkey)and, for all j

∈ A

,compute

E

j

←

Trj.

2. Compute gr.

3. Settheciphertext

ct

← (A,

{

Ej

}

j∈A

,

E



,

gr

₎

_.

The elements

(

A,

{

Ej

}

j∈A

,

E

)

form the ciphertext in the schemebyGoyaletal. [2].Thevalue

g

r_{isincludedbyYeh}

andHuang [1] in order to allow decrypting the message alongwiththenewvalue

WD in

thesecretkey.

RIbroadcaststheciphertext to thesubscribers. A sub-scriber decrypts the ciphertext by using the decryption algorithm ABEDec

(

par

,

ct

,

sk_P

)

. Ifthe policy

P

associated with sk_P is satisfied by the set of attributes

A

in ct,

ABEDec first computes A

=

e

(

g

,

g

)

r and finally outputs

R O

=

E

/(

e

(

WD

,

W

r

₎

_A

₎

_{.The decryption algorithm inYeh}

and Huang follows that of Goyal et al. The only differ-ence is the last equation R O

=

E

/(

e

(

WD

,

Wr

)

A

)

, which includestheadditionalpairingoperation

e

(

WD

,

Wr

)

.

Subscriber revocation phase. The followingrevocation mech-anism is proposed by Yeh and Huang [1]. To revoke the subscriberwithrevocationnumberXn−1Xn−2

· · ·

X0,RIand thesubscribersexecute aprotocolby means ofwhich R I

updatesthe value y in the master secret key, while the

non-revoked subscribers update the value WD in their

respective secret keys. First, R I executes the following steps.

1. Pick y

← Z

p, compute



y

←

y

−

y and W

←

gy/τ .4

3 _{Wenotethatthevalueq}

1(0)isunnecessary.Onecansimplycompute DRi←gϒ/ci,ifXi=0,orDRi←gϒ/di,ifXi=1.

4 _{Wenotethat [1] says“generate thenew publicparameter W}_←

gy/τ _{toreplaceW”.Thisisamistake.If W}_{replacesW inthepublic}

8 A. Rial / Information Processing Letters 147 (2019) 6–9

2. Pickrandom

r

← Z

p,compute

R E



←

We

(

g

,

g

)

ϒrand,

for

i

=

0 to

N

−

1,compute R Ei

←

hr_{i, ¯X}

i,where X

¯

i

←

1

−

Xi.

3. Setaciphertext

ct

← ( ¯

Xn−1X

¯

n−2

· · · ¯

X0

,

R E



,

{

R Ei

}

_iN₌−₀1

)

.

RI broadcasts the ciphertext ct to the subscribers. As

can be seen, only the revoked subscriber is unable to

decrypt the ciphertext. The reason is that the revoked

subscriber has a secret key for the revocation number

Xn−1Xn−2

· · ·

X0 andnone of the bits in Xn−1Xn−2

· · ·

X0 matches a bit in X

¯

n−1X

¯

n−2

· · · ¯

X0. However, because

re-vocation numbers are unique for each subscribers, for

the non-revoked subscribersthereisatleast onebit that matches. A non-revoked subscriber decrypts the cipher-text asfollows.First,find a bit Xi such that Xi

= ¯

Xi and

take the element DRi of the secret key. Then compute

W

←

R E

/

e

(

D Ri

,

q1

(

0

)

−1R Ei

)

.Afterretrieving

W

,a

non-revoked subscribercomputes WD

←

WD

·

W

=

g(y−)/τ

toupdatehersecretkey.

4. DiscussionoftheCASproposedbyYehandHuang

Collusion-resistance. Yeh andHuangdefine

collusion-resis-tance as follows: “A subscriber cannot cooperate with

other subscriberstopromotehisownprivileges.”This ba-sically meansthat twoormorecolludingsubscribersthat holdsecretkeysfortheKPABE schemeshouldnotbeable to decrypt anyciphertextthat anyofthem isnot ableto decrypt on their own. I.e., the colluding subscribers are not able tocombine their secretkeys insuch a waythat theyareabletodecryptciphertextsthatnoneofthemcan decryptindividually.TheKPABE schemein [2] is collusion-resistant.

However, we show that the KPABE with revocation

scheme proposed by Yeh andHuang in [1] is vulnerable to collusion attacks.In the revocation methodin [1], the rightsissuerRIproduceskeyupdatematerialthatis broad-casttoallthenon-revokedsubscribers.Theschemein [1] effectivelypreventstherevokedsubscriberfromretrieving keyupdatematerial.However,itdoesnotensurethata re-vokedsubscriberandanon-revokedonecannotcolludeto decrypt ciphertexts that they are not able to decrypt on theirown.

