Upload
homer
View
55
Download
0
Embed Size (px)
DESCRIPTION
Broadcast Encryption Amos Fiat & Moni Naor. Presented By Gayathri VS. Outline. The Problem Zero Message Schemes Basic Scheme 1-resilient Scheme based on 1-way function 1-resilient Scheme based on number-theory Low-Memory k-resilient schemes. The Problem. - PowerPoint PPT Presentation
Citation preview
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
Broadcast EncryptionAmos Fiat & Moni Naor
Presented ByGayathri VS
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
2Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
The ProblemZero Message Schemes Basic Scheme 1-resilient Scheme based on 1-way function 1-resilient Scheme based on number-theoryLow-Memory k-resilient schemes
Outline
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
3Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
The Problem
• The System consists of broadcasting center set U of n users . • key is distributed to users upon
joining the system.• securely transmit data to a
randomly changing privileged subset of users out of the set S
• Any Coalition of k users from the universe , who are not part of the privileged set should not be able to decrypt the message.(Scheme is k-resilient).
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
4Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
U is the universe consisting of n usersP is privileged subsetS is any subset trying to learn the secret (S ∩ P
= NULL)|S| is size of subset SKs is key common to subset S
Notations
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
5Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Scheme is resilient if for all subset S ( S ∩ P = NULL , where P U is privileged set ) S cannot ⊂learn secret common to P.
Scheme is k-resilient if |S| <= k.Scheme is (k,p) random resilient if any
randomly selected Subset is k-resilient with probability (1-p)
Security Definitions
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
6Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Solution 1 :
Obvious Solution
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
7Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Solution 2 :
Obvious Solution
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
8Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Solution 1 : Each user is assigned a unique key 1 key per user & O(n) messages Solution 2 : Each subset gets a unique key 2n-1 keys per user & O(1) message
For any arbitrary subset , we have two choices for X2 .. Xn . (they may or may not be present in that subset)
Total number of subset which contains x1
1.2.2…2 = 2n-1
Obvious Solutions – Performance
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
9Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
The Goal is the optimize
a) number of transmissions sent by the center to create the common secret
b) Number of keys each user stores
c) Computational effort in retrieving the common key by the members of the privileged class.
Problem Statement .. Revisited
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
10Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
The ProblemZero Message Schemes (Low –resiliency) Basic Scheme (Assumption Free) 1-resilient Scheme based on 1-way function 1-resilient Scheme based on number-theoryLow-Memory k-resilient schemes
Outline
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
11Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Having the knowledge of Users in privileged set T, all users can compute the common key to decrypt the message sent by the center
The privileged set can be identified by sending a relatively short transmission. This is ‘set identification transmission’ ( different from
the broadcast encryption transmission )
Zero Message Schemes
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
12Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
For every set S U where 0 ≤ |S| ≤ k , Assign key K⊂ s
Distribute Ks to all users x U – S⊂U = { a, b, c } . Here n=3. Let k be 2
KEY DISTIBUTION :S = {a, b, c, {a,b}, {a,c}, {b,c}} Ks = {Ka, Kb, Kc, Kab ,Kac ,Kbc }User a has Kb, Kc, Kbc
User b has Ka, Kc, Kac User c has Ka, Kb, Kab
BASIC SCHEME
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
13Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
ENCRYPTION : The common key to the privileged set P is simply the exclusive or of all keys KS where S U – P⊂
If P = { a,b } then K = XOR KS where S U – P⊂ Here S is c so K = KC
RESILENCY : Every possible set S U – P 0 ≤ |S| ≤ k will miss the key K⊂ S and cannot decrypt the message sent by the center.
NUMBER OF MESSAGES ,KEYS : Number of keys per each User : Σ I = 0 to k (n)_C_i For the above scheme to be 1-resilient each user should store (n+1) keys For the above scheme to be n-resilient each user should store 2n-1 keys
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
14Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
O(n) keys in previous scheme can be reduced to keys if keys are pseudo-randomly generated
Let f: {0,1}l -> {0,1}2l be a pseudo-random generator (the length of the output of is twice the length of the input).
Users are on the leaf of the balanced binary tree.The root is labeled with the common seed from
Set {0,1}l
1-resilient scheme based on one-way function
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
15Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
apply the pseudo-random generators to the root label .Assign the left half (first bits) to be the label of the left subtree while the right half (last bits) is the label of the right subtree. User x should get all leaf labels except his. To
achieve this , we remove the path from x to the root ,which is a forest on log n labels.
