
Secure Broadcast Systems and Perspective on Pairings

Secure Broadcast Systems and Perspective on Pairings. Brent Waters Joint work with Dan Boneh, Craig Gentry, and Amit Sahai. Broadcast Systems. Distribute content to a large set of users. Commercial Content Distribution File systems Military Grade GPS Multicast IP.


Presentation Transcript


  1. Secure Broadcast Systems and Perspective on Pairings. Brent Waters. Joint work with Dan Boneh, Craig Gentry, and Amit Sahai

  2. Broadcast Systems Distribute content to a large set of users • Commercial Content Distribution • File systems • Military Grade GPS • Multicast IP

  3. Broadcast Encryption [FN'93] • Encrypt to arbitrary subsets S ⊆ {1,…,n}. • Collusion resistance: secure even if all users in S^c (everyone outside S) collude. (Figure: users holding private keys d1, d2, d3 all receive the same ciphertext CT = E[M,S].)

  4. App: Encrypted File Systems • Broadcast to small sets: |S| << n • Best construction: trivial. |CT| = O(|S|), |priv| = O(1) • Example: EFS. MS Knowledge Base: EFS has a limit of 256KB in the file header for the EFS metadata. This limits the number of individual entries for file sharing to a maximum of 800 users. (Figure: the file header, under 256K, holds one entry per sharing user, E_PKA[KF], E_PKB[KF], E_PKC[KF], i.e. the file key KF encrypted under each user's public key; the file body is E_KF[F].)

  5. Broadcast Encryption • Public-key BE system: • Setup(n): outputs private keys d1, …, dn and public key PK. • Encrypt(S, PK, M): encrypt M for users S ⊆ {1, …, n}; output ciphertext CT. • Decrypt(CT, S, j, dj, PK): if j ∈ S, output M. • Note: the broadcast contains ( [S], CT ), i.e. a description of S travels with the ciphertext.

  6. Previous Solutions • t-Collusion resistant schemes [FN'93…] • Resistant to t colluders • |CT| = O(t² log n), |priv| = O(t log n) • Attacker knows t • Broadcast to large sets [NNL, HS, GST…] • |CT| = O(r), |priv| = O(log n), where r is the number of revoked users • Useful if only a small number of players are revoked • Ciphertext sizes are multiplied by the security parameter

  7. Overview (figure: EFS, e-mail subscription services and DVDs placed along a scale of target-set size running from 0 to n)

  8. Broadcast Encryption Security • Semantic security when users collude (static adversary). Game between Challenger and Attacker: Attacker picks S ⊆ {1, …, n}; Challenger runs Setup(n) and sends PK together with { dj | j ∉ S }; Attacker sends m0, m1 ∈ G; Challenger picks b ← {0,1} and returns C* = Enc(S, PK, mb); Attacker outputs b' ∈ {0,1}. • Def: Alg. A ε-breaks BE sem. sec. if Pr[b = b'] > ½ + ε

  9. Bilinear Maps • G, G_T: finite cyclic groups of prime order p. • Def: An admissible bilinear map e: G × G → G_T is: • Bilinear: e(g^a, g^b) = e(g,g)^(ab) for all a, b ∈ Z, g ∈ G • Efficiently computable.

  10. Broadcast System [BGW'05] • Setup(n): g ← G, α, γ ← Z_p, g_k = g^(α^k). PK = ( g, g_1, g_2, …, g_n, g_(n+2), …, g_(2n), v = g^γ ) ∈ G^(2n+1) (note that g_(n+1) is not published). For u = 1, …, n set K_u = (g_u)^γ ∈ G. • Encrypt(S, PK, M): t ← Z_p, CT = ( g^t, (v · ∏_(j∈S) g_(n+1−j))^t, M · e(g_n, g_1)^t ) • Decrypt(CT, S, u, K_u, PK): CT = (C0, C1, C2). Fact: e( g_u, C1 ) / e( K_u · ∏_(j∈S, j≠u) g_(n+1−j+u), C0 ) = e(g_n, g_1)^t, which unblinds C2.

  11. Security Theorem • Thm: ∃ t-time alg. that ε-breaks static BE security in G ⇒ ∃ (roughly) t-time alg. that ε-solves bilinear n-DDHE in G. • Open problem: adaptive security with similar params. • New [BW'06]: adaptive security with O(√n)-size CT

  12. Apps: Sharing in Enc. File System (figure: file header Hdr = ([S], E[S,PK,KF]); file body E_KF[F]) • Store PK on file system. n = 2^16, |PK| = 1.2MB • File header: ([S], E[S,PK,KF]) • Sharing among "800" users: 800·2 + 40 = 1640 bytes << 256KB (S ⊆ {1, …, n} costs 2 bytes per user id; the ciphertext itself is 40 bytes) • Each user obtains priv-key d_uid ∈ G from admin. • Admin only stores γ ∈ Z_p (everything else needed to derive d_uid = (g_uid)^γ is in PK).

