Collusion Resistant Broadcast Encryption With Short Ciphertexts and Private Keys

Dan Boneh, Craig Gentry, and Brent Waters

Page 1: Collusion Resistant Broadcast Encryption

Collusion Resistant Broadcast Encryption With Short Ciphertexts and Private Keys

Dan Boneh, Craig Gentry, and Brent Waters

Page 2: Collusion Resistant Broadcast Encryption

Broadcast Encryption [FN’93]

Encrypt to arbitrary subsets S.

Collusion resistance:

• Secure even if all users in S^c collude.

[Diagram: users holding private keys d_1, d_2, d_3; labels S {1,…,n} and CT = E[M,S]]

Page 3: Collusion Resistant Broadcast Encryption

Broadcast Encryption

Public-key BE system:

• Setup(n): outputs private keys d_1, …, d_n and public key PK.

• Encrypt(S, PK, M): Encrypt M for users S {1, …, n}. Output ciphertext CT.

• Decrypt(CT, S, j, d_j, PK): If j S, output M.

Note: broadcast contains ( [S], CT )

Page 4: Collusion Resistant Broadcast Encryption

Trivial Solutions

Small private key, large ciphertext.

• Every user j has unique private key d_j.

CT = { E_{d_j}[M] | jS }

|CT| = O(|S|)   |priv| = O(1)

Large private keys, small ciphertexts

• Unique key K_S for every subset S {1, …, n}

• User j’s priv-key: d_j = { K_S | jS }

|CT| = O(1)   |priv| = O(2^n)

Page 5: Collusion Resistant Broadcast Encryption

Outline

Previous work

Security Definitions

Overview scheme

Applications

Conclusions

Page 6: Collusion Resistant Broadcast Encryption

Previous Solutions

t-Collusion resistant schemes [FN’93]

• Resistant to t-colluders

• |CT| = O(t^2 log n)   |priv| = O(t log n)

• Attacker knows t

Broadcast to large sets [NNL,HS,GST]

• |CT| = O(r)   |priv| = O(log n)

• Useful if small number of revoked players

Page 7: Collusion Resistant Broadcast Encryption

Summary

                          CT Size     Priv-key size
Small sets: trivial       O(|S|)      O(1)
Large sets: NNL,HS,GST    O(n-|S|)    O(log n)
Any set (new): BGW ’05    O(1)        O(1)           … but, O(n) size public key.
               BGW ’05    O(n)        O(1)           … O(n) size public key.

[Figure: axis from 0 to n, labelled "EFS, Email" and "DVD’s, Subs. Service"]

Page 8: Collusion Resistant Broadcast Encryption

Broadcast Encryption Security

Semantic security when users collude. (static adversary)

Def: Alg. A -breaks BE sem. sec. if Pr[b=b’] > ½ +

(t,)-security: no t-time alg. can -break BE sem. sec.

[Diagram: security game between Challenger and Attacker. Labels: S {1, …, n }; Run Setup(n); PK, { d_j | j S }; m_0, m_1 G; C* = Enc( S, PK, m_b ), b{0,1}; b’ {0,1}]

Page 9: Collusion Resistant Broadcast Encryption

Bilinear Maps

G , G_T : finite cyclic groups of prime order p.

Def: An admissible bilinear map e: GG G_T is:

– Bilinear: e(g^a, g^b) = e(g,g)^(ab) a,bZ, gG

– Non-degenerate: g generates G e(g,g) generates G_T .

– Efficiently computable.

Page 10: Collusion Resistant Broadcast Encryption

Broadcast System

Setup(n): g G , , Z_p, g_k = g(k)

PK = ( g, g_1, g_2, … , g_n , g_{n+2} , …, g_{2n} , v=g ) G^(2n+1)

For k=1,…,n set: d_k = (g_k) G

Encrypt(S, PK, M): t Z_p

CT = ( g^t , (v jS g_{n+1-j})^t , M e(g_n, g_1)^t )

Decrypt(CT, S, k, d_k, PK): CT = (C_0, C_1, C_2)

Fact: e( g_k, C_1 ) / e( d_k jS, jk g_{n+1-j+k} , C_0 ) = e(g_n, g_1)^t

Page 11: Collusion Resistant Broadcast Encryption

Security Theorem

Thm:

t-time alg. that -breaks BE sem. sec. in G

t-time alg. that -solves bilinear n-DDHE in G.

