Fully Collusion Resistant Traitor Tracing with Short Ciphertexts and Private Keys
DESCRIPTION
Fully Collusion Resistant Traitor Tracing with Short Ciphertexts and Private Keys. Dan Boneh, Amit Sahai, and Brent Waters. Broadcast Systems. Distribute content to a large set of users. Commercial Content Distribution File systems Military Grade GPS Multicast IP.
TRANSCRIPT
1
Fully Collusion Resistant Traitor Tracing with Short Ciphertexts and Private Keys
Dan Boneh, Amit Sahai, and Brent Waters
2
Broadcast Systems
Distribute content to a large set of users
•Commercial Content Distribution
•File systems
•Military Grade GPS
•Multicast IP
3
Tracing Pirate Devices [CFN’94]
•Attacker creates “pirated device”
•Want to trace origin of device
4
FAQ 1: “The Content can be Copied?”
DRM: Impossibility Argument
Protecting the service
Goal: Stop attacker from creating devices that access the original broadcast
5
FAQ 2: Why black-box tracing? [BF’99]
D: may contain unrecognized keys, is obfuscated, or tamper resistant.
All we know:
Pr[ M G, C Encrypt (PK, M) : D(C)=M] > 1-
[Figure: device D holding keys K1, K2, K3 mixed with obfuscated data]
6
Formally: Secure TT systems
(1) Semantically secure, and (2) Traceable:
[Diagram: exchange between Challenger and Attacker]
Run Setup(n)
S {1, …, n }
PK, TK, { Kj | j S }
Pirate Decoder D
Adversary wins if: (1) Pr[D(C)=M] > 1-, and
(2) i S
TraceD( TK ) i {1,…,n}
7
Brute Force System
Setup (n): Generate n PKE pairs (PKi, Ki)
Output private keys K1 , …, Kn
PK (PK1, …, PKn) , TK PK .
Encrypt (PK, M): C ( EPK1(M), …, EPKn(M) )
Tracing: next slide.
This is the best known TT system secure under arbitrary collusion.
… until now
8
TraceD(PK): [BF99, NNL00, KY02]
For i = 1, …, n+1 define for M G :
pi := Pr[ D( EPK1(), …, EPKi-1(), EPKi(M), …, EPKn(M) ) = M ]
Then: p1 > 1- ; pn+1 0
1- = |pn+1 – p1 | = | pi+1 – pi | |pi+1 – pi |
Exists i{1,…,n} s.t. | pi+1 – pi | (1- )/n
User i must be one of the pirates.
i=1
n n
i=1
R
9
Security Theorem
Tracing algorithm estimates: | pi - pi | < (1-)/4n
Need O(n^2) samples per pi. (D – stateless)
Cubic time tracing.
• Can be improved to quadratic in |S| .
Thm: underlying PKE system is semantically secure
No eff. adv wins tracing game with non-neg adv.
10
Abstracting the Idea [BSW’06]
Properties needed:
For i = 1 ,… , n+1 need to encrypt M so:
Without Ki adversary cannot distinguish:
Enc(i, PK, M) from Enc(i+1, PK, M)
[Figure: users 1 … i-1 cannot decrypt; users i … n can decrypt. Labels: Linear Broadcast Encryption, Private B.E.]
11
Private Linear Broadcast Enc (PLBE)
•Setup(n): outputs private keys K1 , …, Kn and public-key PK.
•Encrypt( u, PK, M): Encrypt M for users {u, u+1, …, n}. Output ciphertext CT.
•Decrypt(CT, j, Kj, PK): If j ≥ u, output M
Broadcast-Encrypt(PK,M) := Encrypt( 1, PK, M)
Note: slightly more complicated defs in [BSW’06]
12
Security definition
Message hiding: given all private keys:
Encrypt( n+1 , M, PK) P
Encrypt( n+1 , , PK)
Index hiding: for u = 1, … , n :
[Diagram: exchange between Challenger and Attacker]
Run Setup(n)
PK, { Kj | j u }
m
b {0,1}
C* Enc( u+b, PK, m)
b’ {0,1}
13
Results
Thm: Secure PLBE Secure TT
Same size CT and priv-keys (black-box and publicly traceable)
New PLBE system:
CT-size = O(n) ; priv-key size = O(1)
enc-time = O(n) ; dec-time = O(1)
14
n PLBE Construction: hints
Arrange users in matrix
Key for user (x,y): Kx,y Rx Cy
CT: one tuple per row, one tuple per col. size = O(n)
CT to user (i,j): User (x,y) can dec. if
(x > i) OR [ (x=i) AND (y ≥ j) ]
n=36 users:
1 2 3 4 5 6
7 8 9 10 11 12
13 14 15 16 17 18
19 20 21 22 23 24
25 26 27 28 29 30
31 32 33 34 35 36
Encrypt to user (4,3)
15
Bilinear groups of order N=pq [BGN’05]
G: group of order N=pq. (p,q) – secret.