Every x U can use the log n values that he got ∈ ⌈ ⌉and generate all leaf labels except his own.
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
16Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
17Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
The center chooses a random hard to factor composite N= P.Q where P and Q are primes.
It also chooses a secret value g of high index.Each user i U is assigned g∈ i = gpi .
gcd(pi,pj) = 1 , for I ≠ jThe common key for P U is g⊂ T = gPTmod N where
PT = Πi P ∈ piEach user i P can compute g∈ T by gi
xmod N where X = Πi (P-i) ∈ pi
A 1-resilient scheme based on Computational Number Theoretic Assumptions
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
18Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
SCHEME NO OF KEYS/USER
MESSAGE LENGTH
RESILIENCY ASSUMPTION
TRIVIAL SOLUTION-1
1 O(n) any Nothing
TRIVIAL SOLUTION-2
2n-1 1 Any Nothing
BASIC SCHEME ΣK (n)Ck 1 K Nothing
BASIC SCHEME (k=1)
O(n) 1 1 Nothing
BASIC SCHEME(K=N-1)
O(2n) 1 N nothing
1-resilant using PRG
Ceil(log n) 1 1 One-way functions and hence PRG exist
1-resilent using number theory
1 1 1 Root extraction is hard
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
19Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
The ProblemZero Message Schemes (Low –resiliency) Basic Scheme (Assumption Free) 1-resilient Scheme based on 1-way function 1-resilient Scheme based on number-theoryLow-Memory k-resilient schemes One Level Schemes Multi Level Schemes
Outline
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
20Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
The zero message 1-resilient schemes requires for k>1 memory which is exponential in k
Low-memory k-resilient schemes can be built from 1-resilient
Let w denote the number of keys that a user is required to store in the 1-resilient scheme
w = n+1 if no cryptographic assumptions are made, w = ceil(log n) if we assume that one-way functions exists and w =1 if we assume that it is hard to extract roots modulo a composite. efficiency of the schemes is how many w’s they require.
Low Memory-Resilient Schemes
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
21Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
1. f1 , f2 …. fl is a family of function denoted by fi : U → {1,...,m}, 1 ≤ i ≤ l2. For every group S U, |S|=k there exists ⊂
some function fi that is 1-1 on S all x,y in S fi(x) ≠ fi(y){fi} contains perfect hash function for all subsets of size k in U when mapped to range {1,2..m}
One Level Scheme
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
22Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
One Level Scheme – Key Distribution
1 2 N user
1 R(1,f1(1)) R(1,f1(2)) R(1,f1(n))
2 R(2,f2(1)) R(2,f2(2)) R(2,f2(n))
L R(L,fl(1)) R(L,fL(2)) R(L,fL(n))
1. {R(i, j)}1≤i≤l,1≤j≤m are independent 1- resilient schemes2. Each user x U gets the keys associated with the scheme R(i,fi(x)) 1 ≤ i ∈
≤ l.
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
23Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
1. To transmit M to T U, the center breaks M into l random shares ⊂such that M = M1 XOR M2 XOR … Ml
2. For 1 ≤ i ≤ l the center transmits Mi in m distinct messages using R(i,j) j=1,2..m where j=fi(x) for all x in P.
3. Every x T may recover Mi, 1 ≤ i ≤ l, from R(I,j) where j = fi(x), ∈and then add them up to get M.
If x1 is part of P , M1 – R(1,f1(x1) ) M2 – R(2,f2(x1) ) … ML - R(l , fl(x1)
One Level Schemes – Encryption and Decryption
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
24Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
One Level Scheme - Storage
1 2 N user
1 R(1,f1(1)) R(1,f1(2)) R(1,f1(n))
2 R(2,f2(1)) R(2,f2(2)) R(2,f2(n))
L R(L,fl(1)) R(L,fL(2)) R(L,fL(n))
M1 --- R(1,f1(1)) R(1,f1(2))
M2 R(2,f2(1)) R(2,f2(2))
ML R(L,fL(1)) R(L,fL(2))
Storage per user: l times that of the 1- resilient scheme.Length of transmission: l · m messages
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
25Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Claim: The scheme is k-resilient.Let S be a coalition of size |S| ≤ k. There exists fi that is 1-1 on S. Mi is the message transmitted using fi. Mi is
delivered in m independent transmissions. There can be at most only one x S for which ∈ fi(x) = j who has the keys of that scheme.However R(i, j) is 1-resilient and hence that single
user cannot recover Mi and hence M.
