180 likes | 287 Views
Collusion Resistant Broadcast Encryption With Short Ciphertexts and Private Key s. Dan Boneh, Craig Gentry, and Brent Waters. Broadcast Encryption [FN’93]. Encrypt to arbitrary subsets S. Collusion resistance : secure even if all users in S c collude. d 1. CT = E[M,S]. d 2.
E N D
Collusion Resistant Broadcast Encryption With Short Ciphertexts and Private Keys Dan Boneh, Craig Gentry, and Brent Waters
Broadcast Encryption [FN’93] • Encrypt to arbitrary subsets S. • Collusion resistance: • secure even if all users in Sc collude. d1 CT = E[M,S] d2 S {1,…,n} d3
Broadcast Encryption • Public-key BE system: • Setup(n): outputs private keys d1 , …, dn and public-key PK. • Encrypt(S, PK, M): Encrypt M for users S {1, …, n} Output ciphertext CT. • Decrypt(CT, S, j, dj, PK): If j S, output M. • Note: broadcast contains ( [S], CT )
Trivial Solutions • Small private key, large ciphertext. • Every user j has unique private key dj . CT = { Edj[M] | jS } |CT| = O(|S|) |priv| = O(1) • Large private keys, small ciphertexts • Unique key KS for every subset S {1, …, n} • User j’s priv-key: dj = { KS | jS } |CT| = O(1) |priv| = O(2n)
Outline • Previous work • Security Definitions • Overview scheme • Applications • Conclusions
Previous Solutions • t-Collusion resistant schemes [FN’93] • Resistant to t-colluders • |CT| = O(t2log n) |priv| = O(tlog n) • Attacker knows t • Broadcast to large sets [NNL,HS,GST] • |CT|= O(r) |priv|=O(log n) • Useful if small number of revoked players
EFS, Email Subs. Service DVD’s Summary n 0
S {1, …, n } PK, { dj| j S } m0, m1 G C* = Enc( S, PK, mb) b’ {0,1} Broadcast Encryption Security • Semantic security when users collude. (static adversary) • Def: Alg. A -breaks BE sem. sec. if Pr[b=b’] > ½ + • (t,)-security: no t-time alg. can -break BE sem. sec. Challenger Attacker RunSetup(n) b{0,1}
Bilinear Maps • G , GT : finite cyclic groups of prime order p. • Def: An admissible bilinear mape: GG GTis: • Bilinear:e(ga, gb) = e(g,g)ab a,bZ, gG • Non-degenerate:g generates G e(g,g) generates GT . • Efficiently computable.
Broadcast System • Setup(n): g G , , Zp, gk = g(k) PK = ( g, g1, g2, … , gn , gn+2 , …, g2n , v=g ) G2n+1 For k=1,…,n set: dk = (gk) G • Encrypt(S, PK, M): t Zp CT = ( gt , (v jS gn+1-j)t , Me(gn,g1)t ) • Decrypt(CT, S, k,dk, PK): CT = (C0, C1, C2) Fact: e( gk, C1 ) / e( dk gn+1-j+k , C0 ) = e(gn,g1)t jSjk
Security Theorem • Thm: t-time alg. that -breaks BE sem. sec. in G t-time alg. that -solves bilinear n-DDHE in G. ~
EPKC[KF] Header< 256K App : Encrypted File Systems • Broadcast to small sets: |S| << n • Best construction: trivial. |CT|=O(|S|) , |priv|=O(1) • Examples: EFS. MS Knowledge Base:EFS has a limit of 256KB in the file header for the EFS metadata. This limits the number of individual entries for file sharing to a maximum of 800 users. EPKB[KF] EPKA[KF] File FEKF[F]
[S] E[S,PK,KF] Hdr File FEKF[F] Apps: Sharing in Enc. File System • Store PK on file system. n=216 |PK|=1.2MB • File header: ([S], E[S,PK,KF]) • Sharing among “800” users: • 8002 + 40 = 1640 bytes << 256KB • Each user obtains priv-key duid G from admin. • Admin only stores Zq S {1, …, n } 40 bytes
C0 C1 [S] E[S,PK,KF] NonceF Hdr File FEKF[F] Incremental file sharing • File hdr: ([S], gt , (v jS gn+1-j)t) • To grant user u access to file F, owner does: C1 C1 (gn+1-u)t • File owner: instead of storing t for every file do: t PRFKO (NonceF )
App: secure email lists • Set n=216. Let gk = g(k)Suppose (g, g1, g2,…, gn, gn+2,…, g2n) are global (1.2MB) • Simple encrypted email lists: • ListA: PKA = (vA = gA) ; ListB: PKB = (vB = gB) • When new user joins ListA do: • Assign new index 1 k 216,give key dk = (gk)A • Encrypt msgs to ListA using B.E. for current members. • Much simpler than existing techniques (e.g. LKH)
Summary and Open Problems • New public-key broadcast encryption systems: • Full collusion resistance. Constant size priv key. • System 1: |CT| = O(1) |PK| = O(n) • System 2: |CT| = O(n) |PK| = O(n) • Open problems: • Reduce public key size. Weaker assumption. • Security against adaptive adversary. • Tracing traitors with same parameters.
4216 G.E. Apps: Content Protection • DVD content protection: n = 232. r – revoked. • No room for PK in player. • Store ( [S], CT, PK) on each DVD disk. • Goal: minimize |CT|+|PK| n system • Using n system: |PK|=O(n) , |CT|=O(n) : |DVD-hdr| = |PK|+|CT|+|[S]| = 5MB + (4r bytes) • NNL-type: |DVD-hdr| = |CT|+|[S]| = (36r bytes)
App : Content Protection • DVD Content Protection. n = 232 • DVD player i ships with private key di • DVD disks encrypted to unrevoked players. • Broadcast to large sets: |S| = n-r where r << n. d1 d2 d3 d4