Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Secure Broadcast Systems and Perspective on Pairings Brent Waters Joint work with Dan Boneh, Craig Gentry, and Amit Sahai.

Published byCorey Cory Park Modified over 9 years ago

Similar presentations

Presentation on theme: "1 Secure Broadcast Systems and Perspective on Pairings Brent Waters Joint work with Dan Boneh, Craig Gentry, and Amit Sahai."— Presentation transcript:

1 1 Secure Broadcast Systems and Perspective on Pairings Brent Waters Joint work with Dan Boneh, Craig Gentry, and Amit Sahai

2 2 Broadcast Systems Distribute content to a large set of users Commercial Content Distribution File systems Military Grade GPS Multicast IP

3 3 Broadcast Encryption [FN’93]  Encrypt to arbitrary subsets S.  Collusion resistance: secure even if all users in S c collude. d1d1 d2d2 d3d3 S  {1,…,n} CT = E[M,S]

4 4 App : Encrypted File Systems  Broadcast to small sets: |S| << n  Best construction: trivial. | CT | =O(|S|), |priv| =O(1)  Examples: EFS. File F E K F [F] E PK A [K F ] E PK C [K F ] MS Knowledge Base: EFS has a limit of 256KB in the file header for the EFS metadata. This limits the number of individual entries for file sharing to a maximum of 800 users. Header < 256K E PK B [K F ]

5 5 Broadcast Encryption  Public-key BE system: Setup(n):outputs private keys d 1, …, d n and public-key PK. Encrypt(S, PK, M): Encrypt M for users S  {1, …, n} Output ciphertext CT. Decrypt(CT, S, j, d j, PK): If j  S, output M.  Note: broadcast contains ( [S], CT )

6 6 Previous Solutions  t-Collusion resistant schemes [FN’93…] Resistant to t-colluders |CT| = O(t 2  log n) |priv| = O(t  log n) Attacker knows t  Broadcast to large sets [NNL,HS,GST…] |CT|= O(r) |priv|=O(log n) Useful if small number of revoked players  Ciphertexts are multiplied security parameter 

7 7 Overview CT SizePriv-key size Small sets:trivialO(|S|)O(1) Large sets:NNL,HS,GSTO(n-|S|)O(log n) Any set (new): BGW ’ 05 O(1) … but, O(n) size public key. BGW ‘ 05 O(  n)O(1) … O(  n) size public key. EFS, EmailDVD’sSubs. Service 0 n

8 8 Broadcast Encryption Security  Semantic security when users collude. (static adversary)  Def: Alg. A  -breaks BE sem. sec. if Pr[b=b’] > ½ +  Challenger Run Setup(n) Attacker PK, { d j | j  S } m 0, m 1  G b’  {0,1} C * = Enc( S, PK, m b ) b  {0,1} S  {1, …, n }

9 9 Bilinear Maps  G, G T : finite cyclic groups of prime order p.  Def: An admissible bilinear map e: G  G  G T is: –Bilinear: e(g a, g b ) = e(g,g) ab  a,b  Z, g  G –Efficiently computable.

10 10 Broadcast System [BGW’05]  Setup(n): g  G, ,   Z p, g k = g (  k ) PK = ( g, g 1, g 2, …, g n, g n+2, …, g 2n, v=g  )  G 2n+1 For u=1,…,n set: K u = (g u )   G  Encrypt(S, PK, M ): t  Z p CT = ( g t, (v   j  S g n+1-j ) t, M  e(g n,g 1 ) t )  Decrypt(CT, S, u,K u, PK): CT = (C 0, C 1, C 2 ) Fact: e( g u, C 1 ) / e( K u   g n+1-j+u, C 0 ) = e(g n,g 1 ) t jSjujSju

11 11 Security Theorem  Thm:  t-time alg. that  -breaks static BE security in G   t-time alg. that  -solves bilinear n-DDHE in G. ~ Open problem: adaptive security with similar params. New [BW’06]: adaptive security with O(  n) – size CT

