A Fully Collusion Resistant Broadcast, Trace and Revoke System
Dan Boneh, Stanford
Brent Waters, SRI International
Broadcast Systems
Distribute content to a large set of users
• Commercial Content Distribution
• File systems
• Military Grade GPS
• Multicast IP
Trace & Revoke: A Tale of Two Problems
• Broadcast Encryption: Encrypt messages M to a subset S of receivers
• Traitor Tracing: Trace the origin of pirate boxes
• Trace & Revoke: Trace pirate box, remove from set of receivers
• This talk: Overview of both, show challenges
• Light on mathematical details
Broadcast Encryption [FN’93]
• Encrypt to arbitrary subsets S.
• Collusion resistance: secure even if all users in S^c (the complement of S) collude.
[Figure: CT = E[M,S], with S ⊆ {1,…,n}; user keys d1, d2, d3]
A Trivial Solution
• Small private key, large ciphertext.
• Every user j has a unique private key d_j.
  CT = { E_{d_j}[M] | j ∈ S }
  |CT| = O(|S|), |priv| = O(1)
• Challenge: Get small ciphertext size
App: Encrypted File Systems
• Broadcast to small sets: |S| << n
• Best construction: trivial. |CT| = O(|S|), |priv| = O(1)
• Examples: EFS. MS Knowledge Base: EFS has a limit of 256KB in the file header for the EFS metadata. This limits the number of individual entries for file sharing to a maximum of 800 users.
[Figure: file header (< 256K) holding E_PKA[KF], E_PKB[KF], E_PKC[KF]; file body E_KF[F]]
Previous Solutions
• t-Collusion resistant schemes [FN’93…]
  • Resistant to t colluders
  • |CT| = O(t² log n), |priv| = O(t log n)
  • Attacker knows t
• Broadcast to large sets [NNL,HS,GST…]
  • |CT| = O(r), |priv| = O(log n)
  • Useful if small number of revoked players
Previous Solutions
• Fully-Collusion resistant (FCR) schemes [BGW’06]
  • Resistant to any # of colluders
  • |CT| = O(1), |priv| = O(1), |pub| = O(n)
  • Algebraically-based / Uses Bilinear Groups
  • Ciphertexts are multiplied security parameter
Apps: Sharing in Enc. File System
• Store PK on file system. n = 2^16, |PK| = 1.2MB
• File header: ([S], E[S,PK,KF])
• Sharing among “800” users:
  • 800·2 + 40 = 1640 bytes << 256KB
[Figure: Hdr = ([S], E[S,PK,KF]) followed by file body E_KF[F]; labels: S ⊆ {1,…,n}, 40 bytes]
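The trivial construction from the "A Trivial Solution" slide, next to the header-size arithmetic from the slide above, as an added example that is not code from the talk or from EFS. The HMAC-SHA256 pad is a stand-in for E_{d_j}[·], and the function names, 32-byte keys and 2-byte indices are assumptions.

```python
import hashlib
import hmac
import os

KEY_LEN = 32     # size of K_F and of each d_j (assumed)
NONCE_LEN = 16   # fresh per header

def _prf(d_j, label, data):
    return hmac.new(d_j, label + data, hashlib.sha256).digest()

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def encrypt_header(user_keys, S, k_f):
    """CT = { E_dj[K_F] | j in S }: one wrapped copy of K_F per recipient."""
    nonce = os.urandom(NONCE_LEN)
    entries = {}
    for j in sorted(S):
        idx = j.to_bytes(2, "big")            # 2-byte index, n <= 2^16
        wrapped = _xor(k_f, _prf(user_keys[j], b"wrap", nonce + idx))
        tag = _prf(user_keys[j], b"tag", nonce + idx + wrapped)
        entries[j] = wrapped + tag
    return nonce, entries

def decrypt_header(j, d_j, header):
    """Recover K_F from entry j; None if j is not in S or d_j is the wrong key."""
    nonce, entries = header
    if j not in entries:
        return None
    idx = j.to_bytes(2, "big")
    wrapped, tag = entries[j][:KEY_LEN], entries[j][KEY_LEN:]
    if not hmac.compare_digest(tag, _prf(d_j, b"tag", nonce + idx + wrapped)):
        return None
    return _xor(wrapped, _prf(d_j, b"wrap", nonce + idx))

def trivial_header_bytes(header):
    """|CT| = O(|S|): nonce plus (index + wrapped key + tag) per recipient."""
    nonce, entries = header
    return len(nonce) + sum(2 + len(e) for e in entries.values())

def fcr_header_bytes(set_size):
    # Figure quoted in the talk: 2 bytes per index in [S] plus 40 bytes.
    return 2 * set_size + 40

if __name__ == "__main__":
    keys = {j: os.urandom(KEY_LEN) for j in range(1000)}   # constructed users
    hdr = encrypt_header(keys, set(range(800)), os.urandom(KEY_LEN))
    print(trivial_header_bytes(hdr), "bytes vs", fcr_header_bytes(800))
```

Users outside S have no entry to open, and a non-member presenting a member's index fails the tag check, which is why the trivial scheme is collusion resistant at the cost of a header that grows with |S|.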
Tracing Pirate Devices [CFN’94]
• Attacker creates “pirated device”
• Want to trace origin of device
FAQ 1: “The Content can be Copied?”
• DRM: Impossibility Argument
• Protecting the service
• Goal: Stop attacker from creating devices that access the original broadcast
FAQ 2: Why black-box tracing? [BF’99]
• D: may contain unrecognized keys, is obfuscated, or tamper resistant.
• All we know: Pr[ M ←R G, C ←R Encrypt(PK, M) : D(C) = M ] > 1 -
[Figure: pirate device D containing keys K1, K2, K3 and obfuscated data]
Previous Solutions
• t-Collusion resistant schemes [CFN’93…]
  • Resistant to t colluders
  • Attacker knows t
• Fully-Collusion resistant schemes [BSW’06]
  • Resistant to any # of colluders
  • |CT| = O(n), |priv| = O(1)
  • Algebraically-based / Uses Bilinear Groups
Trace and Revoke (This Work)
• What happens when catch traitor?
  • Torture?
  • Re-do system?
• Want Broadcast and Tracing simultaneously
T&R = A simple Combination?
[Figure: Encrypt splits M into shares R and M-R, which are sent through B.E. and T.T.; Decrypt recombines R and M-R into M]
A simple Attack
• 2 colluders split duties
• Catch same one over and over (box still works)
[Figure: M split into R and M-R across B.E. and T.T., then recombined into M]
Our Approach (Intuition)
• Can’t allow attackers to “separate” systems
• In general hard to combine
• BGW05 (Broadcast) and BSW06 (Traitor Tracing) both algebraic
• Multiply private keys together so can’t separate
• Not so easy… needed different B.E. scheme
Summary
• FCR T.R.: O(n) CT, O(n) priv-keys.
• Public Key Tracing
  • Secure even if tracing key lost
• “Adaptive Security”
• Open: Better Parameters: