Secure Broadcast Systems and Perspective on Pairings - PowerPoint PPT Presentation

About This Presentation

Title:

Secure Broadcast Systems and Perspective on Pairings

Description:

Broadcast Systems. Distribute content to a large set of users. Commercial Content Distribution ... from creating devices that access the original broadcast. 17 ... – PowerPoint PPT presentation

Number of Views:53

Avg rating:3.0/5.0

Slides: 48

Provided by: danb180

Learn more at: https://www.cs.utexas.edu

Category:

more less

Transcript and Presenter's Notes

Title: Secure Broadcast Systems and Perspective on Pairings

1
Secure Broadcast Systemsand Perspective on
Pairings
Brent Waters Joint work with Dan Boneh, Craig
Gentry, and Amit Sahai
2
Broadcast Systems
Distribute content to a large set of users

Commercial Content Distribution
File systems
Military Grade GPS
Multicast IP

3
Broadcast Encryption FN93

Encrypt to arbitrary subsets S.
Collusion resistance
secure even if all users in Sc collude.

d1
CT EM,S
d2
S ? 1,,n
d3
4
App Encrypted File Systems

Broadcast to small sets S ltlt n
Best construction trivial.
CTO(S) , privO(1)
Examples EFS.

MS Knowledge BaseEFS has a limit of 256KB in
the file header for the EFS metadata. This limits
the number of individual entries for file sharing
to a maximum of 800 users.
EPKBKF
EPKAKF
File FEKFF
5
Broadcast Encryption

Public-key BE system
Setup(n) outputs private keys d1 , , dn
and public-key PK.
Encrypt(S, PK, M)
Encrypt M for users S ? 1, , n
Output ciphertext CT.
Decrypt(CT, S, j, dj, PK) If j ? S,
output M.
Note broadcast contains ( S, CT )

6
Previous Solutions

t-Collusion resistant schemes FN93
Resistant to t-colluders
CT O(t2?log n) priv O(t?log n)
Attacker knows t
Broadcast to large sets NNL,HS,GST
CT O(r) privO(log n)
Useful if small number of revoked players
Ciphertexts are multiplied security parameter ?

7
Overview
n
0
8
Broadcast Encryption Security

Semantic security when users collude. (static
adversary)
Def Alg. A ?-breaks BE sem. sec. if
Prbb gt ½ ?

Challenger
Attacker
RunSetup(n)
b?0,1
9
Bilinear Maps

G , GT finite cyclic groups of prime order p.
Def An admissible bilinear map e G?G ? GT
is
Bilinear e(ga, gb) e(g,g)ab ?a,b?Z,
g?G
Efficiently computable.

10
Broadcast System BGW05

Setup(n) g ? G , ?, ? ? Zp, gk
g(?k)
PK ( g, g1, g2, , gn , gn2 , , g2n
, vg? ) ? G2n1
For u1,,n set Ku (gu)? ? G
Encrypt(S, PK, M) t ? Zp
CT ( gt , (v ? ?j?S gn1-j)t ,
M?e(gn,g1)t )
Decrypt(CT, S, u,Ku, PK) CT (C0, C1, C2)
Fact e( gu, C1 ) / e( Ku?? gn1-ju , C0
) e(gn,g1)t

j?Sj?u
11
Security Theorem

Thm
? t-time alg. that ?-breaks static BE security
in G
?
? t-time alg. that ?-solves bilinear n-DDHE in
G.

Open problem adaptive security with similar
params.
New BW06 adaptive security with O(?n)
size CT

12
Apps Sharing in Enc. File System

Store PK on file system. n216 ?
PK1.2MB
File header ( S, ES,PK,KF )
Sharing among 800 users
800?2 40 1640 bytes ltlt 256KB
Each user obtains priv-key duid ? G from
admin.
Admin only stores ? ? Zq

S ? 1, , n
40 bytes
13
Summary of Broadcast Enc.

New public-key broadcast encryption systems
Full collusion resistance. Constant size priv
key.
System 1 CT O(1) PK O(n)
System 2 CT O(?n) PK O(?n)
Description of set, S, is now dominant term

14
Tracing Pirate DevicesCFN94

Attacker creates pirated device
Want to trace origin of device

15
T.T a popular problem
32 papers from 49 authors
16
FAQ-1 The Content can be Copied?

DRM- Impossibility Argument
Protecting the service
Goal Stop attacker from creating devices that
access the original broadcast

17
FAQ 2-Why black-box tracing? BF99
K1
D
K3
KJWNFDRIJ
K2

D may contain unrecognized keys, is
obfuscated, or tamper resistant.
All we know
Pr M ? G, C ? Encrypt (PK, M) D(C)M
gt 1-?