bilinear map: e: G G GT
G = Gp Gq . gp = g^q Gp ; gq = g^p Gq
Facts: h G h = (gq)^a (gp)^b
e( gp , gq ) = e(g^q , g^p) = e(g,g)^N = 1
e( gp , h ) = e( gp , gp)^b !!
16
A n size PLBE
Ciphertext: ( C1, …, Cn, R1, …, Rn )
User (x,y) must pair Rx and Cy to decrypt
Type | Gq | Gp
Rx: x < i
Rx: x = i
Rx: x > i
Cy: y < j
Cy: y ≥ j
Legend: Well-formed, Malformed/Random, Zero
Case | Result
x < i | No: Rx not well formed
x=i & y < j | No: Cy malformed in Gp
x=i & y ≥ j | Yes: both well formed
x > i | Yes: indep. of column
17
Summary and Open Problems
New results: [BGW’05, BSW’06, BW’06]
•Full collusion resistance:
• B.E: O(1) CT, O(1) priv-keys … but O(n) PK
• T.T: O(n) CT, O(1) priv-keys.
• T.R.: O(n) CT, O(n) priv-keys.
Open questions:
•Private linear B.E. with O(log n) CT.
•Private B.E. with short ciphertexts.
FCR
18
THE END
19
BGN encryption
Subgroup assumption: G p Gp
E(m) : r ZN , C g^m (gp)^r G
•Additive hom: E(m1+m2) = C1 C2 (gp)^r
•One mult hom: E(m1m2) = e(C1,C2) e(gp,gp)^r
20
Results
Thm: Secure PLBE Secure TT
Same size CT and priv-keys (black-box and publicly traceable)
New PLBE system:
CT-size = O(n) ; priv-key size = O(1)
enc-time = O(n) ; dec-time = O(1)
Applications:
•Tracing Traitors : O(n) CTs and O(1) keys.
•Adaptive BE. (need Augmented PLBE)
•Comparison searches on encrypted data.
21
T.T: a popular problem
O. Berkman, D. Boneh, H. Chabanne, B. Chor, Y. Desmedt, Y. Dodis, N. Fazio, A. Fiat, M. Franklin, E. Gafni, M. Goodrich, D. Halevy,
G. Hanaoka, D. Hieu-Phan, H. Imai, M. Kasahara, A. Kiayias, K. Kurosawa, J. Lotspiech, S. Mitsunari, M. Naor, D. Naor, M. Parnas, B. Pfitzmann, B. Pinkas,
D. Pointcheval, R. Safavi-Naini, A. Sahai, R. Sakai, J. Sgall, A. Shamir, J. Shaw, A. Silverberg, J. Staddon, D. Stinson, J. Sun, R. Tamassia,
G. Tardos, T. Tassa, V. To, M. Waidner, J. Walker, Y. Wang, Y. Watanabe, B. Waters, R. Wei, L. Yin, M. Yung, F. Zhang
32 papers from 49 authors
22
A Simple System
n users in system, each gets separate key
User i gets Ki
Encrypt message separately to each user – lump it
• (Use “hybrid encryption” and encrypt an AES key)
E(K1 , M) E(K2 , M) … E(Ki , M) … E(Kn , M)
23
Tracing
Let E’(i, M) => Encrypt R to 1,…,i-1 and M to i,…,n
E(K1 , R) E(K2 , R) … E(Ki-1 , R) E(Ki , M) … E(Kn , M)
Pi = prob. pirate device decrypts E’(i,M)
•Can learn Pi’s from probing the device
i | Pi
1 | 100 (Device works)
j | 100
j+1 | 35
n+1 | 0 (Everything Random)
User j is an attacker