Presentation is loading. Please wait.

Presentation is loading. Please wait.

Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style Broadcast Encryption Amos Fiat & Moni Naor Presented.

Published byMerilyn Carr Modified over 9 years ago

Similar presentations

Presentation on theme: "Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style Broadcast Encryption Amos Fiat & Moni Naor Presented."— Presentation transcript:

1 Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style Broadcast Encryption Amos Fiat & Moni Naor Presented By Gayathri VS

2 Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science  The Problem  Zero Message Schemes  Basic Scheme  1-resilient Scheme based on 1-way function  1-resilient Scheme based on number-theory  Low-Memory k-resilient schemes 2 Outline

3 Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science 3 The Problem The System consists of broadcasting center set U of n users. key is distributed to users upon joining the system. securely transmit data to a randomly changing privileged subset of users out of the set S Any Coalition of k users from the universe, who are not part of the privileged set should not be able to decrypt the message.(Scheme is k-resilient).

4 Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science  U is the universe consisting of n users  P is privileged subset  S is any subset trying to learn the secret (S ∩ P = NULL)  |S| is size of subset S  K s is key common to subset S 4 Notations

5 Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science  Scheme is resilient if for all subset S ( S ∩ P = NULL, where P ⊂ U is privileged set ) S cannot learn secret common to P.  Scheme is k-resilient if |S| <= k.  Scheme is (k,p) random resilient if any randomly selected Subset is k-resilient with probability (1-p) 5 Security Definitions

6 Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science  Solution 1 : 6 Obvious Solution

7 Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science  Solution 2 : 7 Obvious Solution

8 Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science  Solution 1 : Each user is assigned a unique key 1 key per user & O(n) messages  Solution 2 : Each subset gets a unique key 2 n-1 keys per user & O(1) message  For any arbitrary subset, we have two choices for X 2.. X n. (they may or may not be present in that subset) Total number of subset which contains x 1 1.2.2…2 = 2 n-1 8 Obvious Solutions – Performance

9 Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science  The Goal is the optimize a) number of transmissions sent by the center to create the common secret b) Number of keys each user stores c) Computational effort in retrieving the common key by the members of the privileged class. 9 Problem Statement.. Revisited

10 Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science  The Problem  Zero Message Schemes (Low –resiliency)  Basic Scheme (Assumption Free)  1-resilient Scheme based on 1-way function  1-resilient Scheme based on number-theory  Low-Memory k-resilient schemes 10 Outline

11 Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science  Having the knowledge of Users in privileged set T, all users can compute the common key to decrypt the message sent by the center  The privileged set can be identified by sending a relatively short transmission. This is ‘set identification transmission’ ( different from the broadcast encryption transmission ) 11 Zero Message Schemes

12 Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science  For every set S ⊂ U where 0 ≤ |S| ≤ k, Assign key K s  Distribute K s to all users x ⊂ U – S U = { a, b, c }. Here n=3. Let k be 2 KEY DISTIBUTION : S = {a, b, c, {a,b}, {a,c}, {b,c}} K s = {K a, K b, K c, K ab,K ac,K bc } User a has K b, K c, K bc User b has K a, K c, K ac User c has K a, K b, K ab 12 BASIC SCHEME

13 Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science  ENCRYPTION : The common key to the privileged set P is simply the exclusive or of all keys K S where S ⊂ U – P  If P = { a,b } then K = XOR K S where S ⊂ U – P Here S is c so K = K C  RESILENCY : Every possible set S ⊂ U – P 0 ≤ |S| ≤ k will miss the key K S and cannot decrypt the message sent by the center.  NUMBER OF MESSAGES,KEYS : Number of keys per each User : Σ I = 0 to k (n)_C_i  For the above scheme to be 1-resilient each user should store (n+1) keys  For the above scheme to be n-resilient each user should store 2 n-1 keys 13

14 Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science  O(n) keys in previous scheme can be reduced to keys if keys are pseudo-randomly generated  Let f: {0,1} l -> {0,1} 2l be a pseudo-random generator (the length of the output of is twice the length of the input).  Users are on the leaf of the balanced binary tree.  The root is labeled with the common seed from Set {0,1} l 14 1-resilient scheme based on one-way function