12 12 Apps: Sharing in Enc. File System  Store PK on file system. n=2 16  |PK|=1.2MB  File header: ( [S], E[S,PK,K F ] )  Sharing among “800” users: 800  2 + 40 = 1640 bytes << 256KB  Each user obtains priv-key d uid  G from admin. Admin only stores   Z q File F E K F [F] [S] E[S,PK,K F ] Hdr S  {1, …, n } 40 bytes

13 13 Summary of Broadcast Enc.  New public-key broadcast encryption systems: Full collusion resistance. Constant size priv key. System 1:|CT| = O(1)|PK| = O(n) System 2:|CT| = O(  n)|PK| = O(  n)  Description of set, |S|, is now dominant term

14 14 Tracing Pirate Devices [CFN’94] Attacker creates “pirated device” Want to trace origin of device

15 15 T.T: a popular problem O. Berkman D. Boneh H. Chabanne B. Chor Y. Desmedt Y. Dodis N. Fazio A. Fiat M. Franklin E. Gafni M. Goodrich D. Halevy G. Hanaoka D. Hieu-Phan H. Imai M. Kasahara A. Kiayias K. Kurosawa J. Lotspiech S. Mitsunari M. Naor D. Naor M. Parnas B. Pfitzmann B. Pinkas D.Pointcheval R.Safavi-Naini A.Sahai R.Sakai J.Sgall A.Shamir J.Shaw A.Silverberg J.Staddon D.Stinson J. Sun R.Tamassia G. Tardos T. Tassa V. To M. Waidner J. Walker Y. Wang Y. Watanabe B. Waters R. Wei L. Yin M. Yung F. Zhang 32 papers from 49 authors

16 16 FAQ-1 “The Content can be Copied?”  DRM- Impossibility Argument  Protecting the service  Goal: Stop attacker from creating devices that access the original broadcast

17 17 FAQ 2-Why black-box tracing? [BF’99]  D: may contain unrecognized keys, is obfuscated, or tamper resistant.  All we know: Pr [ M  G, C  Encrypt (PK, M) : D(C)=M ] > 1-  K1K1 K3K3 K2K2 K$*JWN FD&RIJ$ D: RR

18 18 Formally: Secure TT systems  (1) Semantically secure, and (2) Traceable: ChallengerAttacker Run Setup(n) S  {1, …, n } PK, TK, { K j | j  S } Pirate Decoder D Adversary wins if:(1) Pr [ D(C)=M ] > 1- , and (2) i  S Trace D ( TK ) i  {1,…,n}

19 19 Brute Force System  Setup (n):Generate n PKE pairs (PK i, K i ) Output private keys K 1, …, K n PK  ( PK 1, …, PK n ), TK  PK.  Encrypt (PK, M): C  ( E PK 1 (M), …, E PK n (M) )  Tracing: next slide.  This is the best known TT system secure under arbitrary collusion. … until now

20 20 Trace D ( PK ): [BF99, NNL00, KY02]  For i = 1, …, n+1 define for M  G : p i : = Pr [ D( E PK 1 (  ), …, E PK i-1 (  ), E PK i ( M ), …, E PK n ( M ) ) = M ]  Then: p 1 > 1-  ; p n+1  0  1-  = |p n+1 – p 1 | = |  p i+1 – p i |   | p i+1 – p i |  Exists i  {1,…,n} s.t. | p i+1 – p i |  (1-  )/n  User i must be one of the pirates. i=1 n n R

21 21 Security Theorem  Tracing algorithm estimates: | p i - p i | < (1-  )/4n  Need O(n 2 ) samples per p i. (D – stateless)  Cubic time tracing. Can be improved to quadratic in |S|.  Thm: underlying PKE system is semantically secure  No eff. adv wins tracing game with non-neg adv. 

