Presentation is loading. Please wait.

Presentation is loading. Please wait.

Broadcast Encryption – an overview Niv Gilboa – BGU 1.

Published byNya McCracken Modified over 9 years ago

Similar presentations

Presentation on theme: "Broadcast Encryption – an overview Niv Gilboa – BGU 1."— Presentation transcript:

1 Broadcast Encryption – an overview Niv Gilboa – BGU 1

2 Definition (FN93) 2 Broadcaster u1u1 unun u2u2 u3u3 M E(M) … Users: U={u 1,…,u n } R, users don’t get M, even with collusion. |R|=r S, users get M. |S|=n-r

3 Usage r Broadcast TV r Content distribution  Mobile content  DVD r Multi-user file systems 3

4 Pay TV r Beginnings  1980’s  Subscriptions instead of advertising  TV content costs money! r Threat: a subset of users in U distribute M to u’  R r [FN93] and all subsequent papers only consider users in R as a threat. 4

5 Straightforward Solution I 5 BroadcasterInitialization u1u1 unun u2u2 … u3u3 k1k1 k2k2 knkn k3k3 Private channels k1k1 k2k2 knkn k3k3 k 1, k 2, k 3, …,k n

6 Straightforward Solution II 6 BroadcasterBroadcast I: key u1u1 unun u2u2 … u3u3 Broadcast channel k1k1 k2k2 knkn k3k3 k 1, k 2, k 3, …,k n E ki 1 (key), E ki 2 (key), …,  i, i  S key Broadcast II: content E key (content)

7 Diverging concerns r Media distribution (practice)  Users in S can provide key / content to users in R r Broadcast encryption (theory)  Separation between key and content is not important and is obvious  Straightforward solution is trivial Message length – O(n-r) Storage – O(1) for user, O(n-r) for broadcaster (or O(1) + PRF) Revocation for free  Better solutions can be found 7

8 Beyond Cryptography r Media distribution to “secure devices”  Smart cards  Secure hardware of various types  Obfuscated code r The rest of the talk will focus on broadcast encryption 8

9 Limited collusion r The assumption is that only up to t users in R collude r Original [FN93] paper r Public key papers [CMN99], [NP00] r Reasonable assumption, but results are not better than fully collusion-resistant schemes 9

10 Logical Key Hierarchy [W97, WGL98] r Users are arranged in balanced binary tree r Each user is a leaf r Each node is associated with a key r Each user has log n keys on path from leaf to root r Users have dynamic state r Revocation of node x  Bottom up update  Encrypt node key with children keys: single key for parent of x, both keys for higher nodes 10

11 LKH (cont.) r Broadcast:  Encrypt message with root key r Complexity  Broadcast message length – O(1)  Storage – O(log n) for user, O(1) + PRF for broadcaster  Revocation – O(log n) time per user 11

12 User dynamic state 12 Dynamic stateStateless ConnectionAlways on / updates from broadcaster Connect when needed Revocation Revoke and forgetMaintain revocation ImplementationMore complexSimpler

13 Subset cover schemes r Several works: starting with [NNL01], improved in [HS02], [GST04] r Stateless schemes r B  2 U, a key k i is associated with every b i  B r User u has keys of every b such that u  b r Broadcast and revocation  Broadcaster finds {b 1,…,b m }  B, such that U i b i =S  Broadcaster sends E ki (M) for every i=1,…,m 13

14 Subset cover (cont.) r Message length – m r Storage – broadcaster |B|, user u stores number of sets b s.t. u  b r Example – same data structure as LKH  Message length – m=rlog(n/r)  Storage – broadcaster O(1)+PRF, user O(log n) r Better data structures shave the log n/r factor 14

15 Public keys r Advantage of public key systems:  Any user can encrypt messages  Sometimes that’s a disadvantage r Any symmetric key scheme can be turned into a private/public key scheme r Slight problem  In the simplest transformation the broadcaster key has to be large (O(n) or O(n-r)) r Bilinear maps to the rescue! HIBE [DF02] and others. 15

16 Example [LSW10] r Public key r Stateless r Revocation and broadcast in O(r) r Storage for broadcaster and user O(1) r Specific hardness assumptions! O(1) here is actually quite similar to O(log n) in previous solutions. 16

17 LSW10 (cont.) r Two groups G, G 1 of size p, e:GXG  G 1 s.t. e(g a,g b )=e(g,g) ab r Discrete log and variations of DDH are assumed to be hard in G and G 1 r General parameters: g, h  G, a, b  {0,…,p-1} r Public key: {g, g b, g b 2, h b, e(g,g) a r Private key: t  {0,…,p-1}, D 0 =g  g b 2 t, D 1 =(g bID h) t, D 2 =g -t 17

18 LSW10 (cont.) r Encryption: assume that R={1,…,r}  Choose random s and divide it into r shares s 1 +…+s r =s mod p  C’=e(g,g) ab M, C 0 =g s  For i=1,…,r, C i1 =g bs i, C i2 =(g b 2 ID i h b ) s i r Decryption: compute e(C 0, D 0 ) by YZ, where  Y=e(D 1,  i (C i1 ) 1/(ID-IDi) )  Z=e(D 2,  i (C i2 ) 1/(ID-IDi) ) 18

19 What’s still open? r Stateful?  A scheme with the same parameters as LSW is known [DGK12] by changing the state as part of the revocation r Very large r  We would like schemes that are flexible between r and n-r. An example is [BGW05], but the message size*public key~n r Closing the gap between theory and practice 19

Download ppt "Broadcast Encryption – an overview Niv Gilboa – BGU 1."