Let us show this through an example with two

sub-scribers S1 and S2 andthreesubscriberattributesor cat-egories

c

1,

c

2 and

c

3. S1 (resp.S2) possessesasecretkey that allows her toobtainrightobjects ROforcategory

c

1 (resp.

c

2).Collusion-resistanceoftheKPABE schemein [2] ensures that,ifS1 and S2 collude,theyareabletoobtain rightobjectsforcategories

c

1and

c

2becausetheyareable to dothat withoutcolluding,butthey arenotableto ob-tainrightobjectsforcategory

c

3.Atsomepoint,subscriber S2 isrevokedbytherightsissuer.Afterrevocation,

S

1 up-dates her key andis still able to obtain right objects for category

c

1.

S

2isnotabletoupdateherkeyandisunable todecryptanything.However,if

S

1and

S

2collude, S1can give S2 thekeyupdatematerial,andthentheycanobtain againrightobjectsforcategory

c

2.Thisviolates collusion-resistance because,after S2 isrevoked, neither S1 nor S2 are able to obtain right objects for category c2 on their

own. The figure below describes the attack in the

sub-scriberrevocationphase.

•

RI broadcasts the ciphertext ct

← ( ¯

Xn−1X

¯

n−2

· · · ¯

X0

,

R E

,

{

R Ei

}

Ni=−01

)

.

•

A non-revoked subscriber S1 computes W

←

R E

/

e

(

D Ri

,

q1

(

0

)

−1R Ei

)

byusing

DR

ifor

i such

that Xi

=

¯

Xi.

•

S1 sends

W

 toa revokedsubscriber

S

2 withwhom S1 colludes.

•

S2 computes WD

←

WD

·

W

=

g(y

_−)/

τ to update her secretkey. Thanks to that, S2 can decrypt asif S2 wasnotrevoked.

To illustrate that this is a serious security flaw, let us point out that a trivial (albeit inefficient) revocation

method does not suffer from this problem. Consider a

trivialrevocationmethodwhere,whenasubscriber is re-voked,therightsissuerrunsagainthesetup algorithmof

theKPABE schemetocomputenewpublicparametersand

a newmastersecretkey, anduses thismastersecret key to compute newsecretkeys forall the non-revoked sub-scribers.Ascanbeseen,withthisrevocationmethod,after

S2 isrevoked, S1 and S2 are notableto obtainright ob-jectsforcategory

c

2.The reasonisthattheoldsecretkey of

S

2 isnowuselessbecausetheparametersoftheKPABE schemehavechanged.Inconclusion,theCASproposedby YehandHuangisnotcollusion-resistant.

Non-repudiation. Yeh andHuangdefinenon-repudiationas follows:“Toensurevideocontentvalidity andquality, the video server shouldnot denythat the video contents are delivered from it.” Non-repudiation basically impliesthat the integrity and origin of received data can be verified andthatthesenderofthedatacannotdenybeingthe orig-inator.

Yeh and Huang claim that their CAS provides

non-repudiation. Theirargument basically statesthat, because RI is the only party that knows the values

(

y

,

ϒ)

in the master secret key, RI is the only party able to compute valid ciphertexts that encrypt right objects and valid ci-phertexts thatencrypt keyupdate material.Consequently, Yeh andHuangconclude that,ifa subscriber possessesa validciphertext,then RIisnot abletodenythathe com-putedandsentthatciphertext.

As can be seen, this argument is not valid. First,

an adversary eavesdropping the network can get a

ci-phertext sent by RI, and forward it to subscribers at a later stage. Moreover, the adversary can modify the

en-crypted message before forwarding the ciphertext. For

example, if the adversary wishes to modify a ciphertext

ct

← (A,

{

Ej

}

j∈A

,

E



,

gr

)

(where E

←

R O

· (

g

,

g

)

yr) that

encrypts R O to a ciphertext that encrypts R O

·

M, the adversary simply replaces E by E

·

M. An adversarial

subscriber can also modify the message encrypted in a

ciphertext received fromRI byusing thesame technique. Therefore, RI is able to deny that he computed a given validciphertext.Inconclusion,the CASofYehandHuang

does not provide non-repudiation. The figure below

A. Rial / Information Processing Letters 147 (2019) 6–9 9

•

A malicious RI broadcasts a ciphertext ct

← (A,

{

Ej

}

j∈A

,

E



,

gr

)

, where E

←

R O

· (

g

,

g

)

yr is

com-putedoninputanincorrectRO.

•

Anhonest subscriber S decrypts theciphertext and obtains the incorrectRO. S accuses RI of sending a ciphertext

ct that

encryptsanincorrectRO.

•

R I claims ct was modified byan adversary that set

E

←

E

·

M for some

M.

•

S is unabletoprovethat

R I indeed

sent

ct.

Direct revocation vs indirect revocation. There aretwo revoca-tionmethodsforattribute-basedencryption:direct [3] and indirect [4].Inanindirectrevocationmethod,thekey gen-erationcenter,i.e.,thetrustedpartythatkeepsthemaster

secret key and computes keys for users, computes and

publishes key update material so that only non-revoked userscanupdate theirkeys. Theadvantageofindirect re-vocationisthatthesenders, i.e.,thepartiesthatcompute ciphertexts, do not needto knowthe revocationlist. The disadvantageof theindirectrevocationmethodis thatall thenon-revokedusersneedtoupdatetheirkeys.