22 22 Abstracting the Idea [BSW’06] Properties needed:  For i = 1,…, n+1 need to encrypt M so:  Without K i adversary cannot distinguish: Enc(i, PK, M) from Enc(i+1, PK, M) 1 i-1 i n users cannot decrypt users can decrypt Linear Broadcast Encryption Private B.E.

23 23 Private Linear Broadcast Enc (PLBE) Setup(n):outputs private keys K 1, …, K n and public-key PK. Encrypt( u, PK, M): Encrypt M for users {u, u+1, …, n} Output ciphertext CT. Decrypt(CT, j, K j, PK): If j  u, output M  Broadcast-Encrypt(PK,M) := Encrypt( 1, PK, M)  Note: slightly more complicated defs in [BSW’06]

24 24 Security definition  Message hiding: given all private keys: Encrypt( n+1, M, PK)  P Encrypt( n+1, , PK)  Index hiding:for u = 1, …, n : Challenger Attacker m b’  {0,1} C *  Enc( u+b, PK, m ) b  {0,1} Run Setup(n) PK, { K j | j  u }

25 25 Results  Thm: Secure PLBE  Secure TT Same size CT and priv-keys (black-box and publicly traceable)  New PLBE system: CT-size = O(  n) ; priv-key size = O(1) enc-time = O(  n) ; dec-time = O(1)

26 26  n PLBE Construction: hints  Arrange users in matrix  Key for user (x,y): K x,y  CT: one tuple per row, one tuple per col. size = O(  n)  CT to position (i,j): User (x,y) can dec. if ( x > i) OR [ (x=i) AND (y  j) ] 123456 789101112 131415161718 192021222324 252627282930 313233343536 n=36 users 123456 789101112 131415161718 192021222324 252627282930 313233343536 Encrypt to postion (4,3)

27 27 Bilinear groups of order N=pq [BGN’05]  G : group of order N=pq. (p,q) – secret. bilinear map: e: G  G  G T  G = G p  G q. g p = g q  G p ; g q = g p  G q  Facts: h  G  h = (g q ) a  (g p ) b e( g p, g q ) = e(g p, g q ) = e(g,g) N = 1 e( g p, h ) = e( g p, g p ) b !!

28 28 A  n size PLBE  Ciphertext: ( C 1, …, C  n, R 1, …, R  n )  User (x,y) must pair R x and C y to decrypt TypeGqGq GpGp R x : x < i R x : x = i R x : x > i C y : y < j C y : y  j CaseResult x < iNo: R x not well formed x=i & y < j No: C y malformed in G p x=i & y  jYes: both well formed x > iYes: indep. of column Well-formed Malformed/Random Zero

29 29 Trace and Revoke [BW06]  What happens when catch traitor? Torture? Re-do system?  Want Broadcast and Tracing simultaneously Trivial Combination does not work  BW06 Combined ideas Bonus: Adaptive Security & Better Assumptions

30 30 Trace and Revoke

31 31 T&R=A simple Combination? B.ET.T. M RM-R Encrypt Decrypt BETT RM-R M

32 32 A simple Attack B.ET.T. M RM-R BETT RM-R M  2 colluders split duties  Catch same one over and over (box still works)

33 33 Our Approach (Intuition)  Can’t allow attackers to “separate” systems In general hard to combine  BGW05 (Broadcast) and BSW06(Traitor Tracing) both algebraic  Multiply private keys together so can’t separate Not so easy… needed different B.E. scheme

34 34 Summary  New results: [BGW’05, BSW’06, BW’06] Full collusion resistance: B.E: O(1) CT,O(1) priv-keys … but O(n) PK T.T: O(  n) CT,O(1) priv-keys. T.R.: O(  n) CT,O(  n) priv-keys.  FCR

35 35 Open Problems  Broadcast: Constant size everything (CT, pub/priv keys) Same params with adaptive security  Traitor Tracing: Private linear B.E. with O(log n) CT. Private B.E. from Linear Assumption  FCR

