1 Fully Collusion Resistant Traitor Tracing with Short Ciphertexts and Private Keys Dan Boneh, Amit Sahai, and Brent Waters

Post on 18-Dec-2015


Page 1: 1 Fully Collusion Resistant Traitor Tracing with Short Ciphertexts and Private Keys Dan Boneh, Amit Sahai, and Brent Waters

Fully Collusion Resistant Traitor Tracing with Short Ciphertexts and Private Keys

Dan Boneh, Amit Sahai, and Brent Waters


Broadcast Systems

Distribute content to a large set of users

•Commercial Content Distribution

•File systems

•Military Grade GPS

•Multicast IP


Tracing Pirate Devices [CFN’94]

•Attacker creates “pirated device”

•Want to trace origin of device


FAQ-1 “The Content can be Copied?”

DRM- Impossibility Argument

Protecting the service

Goal: Stop attacker from creating devices that access the original broadcast


FAQ 2-Why black-box tracing? [BF’99]

D: may contain unrecognized keys, is obfuscated, or tamper resistant.

All we know:

Pr[ M G, C Encrypt (PK, M) : D(C)=M] > 1-

[Figure: pirate decoder D containing keys K1, K2, K3]

R R


Formally: Secure TT systems

(1) Semantically secure, and (2) Traceable:

Challenger

Attacker

Run Setup(n)

S {1, …, n }

PK, TK, { Kj | j S }

Pirate Decoder D

Adversary wins if: (1) Pr[D(C)=M] > 1-, and

(2) i S

TraceD( TK ) i {1,…,n}


Brute Force System

Setup (n): Generate n PKE pairs (PKi, Ki)

Output private keys K1 , …, Kn

PK (PK1, …, PKn) , TK PK .

Encrypt (PK, M): C ( EPK1(M), …, EPKn(M) )

Tracing: next slide.

This is the best known TT system secure under arbitrary collusion.

… until now


TraceD(PK): [BF99, NNL00, KY02]

For i = 1, …, n+1 define for M G :

pi := Pr[ D( EPK1(), …, EPKi-1(), EPKi(M), …, EPKn(M) ) = M ]

Then: p1 > 1- ; pn+1 0

1- = |pn+1 – p1 | = | pi+1 – pi | |pi+1 – pi |

Exists i{1,…,n} s.t. | pi+1 – pi | (1- )/n

User i must be one of the pirates.

i=1

n n

i=1

R


Security Theorem

Tracing algorithm estimates: | pi - pi | < (1-)/4n

Need O(n^2) samples per pi. (D – stateless)

Cubic time tracing.

• Can be improved to quadratic in |S| .

Thm: underlying PKE system is semantically secure

No eff. adv wins tracing game with non-neg adv.


Abstracting the Idea [BSW’06]

Properties needed:

For i = 1 ,… , n+1 need to encrypt M so:

Without Ki adversary cannot distinguish:

Enc(i, PK, M) from Enc(i+1, PK, M)

[Figure: users 1 … i-1 cannot decrypt; users i … n can decrypt]

Linear Broadcast Encryption

Private B.E.


Private Linear Broadcast Enc (PLBE)

•Setup(n): outputs private keys K1 , …, Kn and public-key PK.

•Encrypt( u, PK, M): Encrypt M for users {u, u+1, …, n}. Output ciphertext CT.

•Decrypt(CT, j, Kj, PK): If j u, output M

Broadcast-Encrypt(PK,M) := Encrypt( 1, PK, M)

Note: slightly more complicated defs in [BSW’06]


Security definition

Message hiding: given all private keys:

Encrypt( n+1 , M, PK) P

Encrypt( n+1 , , PK)

Index hiding: for u = 1, … , n :

Challenger

Attacker

m

b’ {0,1}

C* Enc( u+b, PK, m)

b {0,1}

Run Setup(n)

PK, { Kj | j u }


Results

Thm: Secure PLBE Secure TT

Same size CT and priv-keys (black-box and publicly traceable)

New PLBE system:

CT-size = O(n) ; priv-key size = O(1)

enc-time = O(n) ; dec-time = O(1)


n PLBE Construction: hints

Arrange users in matrix

Key for user (x,y): Kx,y Rx Cy

CT: one tuple per row, one tuple per col.