Inadirectrevocationmethod,senderscompute cipher-textsthatrevokedusersarenotabletodecrypt.Inorderto dothat,sendersneedtoknowtherevocationlist,butkey updatesarenotrequired.Inmanyapplications,sendersdo not knowthe revocationlist,andthus onlyindirect revo-cationcanbeapplied.However,inCAS,theonlysenderis the rightsissuer,andthe rightsissuerknowsthe revoca-tionlist.Therefore,inCAS, directrevocationmethods can beappliedandthenkeyupdatesarenotneeded.

The CAS proposed by Yeh and Huang uses an

indi-rect revocationmethodwherenon-revoked usersneed to update their keys. We note that direct revocation meth-ods avoid the need of updating keys. For instance, in a CAS that uses identity-based broadcast encryption [5] or attribute-based broadcast encryption [3], ciphertextsthat encrypttherightobjectare computedoninputthelistof subscribers. When a subscriber is revoked, the rights is-suersimply removesthe subscriber fromthe list.Thanks tothat,revokedsubscribersarenotabletodecryptthe ci-phertextandobtaintheRO.

User-based vs attribute-based access control. Attribute-based

access control allows a party to describe an access con-trol policy that defines the attributes that a user must possessin order to be granted access to a serviceor re-source. In settings where the party aiming at controlling accessto theservicedoesnot knowthe identitiesor the attributesoftheusersthatmayattemptto gainaccessto it, attribute-based encryption isadequate for implement-ingattribute-basedaccesscontrol.

However, in a CAS for pay-TV, RI usually knows the

identities and the attributes of all the parties that may wantto accessTV broadcastsbecausethose parties must subscribeandpayafee.(Althoughitwould bepossibleto

designa CASschemethattriestoprovideuseranonymity

by using anonymous payment methods and anonymous

communicationnetworks, thisis not done inpractice for efficiency and usability reasons.) In the CAS by Yeh and Huang, RI learns the identities and the attributes of the subscribers during the subscriber registration phase. The identity is learnt to assign a unique revocation number. Theattributesarelearnttocomputethesecretkeyforthe subscriber.

Therefore,becauseRI knowstheidentitiesandthe at-tributesof thesubscribers, RI can decide whethera sub-scriberisentitledtoobtainagivenRObysimplychecking himself whether the subscriber’s attributes fulfill the ac-cesscontrol policy forthat RO. This allows RI to replace attribute-based encryption by an encryption scheme for user-basedaccesscontrol,whichcanbeinstantiatedmore efficiently.Inuser-basedaccesscontrol,thepartythat con-trolsaccesstoaservicesimplymakesalistofalltheusers thatmustbe grantedaccess. InCAS,foreach rightobject (RO),RIcanmakealistoftheidentitiesofthesubscribers thatareentitledtoobtainthatRO.

InaCASthat usesidentity-basedbroadcastencryption (IBBE),foreach RO,RImakesalistofsubscribersthatare allowed to obtain it. Remarkably, the attribute-based ac-cess control functionality is enhanced, because, while in

the CAS proposed by Yeh andHuang the class of access

control policiesthat can be applied is restrictedto those

supported by the KPABE scheme used as building block,

now RI can apply any access control policy on the sub-scriber’sattributes.

In comparison to attribute-based access control,

user-based access control allows more efficient

implemen-tations. In fact, IBBE can be realized more efficiently

than ABE. Therefore, for the sake of efficiency, encryp-tionschemes for user-basedaccesscontrol are preferable whenevertheycanbeused,i.e.,whenthepartyincharge ofcontrollingaccesstoaserviceknowstheidentitiesand theattributesofalltheusersoftheservice.

References

[1]L.-Y.Yeh,J.-L.Huang,Aconditionalaccesssystemwithefficientkey distributionandrevocation for mobile pay-TVsystems,ACMTrans. Multimed.Comput.Commun.Appl.(TOMCCAP)9 (3)(2013)18. [2]V.Goyal,O.Pandey,A.Sahai,B.Waters,Attribute-basedencryption

forfine-grainedaccesscontrolofencrypteddata,in:Proceedingsof the13thACMConferenceonComputerandCommunicationsSecurity, ACM,2006,pp. 89–98.

[3]N.Attrapadung, H. Imai,Conjunctive broadcastand attribute-based encryption, in: Pairing-Based Cryptography–Pairing 2009, Springer, 2009,pp. 248–265.

[4]A.Boldyreva,V.Goyal,V.Kumar,Identity-basedencryptionwith ef-ficientrevocation,in:Proceedings ofthe 15thACM Conferenceon ComputerandCommunicationsSecurity,2008,pp. 417–426. [5]C.Delerablée,Identity-basedbroadcastencryptionwithconstantsize