36 36 Pairings from the Outside Identity-based encryption [BF01] Efficient Selective-ID Secure IBE without Random Oracles [BB04a] Secure IBE without Random Oracles [BB04a] Efficient IBE without Random Oracles [W05] Practical IBE without Random Oracles [Gen06] A ID-Based Deniable Authentication Protocol on pairings

37 37 Organizing Contributions (My View) 1. Identity-Based Encryption 2. Signatures ?? 3. Slightly 2-Homomorphic 4. NIZKs 5. Broadcast and Tracing

38 38 IBE [BF01] IBE: [BF01] Public key encryption scheme where public key is an arbitrary string ( ID ).  Examples: user’s e-mail address email encrypted using public key: “bob@stanford.edu” master-key CA/PKG I am “bob@stanford.edu” Private key Alice does not access a PKI Authority is offline Is regular PKI good enough?

39 39 Idea is Bigger Encrypt “Structured” Data master-key CA/PKG Capability Request Private “Capability” Authority is offline

40 40 Health Records master-key CA/PKG Private “Capability” Authority is offline Weight=125 Height = 5’4 Age = 46 Blood Pressure= 125 Partners = … If Weight/Height >30 AND Age > 45 Output Blood Pressure No analogous PKI solution

41 41 IBE Class  IBE [BF01, CHK04, BB04, W05, Gen06]  HIBE[ HL02, GS02]  Searching on Enc. Data[BDOP04, BoyW06, BonW06]  Attribute-Based Enc. [SW05, GPSW06] Trend of Structured Encryptions

42 42 NIZKs  Two GOS06 papers 3 points of interest 1) Perfect Hiding NIZK, ZAPs (Theoretical) 2) Most Efficient NIZK (but still bit by bit) 3) Speak Bilinear Maps “Natively” (cool) Build GroupSigs[BW06], other stuff

43 43 An Upcoming Wall?  No 3-Linear Map  Advanced IBE somewhat limited  Traitor Tracing stuck at  n  NIZKs kind of done

44 44 Some Inspiration Composite Order Groups

45 45 THE END

46 46 Security Problems 1) Access control of content Broadcast targeted to certain set e.g. All paying subscribers 2) Identifying compromised insiders Clones and distributes pirate decoders Trace back to attacker

47 47 A Trivial Solution  Small private key, large ciphertext. Every user j has unique private key d j. CT = { E d j [M] | j  S } |CT| = O(|S|)|priv| = O(1)

Download ppt "1 Secure Broadcast Systems and Perspective on Pairings Brent Waters Joint work with Dan Boneh, Craig Gentry, and Amit Sahai."

Similar presentations

Fully Secure Functional Encryption: Attribute-Based Encryption and (Hierarchical) Inner Product Encryption Allison Lewko Tatsuaki Okamoto Amit Sahai The.

Fully Secure Functional Encryption: Attribute-Based Encryption and (Hierarchical) Inner Product Encryption Allison Lewko Tatsuaki Okamoto Amit Sahai The.
Boneh-Franklin Identity-based Encryption. 2 Symmetric bilinear groups G = ágñ, g p = 1 e: G G G t Bilinear i.e. e(u a, v b ) = e(u, v) ab Non-degenerate:

Boneh-Franklin Identity-based Encryption. 2 Symmetric bilinear groups G = ágñ, g p = 1 e: G G G t Bilinear i.e. e(u a, v b ) = e(u, v) ab Non-degenerate:
Simulation-sound NIZK Proofs for a Practical Language and Constant Size Group Signatures Jens Groth University of California Los Angeles Presenter: Eike.

Simulation-sound NIZK Proofs for a Practical Language and Constant Size Group Signatures Jens Groth University of California Los Angeles Presenter: Eike.
ElGamal Security Public key encryption from Diffie-Hellman

ElGamal Security Public key encryption from Diffie-Hellman
Trusted 3rd parties Basic key exchange

Trusted 3rd parties Basic key exchange
Probabilistic Public Key Encryption with Equality Test Duncan S. Wong Department of Computer Science City University of Hong Kong Joint work with Guomin.

