1 A Fully Collusion Resistant Broadcast, Trace and Revoke System Brent Waters SRI International Dan Boneh Stanford

2 Broadcast Systems Distribute content to a large set of users Commercial Content Distribution File systems Military Grade GPS Multicast IP

3 Trace & Revoke: A Tale of Two Problems  Broadcast Encryption: Encrypt Messages M, to subset S of receivers  Traitor Tracing: Trace Orgin of Pirate boxes  Trace & Revoke: Trace pirate box, remove from set of receivers  This talk: Overview both, show challenges Light on mathematical details

4 Broadcast Encryption [FN’93]  Encrypt to arbitrary subsets S.  Collusion resistance: secure even if all users in S c collude. d1d1 d2d2 d3d3 S  {1,…,n} CT = E[M,S]

5 A Trivial Solution  Small private key, large ciphertext. Every user j has unique private key d j. CT = { E d j [M] | j  S } |CT| = O(|S|)|priv| = O(1)  Challenge: Get small ciphertext size

6 App : Encrypted File Systems  Broadcast to small sets: |S| << n  Best construction: trivial. | CT | =O(|S|), |priv| =O(1)  Examples: EFS. File F E K F [F] E PK A [K F ] E PK C [K F ] MS Knowledge Base: EFS has a limit of 256KB in the file header for the EFS metadata. This limits the number of individual entries for file sharing to a maximum of 800 users. Header < 256K E PK B [K F ]

7 Previous Solutions  t-Collusion resistant schemes [FN’93…] Resistant to t-colluders |CT| = O(t 2  log n) |priv| = O(t  log n) Attacker knows t  Broadcast to large sets [NNL,HS,GST…] |CT|= O(r) |priv|=O(log n) Useful if small number of revoked players

8 Previous Solutions  Fully-Collusion resistant schemes [BGW’06] Resistant to any # of colluders |CT| = O(1) |priv| = O(1) |pub| = O(n) Algebraically-based / Uses Bilinear Groups  Ciphertexts are multiplied security parameter   FCR

9 Apps: Sharing in Enc. File System  Store PK on file system. n=2 16  |PK|=1.2MB  File header: ( [S], E[S,PK,K F ] )  Sharing among “800” users: 800  = 1640 bytes << 256KB File F E K F [F] [S] E[S,PK,K F ] Hdr S  {1, …, n } 40 bytes

10 Tracing Pirate Devices [CFN’94] Attacker creates “pirated device” Want to trace origin of device

11 FAQ-1 “The Content can be Copied?”  DRM- Impossibility Argument  Protecting the service  Goal: Stop attacker from creating devices that access the original broadcast

12 FAQ 2-Why black-box tracing? [BF’99]  D: may contain unrecognized keys, is obfuscated, or tamper resistant.  All we know: Pr [ M  G, C  Encrypt (PK, M) : D(C)=M ] > 1-  K1K1 K3K3 K2K2 K$*JWN FD&RIJ$ D: RR

13 Previous Solutions  t-Collusion resistant schemes [CFN’93…] Resistant to t-colluders Attacker knows t  Fully-Collusion resistant schemes [BSW’06] Resistant to any # of colluders |CT| = O(  n) |priv| = O(1) Algebraically-based / Uses Bilinear Groups

14 Trace and Revoke (This Work)  What happens when catch traitor? Torture? Re-do system?  Want Broadcast and Tracing simultaneously

15 Trace and Revoke

16 T&R=A simple Combination? B.ET.T. M RM-R Encrypt Decrypt BETT RM-R M

17 A simple Attack B.ET.T. M RM-R BETT RM-R M  2 colluders split duties  Catch same one over and over (box still works)

18 Our Approach (Intuition)  Can’t allow attackers to “separate” systems In general hard to combine  BGW05 (Broadcast) and BSW06(Traitor Tracing) both algebraic  Multiply private keys together so can’t separate Not so easy… needed different B.E. scheme

19 Summary  T.R.: O(  n) CT,O(  n) priv-keys.  Public Key Tracing Secure even if tracing key lost  “Adaptive Security”  Open: Better Parameters:  FCR

20 THE END