Improved efficiency for revocation schemes via Newton interpolation

Abstract

We present a novel way to implement the secret-sharing-based family of revocation schemes of Naor and Pinkas [2003]. The basic scheme of [Naor and Pinkas 2000] uses Shamir's polynomial secret-sharing to revoke up to r users, where r is the degree of the secret-sharing polynomial, and it is information theoretically secure against coalitions of up to r collaborators. The nonrevoked users use Lagrange interpolation in order to compute the new key. Our basic scheme uses a novel modification of Shamir's polynomial secret-sharing: The secret equals the leading coefficient of the polynomial (as opposed to the free coefficient as in the original scheme) and the polynomial is reconstructed by Newton interpolation (rather than Lagrange interpolation). Comparing our scheme to one variant of the Naor--Pinkas scheme, we offer revocation messages that are shorter by a factor of almost 2, while the computation cost at the user end is smaller by a constant factor of approximately 13/2. Comparing to a second variant of the Naor--Pinkas scheme, our scheme offers a reduction of O ( r ) in the computation cost at the user end, without affecting any of the other performance parameters. We then extend our basic scheme to perform multiround revocation for stateless and stateful receivers, along the lines offered by Naor and Pinkas [2000] and Kogan et al. [2003]. We show that using Newton rather than Lagrange interpolants enables a significantly more efficient transmission of the new revocation message and shorter response time for each round. Pay TV systems that implement broadcast encryption techniques can benefit significantly from the improved efficiency offered by our revocation schemes.