Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science. Broadcast Encryption, Amos Fiat & Moni Naor. Presented.

Presentation transcript:

Broadcast Encryption
Amos Fiat & Moni Naor
Presented By Gayathri VS

Slide 2: Outline
• The Problem
• Zero Message Schemes
• Basic Scheme
• 1-resilient Scheme based on 1-way function
• 1-resilient Scheme based on number-theory
• Low-Memory k-resilient schemes

Slide 3: The Problem
• The system consists of a broadcasting center and a set U of n users.
• Keys are distributed to users upon joining the system.
• The center must securely transmit data to a randomly changing privileged subset of users out of the set S.
• Any coalition of k users from the universe who are not part of the privileged set should not be able to decrypt the message (the scheme is k-resilient).

Slide 4: Notations
• U is the universe consisting of n users
• P is the privileged subset
• S is any subset trying to learn the secret ($S \cap P = \emptyset$)
• |S| is the size of subset S
• $K_S$ is the key common to subset S

Slide 5: Security Definitions
• A scheme is resilient if, for every subset S with $S \cap P = \emptyset$ (where $P \subset U$ is the privileged set), S cannot learn the secret common to P.
• A scheme is k-resilient if this holds for every such S with $|S| \le k$.
• A scheme is (k,p) random resilient if any randomly selected subset is k-resilient with probability (1-p).

Slide 6: Obvious Solution
• Solution 1:

Slide 7: Obvious Solution
• Solution 2:

Slide 8: Obvious Solutions – Performance
• Solution 1: Each user is assigned a unique key. 1 key per user and O(n) messages.
• Solution 2: Each subset gets a unique key. $2^{n-1}$ keys per user and O(1) message.
• For any arbitrary subset, we have two choices for each of $x_2, \dots, x_n$ (each may or may not be present in that subset). Total number of subsets which contain $x_1$: $2 \cdots 2 = 2^{n-1}$.

Slide 9: Problem Statement.. Revisited
The goal is to optimize:
a) the number of transmissions sent by the center to create the common secret
b) the number of keys each user stores
c) the computational effort in retrieving the common key by the members of the privileged class.

Slide 10: Outline
• The Problem
• Zero Message Schemes (Low-resiliency)
• Basic Scheme (Assumption Free)
• 1-resilient Scheme based on 1-way function
• 1-resilient Scheme based on number-theory
• Low-Memory k-resilient schemes

Slide 11: Zero Message Schemes
• Knowing which users are in the privileged set T, all users can compute the common key to decrypt the message sent by the center.
• The privileged set can be identified by sending a relatively short transmission. This is the 'set identification transmission' (different from the broadcast encryption transmission).

Slide 12: BASIC SCHEME
• For every set $S \subset U$ where $0 \le |S| \le k$, assign a key $K_S$.
• Distribute $K_S$ to all users $x \in U - S$.
Example: U = {a, b, c}. Here n = 3. Let k be 2.
KEY DISTRIBUTION:
S = {a, b, c, {a,b}, {a,c}, {b,c}}
$K_S$ = {$K_a$, $K_b$, $K_c$, $K_{ab}$, $K_{ac}$, $K_{bc}$}
User a has $K_b$, $K_c$, $K_{bc}$
User b has $K_a$, $K_c$, $K_{ac}$
User c has $K_a$, $K_b$, $K_{ab}$

Slide 13
• ENCRYPTION: The common key to the privileged set P is simply the exclusive or of all keys $K_S$ where $S \subset U - P$.
• If P = {a, b} then K = XOR of $K_S$ where $S \subset U - P$. Here S is c, so $K = K_c$.
• RESILIENCY: Every possible set $S \subset U - P$ with $0 \le |S| \le k$ will miss the key $K_S$ and cannot decrypt the message sent by the center.
• NUMBER OF MESSAGES, KEYS: Number of keys per user: $\sum_{i=0}^{k} \binom{n}{i}$
• For the above scheme to be 1-resilient each user should store (n+1) keys.
• For the above scheme to be n-resilient each user should store $2^{n-1}$ keys.

Slide 14: 1-resilient scheme based on one-way function
• The O(n) keys of the previous scheme can be reduced to keys if the keys are pseudo-randomly generated.
• Let $f: \{0,1\}^l \to \{0,1\}^{2l}$ be a pseudo-random generator (the length of the output of f is twice the length of the input).
• Users are at the leaves of a balanced binary tree.
• The root is labeled with the common seed from the set $\{0,1\}^l$.

Slide 15
• Apply the pseudo-random generator to the root label. Assign the left half (first bits) to be the label of the left subtree, while the right half (last bits) is the label of the right subtree.
• User x should get all leaf labels except his own. To achieve this, we remove the path from x to the root; what remains is a forest with log n labels at its roots, and these labels are given to x.
• Every $x \in U$ can use the $\lceil \log n \rceil$ values that he got to generate all leaf labels except his own.
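The tree construction above as runnable code: the center hands user x the labels of the siblings along x's path, and x expands them into every leaf label but his own. This is an added example, not part of the original slides; SHA-256 stands in for the length-doubling generator f, the function names are assumptions, and the common key is formed with the basic scheme's XOR rule for a privileged set that is a proper subset of U.

```python
import hashlib

L = 16  # label length in bytes, so f maps 16 bytes to 32 bytes

def prg(label):
    """Length-doubling f; SHA-256 is a stand-in chosen for this example."""
    out = hashlib.sha256(b"expand" + label).digest()
    return out[:L], out[L:]          # (left child label, right child label)

def leaf_labels(label, depth):
    """All leaf labels under a node, left to right."""
    if depth == 0:
        return [label]
    left, right = prg(label)
    return leaf_labels(left, depth - 1) + leaf_labels(right, depth - 1)

def user_material(seed, depth, x):
    """Center: sibling labels along the root-to-leaf path of user x."""
    held, label = [], seed
    for level in range(1, depth + 1):
        left, right = prg(label)
        ancestor = x >> (depth - level)       # index of x's ancestor here
        own, sibling = (right, left) if ancestor & 1 else (left, right)
        held.append((level, ancestor ^ 1, sibling))
        label = own                           # never handed to the user
    return held

def derive_leaves(held, depth):
    """User: expand each stored sibling label into the leaves below it."""
    leaves = {}
    for level, index, label in held:
        span = depth - level
        for offset, leaf in enumerate(leaf_labels(label, span)):
            leaves[(index << span) + offset] = leaf
    return leaves

def common_key(leaves, n, privileged):
    """XOR of the leaf labels of all users outside P; None if one is missing."""
    key = bytes(L)
    for y in range(n):
        if y not in privileged:
            if y not in leaves:
                return None
            key = bytes(a ^ b for a, b in zip(key, leaves[y]))
    return key

if __name__ == "__main__":
    seed, depth = bytes(range(L)), 3          # constructed seed, n = 8 users
    mine = derive_leaves(user_material(seed, depth, 5), depth)
    print("user 5 stores", depth, "labels and derives leaves", sorted(mine))
```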

Slide 17: A 1-resilient scheme based on Computational Number Theoretic Assumptions
• The center chooses a random hard-to-factor composite $N = P \cdot Q$ where P and Q are primes.
• It also chooses a secret value g of high index.
• Each user $i \in U$ is assigned $g_i = g^{p_i}$, with $\gcd(p_i, p_j) = 1$ for $i \ne j$.
• The common key for a privileged set $P \subset U$ is $g_T = g^{P_T} \bmod N$ where $P_T = \prod_{i \in P} p_i$.
• Each user $i \in P$ can compute $g_T$ as $g_i^{X} \bmod N$ where $X = \prod_{j \in P - \{i\}} p_j$.
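The number-theoretic scheme above with toy numbers, showing that every member of the privileged set reaches the same key and why the scheme is rated only 1-resilient: two users pooling their values can recombine them with Bezout coefficients to obtain g. This is an added example, not part of the original slides; the modulus, g, the user names and the primes are constructed, and the p_i are treated as known to all users because each member needs the other members' p_j.

```python
from math import gcd, prod

# Constructed toy parameters; a real modulus would be thousands of bits.
N = 1009 * 1013
G = 5                                   # the center's secret value g
USER_PRIMES = {"u1": 5, "u2": 13, "u3": 17, "u4": 19, "u5": 29}

def issue_keys():
    """Center: user i stores the single value g_i = g^{p_i} mod N."""
    return {u: pow(G, p, N) for u, p in USER_PRIMES.items()}

def center_key(privileged):
    """g_T = g^{P_T} mod N with P_T the product of the members' p_i."""
    return pow(G, prod(USER_PRIMES[u] for u in privileged), N)

def member_key(user, g_user, privileged):
    """Member i raises g_i to the product of the other members' p_j."""
    x = prod(USER_PRIMES[u] for u in privileged if u != user)
    return pow(g_user, x, N)

def bezout(a, b):
    """Return (s, t) with s*a + t*b == gcd(a, b)."""
    s0, s1, t0, t1 = 1, 0, 0, 1
    while b:
        q = a // b
        a, b = b, a - q * b
        s0, s1 = s1, s0 - q * s1
        t0, t1 = t1, t0 - q * t1
    return s0, t0

def pooled_g(u, v, keys):
    """Two users together: g = g_u^s * g_v^t mod N since s*p_u + t*p_v = 1."""
    s, t = bezout(USER_PRIMES[u], USER_PRIMES[v])
    # Negative exponents use the modular inverse (Python 3.8+).
    return pow(keys[u], s, N) * pow(keys[v], t, N) % N

if __name__ == "__main__":
    keys = issue_keys()
    privileged = ["u1", "u3", "u4"]
    print("center:", center_key(privileged))
    for u in privileged:
        print(u, "   :", member_key(u, keys[u], privileged))
    print("u2 and u5 pooled recover g =", pooled_g("u2", "u5", keys))
```

A single outsider holding only g^{p_j} would have to extract a p_j-th root modulo N to reach g, which is the hardness assumption the scheme rests on.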

Slide 18

| SCHEME | NO OF KEYS/USER | MESSAGE LENGTH | RESILIENCY | ASSUMPTION |
|---|---|---|---|---|
| TRIVIAL SOLUTION-1 | 1 | O(n) | any | Nothing |
| TRIVIAL SOLUTION-2 | $2^{n-1}$ | 1 | any | Nothing |
| BASIC SCHEME | $\sum_{k} \binom{n}{k}$ | 1 | k | Nothing |
| BASIC SCHEME (k=1) | O(n) | 1 | 1 | Nothing |
| BASIC SCHEME (k=n-1) | $O(2^n)$ | 1 | n | Nothing |
| 1-resilient using PRG | Ceil(log n) | 1 | 1 | One-way functions and hence PRG exist |
| 1-resilient using number theory | 1 | 1 | 1 | Root extraction is hard |

Slide 19: Outline
• The Problem
• Zero Message Schemes (Low-resiliency)
• Basic Scheme (Assumption Free)
• 1-resilient Scheme based on 1-way function
• 1-resilient Scheme based on number-theory
• Low-Memory k-resilient schemes
• One Level Schemes
• Multi Level Schemes

Slide 20: Low-Memory k-Resilient Schemes
• The zero-message 1-resilient schemes require, for k > 1, memory which is exponential in k.
• Low-memory k-resilient schemes can be built from 1-resilient schemes.
• Let w denote the number of keys that a user is required to store in the 1-resilient scheme: w = n+1 if no cryptographic assumptions are made, w = ceil(log n) if we assume that one-way functions exist, and w = 1 if we assume that it is hard to extract roots modulo a composite.
• The efficiency of a scheme is measured by how many w's it requires.

Slide 21: One Level Scheme
1. $f_1, f_2, \dots, f_l$ is a family of functions $f_i : U \to \{1, \dots, m\}$, $1 \le i \le l$.
2. For every group $S \subset U$ with $|S| = k$ there exists some function $f_i$ that is 1-1 on S: for all distinct x, y in S, $f_i(x) \ne f_i(y)$.
$\{f_i\}$ contains a perfect hash function for every subset of size k in U when mapped to the range {1, 2, .., m}.

Slide 22: One Level Scheme – Key Distribution

| | User 1 | User 2 | User n |
|---|---|---|---|
| 1 | $R(1, f_1(1))$ | $R(1, f_1(2))$ | $R(1, f_1(n))$ |
| 2 | $R(2, f_2(1))$ | $R(2, f_2(2))$ | $R(2, f_2(n))$ |
| l | $R(l, f_l(1))$ | $R(l, f_l(2))$ | $R(l, f_l(n))$ |

1. $\{R(i, j)\}$, $1 \le i \le l$, $1 \le j \le m$, are independent 1-resilient schemes.
2. Each user $x \in U$ gets the keys associated with the schemes $R(i, f_i(x))$, $1 \le i \le l$.

Slide 23: One Level Schemes – Encryption and Decryption
1. To transmit M to $T \subset U$, the center breaks M into l random shares such that $M = M_1 \oplus M_2 \oplus \dots \oplus M_l$.
2. For $1 \le i \le l$ the center transmits $M_i$ in m distinct messages using $R(i, j)$, j = 1, 2, .., m, where $j = f_i(x)$ for all x in P.
3. Every $x \in T$ may recover $M_i$, $1 \le i \le l$, from $R(i, j)$ where $j = f_i(x)$, and then add them up to get M.
If x1 is part of P, it recovers:
$M_1$ from $R(1, f_1(x1))$
$M_2$ from $R(2, f_2(x1))$
…
$M_l$ from $R(l, f_l(x1))$

Slide 24: One Level Scheme - Storage
[Figure: the key-distribution table of the one level scheme, with share $M_1$ shown against $R(1, f_1(1))$, $R(1, f_1(2))$; share $M_2$ against $R(2, f_2(1))$, $R(2, f_2(2))$; and share $M_l$ against $R(l, f_l(1))$, $R(l, f_l(2))$.]
Storage per user: l times that of the 1-resilient scheme.
Length of transmission: l · m messages

Slide 25: One Level Scheme - Resiliency
Claim: The scheme is k-resilient.
• Let S be a coalition of size $|S| \le k$.
• There exists $f_i$ that is 1-1 on S.
• $M_i$ is the message transmitted using $f_i$. $M_i$ is delivered in m independent transmissions.
• For each j there can be at most one $x \in S$ with $f_i(x) = j$, that is, at most one coalition member who has the keys of that scheme.
• However, $R(i, j)$ is 1-resilient, and hence that single user cannot recover $M_i$ and hence M.

Slide 26: One Level Scheme – Idea
• Use a perfect family of hash functions.
• Send a "share" of the secret M corresponding to each hash function.
• Each share is broadcast with different encryptions.
• The privileged users can decrypt these messages, and any colluding set of at most k users is missing at least one of the shares.
• No information about M is revealed if even one of the shares is missing.

Slide 27: Setting Parameters
• Set $m = 2k^2$, $l = k \log n$.
• Theorem: There exists a k-resilient scheme that requires the users to store $O(k \log n \cdot w)$ keys and the center to broadcast $O(k^3 \log n)$ messages. The scheme may be constructed at random with arbitrarily high probability.
• Probability that a random $f_i$ is not 1-1 on S is $\binom{k}{2} \cdot 2^{m-1} / 2^{m} = \binom{k}{2} \cdot \frac{1}{m} = \frac{k(k-1)}{2m} = \frac{1}{4} - \frac{1}{4k} \le \frac{1}{4}$
• Given the family of functions $f_1, f_2, \dots, f_l$: Prob(no $f_i$ is 1-1 on S) $= 1/4^{l} = 1/2^{2l} = 1/n^{2k}$ (since $l = k \log n$; $2l = 2k \log n$; $2l = \log n^{2k}$; $n^{2k} = 2^{2l}$)
• Prob(some $f_i$ is 1-1 on S) $= 1 - n^{-2k}$
• Prob(there exists $f_i$ that is 1-1 on all S of size k) $\ge (1 - n^{-2k})^{t}$, where $t = \binom{n}{k}$, $\ge 1 - n^{-k}$

Slide 28: Setting Parameters
• A scheme is (k,p) random resilient if any randomly selected subset is k-resilient with probability (1-p).
• P(for all subsets S of size k, there exists $f_i$ that is 1-1 on S) $\ge 1 - p$
• For (k,p) random resiliency substitute $l = \log(1/p)$.
• Theorem: A (k,p)-resilient scheme requires the users to store $O(\log(1/p) \cdot w)$ keys and the center should broadcast $O(k^2 \log(1/p))$ messages.
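The one level construction and its parameter choice, checked exhaustively on a small universe: a random family with m = 2k² and l = k log n is tested for the 1-1 property on every coalition, and the message is split into l XOR shares. This is an added example, not part of the original slides; the function names, the base-2 logarithm rounded up, the fixed seed and the sample message are assumptions, and the 1-resilient schemes R(i, j) are modelled only by the rule from the resiliency claim (share i stays hidden from a coalition when f_i is 1-1 on it).

```python
import math
import random
import secrets
from itertools import combinations

def parameters(n, k):
    """m = 2k^2 and l = k log n as set on the slide (log base 2, rounded up)."""
    return 2 * k * k, k * math.ceil(math.log2(n))

def random_family(n, m, l, rng):
    """l public functions f_i: U -> {0..m-1}, stored as lookup tables."""
    return [[rng.randrange(m) for _ in range(n)] for _ in range(l)]

def one_to_one(f, subset):
    return len({f[x] for x in subset}) == len(subset)

def is_perfect(family, n, k):
    """True if every k-subset of U has some f_i that is 1-1 on it."""
    return all(any(one_to_one(f, s) for f in family)
               for s in combinations(range(n), k))

def hidden_shares(family, coalition):
    """Indices i with f_i 1-1 on the coalition: each R(i, j) then faces at
    most one colluder, so the 1-resilient schemes keep share M_i secret."""
    return [i for i, f in enumerate(family) if one_to_one(f, coalition)]

def split(message, l):
    """M = M_1 xor ... xor M_l with l - 1 uniformly random shares."""
    shares = [secrets.token_bytes(len(message)) for _ in range(l - 1)]
    last = message
    for s in shares:
        last = bytes(a ^ b for a, b in zip(last, s))
    return shares + [last]

def combine(shares):
    out = bytes(len(shares[0]))
    for s in shares:
        out = bytes(a ^ b for a, b in zip(out, s))
    return out

if __name__ == "__main__":
    n, k = 16, 3
    m, l = parameters(n, k)
    # The hash family is public, so a seeded non-cryptographic RNG is fine.
    family = random_family(n, m, l, random.Random(2011))
    print(f"m={m} l={l} perfect on all {k}-subsets:", is_perfect(family, n, k))
    print("shares hidden from coalition (2, 7, 11):", hidden_shares(family, (2, 7, 11)))
    print("recombined:", combine(split(b"constructed session key", l)))
```

If `is_perfect` returns False for a sampled family, the center draws a new one; the slide's bound says this happens with probability at most n^{-k}.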

Slide 29: Multi Level Schemes
• Multi-level schemes, like the one-level ones, convert 1-resilient schemes to k-resilient ones.
• The "multi-levelness" comes through the R(i, j)s, which are sets of 1-resilient schemes.
• They decrease the length of transmission at the expense of more storage at the user.

Slide 30: Multi-Level Scheme Key Distribution
User 1 holds:
$R(1, f_1(1), 1)$, $R(1, f_1(1), 2)$, …, $R(1, f_1(1), w)$
$R(2, f_2(1), 1)$, $R(2, f_2(1), 2)$, …, $R(2, f_2(1), w)$
$R(l, f_l(1), 1)$, $R(l, f_l(1), 2)$, …, $R(l, f_l(1), w)$
• For every subset S of size k, there exists some $1 \le i \le l$ such that for all j there exists some w such that $R(i, j, w)$ is resilient to the set {x in S : $f_i(x) = j$}.
• Every user x in U, for every $1 \le i \le l$ and for every $1 \le r \le w$, receives the keys associated with the scheme $R(i, f_i(x), r)$.

Slide 31: Multi Level Scheme – Encryption and Decryption
1. To transmit M to $T \subset U$, the center breaks M randomly into l shares, such that $M = M_1 \oplus M_2 \oplus \dots \oplus M_l$.
2. Each $M_i$ is broken into w shares for each j: $M_1^{(i,j)}, M_2^{(i,j)}, \dots, M_w^{(i,j)}$.
3. For $1 \le i \le l$ and $1 \le r \le w$, $M_r^{(i,j)}$ is broadcast to the privileged subset $\{x \in T : f_i(x) = j\}$.
4. For any subset S of size k, by assumption there is an i such that, for all j, some scheme w in that i is resilient to the x in S with $f_i(x) = j$.
Storage per user: l · w times that of the 1-resilient scheme.
Length of transmission: l · m · w times that of the 1-resilient scheme.

Slide 32
• Set $L = 2k \log n$, $m = k / \log k$, $w = \log k + 1$, $t = 2e \log k$.
• There exists a k-resilient scheme that requires each user to store $O(k \log k \log n \cdot w)$ keys and the center to broadcast $O(k^2 \log^2 k \log n)$ messages. Moreover, the scheme can be constructed effectively with high probability.
• There exists a (k,p) random-resilient scheme with the property that the number of keys each user should store is $O(\log k \log(1/p) \cdot w)$ and the center should broadcast $O(k \log^2 k \log(1/p))$ messages. Moreover, the scheme can be constructed effectively with high probability.

Slide 33

| SCHEME | NO OF KEYS/USER | MESSAGE LENGTH | RESILIENCY | ASSUMPTION |
|---|---|---|---|---|
| BASIC SCHEME | $\sum_{k} \binom{n}{k}$ | 1 | k | Nothing |
| 1-resilient using PRG | Ceil(log n) | 1 | 1 | One-way functions and hence PRG exist |
| 1-resilient using number theory | 1 | 1 | 1 | Root extraction is hard |
| One Level Scheme | $O(k \log n \cdot w)$ | $O(k^3 \log n)$ | k | |
| 1-Level (k,p) | $O(\log(1/p) \cdot w)$ | $O(k^2 \log(1/p))$ | k | |
| Multi-Level | $O(k \log k \log n \cdot w)$ | $O(k^2 \log^2 k \log n)$ | k | |

Slide 34
Thank You !