~

Page 12: Collusion Resistant Broadcast Encryption

App : Encrypted File Systems

Broadcast to small sets: |S| << n

Best construction: trivial. |CT|=O(|S|) , |priv|=O(1)

Examples: EFS.

MS Knowledge Base: EFS has a limit of 256KB in the file header for the EFS metadata. This limits the number of individual entries for file sharing to a maximum of 800 users.

[Diagram: File F stored as E_{K_F}[F]; header (< 256K) holds E_{PK_A}[K_F], E_{PK_B}[K_F], E_{PK_C}[K_F]]

Page 13: Collusion Resistant Broadcast Encryption

Apps: Sharing in Enc. File System

Store PK on file system. n=2^16 |PK|=1.2MB

File header: ( [S], E[S,PK,K_F] )

Sharing among “800” users:

• 800×2 + 40 = 1640 bytes << 256KB

Each user obtains priv-key d_uid G from admin.

• Admin only stores Z_q

[Diagram: File F stored as E_{K_F}[F]; header Hdr holds [S] and E[S,PK,K_F]; labels S {1, …, n } and 40 bytes]

Page 14: Collusion Resistant Broadcast Encryption

Incremental file sharing

File hdr: ( [S], g^t , (v jS g_{n+1-j})^t )

To grant user u access to file F, owner does: C_1 C_1 (g_{n+1-u})^t

File owner: instead of storing t for every file do: t PRF_{K_O}(Nonce_F)

[Diagram: File F stored as E_{K_F}[F]; header Hdr holds [S], E[S,PK,K_F] (C_0, C_1) and Nonce_F]

Page 15: Collusion Resistant Broadcast Encryption

App: secure email lists

Set n=2^16. Let g_k = g(k)

Suppose (g, g_1, g_2, …, g_n, g_{n+2}, …, g_{2n}) are global (1.2MB)

Simple encrypted email lists:

• ListA: PK_A = (v_A = gA) ; ListB: PK_B = (v_B = gB)

• When new user joins ListA do:

– Assign new index 1 k 2^16 , give key d_k = (g_k) A

•Encrypt msgs to ListA using B.E. for current members.

Much simpler than existing techniques (e.g. LKH)

Page 16: Collusion Resistant Broadcast Encryption

Summary and Open Problems

New public-key broadcast encryption systems:

•Full collusion resistance. Constant size priv key.

•System 1: |CT| = O(1) |PK| = O(n)

•System 2: |CT| = O(n) |PK| = O(n)

Open problems:

•Reduce public key size. Weaker assumption.

•Security against adaptive adversary.

•Tracing traitors with same parameters.

Page 17: Collusion Resistant Broadcast Encryption

Apps: Content Protection

DVD content protection: n = 2^32. r – revoked.

• No room for PK in player.

• Store ( [S], CT, PK ) on each DVD disk.

• Goal: minimize |CT|+|PK| n system

Using n system: |PK|=O(n) , |CT|=O(n) :

|DVD-hdr| = |PK|+|CT|+|[S]| = 5MB + (4r bytes)

NNL-type: |DVD-hdr| = |CT|+|[S]| = (36r bytes)

4216 G.E.

Page 18: Collusion Resistant Broadcast Encryption

App : Content Protection

DVD Content Protection. n = 2^32

• DVD player i ships with private key d_i

• DVD disks encrypted to unrevoked players.

Broadcast to large sets: |S| = n-r where r << n.

[Diagram: players holding private keys d_1, d_2, d_3, d_4]