Broadcast Encryption – an overview Niv Gilboa – BGU 1

Definition (FN93) 2 Broadcaster u1u1 unun u2u2 u3u3 M E(M) … Users: U={u 1,…,u n } R, users don’t get M, even with collusion. |R|=r S, users get M. |S|=n-r

Usage r Broadcast TV r Content distribution  Mobile content  DVD r Multi-user file systems 3

Pay TV r Beginnings  1980’s  Subscriptions instead of advertising  TV content costs money! r Threat: a subset of users in U distribute M to u’  R r [FN93] and all subsequent papers only consider users in R as a threat. 4

Straightforward Solution I 5 BroadcasterInitialization u1u1 unun u2u2 … u3u3 k1k1 k2k2 knkn k3k3 Private channels k1k1 k2k2 knkn k3k3 k 1, k 2, k 3, …,k n

Straightforward Solution II 6 BroadcasterBroadcast I: key u1u1 unun u2u2 … u3u3 Broadcast channel k1k1 k2k2 knkn k3k3 k 1, k 2, k 3, …,k n E ki 1 (key), E ki 2 (key), …,  i, i  S key Broadcast II: content E key (content)

Diverging concerns r Media distribution (practice)  Users in S can provide key / content to users in R r Broadcast encryption (theory)  Separation between key and content is not important and is obvious  Straightforward solution is trivial Message length – O(n-r) Storage – O(1) for user, O(n-r) for broadcaster (or O(1) + PRF) Revocation for free  Better solutions can be found 7

Beyond Cryptography r Media distribution to “secure devices”  Smart cards  Secure hardware of various types  Obfuscated code r The rest of the talk will focus on broadcast encryption 8

Limited collusion r The assumption is that only up to t users in R collude r Original [FN93] paper r Public key papers [CMN99], [NP00] r Reasonable assumption, but results are not better than fully collusion-resistant schemes 9

Logical Key Hierarchy [W97, WGL98] r Users are arranged in balanced binary tree r Each user is a leaf r Each node is associated with a key r Each user has log n keys on path from leaf to root r Users have dynamic state r Revocation of node x  Bottom up update  Encrypt node key with children keys: single key for parent of x, both keys for higher nodes 10

LKH (cont.) r Broadcast:  Encrypt message with root key r Complexity  Broadcast message length – O(1)  Storage – O(log n) for user, O(1) + PRF for broadcaster  Revocation – O(log n) time per user 11

User dynamic state 12 Dynamic stateStateless ConnectionAlways on / updates from broadcaster Connect when needed Revocation Revoke and forgetMaintain revocation ImplementationMore complexSimpler

Subset cover schemes r Several works: starting with [NNL01], improved in [HS02], [GST04] r Stateless schemes r B  2 U, a key k i is associated with every b i  B r User u has keys of every b such that u  b r Broadcast and revocation  Broadcaster finds {b 1,…,b m }  B, such that U i b i =S  Broadcaster sends E ki (M) for every i=1,…,m 13

Subset cover (cont.) r Message length – m r Storage – broadcaster |B|, user u stores number of sets b s.t. u  b r Example – same data structure as LKH  Message length – m=rlog(n/r)  Storage – broadcaster O(1)+PRF, user O(log n) r Better data structures shave the log n/r factor 14

Public keys r Advantage of public key systems:  Any user can encrypt messages  Sometimes that’s a disadvantage r Any symmetric key scheme can be turned into a private/public key scheme r Slight problem  In the simplest transformation the broadcaster key has to be large (O(n) or O(n-r)) r Bilinear maps to the rescue! HIBE [DF02] and others. 15

Example [LSW10] r Public key r Stateless r Revocation and broadcast in O(r) r Storage for broadcaster and user O(1) r Specific hardness assumptions! O(1) here is actually quite similar to O(log n) in previous solutions. 16

LSW10 (cont.) r Two groups G, G 1 of size p, e:GXG  G 1 s.t. e(g a,g b )=e(g,g) ab r Discrete log and variations of DDH are assumed to be hard in G and G 1 r General parameters: g, h  G, a, b  {0,…,p-1} r Public key: {g, g b, g b 2, h b, e(g,g) a r Private key: t  {0,…,p-1}, D 0 =g  g b 2 t, D 1 =(g bID h) t, D 2 =g -t 17

LSW10 (cont.) r Encryption: assume that R={1,…,r}  Choose random s and divide it into r shares s 1 +…+s r =s mod p  C’=e(g,g) ab M, C 0 =g s  For i=1,…,r, C i1 =g bs i, C i2 =(g b 2 ID i h b ) s i r Decryption: compute e(C 0, D 0 ) by YZ, where  Y=e(D 1,  i (C i1 ) 1/(ID-IDi) )  Z=e(D 2,  i (C i2 ) 1/(ID-IDi) ) 18

What’s still open? r Stateful?  A scheme with the same parameters as LSW is known [DGK12] by changing the state as part of the revocation r Very large r  We would like schemes that are flexible between r and n-r. An example is [BGW05], but the message size*public key~n r Closing the gap between theory and practice 19