Probabilistic Public Key Encryption with Equality Test Duncan S. Wong Department of Computer Science City University of Hong Kong Joint work with Guomin.
Spreading Alerts Quietly and the Subgroup Escape Problem Aleksandr Yampolskiy (Yale) Joint work with James Aspnes, Zoë Diamadi, Kristian Gjøsteen, and.

Spreading Alerts Quietly and the Subgroup Escape Problem Aleksandr Yampolskiy (Yale) Joint work with James Aspnes, Zoë Diamadi, Kristian Gjøsteen, and.
Encryption Public-Key, Identity-Based, Attribute-Based.

Encryption Public-Key, Identity-Based, Attribute-Based.
Broadcast Encryption – an overview Niv Gilboa – BGU 1.

Broadcast Encryption – an overview Niv Gilboa – BGU 1.
Notation Intro. Number Theory Online Cryptography Course Dan Boneh

Notation Intro. Number Theory Online Cryptography Course Dan Boneh
Dual System Encryption: Realizing IBE and HIBE from Simple Assumptions Brent Waters.

Dual System Encryption: Realizing IBE and HIBE from Simple Assumptions Brent Waters.
S EMANTICALLY - SECURE FUNCTIONAL ENCRYPTION : P OSSIBILITY RESULTS, IMPOSSIBILITY RESULTS AND THE QUEST FOR A GENERAL DEFINITION Adam O’Neill, Georgetown.

S EMANTICALLY - SECURE FUNCTIONAL ENCRYPTION : P OSSIBILITY RESULTS, IMPOSSIBILITY RESULTS AND THE QUEST FOR A GENERAL DEFINITION Adam O’Neill, Georgetown.
1 A Fully Collusion Resistant Broadcast, Trace and Revoke System Brent Waters SRI International Dan Boneh Stanford.

1 A Fully Collusion Resistant Broadcast, Trace and Revoke System Brent Waters SRI International Dan Boneh Stanford.
Traitor Tracing Vijay Ramachandran CS 655: E-commerce Foundations October 10, 2000.

Traitor Tracing Vijay Ramachandran CS 655: E-commerce Foundations October 10, 2000.
Traitor Tracing Papers Benny Chor, Amos Fiat and Moni Naor, Tracing Traitors (1994) Moni Naor and Benny Pinkas, Threshold Traitor Tracing (1998) Presented.

Traitor Tracing Papers Benny Chor, Amos Fiat and Moni Naor, Tracing Traitors (1994) Moni Naor and Benny Pinkas, Threshold Traitor Tracing (1998) Presented.
1 Fully Collusion Resistant Traitor Tracing with Short Ciphertexts and Private Keys Dan Boneh, Amit Sahai, and Brent Waters.

1 Fully Collusion Resistant Traitor Tracing with Short Ciphertexts and Private Keys Dan Boneh, Amit Sahai, and Brent Waters.
Non-interactive Zaps and New Techniques for NIZK Jens Groth Rafail Ostrovsky Amit Sahai University of California Los Angeles.

Non-interactive Zaps and New Techniques for NIZK Jens Groth Rafail Ostrovsky Amit Sahai University of California Los Angeles.
Identity Based Encryption

Identity Based Encryption
The RSA Cryptosystem and Factoring Integers (II) Rong-Jaye Chen.

The RSA Cryptosystem and Factoring Integers (II) Rong-Jaye Chen.
1 Conjunctive, Subset, and Range Queries on Encrypted Data Presenter: 陳國璋 Lecture Notes in Computer Science, 2007 Dan Boneh and Brent Waters.

1 Conjunctive, Subset, and Range Queries on Encrypted Data Presenter: 陳國璋 Lecture Notes in Computer Science, 2007 Dan Boneh and Brent Waters.

Similar presentations

Ads by Google