Similar presentations

Boneh-Franklin Identity-based Encryption. 2 Symmetric bilinear groups G = ágñ, g p = 1 e: G G G t Bilinear i.e. e(u a, v b ) = e(u, v) ab Non-degenerate:

Boneh-Franklin Identity-based Encryption. 2 Symmetric bilinear groups G = ágñ, g p = 1 e: G G G t Bilinear i.e. e(u a, v b ) = e(u, v) ab Non-degenerate:
Security in Sensor Networks By : Rohin Sethi Aranika Mahajan Twisha Patel.

Security in Sensor Networks By : Rohin Sethi Aranika Mahajan Twisha Patel.
An Introduction to Pairing Based Cryptography Dustin Moody October 31, 2008.

An Introduction to Pairing Based Cryptography Dustin Moody October 31, 2008.
A Survey of Key Management for Secure Group Communications Celia Li.

A Survey of Key Management for Secure Group Communications Celia Li.
1 Efficient Self-Healing Group Key Distribution with Revocation Capability by Donggang Liu, Peng Ning, Kun Sun Presented by Haihui Huang

1 Efficient Self-Healing Group Key Distribution with Revocation Capability by Donggang Liu, Peng Ning, Kun Sun Presented by Haihui Huang
Self-Healing in Wireless Networks. The self-healing property is expected in many aspects in wireless networks: – Encryption algorithms – Key distribution.

Self-Healing in Wireless Networks. The self-healing property is expected in many aspects in wireless networks: – Encryption algorithms – Key distribution.
Russell Martin August 9th, 2013. Contents Introduction to CPABE Bilinear Pairings Group Selection Key Management Key Insulated CPABE Conclusion & Future.

Russell Martin August 9th, Contents Introduction to CPABE Bilinear Pairings Group Selection Key Management Key Insulated CPABE Conclusion & Future.
Distribution and Revocation of Cryptographic Keys in Sensor Networks Amrinder Singh Dept. of Computer Science Virginia Tech.

Distribution and Revocation of Cryptographic Keys in Sensor Networks Amrinder Singh Dept. of Computer Science Virginia Tech.
Sri Lanka Institute of Information Technology

Sri Lanka Institute of Information Technology
CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.

CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.
1 A Fully Collusion Resistant Broadcast, Trace and Revoke System Brent Waters SRI International Dan Boneh Stanford.

1 A Fully Collusion Resistant Broadcast, Trace and Revoke System Brent Waters SRI International Dan Boneh Stanford.
Traitor Tracing Papers Benny Chor, Amos Fiat and Moni Naor, Tracing Traitors (1994) Moni Naor and Benny Pinkas, Threshold Traitor Tracing (1998) Presented.

Traitor Tracing Papers Benny Chor, Amos Fiat and Moni Naor, Tracing Traitors (1994) Moni Naor and Benny Pinkas, Threshold Traitor Tracing (1998) Presented.
Broadcast Encryption and Traitor Tracing 2001. 12. 2001507 Jin Kim.

Broadcast Encryption and Traitor Tracing Jin Kim.
CS555Spring 2012/Topic 161 Cryptography CS 555 Topic 16: Key Management and The Need for Public Key Cryptography.

CS555Spring 2012/Topic 161 Cryptography CS 555 Topic 16: Key Management and The Need for Public Key Cryptography.
Secure Multicast (II) Xun Kang. Content Batch Update of Key Trees Reliable Group Rekeying Tree-based Group Diffie-Hellman Recent progress in Wired and.

Secure Multicast (II) Xun Kang. Content Batch Update of Key Trees Reliable Group Rekeying Tree-based Group Diffie-Hellman Recent progress in Wired and.
1 Dynamic Key-Updating: Privacy- Preserving Authentication for RFID Systems Li Lu, Lei Hu State Key Laboratory of Information Security, Graduate School.

1 Dynamic Key-Updating: Privacy- Preserving Authentication for RFID Systems Li Lu, Lei Hu State Key Laboratory of Information Security, Graduate School.
Content Protection for Recordable Media Florian Pestoni IBM Almaden Research Center.

Content Protection for Recordable Media Florian Pestoni IBM Almaden Research Center.
Cryptography1 CPSC 3730 Cryptography Chapter 10 Key Management.

Cryptography1 CPSC 3730 Cryptography Chapter 10 Key Management.
Mar 5, 2002Mårten Trolin1 Previous lecture More on hash functions Digital signatures Message Authentication Codes Padding.

Mar 5, 2002Mårten Trolin1 Previous lecture More on hash functions Digital signatures Message Authentication Codes Padding.
What ~1.25 turned out to be or Complex poles and DVDs Ilya Mironov Microsoft Research, SVC October 3 rd, 2003.

What ~1.25 turned out to be or Complex poles and DVDs Ilya Mironov Microsoft Research, SVC October 3 rd, 2003.

Similar presentations

Ads by Google