1 Collusion Resistant Broadcast Encryption With Short Ciphertexts and Private Keys Dan Boneh, Craig Gentry, and Brent Waters.


1 Collusion Resistant Broadcast Encryption With Short Ciphertexts and Private Keys. Dan Boneh, Craig Gentry, and Brent Waters

2 Broadcast Encryption [FN’93]
• Encrypt to arbitrary subsets S.
• Collusion resistance: secure even if all users in S^c collude.
[Figure: keys d_1, d_2, d_3; S  {1,…,n}; CT = E[M,S]]

3 Broadcast Encryption
• Public-key BE system:
  Setup(n): outputs private keys d_1, …, d_n and public-key PK.
  Encrypt(S, PK, M): Encrypt M for users S  {1, …, n}. Output ciphertext CT.
  Decrypt(CT, S, j, d_j, PK): If j  S, output M.
• Note: broadcast contains ( [S], CT )

4 Trivial Solutions
• Small private key, large ciphertext.
  Every user j has unique private key d_j.
  CT = { E_{d_j}[M] | j  S }
  |CT| = O(|S|), |priv| = O(1)
• Large private keys, small ciphertexts.
  Unique key K_S for every subset S  {1, …, n}
  User j’s priv-key: d_j = { K_S | j  S }
  |CT| = O(1), |priv| = O(2^n)

5 Outline
• Previous work
• Security Definitions
• Overview scheme
• Applications
• Conclusions

6 Previous Solutions
• t-Collusion resistant schemes [FN’93]
  Resistant to t-colluders
  |CT| = O(t^2  log n), |priv| = O(t  log n)
  Attacker knows t
• Broadcast to large sets [NNL,HS,GST]
  |CT| = O(r), |priv| = O(log n)
  Useful if small number of revoked players

7 Summary
                               CT Size     Priv-key size
  Small sets:     trivial      O(|S|)      O(1)
  Large sets:     NNL,HS,GST   O(n-|S|)    O(log n)
  Any set (new):  BGW ’05      O(1)                        … but, O(n) size public key.
                  BGW ’05      O(  n)      O(1)            … O(  n) size public key.
[Figure: scale from 0 to n, labelled: EFS, Email; DVD’s; Subs. Service]

8 Broadcast Encryption Security
• Semantic security when users collude. (static adversary)
• Def: Alg. A  -breaks BE sem. sec. if Pr[b=b’] > ½ +  
• (t,  )-security: no t-time alg. can  -break BE sem. sec.
[Figure: game between Challenger and Attacker. Labels: S  {1, …, n}; Run Setup(n); PK, { d_j | j  S }; m_0, m_1  G; b  {0,1}; C* = Enc( S, PK, m_b ); b’  {0,1}]

9 Bilinear Maps
• G, G_T: finite cyclic groups of prime order p.
• Def: An admissible bilinear map e: G  G  G_T is:
  – Bilinear: e(g^a, g^b) = e(g,g)^(ab)  a,b  Z, g  G
  – Non-degenerate: g generates G  e(g,g) generates G_T.
  – Efficiently computable.

10 Broadcast System
• Setup(n): g  G, ,   Z_p, g_k = g (  k )
  PK = ( g, g_1, g_2, …, g_n, g_{n+2}, …, g_{2n}, v=g  )  G^(2n+1)
  For k=1,…,n set: d_k = (g_k)   G
• Encrypt(S, PK, M): t  Z_p
  CT = ( g^t, (v   j  S g_{n+1-j})^t, M  e(g_n, g_1)^t )
• Decrypt(CT, S, k, d_k, PK): CT = (C_0, C_1, C_2)
  Fact: e( g_k, C_1 ) / e( d_k   g_{n+1-j+k}, C_0 ) = e(g_n, g_1)^t
  [index under the product: j  S, j  k]

11 Security Theorem
• Thm:  t-time alg. that  -breaks BE sem. sec. in G   t-time alg. that  -solves bilinear n-DDHE in G. ~

12 App: Encrypted File Systems
• Broadcast to small sets: |S| << n
• Best construction: trivial. |CT| = O(|S|), |priv| = O(1)
• Examples: EFS.
MS Knowledge Base: EFS has a limit of 256KB in the file header for the EFS metadata. This limits the number of individual entries for file sharing to a maximum of 800 users.
[Figure: File F stored as E_{K_F}[F], with a header (< 256K) holding E_{PK_A}[K_F], E_{PK_B}[K_F], E_{PK_C}[K_F]]

13 Apps: Sharing in Enc. File System
• Store PK on file system. n=2^16  |PK|=1.2MB
• File header: ( [S], E[S,PK,K_F] )
• Sharing among “800” users: 800  2 + 40 = 1640 bytes << 256KB
• Each user obtains priv-key d_uid  G from admin. Admin only stores   Z_q
[Figure: File F stored as E_{K_F}[F], with Hdr holding [S] and E[S,PK,K_F]. Labels: S  {1, …, n}; 40 bytes]

14 Incremental file sharing
• File hdr: ( [S], g^t, (v   j  S g_{n+1-j})^t )
• To grant user u access to file F, owner does: C_1  C_1  (g_{n+1-u})^t
• File owner: instead of storing t for every file do: t  PRF_{K_O}(Nonce_F)
[Figure: File F stored as E_{K_F}[F], with Hdr holding [S], E[S,PK,K_F] and Nonce_F. Labels: C_0, C_1]

15 App: secure email lists
• Set n=2^16. Let g_k = g (  k ). Suppose (g, g_1, g_2, …, g_n, g_{n+2}, …, g_{2n}) are global (1.2MB)
• Simple encrypted email lists:
  List A: PK_A = ( v_A = g  A ); List B: PK_B = ( v_B = g  B )
  When new user joins List A do:
  – Assign new index 1  k  2^16, give key d_k = (g_k)  A
  Encrypt msgs to List A using B.E. for current members.
• Much simpler than existing techniques (e.g. LKH)

16 Summary and Open Problems
• New public-key broadcast encryption systems:
  Full collusion resistance. Constant size priv key.
  System 1: |CT| = O(1), |PK| = O(n)
  System 2: |CT| = O(  n), |PK| = O(  n)
• Open problems:
  Reduce public key size.
  Weaker assumption.
  Security against adaptive adversary.
  Tracing traitors with same parameters.

17 Apps: Content Protection
• DVD content protection: n = 2^32. r – revoked.
  No room for PK in player. Store ( [S], CT, PK ) on each DVD disk.
  Goal: minimize |CT|+|PK|   n system
• Using  n system: |PK| = O(  n), |CT| = O(  n):
  |DVD-hdr| = |PK|+|CT|+|[S]| = 5MB + ( 4  r bytes)
• NNL-type: |DVD-hdr| = |CT|+|[S]| = ( 36  r bytes)
4  2^16 G.E.

18 App: Content Protection
• DVD Content Protection. n = 2^32
  DVD player i ships with private key d_i
  DVD disks encrypted to unrevoked players.
• Broadcast to large sets: |S| = n-r where r << n.
[Figure: players holding keys d_1, d_2, d_3, d_4]

