Fully Collusion Resistant Traitor Tracing with Short Ciphertexts and Private Keys
Dan Boneh, Amit Sahai, and Brent Waters


1 Fully Collusion Resistant Traitor Tracing with Short Ciphertexts and Private Keys
Dan Boneh, Amit Sahai, and Brent Waters

2 Broadcast Systems
Distribute content to a large set of users:
• Commercial Content Distribution
• File systems
• Military Grade GPS
• Multicast IP

3 Tracing Pirate Devices [CFN’94]
• Attacker creates “pirated device”
• Want to trace origin of device

4 FAQ 1: “The Content can be Copied?”
• DRM: Impossibility Argument
• Protecting the service
• Goal: Stop attacker from creating devices that access the original broadcast

5 FAQ 2: Why black-box tracing? [BF’99]
• D: may contain unrecognized keys, is obfuscated, or tamper resistant.
• All we know: $\Pr[\, M \xleftarrow{R} G,\ C \xleftarrow{R} \mathrm{Encrypt}(PK, M) : D(C) = M \,] > 1 - \varepsilon$
[Figure: pirate decoder D holding keys $K_1$, $K_3$, $K_2$ among obfuscated data]

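6 Formally: Secure TT systems
• (1) Semantically secure, and (2) Traceable:
  Challenger: Run Setup(n)
  Attacker to Challenger: $S \subseteq \{1, \dots, n\}$
  Challenger to Attacker: $PK$, $TK$, $\{ K_j \mid j \in S \}$
  Attacker to Challenger: Pirate Decoder $D$
  Challenger: $\mathrm{Trace}^D(TK) \to i \in \{1, \dots, n\}$
• Adversary wins if: (1) $\Pr[ D(C) = M ] > 1 - \varepsilon$, and (2) $i \notin S$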

7 Brute Force System
• Setup(n): Generate n PKE pairs $(PK_i, K_i)$. Output private keys $K_1, \dots, K_n$; $PK \gets (PK_1, \dots, PK_n)$, $TK \gets PK$.
• Encrypt(PK, M): $C \gets ( E_{PK_1}(M), \dots, E_{PK_n}(M) )$
• Tracing: next slide.
• This is the best known TT system secure under arbitrary collusion. … until now

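8 $\mathrm{Trace}^D(PK)$: [BF99, NNL00, KY02]
• For $i = 1, \dots, n+1$ define, for $M \xleftarrow{R} G$ and a random message $R$ (as on slide 23):
  $p_i := \Pr[\, D( E_{PK_1}(R), \dots, E_{PK_{i-1}}(R), E_{PK_i}(M), \dots, E_{PK_n}(M) ) = M \,]$
• Then: $p_1 > 1 - \varepsilon$ ; $p_{n+1} \approx 0$
  $\Rightarrow\ 1 - \varepsilon = |p_{n+1} - p_1| = \left| \sum_{i=1}^{n} (p_{i+1} - p_i) \right| \le \sum_{i=1}^{n} |p_{i+1} - p_i|$
  $\Rightarrow$ Exists $i \in \{1, \dots, n\}$ s.t. $|p_{i+1} - p_i| \ge (1 - \varepsilon)/n$
  $\Rightarrow$ User i must be one of the pirates.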

9 Security Theorem
• Tracing algorithm estimates: $|\hat{p}_i - p_i| < (1 - \varepsilon)/4n$
• Need $O(n^2)$ samples per $p_i$. (D is stateless)
• Cubic time tracing. Can be improved to quadratic in $|S|$.
• Thm: underlying PKE system is semantically secure $\Rightarrow$ No eff. adv wins tracing game with non-neg adv.

10 Abstracting the Idea [BSW’06]
Properties needed:
• For $i = 1, \dots, n+1$ need to encrypt M so that users $1, \dots, i-1$ cannot decrypt and users $i, \dots, n$ can decrypt (Linear Broadcast Encryption)
• Without $K_i$ adversary cannot distinguish $\mathrm{Enc}(i, PK, M)$ from $\mathrm{Enc}(i+1, PK, M)$ (Private B.E.)

11 Private Linear Broadcast Enc (PLBE)
• Setup(n): outputs private keys $K_1, \dots, K_n$ and public key PK.
• Encrypt(u, PK, M): Encrypt M for users $\{u, u+1, \dots, n\}$. Output ciphertext CT.
• Decrypt(CT, j, $K_j$, PK): If $j \ge u$, output M
• Broadcast-Encrypt(PK, M) := Encrypt(1, PK, M)
• Note: slightly more complicated defs in [BSW’06]

12 Security definition
• Message hiding: given all private keys: Encrypt( n+1, M, PK)  P Encrypt( n+1, , PK)
• Index hiding: for $u = 1, \dots, n$:
  Challenger: Run Setup(n); sends $PK$, $\{ K_j \mid j \ne u \}$
  Attacker: sends $m$
  Challenger: $b \xleftarrow{R} \{0,1\}$, sends $C^* \gets \mathrm{Enc}(u+b, PK, m)$
  Attacker: outputs $b' \in \{0,1\}$

13 Results
• Thm: Secure PLBE $\Rightarrow$ Secure TT. Same size CT and priv-keys (black-box and publicly traceable)
• New PLBE system: CT-size = $O(\sqrt{n})$ ; priv-key size = $O(1)$ ; enc-time = $O(\sqrt{n})$ ; dec-time = $O(1)$

14 $\sqrt{n}$ PLBE Construction: hints
• Arrange users in matrix
• Key for user (x,y): $K_{x,y}$  $R_x$  $C_y$
• CT: one tuple per row, one tuple per col. size = $O(\sqrt{n})$
• CT to user (i,j): User (x,y) can dec. if $(x > i)$ OR $[\,(x = i)$ AND $(y \ge j)\,]$
[Figure: n=36 users arranged in a 6×6 matrix, shown again for "Encrypt to user (4,3)"]
   1  2  3  4  5  6
   7  8  9 10 11 12
  13 14 15 16 17 18
  19 20 21 22 23 24
  25 26 27 28 29 30
  31 32 33 34 35 36

15 Bilinear groups of order N=pq [BGN’05]
• $G$: group of order $N = pq$. $(p, q)$ is secret. Bilinear map: $e: G \times G \to G_T$
• $G = G_p \times G_q$. $g_p = g^q \in G_p$ ; $g_q = g^p \in G_q$
• Facts: $h \in G \Rightarrow h = (g_q)^a \cdot (g_p)^b$
  $e(g_p, g_q) = e(g^q, g^p) = e(g, g)^N = 1$
  $e(g_p, h) = e(g_p, g_p)^b$ !!

16 A $\sqrt{n}$ size PLBE
• Ciphertext: $( C_1, \dots, C_{\sqrt{n}}, R_1, \dots, R_{\sqrt{n}} )$
• User (x,y) must pair $R_x$ and $C_y$ to decrypt
[Table: type of each component in $G_q$ and $G_p$ for $R_x$ with $x < i$, $x = i$, $x > i$ and for $C_y$ with $y < j$, $y \ge j$; legend: Well-formed, Malformed/Random, Zero]
Case | Result
$x < i$ | No: $R_x$ not well formed
$x = i$ & $y < j$ | No: $C_y$ malformed in $G_p$
$x = i$ & $y \ge j$ | Yes: both well formed
$x > i$ | Yes: indep. of column

17 Summary and Open Problems
• New results: [BGW’05, BSW’06, BW’06] Full collusion resistance:
  B.E: $O(1)$ CT, $O(1)$ priv-keys … but $O(n)$ PK
  T.T: $O(\sqrt{n})$ CT, $O(1)$ priv-keys.
  T.R.: $O(\sqrt{n})$ CT, $O(\sqrt{n})$ priv-keys.
• Open questions:
  Private linear B.E. with $O(\log n)$ CT.
  Private B.E. with short ciphertexts.
• FCR

18 THE END

19 BGN encryption
• Subgroup assumption: $G \approx_p G_p$
• $E(m)$: $r \gets \mathbb{Z}_N$, $C \gets g^m (g_p)^r \in G$
• Additive hom: $E(m_1 + m_2) = C_1 \cdot C_2 \cdot (g_p)^r$
• One mult hom: $E(m_1 \cdot m_2) = e(C_1, C_2) \cdot e(g_p, g_p)^r$

20 Results
• Thm: Secure PLBE $\Rightarrow$ Secure TT. Same size CT and priv-keys (black-box and publicly traceable)
• New PLBE system: CT-size = $O(\sqrt{n})$ ; priv-key size = $O(1)$ ; enc-time = $O(\sqrt{n})$ ; dec-time = $O(1)$
• Applications:
  Tracing Traitors: $O(\sqrt{n})$ CTs and $O(1)$ keys.
  Adaptive BE. (need Augmented PLBE)
  Comparison searches on encrypted data.

21 T.T: a popular problem
O. Berkman, D. Boneh, H. Chabanne, B. Chor, Y. Desmedt, Y. Dodis, N. Fazio, A. Fiat, M. Franklin, E. Gafni, M. Goodrich, D. Halevy, G. Hanaoka, D. Hieu-Phan, H. Imai, M. Kasahara, A. Kiayias, K. Kurosawa, J. Lotspiech, S. Mitsunari, M. Naor, D. Naor, M. Parnas, B. Pfitzmann, B. Pinkas, D. Pointcheval, R. Safavi-Naini, A. Sahai, R. Sakai, J. Sgall, A. Shamir, J. Shaw, A. Silverberg, J. Staddon, D. Stinson, J. Sun, R. Tamassia, G. Tardos, T. Tassa, V. To, M. Waidner, J. Walker, Y. Wang, Y. Watanabe, B. Waters, R. Wei, L. Yin, M. Yung, F. Zhang
32 papers from 49 authors

22 A Simple System
• n users in system, each gets separate key
• User i gets $K_i$
• Encrypt message separately to each user and lump it (use “hybrid encryption” and encrypt an AES key)
  $E(K_1, M)$, $E(K_2, M)$, …, $E(K_i, M)$, …, $E(K_n, M)$

23 Tracing
• Let E’(i, M) => Encrypt R to 1,…,i-1 and M to i,…,n:
  $E(K_1, R)$, $E(K_2, R)$, …, $E(K_{i-1}, R)$, $E(K_i, M)$, …, $E(K_n, M)$
• $P_i$ = prob. pirate device decrypts E’(i, M)
• Can learn $P_i$’s from probing the device
  i | $P_i$
  1 | 100 (Device works)
  j | 100
  j+1 | 35
  n+1 | 0 (Everything Random)
• User j is an attacker