15 Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science  apply the pseudo-random generators to the root label.Assign the left half (first bits) to be the label of the left subtree while the right half (last bits) is the label of the right subtree.  User x should get all leaf labels except his. To achieve this, we remove the path from x to the root,which is a forest on log n labels.  Every x ∈ U can use the ⌈ log n ⌉ values that he got and generate all leaf labels except his own. 15

16 Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science 16

17 Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science  The center chooses a random hard to factor composite N= P.Q where P and Q are primes.  It also chooses a secret value g of high index.  Each user i ∈ U is assigned g i = g pi. gcd(pi,pj) = 1, for I ≠ j  The common key for P ⊂ U is g T = g PT mod N where PT = Π i ∈ P pi  Each user i ∈ P can compute g T by g i x mod N where X = Π i ∈ (P-i) pi 17 A 1-resilient scheme based on Computational Number Theoretic Assumptions

18 Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science SCHEMENO OF KEYS/USER MESSAGE LENGTH RESILIENCYASSUMPTION TRIVIAL SOLUTION- 1 1O(n)anyNothing TRIVIAL SOLUTION- 2 2 n-1 1AnyNothing BASIC SCHEMEΣ K (n)C k 1KNothing BASIC SCHEME (k=1) O(n)11Nothing BASIC SCHEME(K=N-1) O(2 n )1Nnothing 1-resilant using PRG Ceil(log n)11One-way functions and hence PRG exist 1-resilent using number theory 111Root extraction is hard 18

19 Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science  The Problem  Zero Message Schemes (Low –resiliency)  Basic Scheme (Assumption Free)  1-resilient Scheme based on 1-way function  1-resilient Scheme based on number-theory  Low-Memory k-resilient schemes  One Level Schemes  Multi Level Schemes 19 Outline

20 Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science  The zero message 1-resilient schemes requires for k>1 memory which is exponential in k  Low-memory k-resilient schemes can be built from 1-resilient  Let w denote the number of keys that a user is required to store in the 1-resilient scheme w = n+1 if no cryptographic assumptions are made, w = ceil(log n) if we assume that one-way functions exists and w =1 if we assume that it is hard to extract roots modulo a composite.  efficiency of the schemes is how many w’s they require. 20 Low Memory-Resilient Schemes

21 Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science 1. f 1, f 2 …. f l is a family of function denoted by f i : U → {1,...,m}, 1 ≤ i ≤ l 2.For every group S ⊂ U, |S|=k there exists some function f i that is 1-1 on S all x,y in S f i (x) ≠ f i (y) {f i } contains perfect hash function for all subsets of size k in U when mapped to range {1,2..m} 21 One Level Scheme

22 Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science 22 One Level Scheme – Key Distribution 12N user 1R(1,f 1 (1))R(1,f 1 (2))R(1,f 1 (n)) 2R(2,f 2 (1))R(2,f 2 (2))R(2,f 2 (n)) LR(L,f l (1))R(L,f L (2))R(L,f L (n)) 1.{R(i, j)}1≤i≤l,1≤j≤m are independent 1- resilient schemes 2.Each user x ∈ U gets the keys associated with the scheme R(i,fi(x)) 1 ≤ i ≤ l.

23 Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science 1.To transmit M to T ⊂ U, the center breaks M into l random shares such that M = M 1 XOR M 2 XOR … M l 2.For 1 ≤ i ≤ l the center transmits M i in m distinct messages using R(i,j) j=1,2..m where j=f i (x) for all x in P. 3.Every x ∈ T may recover Mi, 1 ≤ i ≤ l, from R(I,j) where j = fi(x), and then add them up to get M. If x1 is part of P, M 1 – R(1,f 1 (x1) ) M 2 – R(2,f 2 (x1) ) … M L - R(l, f l (x1) 23 One Level Schemes – Encryption and Decryption

24 Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science 24 One Level Scheme - Storage 12N user 1R(1,f 1 (1))R(1,f 1 (2))R(1,f 1 (n)) 2R(2,f 2 (1))R(2,f 2 (2))R(2,f 2 (n)) LR(L,f l (1))R(L,f L (2))R(L,f L (n)) M 1 --- R(1,f 1 (1)) R(1,f 1 (2)) M 2 R(2,f 2 (1)) R(2,f 2 (2)) M L R(L,f L (1)) R(L,f L (2)) Storage per user: l times that of the 1- resilient scheme. Length of transmission: l · m messages