One Level Scheme - Resiliency
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
26Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
use a perfect family of hash functions send a “share” of the secret M corresponding to
each hash function. Each share is broadcasted with different
encryptions. The privileged users can decrypt these messages
and any colluding set of at most k users cannot obtain at least one of the shares
no information about M is revealed if we miss even one of the shares.
One Level Scheme – Idea
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
27Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Set m = 2k2, l = k log n Theorem: There exists a k-resilient scheme that requires the users to store O(k log n · w)
keys and the center to broadcast O(k3 log n) messages. The scheme may be constructed at random with arbitrarily high probability.
Probability that a random fi is not 1-1 on S is ((kC2).2m-1)/ 2m = (kC2).(1/m) = k(k-1)/2m = ¼ - 1/4k ≤ ¼ Given the family of function f1 ,f2 .. fl
Prob(No fi is 1-1 on S ) = 1/4L=1/22L = 1/n2k
(l = klogn ; 2l = 2klogn ; 2l = log n2k ;n2k = 22l) Prob ( Some fi is 1-1 on S ) = ( 1 – n-2k) Prob ( there exists fi is 1-1 on all S of size k) >= (1-n-2k)t , where t = n_C_k >= 1 – n-k
Setting Parameters
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
28Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Scheme is (k,p) random resilient if any randomly selected Subset is k-resilient with probability (1-p)P(that for all subset of size k , there exists fi is 1-1 on S ) ≥ 1−pFor (k,p) random resiliency substitute l = log(1/p) Theorem : (k,p)-resilient scheme requires the users to store O(log(1/p) · w) keys and the center should broadcast O(k2 log(1/p)) messages.
Setting Parameters
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
29Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Multi-level schemes, like the one-level ones, convert 1-resilient schemes to k-resilient ones.
The ”multi-levelness” comes through the R(i, j)s that are sets of 1-resilient schemes. It decrease the length of transmission at the
expense of more storage at the user.
Multi Level Schemes
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
30Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
User 1
R(1,f1(1),1) R(1,f1(1),2) … R(1,f1(1),w)
R(2,f2(1),1) R(2,f2(1),2) … R(2,f2(1),w)
R(l,fl(1),1) R(l,fl(1),2) … R(l,fl(1),w)
Multi-Level Scheme Key Distribution
For every Subset of size k , there exists for some 1≤i ≤l such that for all j there exist some w such that R(i,j,w)is resilient to set {x in S , fi(x) = j )
Every user x in U , for every 1≤i ≤l and for every 1≤r ≤w , receives keys associated with the scheme R(i,fi(x),r)
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
31Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
.1. To transmit M to T U, the center breaks M randomly into l ⊂
shares, such that M = M1 XOR M2 XOR .. Ml
2. Each Mi is broken into w shares for each j. M1(i,j) M2
(i,j)…. Mw(i,j)
3. For 1≤i≤l and 1≤r≤w Mr(i,j) is broadcasted to Privileged subset
{x T :f∈ i(x)=j} 4. For any subset of size k , by assumption there is an i and for
all j in that I scheme w is resilient to x in S with fi(x) = j Storage per user: l · w times that of the 1-resilient scheme. Length of transmission: l · m · w times that of the 1-resilient scheme.
Multi Level Scheme – Encryption and Decryption
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
32Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Set L = 2k.log n , m = k/log k , w = log k + 1,t = 2elog kThere exists ak-resilient scheme that requires each user
to store O(k.log k. log n.w) keys and the center to broadcast O(k2log2klogn) messages. Moreover, the scheme can be constructed effectively with high probability
there exists a (k,p) random-resilient scheme with the property that the number of keys each user should store is O(log k.log(1/p).w) and the center should broadcast O(klog2klog(1/p)) messages. Moreover, the scheme can be constructed effectively with high probability
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
33Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
SCHEME NO OF KEYS/USER
MESSAGE LENGTH
RESILIENCY ASSUMPTION
BASIC SCHEME ΣK (n)Ck 1 K Nothing
1-resilant using PRG
Ceil(log n) 1 1 One-way functions and hence PRG exist
1-resilent using number theory
1 1 1 Root extraction is hard
One Level Scheme
O(k log n · w) O(k3 log n) k
1-Level (k,p) O(log(1/p) · w) O(k2 log(1/p)) k
Multi-Level O(k log k log n·w)
O(k2 log2 k log n)
k
Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Click to edit Master title style
34Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science
Thank You !