R
R
18
Formally Secure TT systems

(1) Semantically secure, and (2) Traceable

Challenger
Attacker
Adversary wins if (1) PrD(C)M gt 1-?,
and (2) i ? S
19
Brute Force System

Setup (n) Generate n PKE pairs (PKi, Ki)
Output private keys K1 , , Kn PK ? (PK1,
, PKn) , TK ? PK .
Encrypt (PK, M) C ? ( EPK1(M), , EPKn(M)
)
Tracing next slide.
This is the best known TT system secure under
arbitrary collusion.
until now

20
TraceD(PK) BF99, NNL00, KY02

For i 1, , n1 define for M ? G
pi Pr D( EPK1(?), , EPKi-1(?), EPKi(M),
, EPKn(M) ) M
Then p1 gt 1- ? pn1 ? 0
1-? pn1 p1 ? pi1 pi ?
? pi1 pi
? Exists i?1,,n s.t. pi1 pi
? (1- ?)/n
? User i must be one of the pirates.

R
21
Security Theorem
?

Tracing algorithm estimates pi - pi lt
(1-?)/4n
Need O(n2) samples per pi. (D
stateless)
Cubic time tracing.
Can be improved to quadratic in S .
Thm
underlying PKE system is semantically secure
?
No eff. adv wins tracing game with non-neg adv.

22
Abstracting the Idea BSW06

Properties needed
For i 1 , , n1 need to encrypt M so
Without Ki adversary cannot distinguish
Enc(i, PK, M) from Enc(i1, PK, M)

n
1
i-1
i
users cannot decrypt
users can decrypt
23
Private Linear Broadcast Enc (PLBE)

Setup(n) outputs private keys K1 , , Kn
and public-key PK.
Encrypt( u, PK, M)
Encrypt M for users u, u1, , n
Output ciphertext CT.
Decrypt(CT, j, Kj, PK) If j ? u, output
M
Broadcast-Encrypt(PK,M) Encrypt( 1, PK, M)
Note slightly more complicated defs in
BSW06

24
Security definition

Message hiding given all private keys
Encrypt( n1 , M, PK) ?P Encrypt( n1 ,
?, PK)
Index hiding for u 1, , n

Challenger
Attacker
RunSetup(n)
b?0,1
25
Results

Thm Secure PLBE ? Secure TT
Same size CT and priv-keys
(black-box and publicly traceable)
New PLBE system
CT-size O(?n) priv-key size
O(1)
enc-time O(?n) dec-time O(1)

26
?n PLBE Construction hints

Arrange users in matrix
Key for user (x,y)
Kx,y
CT one tuple per row, one tuple per col.
size O(?n)
CT to position (i,j)
User (x,y) can dec. if
(x gt i) OR (xi) AND (y ? j)

n36 users
Encrypt to postion (4,3)
27
Bilinear groups of order Npq BGN05

G group of order Npq. (p,q)
secret.
bilinear map e G ? G ? GT
G Gp ? Gq . gp gq ? Gp
gq gp ? Gq
Facts h ? G ? h (gq)a ? (gp)b
e( gp , gq ) e(gp , gq) e(g,g)N 1
e( gp , h ) e( gp , gp)b !!

28
A ?n size PLBE

Ciphertext ( C1, , C?n, R1, , R?n )
User (x,y) must pair Rx and Cy to decrypt

Well-formed
Malformed/Random
Zero
29
Trace and Revoke BW06

What happens when catch traitor?
Torture?
Re-do system?
Want Broadcast and Tracing simultaneously
Trivial Combination does not work
BW06
Combined ideas
Bonus Adaptive Security Better Assumptions

30
Trace and Revoke
31
TRA simple Combination?
Encrypt
B.E
T.T.
Decrypt
32
A simple Attack

2 colluders split duties
Catch same one over and over (box still works)

33
Our Approach (Intuition)

Cant allow attackers to separate systems
In general hard to combine
BGW05 (Broadcast) and BSW06(Traitor Tracing) both
algebraic
Multiply private keys together so cant separate
Not so easy needed different B.E. scheme

34
Summary

New results BGW05, BSW06, BW06
Full collusion resistance
B.E O(1) CT, O(1) priv-keys but O(n) PK
T.T O(?n) CT, O(1) priv-keys.
T.R. O(?n) CT, O(?n) priv-keys.

? FCR
35
Open Problems
? FCR

Broadcast
Constant size everything (CT, pub/priv keys)
Same params with adaptive security
Traitor Tracing
Private linear B.E. with O(log n) CT.
Private B.E. from Linear Assumption

36
Pairings from the Outside
Identity-based encryption BF01

Efficient Selective-ID Secure IBE without Random
Oracles BB04a
Secure IBE without Random Oracles BB04a
Efficient IBE without Random Oracles W05
Practical IBE without Random Oracles Gen06

A ID-Based Deniable Authentication Protocol on
pairings
37
Organizing Contributions (My View)

Identity-Based Encryption
Signatures ??
Slightly 2-Homomorphic
NIZKs
Broadcast and Tracing

38
IBE BF01

IBE BF01 Public key encryption scheme where
public key is an arbitrary string (ID).
Examples users e-mail address

Is regular PKI good enough?
Alice does not access a PKI
CA/PKG
master-key
Authority is offline
39
Idea is Bigger
CA/PKG
master-key
Authority is offline
40
Health Records
Weight125 Height 54 Age 46 Blood Pressure
125 Partners
If Weight/Height gt30 AND Age gt 45 Output Blood
Pressure
No analogous PKI solution
CA/PKG
master-key
Authority is offline
41
IBE Class