  13. Summary of Broadcast Enc. • New public-key broadcast encryption systems: • Full collusion resistance. Constant size priv key. • System 1: |CT| = O(1), |PK| = O(n) • System 2: |CT| = O(√n), |PK| = O(√n) • The description of the set, |S|, is now the dominant term

  14. Tracing Pirate Devices [CFN'94] • Attacker creates a "pirated device" • Want to trace the origin of the device

  15. T.T: a popular problem 32 papers from 49 authors

  16. FAQ-1 “The Content can be Copied?” • DRM- Impossibility Argument • Protecting the service • Goal: Stop attacker from creating devices that access the original broadcast

  17. FAQ 2: Why black-box tracing? [BF'99] • D may contain unrecognized keys, be obfuscated, or be tamper resistant. (Figure: a pirate decoder D holding keys K1, K2, K3 buried in obfuscated junk.) • All we know: Pr[ M ←R G, C ←R Encrypt(PK, M) : D(C) = M ] > 1 − ε

  18. Formally: Secure TT systems • (1) Semantically secure, and (2) Traceable. Tracing game between Challenger and Attacker: Attacker picks S ⊆ {1, …, n}; Challenger runs Setup(n) and sends PK, TK and { Kj | j ∈ S }; Attacker outputs a pirate decoder D; Challenger runs Trace^D(TK) and obtains i ∈ {1, …, n}. Adversary wins if: (1) Pr[D(C) = M] > 1 − ε, and (2) i ∉ S

  19. Brute Force System • Setup(n): generate n PKE pairs (PKi, Ki). Output private keys K1, …, Kn, PK ← (PK1, …, PKn), TK ← PK. • Encrypt(PK, M): C ← ( E_PK1(M), …, E_PKn(M) ) • Tracing: next slide. • This is the best known TT system secure under arbitrary collusion … until now

  20. Trace^D(PK): [BF99, NNL00, KY02] • For i = 1, …, n+1 define, for M ←R G: p_i := Pr[ D( E_PK1( ), …, E_PK(i−1)( ), E_PKi(M), …, E_PKn(M) ) = M ], i.e. the first i−1 slots no longer carry M. • Then: p_1 > 1 − ε ; p_(n+1) ≈ 0 • 1 − ε ≈ | p_(n+1) − p_1 | = | Σ_(i=1..n) (p_(i+1) − p_i) | ≤ Σ_(i=1..n) | p_(i+1) − p_i | ⇒ there exists i ∈ {1, …, n} s.t. | p_(i+1) − p_i | ≥ (1 − ε)/n. User i must be one of the pirates: without K_i the decoder could not tell the two ciphertext distributions apart.

  21. Security Theorem • Tracing algorithm computes estimates p̂_i with | p̂_i − p_i | < (1 − ε)/4n • Need O(n²) samples per p_i (D is stateless) • Cubic time tracing • Can be improved to quadratic in |S|. • Thm: underlying PKE system is semantically secure ⇒ no eff. adv. wins the tracing game with non-neg. adv.

  22. Abstracting the Idea [BSW'06]: Private Linear Broadcast Encryption (Private Linear B.E.). Properties needed: • For i = 1, …, n+1 need to encrypt M so that users 1, …, i−1 cannot decrypt and users i, …, n can decrypt. • Without K_i the adversary cannot distinguish Enc(i, PK, M) from Enc(i+1, PK, M)

  23. Private Linear Broadcast Enc (PLBE) • Setup(n): outputs private keys K1, …, Kn and public key PK. • Encrypt(u, PK, M): encrypt M for users {u, u+1, …, n}; output ciphertext CT. • Decrypt(CT, j, Kj, PK): if j ≥ u, output M • Broadcast-Encrypt(PK, M) := Encrypt(1, PK, M) • Note: slightly more complicated defs in [BSW'06]

  24. Security definition • Message hiding: even given all private keys, an encryption to index n+1 (which no user can open) hides the message: Encrypt( n+1, M, PK ) ≈ Encrypt( n+1, , PK ) • Index hiding: for u = 1, …, n, game between Challenger and Attacker: Challenger runs Setup(n) and sends PK together with { Kj | j ≠ u }; Attacker sends m; Challenger picks b ← {0,1} and returns C* ← Enc(u+b, PK, m); Attacker outputs b' ∈ {0,1}

  25. Results • Thm: Secure PLBE ⇒ Secure TT with the same size CT and priv-keys (black-box and publicly traceable) • New PLBE system: CT-size = O(√n); priv-key size = O(1); enc-time = O(√n); dec-time = O(1)

  26. √n PLBE Construction: hints • Arrange users in a √n × √n matrix • Key for user (x,y): K_(x,y) • CT: one tuple per row, one tuple per column; size = O(√n) • CT to position (i,j): user (x,y) can decrypt iff (x > i) OR [ (x = i) AND (y ≥ j) ] (figure: n = 36 users in a 6 × 6 grid, encrypting to position (4,3))

