1 Collusion Resistant Broadcast Encryption With Short Ciphertexts and Private Keys Dan Boneh, Craig Gentry, and Brent Waters.
1 Collusion Resistant Broadcast Encryption With Short Ciphertexts and Private Keys Dan Boneh, Craig Gentry, and Brent Waters

2 Broadcast Encryption [FN’93]
- Encrypt to arbitrary subsets $S \subseteq \{1, \dots, n\}$.
- Collusion resistance: secure even if all users in $S^c$ collude.
- (Figure: users holding private keys $d_1, d_2, d_3$; the broadcast ciphertext is $CT = E[M, S]$.)

3 Broadcast Encryption
- Public-key BE system:
  - Setup(n): outputs private keys $d_1, \dots, d_n$ and a public key PK.
  - Encrypt(S, PK, M): encrypts M for the users $S \subseteq \{1, \dots, n\}$; outputs ciphertext CT.
  - Decrypt(CT, S, j, $d_j$, PK): if $j \in S$, outputs M.
- Note: the broadcast contains ([S], CT).

4 Trivial Solutions
- Small private key, large ciphertext:
  - Every user j has a unique private key $d_j$.
  - $CT = \{ E_{d_j}[M] \mid j \in S \}$; $|CT| = O(|S|)$, $|priv| = O(1)$.
- Large private keys, small ciphertexts:
  - A unique key $K_S$ for every subset $S \subseteq \{1, \dots, n\}$.
  - User j's private key: $d_j = \{ K_S \mid j \in S \}$; $|CT| = O(1)$, $|priv| = O(2^n)$.

5 Outline
- Previous work
- Security definitions
- Overview of the scheme
- Applications
- Conclusions

6 Previous Solutions
- t-collusion resistant schemes [FN’93]:
  - Resistant to t colluders.
  - $|CT| = O(t^2 \cdot \log n)$, $|priv| = O(t \cdot \log n)$.
  - The attacker knows t.
- Broadcast to large sets [NNL, HS, GST]:
  - $|CT| = O(r)$, $|priv| = O(\log n)$, where r is the number of revoked players.
  - Useful if only a small number of players are revoked.

7 Summary

  Scheme                      |CT| size    Priv-key size   Public-key size
  Small sets: trivial         O(|S|)       O(1)
  Large sets: NNL, HS, GST    O(n-|S|)     O(log n)
  Any set (new): BGW ’05      O(1)         O(1)            ... but O(n)
  Any set (new): BGW ’05      O(√n)        O(1)            ... O(√n)

(Figure: an axis of set size |S| running from 0 to n, with EFS at the small-set end and DVDs / subscription services at the large-set end.)

8 Broadcast Encryption Security
- Semantic security when users collude (static adversary).
- Game between Challenger and Attacker:
  1. Attacker chooses $S \subseteq \{1, \dots, n\}$.
  2. Challenger runs Setup(n) and sends PK and $\{ d_j \mid j \notin S \}$.
  3. Attacker sends $m_0, m_1 \in G$.
  4. Challenger picks $b \leftarrow \{0, 1\}$ and sends $C^* = Enc(S, PK, m_b)$.
  5. Attacker outputs $b' \in \{0, 1\}$.
- Def: Alg. A $\epsilon$-breaks BE sem. sec. if $\Pr[b = b'] > 1/2 + \epsilon$.
- $(t, \epsilon)$-security: no t-time alg. can $\epsilon$-break BE sem. sec.

9 Bilinear Maps
- $G, G_T$: finite cyclic groups of prime order p.
- Def: an admissible bilinear map $e: G \times G \to G_T$ is:
  - Bilinear: $e(g^a, g^b) = e(g, g)^{ab}$ for all $a, b \in \mathbb{Z}$, $g \in G$.
  - Non-degenerate: g generates G $\Rightarrow$ $e(g, g)$ generates $G_T$.
  - Efficiently computable.

10 Broadcast System
- Setup(n): $g \leftarrow G$, $\alpha, \gamma \leftarrow \mathbb{Z}_p$, $g_k = g^{(\alpha^k)}$.
  - $PK = (g, g_1, g_2, \dots, g_n, g_{n+2}, \dots, g_{2n}, v = g^{\gamma}) \in G^{2n+1}$ (note that $g_{n+1}$ is not published).
  - For $k = 1, \dots, n$ set $d_k = (g_k)^{\gamma} \in G$.
- Encrypt(S, PK, M): $t \leftarrow \mathbb{Z}_p$,
  $CT = \left( g^t,\; \left(v \cdot \prod_{j \in S} g_{n+1-j}\right)^t,\; M \cdot e(g_n, g_1)^t \right)$.
- Decrypt(CT, S, k, $d_k$, PK): write $CT = (C_0, C_1, C_2)$.
  Fact: $\dfrac{e(g_k, C_1)}{e\left(d_k \cdot \prod_{j \in S,\, j \neq k} g_{n+1-j+k},\; C_0\right)} = e(g_n, g_1)^t$, so user $k \in S$ recovers the blinding factor of $C_2$.