25 Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science Claim: The scheme is k-resilient.  Let S be a coalition of size |S| ≤ k.  There exists f i that is 1-1 on S.  M i is the message transmitted using f i. M i is delivered in m independent transmissions.  There can be at most only one x ∈ S for which fi(x) = j who has the keys of that scheme.  However R(i, j) is 1-resilient and hence that single user cannot recover M i and hence M. 25 One Level Scheme - Resiliency

26 Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science  use a perfect family of hash functions  send a “share” of the secret M corresponding to each hash function.  Each share is broadcasted with different encryptions.  The privileged users can decrypt these messages and any colluding set of at most k users cannot obtain at least one of the shares  no information about M is revealed if we miss even one of the shares. 26 One Level Scheme – Idea

27 Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science  Set m = 2k 2, l = k log n  Theorem: There exists a k-resilient scheme that requires the users to store O(k log n · w) keys and the center to broadcast O(k 3 log n) messages. The scheme may be constructed at random with arbitrarily high probability.  Probability that a random f i is not 1-1 on S is ((kC 2 ).2 m-1 )/ 2 m = (kC 2 ).(1/m) = k(k-1)/2m = ¼ - 1/4k ≤ ¼  Given the family of function f 1, f 2.. f l Prob(No f i is 1-1 on S ) = 1/4 L =1/2 2L = 1/n 2k (l = klogn ; 2l = 2klogn ; 2l = log n 2k ;n 2k = 2 2l )  Prob ( Some f i is 1-1 on S ) = ( 1 – n -2k )  Prob ( there exists f i is 1-1 on all S of size k) >= (1-n -2k ) t, where t = n_C_k >= 1 – n -k 27 Setting Parameters

28 Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science Scheme is (k,p) random resilient if any randomly selected Subset is k-resilient with probability (1-p) P(that for all subset of size k, there exists f i is 1-1 on S ) ≥ 1−p For (k,p) random resiliency substitute l = log(1/p) Theorem : (k,p)-resilient scheme requires the users to store O(log(1/p) · w) keys and the center should broadcast O(k 2 log(1/p)) messages. 28 Setting Parameters

29 Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science  Multi-level schemes, like the one-level ones, convert 1-resilient schemes to k-resilient ones.  The ”multi-levelness” comes through the R(i, j)s that are sets of 1-resilient schemes.  It decrease the length of transmission at the expense of more storage at the user. 29 Multi Level Schemes

30 Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science User 1 R(1,f 1 (1),1) R(1,f 1 (1),2) … R(1,f 1 (1),w) R(2,f 2 (1),1) R(2,f 2 (1),2) … R(2,f 2 (1),w) R(l,f l (1),1) R(l,f l (1),2) … R(l,f l (1),w) 30 Multi-Level Scheme Key Distribution For every Subset of size k, there exists for some 1≤i ≤l such that for all j there exist some w such that R(i,j,w)is resilient to set {x in S, f i (x) = j ) Every user x in U, for every 1≤i ≤l and for every 1≤r ≤w, receives keys associated with the scheme R(i,f i (x),r)

31 Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science. 1.To transmit M to T ⊂ U, the center breaks M randomly into l shares, such that M = M 1 XOR M 2 XOR.. M l 2.Each M i is broken into w shares for each j. M 1 (i,j) M 2 (i,j) …. M w (i,j) 3.For 1≤i≤l and 1≤r≤w M r (i,j) is broadcasted to Privileged subset {x ∈ T :f i (x)=j} 4.For any subset of size k, by assumption there is an i and for all j in that I scheme w is resilient to x in S with f i (x) = j Storage per user: l · w times that of the 1-resilient scheme. Length of transmission: l · m · w times that of the 1-resilient scheme. 31 Multi Level Scheme – Encryption and Decryption

32 Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science  Set L = 2k.log n, m = k/log k, w = log k + 1,t = 2elog k  There exists ak-resilient scheme that requires each user to store O(k.log k. log n.w) keys and the center to broadcast O(k 2 log 2 klogn) messages. Moreover, the scheme can be constructed effectively with high probability  there exists a (k,p) random-resilient scheme with the property that the number of keys each user should store is O(log k.log(1/p).w) and the center should broadcast O(klog 2 klog(1/p)) messages. Moreover, the scheme can be constructed effectively with high probability 32

