Secure Broadcast Systems and Perspective on Pairings. Brent Waters Joint work with Dan Boneh, Craig Gentry, and Amit Sahai. Broadcast Systems. Distribute content to a large set of users. Commercial Content Distribution File systems Military Grade GPS Multicast IP.
Secure Broadcast Systems and Perspective on Pairings
Brent Waters
Joint work with Dan Boneh, Craig Gentry, and Amit Sahai
Broadcast Systems
Distribute content to a large set of users
• Commercial Content Distribution
• File systems
• Military Grade GPS
• Multicast IP
Broadcast Encryption [FN'93]
• Encrypt to arbitrary subsets S ⊆ {1,…,n}.
• Collusion resistance: secure even if all users in S^c (everyone outside S) collude.
(Figure: users holding private keys d1, d2, d3 receive the broadcast CT = E[M,S].)
App: Encrypted File Systems
• Broadcast to small sets: |S| << n
• Best construction: trivial. |CT| = O(|S|), |priv| = O(1)
• Examples: EFS. MS Knowledge Base: "EFS has a limit of 256KB in the file header for the EFS metadata. This limits the number of individual entries for file sharing to a maximum of 800 users."
(Figure: file header (< 256K) holding E_PKA[KF], E_PKB[KF], E_PKC[KF]; the file F itself stored as E_KF[F].)
Broadcast Encryption
• Public-key BE system:
  • Setup(n): outputs private keys d1, …, dn and public key PK.
  • Encrypt(S, PK, M): encrypt M for users S ⊆ {1, …, n}; output ciphertext CT.
  • Decrypt(CT, S, j, dj, PK): if j ∈ S, output M.
• Note: broadcast contains ([S], CT)
Previous Solutions
• t-Collusion resistant schemes [FN'93…]
  • Resistant to t colluders
  • |CT| = O(t² log n), |priv| = O(t log n)
  • Attacker knows t
• Broadcast to large sets [NNL, HS, GST…]
  • |CT| = O(r), |priv| = O(log n)
  • Useful if small number of revoked players
  • Ciphertext sizes are multiples of the security parameter
Overview
(Figure: recipient-set size on a scale from 0 to n, with EFS, Email Subscription Service and DVD's placed along it.)
Broadcast Encryption Security
• Semantic security when users collude (static adversary).
• Game between Challenger and Attacker:
  • Attacker picks S ⊆ {1, …, n}.
  • Challenger runs Setup(n), picks b ← {0,1}, sends PK and {dj | j ∉ S}.
  • Attacker sends m0, m1 ∈ G; receives C* = Enc(S, PK, mb).
  • Attacker outputs b′ ∈ {0,1}.
• Def: Alg. A ε-breaks BE sem. sec. if Pr[b = b′] > ½ + ε
Bilinear Maps
• G, GT: finite cyclic groups of prime order p.
• Def: An admissible bilinear map e: G × G → GT is:
  • Bilinear: e(g^a, g^b) = e(g,g)^(ab) for all a, b ∈ Z, g ∈ G
  • Efficiently computable.
Broadcast System [BGW'05]
• Setup(n): g ← G, α, γ ← Zp, g_k = g^(α^k)
  PK = (g, g_1, g_2, …, g_n, g_(n+2), …, g_(2n), v = g^γ) ∈ G^(2n+1)
  For u = 1, …, n set: K_u = (g_u)^γ ∈ G
• Encrypt(S, PK, M): t ← Zp
  CT = (g^t, (v · ∏_{j∈S} g_(n+1-j))^t, M · e(g_n, g_1)^t)
• Decrypt(CT, S, u, K_u, PK): CT = (C0, C1, C2)
  Fact: e(g_u, C1) / e(K_u · ∏_{j∈S, j≠u} g_(n+1-j+u), C0) = e(g_n, g_1)^t
Security Theorem
• Thm: ∃ t-time alg. that ε-breaks static BE security in G ⇒ ∃ t̃-time alg. that ε-solves bilinear n-DDHE in G.
• Open problem: adaptive security with similar params.
• New [BW'06]: adaptive security with O(√n)-size CT
Apps: Sharing in Enc. File System
• Store PK on file system. n = 2^16, |PK| = 1.2MB
• File header: ([S], E[S,PK,KF]), where [S] describes the set S ⊆ {1, …, n} and E[S,PK,KF] is 40 bytes
• Sharing among "800" users: 800·2 + 40 = 1640 bytes << 256KB
• Each user obtains priv-key d_uid ∈ G from admin.
• Admin only stores γ ∈ Zq
(Figure: header Hdr = ([S], E[S,PK,KF]); file body E_KF[F].)
Summary of Broadcast Enc.
• New public-key broadcast encryption systems:
  • Full collusion resistance. Constant size priv key.
  • System 1: |CT| = O(1), |PK| = O(n)
  • System 2: |CT| = O(√n), |PK| = O(√n)
• Description of set, |S|, is now dominant term
Tracing Pirate Devices [CFN'94]
• Attacker creates "pirated device"
• Want to trace origin of device
T.T.: a popular problem
32 papers from 49 authors
FAQ-1: "The Content can be Copied?"
• DRM impossibility argument
• Protecting the service
• Goal: stop attacker from creating devices that access the original broadcast
FAQ-2: Why black-box tracing? [BF'99]
• D: may contain unrecognized keys, is obfuscated, or tamper resistant.
• All we know: Pr[M ←R G, C ←R Encrypt(PK, M) : D(C) = M] > 1-ε
(Figure: keys K1, K2, K3 go into the pirate box D, whose contents show only as garbled key material "K$*JWNFD&RIJ$".)
Formally: Secure TT systems
• (1) Semantically secure, and (2) Traceable:
  • Attacker picks S ⊆ {1, …, n}.
  • Challenger runs Setup(n), sends PK, TK, {Kj | j ∈ S}.
  • Attacker outputs a pirate decoder D.
  • Trace^D(TK) outputs i ∈ {1,…,n}.
• Adversary wins if: (1) Pr[D(C) = M] > 1-ε, and (2) i ∉ S
Brute Force System
• Setup(n): generate n PKE pairs (PKi, Ki). Output private keys K1, …, Kn; PK ← (PK1, …, PKn); TK ← PK.
• Encrypt(PK, M): C ← (E_PK1(M), …, E_PKn(M))
• Tracing: next slide.
• This is the best known TT system secure under arbitrary collusion … until now
Trace^D(PK): [BF99, NNL00, KY02]
• For i = 1, …, n+1 define, for M ←R G:
  p_i := Pr[D(E_PK1(R), …, E_PK(i-1)(R), E_PKi(M), …, E_PKn(M)) = M]
  (the first i-1 slots carry random messages R, the remaining slots carry M)
• Then: p_1 > 1-ε; p_(n+1) ≈ 0
• 1-ε ≈ |p_(n+1) – p_1| = |Σ_{i=1}^{n} (p_(i+1) – p_i)| ≤ Σ_{i=1}^{n} |p_(i+1) – p_i|
  ⇒ Exists i ∈ {1,…,n} s.t. |p_(i+1) – p_i| ≥ (1-ε)/n
  ⇒ User i must be one of the pirates.
Security Theorem
• Tracing algorithm estimates p̂_i with |p_i – p̂_i| < (1-ε)/4n
• Need O(n²) samples per p_i. (D stateless)
• Cubic time tracing.
• Can be improved to quadratic in |S|.
• Thm: underlying PKE system is semantically secure ⇒ no eff. adv. wins the tracing game with non-neg. adv.
Abstracting the Idea [BSW'06]: Linear Broadcast Encryption / Private B.E.
Properties needed:
• For i = 1, …, n+1 need to encrypt M so that users 1, …, i-1 cannot decrypt and users i, …, n can decrypt.
• Without K_i the adversary cannot distinguish Enc(i, PK, M) from Enc(i+1, PK, M).
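Added simulation, not from the talk or the cited papers, of the hybrid tracing argument on the Trace^D slides above and of the index abstraction just stated (slots i..n decryptable, slots 1..i-1 not): a constructed stateless pirate decoder is probed with hybrid ciphertexts, each p_i is estimated by sampling, and the user at the largest gap is accused. The decoder strategy, delta, n, the pirate set and the seeds are assumptions; per-user encryptions are stood in for by list slots.

```python
import random

# Everything below is a constructed simulation: per-user encryptions E_PK_j(.)
# are stood in for by plain slots in a list, since the tracing argument only
# needs the hybrid structure of the ciphertext, not a real PKE.
MSG_BITS = 32

def hybrid_ciphertext(n, i, m, rng):
    """Slots 1..i-1 carry fresh random messages R, slots i..n carry m.
    i = 1 is a normal broadcast; i = n+1 contains m in no slot at all."""
    return [rng.getrandbits(MSG_BITS) if j < i else m for j in range(1, n + 1)]

def make_pirate_decoder(pirate_keys, delta, rng):
    """Stateless black box D built from the colluders' keys (a hypothetical
    strategy): it opens the slot of its lowest-index key and returns it with
    probability delta, otherwise it guesses. On well-formed ciphertexts this
    gives Pr[D(C) = M] > 1-eps with eps = 1-delta."""
    lowest = min(pirate_keys)
    def D(ct):
        return ct[lowest - 1] if rng.random() < delta else rng.getrandbits(MSG_BITS)
    return D

def estimate_p(D, n, i, samples, rng):
    """Monte-Carlo estimate of p_i = Pr[D(hybrid_i(M)) = M]; D is queried
    afresh each time, which is what 'stateless' buys the tracer."""
    hits = 0
    for _ in range(samples):
        m = rng.getrandbits(MSG_BITS)
        hits += D(hybrid_ciphertext(n, i, m, rng)) == m
    return hits / samples

def trace(D, n, eps, samples=800, seed=1):
    """Returns (i, p): i is the index with the largest gap |p_{i+1} - p_i|
    if that gap reaches the (1-eps)/n bound from the slide, else None."""
    rng = random.Random(seed)
    p = [estimate_p(D, n, i, samples, rng) for i in range(1, n + 2)]  # p[k] = p_{k+1}
    gaps = [abs(p[k + 1] - p[k]) for k in range(n)]
    k = max(range(n), key=gaps.__getitem__)
    return (k + 1 if gaps[k] >= (1 - eps) / n else None), p

def demo(n=8, pirates=(3, 6), delta=0.85, seed=1):
    """Traces a decoder built from the given users; returns the accused user,
    whether the accusation is correct, and sanity checks on p_1 and p_{n+1}."""
    D = make_pirate_decoder(pirates, delta, random.Random(seed + 1))
    traced, p = trace(D, n, eps=1 - delta, seed=seed)
    return traced, traced in pirates, p[0] > delta - 0.05, p[-1] < 0.05
```

The slide's O(n²) samples per p_i is what makes the estimate accurate to (1-ε)/4n in general; the toy uses a fixed 800 because its p_i are far apart.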
Private Linear Broadcast Enc (PLBE)
• Setup(n): outputs private keys K1, …, Kn and public key PK.
• Encrypt(u, PK, M): encrypt M for users {u, u+1, …, n}; output ciphertext CT.
• Decrypt(CT, j, Kj, PK): if j ≥ u, output M
• Broadcast-Encrypt(PK, M) := Encrypt(1, PK, M)
• Note: slightly more complicated defs in [BSW'06]
Security definition
• Message hiding: given all private keys, Encrypt(n+1, M, PK) ≈_P Encrypt(n+1, M′, PK) (a ciphertext to index n+1 hides the message)
• Index hiding: for u = 1, …, n:
  • Challenger runs Setup(n), picks b ← {0,1}, sends PK, {Kj | j ≠ u}.
  • Attacker sends m; receives C* ← Enc(u+b, PK, m).
  • Attacker outputs b′ ∈ {0,1}.
Results
• Thm: Secure PLBE ⇒ Secure TT with same size CT and priv-keys (black-box and publicly traceable)
• New PLBE system: CT-size = O(√n); priv-key size = O(1); enc-time = O(n); dec-time = O(1)
√n × √n PLBE Construction: hints
• Arrange users in a √n × √n matrix
• Key for user (x,y): K_(x,y)
• CT: one tuple per row, one tuple per col. Size = O(√n)
• CT to position (i,j): user (x,y) can decrypt if (x > i) OR [(x = i) AND (y ≥ j)]
(Figure: n = 36 users; encrypt to position (4,3).)
Bilinear groups of order N = pq [BGN'05]
• G: group of order N = pq. (p, q) secret. Bilinear map e: G × G → GT
• G = Gp × Gq. g_p = g^q ∈ Gp; g_q = g^p ∈ Gq
• Facts: h ∈ G ⇒ h = (g_q)^a (g_p)^b
  e(g_p, g_q) = e(g^q, g^p) = e(g,g)^N = 1
  e(g_p, h) = e(g_p, g_p)^b !!
A √n-size PLBE
• Ciphertext: (C1, …, C√n, R1, …, R√n)
• User (x,y) must pair R_x and C_y to decrypt
(Figure: ciphertext rows labelled Well-formed, Malformed/Random, Zero.)
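Added check, not from the talk or [BGN'05], of the composite-order facts on the previous slide and of what this slide relies on them for: a G_q blinding factor on a ciphertext component is invisible to a key in G_p, which is what lets well-formed and malformed components coexist. Everything is done in the exponent model with constructed toy primes p, q; it verifies the algebra only, since with p and q public nothing is hidden.

```python
# Constructed toy check in the exponent model: G is cyclic of order N = p*q, an
# element g^x is represented by x mod N, and e(g^a, g^b) = e(g,g)^(ab) becomes
# a*b mod N. In the real scheme (p, q) is the secret; here it is public, so this
# verifies identities only and is not a cryptosystem.
P, Q = 1009, 1013          # toy primes (constructed)
N = P * Q

def g_p():                 # g_p = g^q generates the order-p subgroup G_p
    return Q % N

def g_q():                 # g_q = g^p generates the order-q subgroup G_q
    return P % N

def elem(a, b):
    """h = (g_q)^a * (g_p)^b  ->  exponent a*p + b*q mod N."""
    return (a * g_q() + b * g_p()) % N

def pair(x, y):
    """Exponent of e(g^x, g^y) in G_T."""
    return x * y % N

def cross_subgroup_pairing_is_trivial():
    """e(g_p, g_q) = e(g,g)^N = 1, i.e. exponent 0."""
    return pair(g_p(), g_q()) == 0

def gq_component_vanishes(a, b):
    """e(g_p, h) = e(g_p, g_p)^b: the G_q part of h (exponent a) drops out."""
    return pair(g_p(), elem(a, b)) == b * pair(g_p(), g_p()) % N

def blinding_is_invisible(c, r, key_exp):
    """A component g_p^c blinded by a random G_q factor g_q^r pairs with a key
    in G_p exactly like the unblinded g_p^c; a 'malformed' slot built this way
    is therefore indistinguishable to that key holder."""
    key = key_exp * g_p() % N
    return pair(key, elem(r, c)) == pair(key, elem(0, c))

def gq_key_sees_blinding(c, r, key_exp):
    """Contrast: a key with a G_q component does react to the blinding factor."""
    key = key_exp * g_q() % N
    return pair(key, elem(r, c)) != pair(key, elem(0, c))
```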
Trace and Revoke [BW06]
• What happens when catch traitor?
  • Torture?
  • Re-do system?
• Want Broadcast and Tracing simultaneously
• Trivial combination does not work
• BW06
  • Combined ideas
  • Bonus: Adaptive Security & Better Assumptions
T&R = A simple Combination?
(Figure: Encrypt splits M into the shares R and M-R, one sent through the B.E. system and the other through the T.T. system; Decrypt recovers both shares and recombines them into M.)
A simple Attack
• 2 colluders split duties
• Catch same one over and over (box still works)
(Figure: the B.E. share and the T.T. share of M are handled by different colluders.)
Our Approach (Intuition)
• Can't allow attackers to "separate" systems
• In general hard to combine
• BGW05 (Broadcast) and BSW06 (Traitor Tracing) both algebraic
• Multiply private keys together so can't separate
• Not so easy… needed different B.E. scheme
Summary (FCR)
• New results: [BGW'05, BSW'06, BW'06]
• Full collusion resistance:
  • B.E.: O(1) CT, O(1) priv-keys … but O(n) PK
  • T.T.: O(√n) CT, O(1) priv-keys.
  • T.R.: O(√n) CT, O(√n) priv-keys.
Open Problems (FCR)
• Broadcast:
  • Constant size everything (CT, pub/priv keys)
  • Same params with adaptive security
• Traitor Tracing:
  • Private linear B.E. with O(log n) CT.
  • Private B.E. from Linear Assumption
Pairings from the Outside
• Identity-based encryption [BF01]
• Efficient Selective-ID Secure IBE without Random Oracles [BB04a]
• Secure IBE without Random Oracles [BB04a]
• Efficient IBE without Random Oracles [W05]
• Practical IBE without Random Oracles [Gen06]
• A ID-Based Deniable Authentication Protocol on pairings
Organizing Contributions (My View)
• Identity-Based Encryption
• Signatures ??
• Slightly 2-Homomorphic
• NIZKs
• Broadcast and Tracing
IBE [BF01]
IBE: Public key encryption scheme where public key is an arbitrary string (ID).
• Examples: user's e-mail address
• Is regular PKI good enough? Alice does not access a PKI
(Figure: Bob tells the CA/PKG, which holds the master-key, "I am bob@stanford.edu" and receives his private key; email is encrypted using the public key "bob@stanford.edu". The authority is offline.)
Idea is Bigger
(Figure: a Capability Request to the offline CA/PKG holding the master-key returns a private "Capability"; "Structured" data is encrypted and opened with that capability.)
Private "Capability"
• Health Records: Weight = 125, Height = 5'4, Age = 46, Blood Pressure = 125, Partners = …
• Capability: If Weight/Height > 30 AND Age > 45, output Blood Pressure
• No analogous PKI solution
(Figure: CA/PKG holding the master-key; the authority is offline.)
IBE Class
• IBE [BF01, CHK04, BB04, W05, Gen06]
• HIBE [HL02, GS02]
• Searching on Enc. Data [BDOP04, BoyW06, BonW06]
• Attribute-Based Enc. [SW05, GPSW06]
Trend of Structured Encryptions
NIZKs
• Two GOS06 papers
• 3 points of interest:
  • Perfect hiding NIZK, ZAPs (theoretical)
  • Most efficient NIZK (but still bit by bit)
  • Speak bilinear maps "natively" (cool): build group sigs [BW06], other stuff
An Upcoming Wall?
• No 3-linear map
• Advanced IBE somewhat limited
• Traitor Tracing stuck at √n
• NIZKs kind of done
Some Inspiration
Composite Order Groups
Security Problems
1) Access control of content
  • Broadcast targeted to certain set
  • e.g. all paying subscribers
2) Identifying compromised insiders
  • Clones and distributes pirate decoders
  • Trace back to attacker
A Trivial Solution
• Small private key, large ciphertext.
• Every user j has unique private key dj.
  CT = { E_dj[M] | j ∈ S }
  |CT| = O(|S|), |priv| = O(1)