Broadcast Encryption – an overview
Niv Gilboa – BGU
Definition (FN93)
• The broadcaster sends E(M) over the broadcast channel to the users U={u1,…,un}.
• S, |S|=n-r: users get M.
• R, |R|=r: users don’t get M, even with collusion.
Usage
• Broadcast TV
• Content distribution
• Mobile content
• DVD
• Multi-user file systems
Pay TV
• Beginnings
  • 1980s
  • Subscriptions instead of advertising
  • TV content costs money!
• Threat: a subset of users in U distribute M to a user u' in R
• [FN93] and all subsequent papers only consider users in R as a threat.
Straightforward Solution I
• Initialization: the broadcaster holds keys $k_1, k_2, k_3, \dots, k_n$
• Each key $k_i$ is delivered to user $u_i$ over a private channel
Straightforward Solution II
• Broadcast I (key): $E_{k_i}(\mathit{key})$ for every $i \in S$, over the broadcast channel
• Broadcast II (content): $E_{\mathit{key}}(\mathit{content})$
• Every user $u_i$ with $i \in S$ recovers $\mathit{key}$, and with it the content
Diverging concerns
• Media distribution (practice)
  • Users in S can provide key / content to users in R
• Broadcast encryption (theory)
  • Separation between key and content is not important and is obvious
  • Straightforward solution is trivial
    • Message length – O(n-r)
    • Storage – O(1) for user, O(n-r) for broadcaster (or O(1) + PRF)
    • Revocation for free
  • Better solutions can be found
Beyond Cryptography
• Media distribution to “secure devices”
  • Smart cards
  • Secure hardware of various types
  • Obfuscated code
• The rest of the talk will focus on broadcast encryption
Limited collusion
• The assumption is that only up to t users in R collude
  • Original [FN93] paper
  • Public key papers [CMN99], [NP00]
• Reasonable assumption, but results are not better than fully collusion-resistant schemes
Logical Key Hierarchy [W97, WGL98]
• Users are arranged in a balanced binary tree
  • Each user is a leaf
  • Each node is associated with a key
  • Each user has the log n keys on the path from its leaf to the root
• Users have dynamic state
• Revocation of node x
  • Bottom-up update
  • Encrypt each new node key with its children’s keys: a single key for the parent of x, both keys for higher nodes
LKH (cont.)
• Broadcast:
  • Encrypt message with root key
• Complexity
  • Broadcast message length – O(1)
  • Storage – O(log n) for user, O(1) + PRF for broadcaster
  • Revocation – O(log n) time per user
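The LKH revocation described on the two slides above, as an added worked example (not code from the talk or from [W97, WGL98]): a complete binary tree of node keys, a bottom-up rekey after revoking one leaf, and the client-side processing of the rekey broadcast. The key wrap is a constructed SHA-256 keystream XOR standing in for a real AEAD; node numbering (root 0, children 2i+1 and 2i+2, user u at leaf n-1+u) and the `rekey`/`content` labels are this example's own choices.

```python
import hashlib
import os
from typing import Dict, List, Set, Tuple

# Toy key wrap: XOR with a SHA-256 counter keystream derived from key and label.
# Stand-in for a real AEAD (e.g. AES-GCM); constructed for this example only.
def keystream(key: bytes, label: bytes, length: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + label + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:length]

def wrap(key: bytes, label: bytes, payload: bytes) -> bytes:
    return bytes(p ^ s for p, s in zip(payload, keystream(key, label, len(payload))))

unwrap = wrap  # XOR keystream: wrapping and unwrapping are the same operation

class LKH:
    """Logical Key Hierarchy over a complete binary tree with n = 2^d leaves.
    Node i has children 2i+1 and 2i+2 (root = 0); user u sits at leaf n-1+u.
    The broadcaster holds every node key; user u holds the d+1 keys on the
    path from its leaf to the root, and that state changes on revocation."""

    def __init__(self, n: int):
        assert n > 1 and n & (n - 1) == 0, "n must be a power of two"
        self.n = n
        self.keys: Dict[int, bytes] = {i: os.urandom(32) for i in range(2 * n - 1)}
        self.users: Dict[int, Dict[int, bytes]] = {
            u: {node: self.keys[node] for node in self.path(u)} for u in range(n)}
        self.revoked: Set[int] = set()

    def path(self, u: int) -> List[int]:
        """Nodes from user u's leaf up to the root."""
        node = self.n - 1 + u
        out = [node]
        while node > 0:
            node = (node - 1) // 2
            out.append(node)
        return out

    def _is_revoked_leaf(self, node: int) -> bool:
        return node >= self.n - 1 and (node - (self.n - 1)) in self.revoked

    def revoke(self, x: int) -> List[Tuple[int, int, bytes]]:
        """Revoke user x and rekey bottom-up. Every node above x's leaf gets a
        fresh key, sent encrypted under each child's key, but a revoked leaf's
        key is never used: the parent of x gets one message (under the sibling's
        key), higher nodes get two. Returns (node, encrypting_node, ciphertext)
        triples in bottom-up order."""
        self.revoked.add(x)
        msgs: List[Tuple[int, int, bytes]] = []
        for node in self.path(x)[1:]:            # parent of x, ..., root
            new_key = os.urandom(32)
            for child in (2 * node + 1, 2 * node + 2):
                if self._is_revoked_leaf(child):
                    continue
                # A child on x's path already holds its *new* key from the
                # previous iteration, the one legitimate users below it received.
                msgs.append((node, child, wrap(self.keys[child], b"rekey%d" % node, new_key)))
            self.keys[node] = new_key
        return msgs

    def user_process(self, u: int, msgs: List[Tuple[int, int, bytes]]) -> None:
        """Client side: unwrap every rekey message whose encrypting key u holds.
        Bottom-up order guarantees a parent key is refreshed before the
        grandparent's message is processed. A revoked user unwraps with stale
        keys and ends up with garbage (a real AEAD would reject instead)."""
        state = self.users[u]
        for node, enc_node, ct in msgs:
            if enc_node in state:
                state[node] = unwrap(state[enc_node], b"rekey%d" % node, ct)

    def broadcast(self, m: bytes) -> bytes:
        """O(1)-length broadcast: the message is encrypted under the root key."""
        return wrap(self.keys[0], b"content", m)

    def user_read(self, u: int, ct: bytes) -> bytes:
        return unwrap(self.users[u][0], b"content", ct)
```

With n = 8, revoking one user produces 2·log2(8) − 1 = 5 rekey messages (1 for the parent, 2 for each of the two higher nodes), every remaining user ends up with the new root key after processing them, and the revoked user cannot read anything encrypted under it afterwards. Revoking the sibling of an already revoked user sends nothing under either dead leaf key.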
Subset cover schemes
• Several works: starting with [NNL01], improved in [HS02], [GST04]
• Stateless schemes
• $B \subseteq 2^U$; a key $k_i$ is associated with every $b_i \in B$
• User $u$ has the keys of every $b$ such that $u \in b$
• Broadcast and revocation
  • Broadcaster finds $\{b_1,\dots,b_m\} \subseteq B$ such that $\bigcup_i b_i = S$
  • Broadcaster sends $E_{k_i}(M)$ for every $i=1,\dots,m$
Subset cover (cont.)
• Message length – m
• Storage – broadcaster |B|; user u stores the number of sets b s.t. $u \in b$
• Example – same data structure as LKH
  • Message length – $m = r\log(n/r)$
  • Storage – broadcaster O(1)+PRF, user O(log n)
• Better data structures shave the log(n/r) factor
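The subset cover framework of the last two slides, as an added worked example (not code from the talk or from [NNL01]), with two families B: the singletons, which is exactly the Straightforward Solution with message length n−r, and the nodes of the LKH tree (the complete-subtree structure), where the cover is the set of maximal revoked-free subtrees and the message length stays within the slide's r·log(n/r). The greedy largest-first cover is this example's own procedure and is only guaranteed to find the cover for a laminar (tree-shaped) family; node numbering follows the same convention as the LKH example (root 0, children 2i+1 and 2i+2, user u at leaf n-1+u).

```python
import math
from typing import Dict, FrozenSet, List, Set

Family = Dict[int, FrozenSet[int]]   # set id -> members; one key k_b per set b

def complete_subtree_family(n: int) -> Family:
    """B for the complete-subtree method (the LKH tree read as a subset cover):
    every node of a complete binary tree with n = 2^d leaves is a set b, the
    users under it. Node i has children 2i+1, 2i+2; user u is leaf n-1+u."""
    assert n > 1 and n & (n - 1) == 0, "n must be a power of two"
    subsets: Family = {}
    for node in range(2 * n - 2, -1, -1):      # leaves first, root last
        if node >= n - 1:
            subsets[node] = frozenset([node - (n - 1)])
        else:
            subsets[node] = subsets[2 * node + 1] | subsets[2 * node + 2]
    return subsets

def singleton_family(n: int) -> Family:
    """B = {{u} : u in U}: the Straightforward Solution as a subset cover."""
    return {u: frozenset([u]) for u in range(n)}

def user_keys(subsets: Family, u: int) -> Set[int]:
    """Keys user u stores: one per set b in B with u in b."""
    return {b for b, members in subsets.items() if u in members}

def find_cover(subsets: Family, revoked: Set[int], n: int) -> List[int]:
    """Greedy cover of S = U minus R: take R-free sets largest first, skipping
    any set already inside a chosen one. For a laminar family (a tree) this is
    exactly the set of maximal R-free subtrees the broadcaster encrypts under."""
    uncovered = set(range(n)) - revoked
    chosen: List[int] = []
    for b, members in sorted(subsets.items(), key=lambda kv: (-len(kv[1]), kv[0])):
        if members & revoked:
            continue                       # a revoked user holds this key
        if members <= uncovered:
            chosen.append(b)
            uncovered -= members
    assert not uncovered, "B must be able to cover S (it contains all singletons)"
    return chosen

def is_valid_cover(subsets: Family, cover: List[int], revoked: Set[int], n: int) -> bool:
    """Every user in S is in exactly one chosen set (one decryption per user);
    no user in R is in any chosen set."""
    hits = {u: sum(u in subsets[b] for b in cover) for u in range(n)}
    return all(hits[u] == (0 if u in revoked else 1) for u in range(n))

def cover_bound(n: int, r: int) -> float:
    """The slide's m = r log(n/r) for the complete-subtree structure (r > 0)."""
    return r * math.log2(n / r)

def message_length(subsets: Family, revoked: Set[int], n: int) -> int:
    """m: the number of E_{k_i}(M) ciphertexts in the broadcast."""
    return len(find_cover(subsets, revoked, n))
```

For n = 16 and R = {3, 12} the tree family yields a cover of 6 subtrees (nodes 4, 5, 7, 14, 17, 28), equal to the bound 2·log2(16/2) = 6, with each user holding log2(16)+1 = 5 keys and the broadcaster holding |B| = 31; the singleton family yields n−r = 14 ciphertexts with one key per user.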
Public keys
• Advantage of public key systems:
  • Any user can encrypt messages
  • Sometimes that’s a disadvantage
• Any symmetric key scheme can be turned into a private/public key scheme
• Slight problem
  • In the simplest transformation the broadcaster key has to be large (O(n) or O(n-r))
• Bilinear maps to the rescue! HIBE [DF02] and others.
Example [LSW10]
• Public key
• Stateless
• Revocation and broadcast in O(r)
• Storage for broadcaster and user O(1)
• Specific hardness assumptions!
• O(1) here is actually quite similar to O(log n) in previous solutions.
LSW10 (cont.)
• Two groups $G$, $G_1$ of size $p$, and $e: G \times G \to G_1$ s.t. $e(g^a, g^b) = e(g,g)^{ab}$
• Discrete log and variations of DDH are assumed to be hard in $G$ and $G_1$
• General parameters: $g, h \in G$, $a, b \in \{0,\dots,p-1\}$
• Public key: $\{g,\ g^b,\ g^{b^2},\ h^b,\ e(g,g)^a\}$
• Private key (for identity $ID$): $t \in \{0,\dots,p-1\}$, $D_0 = g^a g^{b^2 t}$, $D_1 = (g^{b\,ID} h)^t$, $D_2 = g^{-t}$
LSW10 (cont.)
• Encryption: assume that $R=\{1,\dots,r\}$, with identities $ID_1,\dots,ID_r$
  • Choose random $s$ and divide it into $r$ shares, $s_1+\dots+s_r = s \bmod p$
  • $C' = e(g,g)^{as} M$, $C_0 = g^s$
  • For $i=1,\dots,r$: $C_{i,1} = g^{b s_i}$, $C_{i,2} = (g^{b^2 ID_i} h^b)^{s_i}$
• Decryption: divide $e(C_0, D_0)$ by $YZ$, where
  • $Y = e\big(D_1,\ \prod_i (C_{i,1})^{1/(ID-ID_i)}\big)$
  • $Z = e\big(D_2,\ \prod_i (C_{i,2})^{1/(ID-ID_i)}\big)$
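Carrying the decryption through (an added check, not on the original slides, using only the slide's symbols). It needs $ID \neq ID_i$ for every $i$, i.e. the decrypting user is not in $R$; for a revoked user one exponent $1/(ID-ID_i)$ is undefined and the telescoping below fails. Write $\sigma = \sum_i s_i/(ID-ID_i)$.

$$e(C_0, D_0) = e\big(g^s,\ g^a g^{b^2 t}\big) = e(g,g)^{as}\, e(g,g)^{b^2 t s}$$

$$Y = e\big((g^{b\,ID} h)^t,\ g^{b\sigma}\big) = e(g,g)^{b^2 t\, ID\, \sigma}\ e(g,h)^{b t \sigma}$$

$$Z = e\big(g^{-t},\ g^{b^2 \sum_i ID_i s_i/(ID-ID_i)}\, h^{b\sigma}\big) = e(g,g)^{-b^2 t \sum_i ID_i s_i/(ID-ID_i)}\ e(g,h)^{-b t \sigma}$$

$$YZ = e(g,g)^{b^2 t \sum_i s_i (ID - ID_i)/(ID-ID_i)} = e(g,g)^{b^2 t \sum_i s_i} = e(g,g)^{b^2 t s}$$

$$\frac{e(C_0, D_0)}{YZ} = e(g,g)^{as}, \qquad M = \frac{C'}{e(g,g)^{as}}$$

The $e(g,h)$ terms cancel because the pairing is symmetric ($e: G \times G \to G_1$), and the $b^2 t$ terms cancel because the shares $s_i$ are combined with weights $(ID-ID_i)/(ID-ID_i)=1$; the random $t$ in the private key never leaves the exponent, which is what keeps keys of different users from being combined.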
What’s still open?
• Stateful?
  • A scheme with the same parameters as LSW is known [DGK12], by changing the state as part of the revocation
• Very large r
  • We would like schemes that are flexible between r and n-r. An example is [BGW05], but message size × public key ≈ n
• Closing the gap between theory and practice