33 Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science SCHEMENO OF KEYS/USER MESSAGE LENGTH RESILIENCYASSUMPTION BASIC SCHEMEΣ K (n)C k 1KNothing 1-resilant using PRG Ceil(log n)11One-way functions and hence PRG exist 1-resilent using number theory 111Root extraction is hard One Level Scheme O(k log n · w)O(k 3 log n)k 1-Level (k,p)O(log(1/p) · w)O(k 2 log(1/p))k Multi-LevelO(k log k log n·w) O(k2 log2 k log n) k 33

34 Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science Thank You ! 34

Download ppt "Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science Click to edit Master title style Broadcast Encryption Amos Fiat & Moni Naor Presented."

Similar presentations

Relations, Functions, and Matrices Mathematical Structures for Computer Science Chapter 4 Copyright © 2006 W.H. Freeman & Co.MSCS SlidesThe Mighty Mod.

Relations, Functions, and Matrices Mathematical Structures for Computer Science Chapter 4 Copyright © 2006 W.H. Freeman & Co.MSCS SlidesThe Mighty Mod.
Cryptography and Game Theory: Designing Protocols for Exchanging Information Gillat Kol and Moni Naor.

Cryptography and Game Theory: Designing Protocols for Exchanging Information Gillat Kol and Moni Naor.
A Survey of Key Management for Secure Group Communications Celia Li.

A Survey of Key Management for Secure Group Communications Celia Li.
Applied Algorithmics - week7

Applied Algorithmics - week7
Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.
Foundations of Cryptography Lecture 11 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 11 Lecturer: Moni Naor.
Michael Alves, Patrick Dugan, Robert Daniels, Carlos Vicuna

Michael Alves, Patrick Dugan, Robert Daniels, Carlos Vicuna
Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.

Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it.
CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.

CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.
Broadcast Encryption – an overview Niv Gilboa – BGU 1.

Broadcast Encryption – an overview Niv Gilboa – BGU 1.
Foundations of Cryptography Lecture 5 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 5 Lecturer: Moni Naor.
Bounds on Code Length Theorem: Let l ∗ 1, l ∗ 2,..., l ∗ m be optimal codeword lengths for a source distribution p and a D-ary alphabet, and let L ∗ be.

Bounds on Code Length Theorem: Let l ∗ 1, l ∗ 2,..., l ∗ m be optimal codeword lengths for a source distribution p and a D-ary alphabet, and let L ∗ be.
22C:19 Discrete Structures Integers and Modular Arithmetic

22C:19 Discrete Structures Integers and Modular Arithmetic
Foundations of Cryptography Lecture 4 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 4 Lecturer: Moni Naor.
Traitor Tracing Vijay Ramachandran CS 655: E-commerce Foundations October 10, 2000.

Traitor Tracing Vijay Ramachandran CS 655: E-commerce Foundations October 10, 2000.
Traitor Tracing Papers Benny Chor, Amos Fiat and Moni Naor, Tracing Traitors (1994) Moni Naor and Benny Pinkas, Threshold Traitor Tracing (1998) Presented.

Traitor Tracing Papers Benny Chor, Amos Fiat and Moni Naor, Tracing Traitors (1994) Moni Naor and Benny Pinkas, Threshold Traitor Tracing (1998) Presented.
2015-6-3Windows Scheduling Problems for Broadcast System 1 Amotz Bar-Noy, and Richard E. Ladner Presented by Qiaosheng Shi.

Windows Scheduling Problems for Broadcast System 1 Amotz Bar-Noy, and Richard E. Ladner Presented by Qiaosheng Shi.
Session 4 Asymmetric ciphers.

Session 4 Asymmetric ciphers.
CS426Fall 2010/Lecture 351 Computer Security CS 426 Lecture 35 Commitment & Zero Knowledge Proofs.

CS426Fall 2010/Lecture 351 Computer Security CS 426 Lecture 35 Commitment & Zero Knowledge Proofs.
Tirgul 10 Rehearsal about Universal Hashing Solving two problems from theoretical exercises: –T2 q. 1 –T3 q. 2.

Tirgul 10 Rehearsal about Universal Hashing Solving two problems from theoretical exercises: –T2 q. 1 –T3 q. 2.

Similar presentations

Ads by Google