  27. Bilinear groups of order N = pq [BGN'05] • G: group of order N = pq, with (p, q) secret; bilinear map e: G × G → G_T • G = G_p × G_q. g_p = g^q ∈ G_p ; g_q = g^p ∈ G_q • Facts: h ∈ G ⇒ h = (g_q)^a · (g_p)^b ; e( g_p, g_q ) = e( g^q, g^p ) = e(g,g)^N = 1 ; e( g_p, h ) = e( g_p, g_p )^b !! (pairing with g_p erases the G_q component of h)

  28. A n size PLBE • Ciphertext: ( C1, …, Cn, R1, …, Rn) • User (x,y) must pair Rx and Cy to decrypt Well-formed Malformed/Random Zero

  29. Trace and Revoke [BW06] • What happens when we catch a traitor? • Torture? • Re-do the system? • Want Broadcast and Tracing simultaneously • Trivial combination does not work • BW06 • Combined ideas • Bonus: Adaptive Security & Better Assumptions

  30. Trace and Revoke

  31. T&R = a simple combination? (figure: Encrypt splits M into shares R and M − R; the B.E. system encrypts R and the T.T. system encrypts M − R; Decrypt recovers R and M − R and adds them to get M)

  32. A simple attack (figure: the same B.E./T.T. split, with the two halves held by different colluders) • 2 colluders split duties • Catch the same one over and over (box still works)

  33. Our Approach (Intuition) • Can’t allow attackers to “separate” systems • In general hard to combine • BGW05 (Broadcast) and BSW06(Traitor Tracing) both algebraic • Multiply private keys together so can’t separate • Not so easy… needed different B.E. scheme

  34. Summary • New results: [BGW'05, BSW'06, BW'06] • Full collusion resistance: • B.E: O(1) CT, O(1) priv-keys … but O(n) PK • T.T: O(√n) CT, O(1) priv-keys. • T.R.: O(√n) CT, O(√n) priv-keys.

  35. Open Problems • Broadcast: • Constant size everything (CT, pub/priv keys) • Same params with adaptive security • Traitor Tracing: • Private linear B.E. with O(log n) CT. • Private B.E. from the Linear Assumption

  36. Pairings from the Outside Identity-based encryption [BF01] • Efficient Selective-ID Secure IBE without Random Oracles [BB04a] • Secure IBE without Random Oracles [BB04a] • Efficient IBE without Random Oracles [W05] • Practical IBE without Random Oracles [Gen06] A ID-Based Deniable Authentication Protocol on pairings

  37. Organizing Contributions (My View) • Identity-Based Encryption • Signatures ?? • Slightly 2-Homomorphic • NIZKs • Broadcast and Tracing

  38. IBE [BF01]: public key encryption scheme where the public key is an arbitrary string (ID). • Examples: user's e-mail address (figure: mail to Bob is encrypted under the public key "bob@stanford.edu"; Bob proves "I am bob@stanford.edu" to the CA/PKG, which holds the master-key and can be offline, and receives the private key). Is regular PKI good enough? Alice does not access a PKI.

  39. The idea is bigger (figure: the sender encrypts "structured" data; the receiver makes a capability request to the CA/PKG, which holds the master-key and can be offline, and receives a private "capability")

  40. Private "Capability", example: health records (Weight = 125, Height = 5'4, Age = 46, Blood Pressure = 125, Partners = …); capability: if Weight/Height > 30 AND Age > 45, output Blood Pressure. No analogous PKI solution. (CA/PKG holds the master-key and stays offline.)

  41. IBE Class • IBE [BF01, CHK04, BB04, W05, Gen06] • HIBE[ HL02, GS02] • Searching on Enc. Data[BDOP04, BoyW06, BonW06] • Attribute-Based Enc. [SW05, GPSW06] Trend of Structured Encryptions

  42. NIZKs • Two GOS06 papers • 3 points of interest • Perfect Hiding NIZK, ZAPs (Theoretical) • Most Efficient NIZK (but still bit by bit) • Speak Bilinear Maps “Natively” (cool) Build GroupSigs[BW06], other stuff

  43. An Upcoming Wall? • No 3-linear map • Advanced IBE somewhat limited • Traitor Tracing stuck at √n • NIZKs kind of done

  44. Some Inspiration Composite Order Groups

  45. THE END

  46. Security Problems 1) Access control of content • Broadcast targeted to certain set • e.g. All paying subscribers 2) Identifying compromised insiders • Clones and distributes pirate decoders • Trace back to attacker

  47. A Trivial Solution • Small private key, large ciphertext. • Every user j has a unique private key dj. CT = { E_dj[M] | j ∈ S }, |CT| = O(|S|), |priv| = O(1)
