Broadcast Encryption
Amos Fiat & Moni Naor
Presented by Gayathri VS

Outline
• The Problem
• Zero Message Schemes
  • Basic Scheme
  • 1-resilient Scheme based on 1-way function
  • 1-resilient Scheme based on number-theory
• Low-Memory k-resilient schemes

The Problem
• The system consists of
  • a broadcasting center
  • a set U of n users.
• A key is distributed to users upon joining the system.
• Securely transmit data to a randomly changing privileged subset of users out of the set S.
• Any coalition of k users from the universe who are not part of the privileged set should not be able to decrypt the message (the scheme is k-resilient).

Notations
• U is the universe consisting of n users
• P is the privileged subset
• S is any subset trying to learn the secret (S ∩ P = ∅)
• |S| is the size of subset S
• $K_S$ is the key common to subset S

Security Definitions
• A scheme is resilient if, for every subset S (S ∩ P = ∅, where P ⊂ U is the privileged set), S cannot learn the secret common to P.
• A scheme is k-resilient if |S| ≤ k.
• A scheme is (k,p) random resilient if any randomly selected subset is k-resilient with probability (1 − p).

Obvious Solutions – Performance
• Solution 1: each user is assigned a unique key. 1 key per user and O(n) messages.
• Solution 2: each subset gets a unique key. $2^{n-1}$ keys per user and O(1) message.
• For any arbitrary subset, we have two choices for each of $x_2, \dots, x_n$ (they may or may not be present in that subset). Total number of subsets which contain $x_1$: $1 \cdot 2 \cdot 2 \cdots 2 = 2^{n-1}$.

Problem Statement, Revisited
• The goal is to optimize
  a) the number of transmissions sent by the center to create the common secret
  b) the number of keys each user stores
  c) the computational effort in retrieving the common key by the members of the privileged class.

Outline
• The Problem
• Zero Message Schemes (Low-resiliency)
  • Basic Scheme (Assumption Free)
  • 1-resilient Scheme based on 1-way function
  • 1-resilient Scheme based on number-theory
• Low-Memory k-resilient schemes

Zero Message Schemes
• Knowing which users are in the privileged set T, all users in T can compute the common key to decrypt the message sent by the center.
• The privileged set can be identified by sending a relatively short transmission. This is the ‘set identification transmission’ (different from the broadcast encryption transmission).

BASIC SCHEME
• For every set S ⊂ U where 0 ≤ |S| ≤ k, assign a key $K_S$.
• Distribute $K_S$ to all users x ∈ U − S.
• Example: U = {a, b, c}, so n = 3. Let k be 2.
• KEY DISTRIBUTION:
  S = {a, b, c, {a,b}, {a,c}, {b,c}}
  $K_S$ = {$K_a$, $K_b$, $K_c$, $K_{ab}$, $K_{ac}$, $K_{bc}$}
  User a has $K_b$, $K_c$, $K_{bc}$
  User b has $K_a$, $K_c$, $K_{ac}$
  User c has $K_a$, $K_b$, $K_{ab}$

• ENCRYPTION: The common key to the privileged set P is simply the exclusive or of all keys $K_S$ where S ⊂ U − P.
• If P = {a, b} then K = XOR of $K_S$ where S ⊂ U − P. Here S is c, so K = $K_c$.
• RESILIENCY: Every possible set S ⊂ U − P with 0 ≤ |S| ≤ k will miss the key $K_S$ and cannot decrypt the message sent by the center.
• NUMBER OF MESSAGES, KEYS: Number of keys per user: $\sum_{i=0}^{k} \binom{n}{i}$
• For the above scheme to be 1-resilient each user should store (n+1) keys.
• For the above scheme to be n-resilient each user should store $2^{n-1}$ keys.

1-resilient scheme based on one-way function
• The O(n) keys of the previous scheme can be reduced to ⌈log n⌉ keys if the keys are pseudo-randomly generated.
• Let $f: \{0,1\}^l \to \{0,1\}^{2l}$ be a pseudo-random generator (the length of the output of f is twice the length of the input).
• Users are at the leaves of a balanced binary tree.
• The root is labeled with the common seed from the set $\{0,1\}^l$.

• Apply the pseudo-random generator to the root label. Assign the left half (first l bits) to be the label of the left subtree, while the right half (last l bits) is the label of the right subtree.
• User x should get all leaf labels except his own. To achieve this, we remove the path from x to the root, which leaves a forest whose log n root labels are given to x.
• Every x ∈ U can use the ⌈log n⌉ values that he got to generate all leaf labels except his own.

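The tree labelling described above, as an added example that is not part of the original slides. SHA-256 stands in for the length-doubling generator f, and the function names, the 16-byte label length and the fixed seed are assumptions; the common key is formed with the Basic Scheme rule for k = 1, using the leaf labels as the per-user keys.

```python
import hashlib

L = 16  # label length l, in bytes

def prg(label):
    """Length-doubling generator f (l -> 2l). SHA-256 is a stand-in, an assumption."""
    out = hashlib.sha256(label).digest()          # 32 bytes = 2 * L
    return out[:L], out[L:]                       # (left label, right label)

def expand(label, depth):
    """All leaf labels under a node, left to right."""
    if depth == 0:
        return [label]
    left, right = prg(label)
    return expand(left, depth - 1) + expand(right, depth - 1)

def user_share(seed, depth, x):
    """The log n sibling labels hanging off the path from the root to leaf x."""
    share, label = [], seed
    for level in range(depth):
        left, right = prg(label)
        bit = (x >> (depth - 1 - level)) & 1      # 0 = x is in the left subtree
        share.append(left if bit else right)      # subtree that does not contain x
        label = right if bit else left
    return share

def other_leaves(share, depth, x):
    """User x regenerates every leaf label except its own: {leaf index: label}."""
    leaves = {}
    for level, sibling in enumerate(share):
        below = depth - 1 - level
        first = ((x >> below) ^ 1) << below       # leftmost leaf of the sibling subtree
        for off, lab in enumerate(expand(sibling, below)):
            leaves[first + off] = lab
    return leaves

def common_key(leaves, n, privileged):
    """XOR of the leaf labels of users outside P (the Basic Scheme rule, k = 1)."""
    key = bytes(L)
    for y in set(range(n)) - set(privileged):
        if y not in leaves:
            return None                           # own label is needed but unknown
        key = bytes(a ^ b for a, b in zip(key, leaves[y]))
    return key

SEED, DEPTH = bytes(range(L)), 3                  # constructed seed, n = 8 users
CENTER = dict(enumerate(expand(SEED, DEPTH)))
```
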
A 1-resilient scheme based on Computational Number Theoretic Assumptions
• The center chooses a random hard-to-factor composite N = P·Q, where P and Q are primes.
• It also chooses a secret value g of high index.
• Each user i ∈ U is assigned $g_i = g^{p_i}$, with $\gcd(p_i, p_j) = 1$ for i ≠ j.
• The common key for P ⊂ U is $g_T = g^{p_T} \bmod N$, where $p_T = \prod_{i \in P} p_i$.
• Each user i ∈ P can compute $g_T$ as $g_i^{X} \bmod N$, where $X = \prod_{j \in P \setminus \{i\}} p_j$.

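A toy instance of the number-theoretic scheme above, added here as an example and not taken from the slides. The modulus, g, the per-user primes and all function names are constructed assumptions, far too small for real use. Besides the key derivation, it checks the resilience bound: two users pooling their g_i values can recover g with the extended Euclidean algorithm, which is why the scheme is 1-resilient and no more.

```python
from math import prod

# Constructed toy parameters; a real N is a large, hard-to-factor composite.
N = 1009 * 1013                      # N = P.Q
G = 5                                # center's secret g
PRIMES = {1: 3, 2: 7, 3: 11, 4: 13}  # public, pairwise coprime p_i per user

def user_key(i):
    """g_i = g^{p_i} mod N, the single value stored by user i."""
    return pow(G, PRIMES[i], N)

def center_key(P):
    """g_T = g^{p_T} mod N with p_T the product of p_i over i in P."""
    return pow(G, prod(PRIMES[i] for i in P), N)

def member_key(i, g_i, P):
    """Member i raises g_i to X = product of p_j over the other members."""
    return pow(g_i, prod(PRIMES[j] for j in P if j != i), N)

def ext_gcd(a, b):
    """Return (d, u, v) with u*a + v*b = d = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    d, u, v = ext_gcd(b, a % b)
    return d, v, u - (a // b) * v

def pooled_secret(a, g_a, b, g_b):
    """Two users together: u*p_a + v*p_b = 1, so g_a^u * g_b^v = g (mod N).
    This is why the scheme is 1-resilient and not 2-resilient."""
    _, u, v = ext_gcd(PRIMES[a], PRIMES[b])
    return pow(g_a, u, N) * pow(g_b, v, N) % N
```
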
Outline
• The Problem
• Zero Message Schemes (Low-resiliency)
  • Basic Scheme (Assumption Free)
  • 1-resilient Scheme based on 1-way function
  • 1-resilient Scheme based on number-theory
• Low-Memory k-resilient schemes
  • One Level Schemes
  • Multi Level Schemes

Low Memory-Resilient Schemes
• The zero-message schemes require, for k > 1, memory which is exponential in k.
• Low-memory k-resilient schemes can be built from 1-resilient schemes.
• Let w denote the number of keys that a user is required to store in the 1-resilient scheme: w = n+1 if no cryptographic assumptions are made, w = ⌈log n⌉ if we assume that one-way functions exist, and w = 1 if we assume that it is hard to extract roots modulo a composite.
• The efficiency of the schemes is measured by how many w’s they require.

One Level Scheme
• $f_1, f_2, \dots, f_l$ is a family of functions $f_i : U \to \{1, \dots, m\}$, 1 ≤ i ≤ l.
• For every group S ⊂ U with |S| = k there exists some function $f_i$ that is 1-1 on S: for all x, y in S, $f_i(x) \ne f_i(y)$.
• $\{f_i\}$ contains a perfect hash function for all subsets of size k in U when mapped to the range {1, 2, …, m}.

One Level Scheme – Key Distribution
• $\{R(i, j)\}_{1 \le i \le l,\ 1 \le j \le m}$ are independent 1-resilient schemes.
• Each user x ∈ U gets the keys associated with the scheme $R(i, f_i(x))$, 1 ≤ i ≤ l.

One Level Schemes – Encryption and Decryption
• To transmit M to T ⊂ U, the center breaks M into l random shares such that $M = M_1 \oplus M_2 \oplus \cdots \oplus M_l$.
• For 1 ≤ i ≤ l the center transmits $M_i$ in m distinct messages using R(i, j), j = 1, 2, …, m, where $j = f_i(x)$ for all x in P.
• Every x ∈ T may recover $M_i$, 1 ≤ i ≤ l, from R(i, j) where $j = f_i(x)$, and then add them up to get M.
• If $x_1$ is part of P: $M_1$ comes from $R(1, f_1(x_1))$, $M_2$ from $R(2, f_2(x_1))$, …, $M_l$ from $R(l, f_l(x_1))$.

One Level Scheme – Resiliency
Claim: The scheme is k-resilient.
• Let S be a coalition of size |S| ≤ k.
• There exists $f_i$ that is 1-1 on S.
• $M_i$ is the message transmitted using $f_i$. $M_i$ is delivered in m independent transmissions.
• For each j there can be at most one x ∈ S with $f_i(x) = j$, that is, at most one coalition member who has the keys of scheme R(i, j).
• However, R(i, j) is 1-resilient, and hence that single user cannot recover $M_i$, and hence M.

One Level Scheme – Idea
• Use a perfect family of hash functions.
• Send a “share” of the secret M corresponding to each hash function.
• Each share is broadcast under different encryptions.
• The privileged users can decrypt these messages, and any colluding set of at most k users cannot obtain at least one of the shares.
• No information about M is revealed if even one of the shares is missing.

Setting Parameters
• Set $m = 2k^2$, $l = k \log n$.
• Theorem: There exists a k-resilient scheme that requires the users to store $O(k \log n \cdot w)$ keys and the center to broadcast $O(k^3 \log n)$ messages. The scheme may be constructed at random with arbitrarily high probability.
• Probability that a random $f_i$ is not 1-1 on S is ((kC2).2m-1)/ 2m = $\binom{k}{2} \cdot \frac{1}{m} = \frac{k(k-1)}{2m} = \frac{1}{4} - \frac{1}{4k} \le \frac{1}{4}$.
• Given the family of functions $f_1, f_2, \dots, f_l$: Prob(no $f_i$ is 1-1 on S) = $1/4^l = 1/2^{2l} = 1/n^{2k}$ ($l = k \log n$; $2l = 2k \log n$; $2l = \log n^{2k}$; $n^{2k} = 2^{2l}$).
• Prob(some $f_i$ is 1-1 on S) = $1 - n^{-2k}$.
• Prob(there exists $f_i$ that is 1-1, for all S of size k) $\ge (1 - n^{-2k})^t$, where $t = \binom{n}{k}$, $\ge 1 - n^{-k}$.

Setting Parameters
• A scheme is (k,p) random resilient if any randomly selected subset is k-resilient with probability (1 − p).
• P(for every subset S of size k, there exists $f_i$ that is 1-1 on S) ≥ 1 − p.
• For (k,p) random resiliency substitute $l = \log(1/p)$.
• Theorem: A (k,p)-resilient scheme requires the users to store $O(\log(1/p) \cdot w)$ keys and the center to broadcast $O(k^2 \log(1/p))$ messages.

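The one-level construction with the parameters m = 2k² and l = k log n, as an added example that is not from the slides or the paper. It assumes n = 16 and k = 3, realises each R(i, j) with the Basic Scheme at k = 1 using HMAC-derived keys, and uses hypothetical function names; a user's key store is modelled by the rule that x in cell j holds every key of R(i, j) except its own.

```python
import hashlib, hmac, random, secrets
from functools import reduce
from itertools import combinations

n, k = 16, 3
m, l = 2 * k * k, k * 4      # slide's m = 2k^2 and l = k log n (log2 16 = 4)
U = range(n)

def xor(*parts):
    return reduce(lambda a, b: bytes(p ^ q for p, q in zip(a, b)), parts)

def perfect_family(rng):
    """Draw l random maps U -> {0..m-1}; retry until every k-subset has a 1-1 map."""
    while True:
        fam = [[rng.randrange(m) for _ in U] for _ in range(l)]
        if all(any(len({f[x] for x in S}) == k for f in fam)
               for S in combinations(U, k)):
            return fam

def K(master, i, j, y):      # K_y inside R(i, j); HMAC derivation is an assumption
    return hmac.new(master, f"{i}|{j}|{y}".encode(), hashlib.sha256).digest()[:16]

def cell_key(master, fam, i, j, T, group=None):
    """Key of R(i,j) for T's members in cell j: XOR of K_y, y in the cell but not in T.
    If group is given, use only keys it holds (x in the cell holds K_y iff y != x)."""
    need = ["-"] + [y for y in U if fam[i][y] == j and y not in T]
    mine = [x for x in (group or []) if fam[i][x] == j]
    if group is not None and any(all(x == y for x in mine) for y in need):
        return None
    return xor(*(K(master, i, j, y) for y in need))

def broadcast(master, fam, T, M):
    shares = [secrets.token_bytes(len(M)) for _ in range(l - 1)]
    shares.append(xor(M, *shares))            # M = M_1 xor ... xor M_l
    return {(i, j): xor(shares[i], cell_key(master, fam, i, j, T))
            for i in range(l) for j in {fam[i][x] for x in T}}

def recover(master, fam, T, ct, group):
    """Decrypt one copy of each share and XOR them; None if some M_i is out of reach."""
    got = []
    for (i, j), c in sorted(ct.items()):
        key = cell_key(master, fam, i, j, T, group)
        if key and len(got) == i:             # first readable copy of M_i
            got.append(xor(c, key))
    return xor(*got) if len(got) == l else None

master, fam = secrets.token_bytes(32), perfect_family(random.Random(7))
T, M = {0, 1, 2, 3, 4}, b"broadcast-secret"   # constructed sample input (16 bytes)
ct = broadcast(master, fam, T, M)
```
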
Multi Level Schemes
• Multi-level schemes, like the one-level ones, convert 1-resilient schemes to k-resilient ones.
• The “multi-levelness” comes through the R(i, j)s, which are sets of 1-resilient schemes.
• They decrease the length of transmission at the expense of more storage at the user.

Multi-Level Scheme – Key Distribution
• Every user x in U, for every 1 ≤ i ≤ l and for every 1 ≤ r ≤ w, receives the keys associated with the scheme $R(i, f_i(x), r)$.
• For every subset S of size k, there exists some 1 ≤ i ≤ l such that for all j there exists some w such that R(i, j, w) is resilient to the set $\{x \in S : f_i(x) = j\}$.

Multi Level Scheme – Encryption and Decryption
• To transmit M to T ⊂ U, the center breaks M randomly into l shares, such that $M = M_1 \oplus M_2 \oplus \cdots \oplus M_l$.
• Each $M_i$ is broken into w shares for each j: $M_1(i,j), M_2(i,j), \dots, M_w(i,j)$.
• For 1 ≤ i ≤ l and 1 ≤ r ≤ w, $M_r(i,j)$ is broadcast to the privileged subset $\{x \in T : f_i(x) = j\}$.
• For any subset S of size k, by assumption there is an i such that, for all j, in that i some scheme w is resilient to the x in S with $f_i(x) = j$.
• Storage per user: l · w times that of the 1-resilient scheme.
• Length of transmission: l · m · w times that of the 1-resilient scheme.

• Set $L = 2k \log n$, $m = k/\log k$, $w = \log k + 1$, $t = 2e \log k$.
• There exists a k-resilient scheme that requires each user to store $O(k \log k \log n \cdot w)$ keys and the center to broadcast $O(k^2 \log^2 k \log n)$ messages. Moreover, the scheme can be constructed effectively with high probability.
• There exists a (k,p) random-resilient scheme with the property that the number of keys each user should store is $O(\log k \log(1/p) \cdot w)$ and the center should broadcast $O(k \log^2 k \log(1/p))$ messages. Moreover, the scheme can be constructed effectively with high probability.