11 Security Theorem
- Thm: $\exists$ a t-time alg. that $\epsilon$-breaks BE sem. sec. in G $\Rightarrow$ $\exists$ a $\tilde{t}$-time alg. that $\epsilon$-solves bilinear n-DDHE in G.

12 App: Encrypted File Systems
- Broadcast to small sets: $|S| \ll n$.
- Best construction: trivial. $|CT| = O(|S|)$, $|priv| = O(1)$.
- Example: EFS. (Figure: file F stored as $E_{K_F}[F]$ with a header holding $E_{PK_A}[K_F]$, $E_{PK_B}[K_F]$, $E_{PK_C}[K_F]$, ...; header < 256K.)
- MS Knowledge Base: "EFS has a limit of 256KB in the file header for the EFS metadata. This limits the number of individual entries for file sharing to a maximum of 800 users."

13 Apps: Sharing in Enc. File System
- Store PK on the file system. $n = 2^{16} \Rightarrow |PK| = 1.2\,\text{MB}$.
- File header: $([S],\; E[S, PK, K_F])$. (Figure: $E_{K_F}[F]$ with header $[S]$, $E[S, PK, K_F]$; the ciphertext part is 40 bytes.)
- Sharing among "800" users: $800 \times 2 + 40 = 1640$ bytes $\ll$ 256KB (two-byte indices for $n = 2^{16}$, plus the 40-byte ciphertext).
- Each user obtains private key $d_{uid} \in G$ from the admin. The admin only stores $\gamma \in \mathbb{Z}_p$.

14 Incremental file sharing
- File hdr: $\left([S],\; g^t,\; \left(v \cdot \prod_{j \in S} g_{n+1-j}\right)^t\right)$, i.e. $([S], C_0, C_1)$.
- To grant user u access to file F, the owner does: $C_1 \leftarrow C_1 \cdot (g_{n+1-u})^t$.
- File owner: instead of storing t for every file, derive $t \leftarrow PRF_{K_O}(Nonce_F)$.
- (Figure: file F stored as $E_{K_F}[F]$ with header $[S]$, $E[S, PK, K_F]$, $Nonce_F$.)

15 App: secure lists
- Set $n = 2^{16}$. Let $g_k = g^{(\alpha^k)}$.
- Suppose $(g, g_1, g_2, \dots, g_n, g_{n+2}, \dots, g_{2n})$ are global (1.2MB).
- Simple encrypted lists: List A: $PK_A = (v_A = g^{\gamma_A})$; List B: $PK_B = (v_B = g^{\gamma_B})$.
- When a new user joins List A:
  - Assign a new index $1 \le k \le 2^{16}$ and give the key $d_k = (g_k)^{\gamma_A}$.
  - Encrypt msgs to List A using B.E. for the current members.
- Much simpler than existing techniques (e.g. LKH).

16 Summary and Open Problems
- New public-key broadcast encryption systems: full collusion resistance, constant size private key.
  - System 1: $|CT| = O(1)$, $|PK| = O(n)$.
  - System 2: $|CT| = O(\sqrt{n})$, $|PK| = O(\sqrt{n})$.
- Open problems:
  - Reduce the public key size.
  - Weaker assumption.
  - Security against an adaptive adversary.
  - Tracing traitors with the same parameters.

17 Apps: Content Protection
- DVD content protection: $n = 2^{32}$, r = number of revoked players.
- No room for PK in the player: store ([S], CT, PK) on each DVD disk.
- Goal: minimize $|CT| + |PK|$ $\Rightarrow$ use the $\sqrt{n}$ system.
- Using the $\sqrt{n}$ system: $|PK| = O(\sqrt{n})$, $|CT| = O(\sqrt{n})$:
  $|DVD\text{-}hdr| = |PK| + |CT| + |[S]| = 5\,\text{MB} + (4 \cdot r\ \text{bytes})$ (the 5MB is $4 \cdot 2^{16}$ group elements).
- NNL-type: $|DVD\text{-}hdr| = |CT| + |[S]| = (36 \cdot r\ \text{bytes})$.

18 App: Content Protection
- DVD content protection: $n = 2^{32}$.
  - DVD player i ships with private key $d_i$.
  - DVD disks are encrypted to the unrevoked players.
- Broadcast to large sets: $|S| = n - r$ where $r \ll n$.
- (Figure: players holding $d_1, d_2, d_3, d_4$.)