size = O(n)

CT to user (i,j): User (x,y) can dec. if

(x > i) OR [ (x=i) AND (y j) ]

 1  2  3  4  5  6
 7  8  9 10 11 12
13 14 15 16 17 18
19 20 21 22 23 24
25 26 27 28 29 30
31 32 33 34 35 36

n=36 users

[Figure: the same 6 by 6 matrix of users 1 to 36, captioned “Encrypt to user (4,3)”]


Bilinear groups of order N=pq [BGN’05]

G: group of order N=pq. (p,q) – secret.

bilinear map: e: G G GT

G = Gp Gq . gp = gq Gp ; gq = gp Gq

Facts: h G h = (gq)a (gp)b

e( gp , gq ) = e(gp , gq) = e(g,g)N = 1

e( gp , h ) = e( gp , gp)b !!


A n size PLBE

Ciphertext: ( C1, …, Cn, R1, …, Rn )

User (x,y) must pair Rx and Cy to decrypt

[Table: ciphertext components Rx: x < i, Rx: x = i, Rx: x > i, Cy: y < j, Cy: y j, each shown by type in Gq and Gp; legend: Well-formed, Malformed/Random, Zero]

Case          | Result
x < i         | No: Rx not well formed
x=i & y < j   | No: Cy malformed in Gp
x=i & y j     | Yes: both well formed
x > i         | Yes: indep. of column


Summary and Open Problems

New results: [BGW’05, BSW’06, BW’06]

•Full collusion resistance:

• B.E: O(1) CT, O(1) priv-keys … but O(n) PK

• T.T: O(n) CT, O(1) priv-keys.

• T.R.: O(n) CT, O(n) priv-keys.

Open questions:

•Private linear B.E. with O(log n) CT.

•Private B.E. with short ciphertexts.

FCR


THE END


BGN encryption

Subgroup assumption: G p Gp

E(m) : r ZN , C gm (gp)r G

•Additive hom: E(m1+m2) = C1 C2 (gp)r

•One mult hom: E(m1m2) = e(C1,C2) e(gp,gp)r


Results

Thm: Secure PLBE Secure TT

Same size CT and priv-keys (black-box and publicly traceable)

New PLBE system:

CT-size = O(n) ; priv-key size = O(1)

enc-time = O(n) ; dec-time = O(1)

Applications:

•Tracing Traitors : O(n) CTs and O(1) keys.

•Adaptive BE. (need Augmented PLBE)

•Comparison searches on encrypted data.


T.T: a popular problem

O. Berkman, D. Boneh, H. Chabanne, B. Chor, Y. Desmedt, Y. Dodis, N. Fazio, A. Fiat, M. Franklin, E. Gafni, M. Goodrich, D. Halevy,

G. Hanaoka, D. Hieu-Phan, H. Imai, M. Kasahara, A. Kiayias, K. Kurosawa, J. Lotspiech, S. Mitsunari, M. Naor, D. Naor, M. Parnas, B. Pfitzmann, B. Pinkas,

D. Pointcheval, R. Safavi-Naini, A. Sahai, R. Sakai, J. Sgall, A. Shamir, J. Shaw, A. Silverberg, J. Staddon, D. Stinson, J. Sun, R. Tamassia,

G. Tardos, T. Tassa, V. To, M. Waidner, J. Walker, Y. Wang, Y. Watanabe, B. Waters, R. Wei, L. Yin, M. Yung, F. Zhang

32 papers from 49 authors


A Simple System

n users in system, each gets separate key

User i gets Ki

Encrypt message separately to each user – lump it

• (Use “hybrid encryption” and encrypt an AES key)

E(K1 , M) E(K2 , M) … E(Ki , M) … E(Kn , M)

[Figure labels: i, M]


Tracing

Let E’(i, M) => Encrypt R to 1,…,i-1 and M to i,…n

E(K1 , R) E(K2 , R) … E(Ki-1 , R) E(Ki , M) … E(Kn , M)

Pi = prob. pirate device decrypts E’(i,M)

•Can learn Pi’s from probing the device

i    | Pi  |
1    | 100 | Device works
j    | 100 |
j+1  | 35  | User j is an attacker
n+1  | 0   | Everything Random