Collusion Resistant Broadcast Encryption With Short Ciphertexts and Private Keys PowerPoint PPT Presentation


Title: Collusion Resistant Broadcast Encryption With Short Ciphertexts and Private Keys


1
Collusion Resistant Broadcast Encryption With
Short Ciphertexts and Private Keys
Dan Boneh, Craig Gentry, and Brent Waters
2
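Broadcast Encryption [FN93]
  • Encrypt to arbitrary subsets $S$.
  • Collusion resistance:
  • secure even if all users in $S^c$ collude.

[Figure: users holding private keys $d_1$, $d_2$, $d_3$; ciphertext $CT = E[M, S]$ with $S \subseteq \{1, \dots, n\}$]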
3
Broadcast Encryption
  • Public-key BE system
  • Setup(n): outputs private keys $d_1, \dots, d_n$
  • and public key PK.
  • Encrypt(S, PK, M):
  • Encrypt M for users $S \subseteq \{1, \dots, n\}$.
  • Output ciphertext CT.
  • Decrypt(CT, S, j, $d_j$, PK): if $j \in S$,
    output M.
  • Note: broadcast contains ( S, CT ).

4
Trivial Solutions
  • Small private key, large ciphertext:
  • Every user $j$ has a unique private key $d_j$.
  • $CT = \{ E_{d_j}[M] : j \in S \}$
  • $|CT| = O(|S|)$, $|priv| = O(1)$
  • Large private keys, small ciphertexts:
  • Unique key $K_S$ for every subset $S \subseteq \{1, \dots, n\}$
  • User $j$'s priv-key: $d_j = \{ K_S : j \in S \}$
  • $|CT| = O(1)$, $|priv| = O(2^n)$

5
Outline
  • Previous work
  • Security Definitions
  • Overview scheme
  • Applications
  • Conclusions

6
Previous Solutions
  • t-collusion resistant schemes [FN93]
  • Resistant to t colluders
  • $|CT| = O(t^2 \cdot \log n)$, $|priv| = O(t \cdot \log n)$
  • Attacker knows t
  • Broadcast to large sets [NNL,HS,GST]
  • $|CT| = O(r)$, $|priv| = O(\log n)$
  • Useful if small number of revoked players

7
Summary
Set type        Scheme          CT size          Priv-key size
Small sets      trivial         $O(|S|)$         $O(1)$
Large sets      [NNL,HS,GST]    $O(n - |S|)$     $O(\log n)$
Any set (new)   [BGW 05]        $O(1)$           $O(1)$           (but $O(n)$ size public key)
Any set (new)   [BGW 05]        $O(\sqrt{n})$    $O(1)$           ($O(\sqrt{n})$ size public key)
8
Broadcast Encryption Security
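  • Semantic security when users collude (static
    adversary).
  • Def: Alg. A $\epsilon$-breaks BE sem. sec. if
    $\Pr[b = b'] > 1/2 + \epsilon$
  • $(t, \epsilon)$-security: no t-time alg. can $\epsilon$-break BE
    sem. sec.

[Figure: security game between Challenger and Attacker; the challenger runs Setup(n) and picks $b \leftarrow \{0,1\}$]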
9
Bilinear Maps
  • $G$, $G_T$: finite cyclic groups of prime order $p$.
  • Def: An admissible bilinear map $e: G \times G \to G_T$
    is
  • Bilinear: $e(g^a, g^b) = e(g,g)^{ab}$ $\forall a, b \in \mathbb{Z}$,
    $g \in G$
  • Non-degenerate: $g$ generates $G$ $\Rightarrow$
    $e(g,g)$ generates $G_T$.
  • Efficiently computable.

10
Broadcast System
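  • Setup(n): $g \in G$, $\alpha, \gamma \in \mathbb{Z}_p$, $g_k = g^{(\alpha^k)}$
  • $PK = ( g, g_1, g_2, \dots, g_n, g_{n+2}, \dots, g_{2n}, v = g^{\gamma} ) \in G^{2n+1}$
  • For $k = 1, \dots, n$ set $d_k = (g_k)^{\gamma} \in G$
  • Encrypt(S, PK, M): $t \in \mathbb{Z}_p$
  • $CT = ( g^t, \ (v \cdot \prod_{j \in S} g_{n+1-j})^t, \ M \cdot e(g_n, g_1)^t )$
  • Decrypt(CT, S, k, $d_k$, PK): $CT = (C_0, C_1, C_2)$
  • Fact: $e( g_k, C_1 ) \, / \, e( d_k \cdot \prod_{j \in S, j \neq k} g_{n+1-j+k}, \ C_0 ) = e(g_n, g_1)^t$
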
11
Security Theorem
  • Thm:
  • $\exists$ t-time alg. that $\epsilon$-breaks BE sem. sec. in G
  • $\Rightarrow$
  • $\exists$ t-time alg. that $\epsilon$-solves bilinear n-DDHE in
    G.


12
App Encrypted File Systems
  • Broadcast to small sets: $|S| \ll n$
  • Best construction: trivial.
    $|CT| = O(|S|)$, $|priv| = O(1)$
  • Examples: EFS.

MS Knowledge Base: EFS has a limit of 256KB in
the file header for the EFS metadata. This limits
the number of individual entries for file sharing
to a maximum of 800 users.
[Figure: $E_{PK_B}[K_F]$, $E_{PK_A}[K_F]$; File F: $E_{K_F}[F]$]
13
Apps Sharing in Enc. File System
  • Store PK on file system. $n = 2^{16}$ $\Rightarrow$
    $|PK| = 1.2$MB
  • File header: ( S, $E[S, PK, K_F]$ )
  • Sharing among 800 users:
  • $800 \cdot 2 + 40 = 1640$ bytes $\ll$ 256KB
  • Each user obtains priv-key $d_{uid} \in G$ from
    admin.
  • Admin only stores ? $\in \mathbb{Z}_q$

[Figure labels: $S \subseteq \{1, \dots, n\}$; 40 bytes]
14
Incremental file sharing
  • File hdr: ( S, $g^t$, $(v \cdot \prod_{j \in S} g_{n+1-j})^t$ )
  • To grant user u access to file F,
  • owner does $C_1 \leftarrow C_1 \cdot (g_{n+1-u})^t$
  • File owner: instead of storing t for every
    file, do $t \leftarrow PRF_{K_O}(Nonce_F)$

15
App secure email lists
  • Set $n = 2^{16}$. Let $g_k = g^{(\alpha^k)}$. Suppose
    $(g, g_1, g_2, \dots, g_n, g_{n+2}, \dots, g_{2n})$ are global
    (1.2MB)
  • Simple encrypted email lists:
  • List A: $PK_A = (v_A = g^{\gamma_A})$; List B:
    $PK_B = (v_B = g^{\gamma_B})$
  • When new user joins List A do:
  • Assign new index $1 \le k \le 2^{16}$, give key
    $d_k = (g_k)^{\gamma_A}$
  • Encrypt msgs to List A using B.E. for current
    members.
  • Much simpler than existing techniques (e.g. LKH)

16
Summary and Open Problems
  • New public-key broadcast encryption systems
  • Full collusion resistance. Constant size priv
    key.
  • System 1: $|CT| = O(1)$, $|PK| = O(n)$
  • System 2: $|CT| = O(\sqrt{n})$, $|PK| = O(\sqrt{n})$
  • Open problems
  • Reduce public key size. Weaker assumption.
  • Security against adaptive adversary.
  • Tracing traitors with same parameters.

17
Apps Content Protection
  • DVD content protection: $n = 2^{32}$, $r$
    revoked.
  • No room for PK in player.
  • Store ( S, CT, PK ) on each DVD disk.
  • Goal: minimize $|CT| + |PK|$ $\Rightarrow$ $\sqrt{n}$ system
  • Using $\sqrt{n}$ system: $|PK| = O(\sqrt{n})$, $|CT| = O(\sqrt{n})$
  • DVD-hdr: $|PK| + |CT| + |S|$ = 5MB + ($4 \cdot r$
    bytes)
  • NNL-type DVD-hdr: $|CT| + |S|$ = ($36 \cdot r$
    bytes)

18
App Content Protection
  • DVD Content Protection. $n = 2^{32}$
  • DVD player $i$ ships with private key $d_i$
  • DVD disks encrypted to unrevoked players.
  • Broadcast to large sets: $|S| = n - r$ where $r \ll n$.

[Figure: players holding private keys $d_1$, $d_2$, $d_3$, $d_4$]