Transcript of "Secure Broadcast Systems and Perspective on Pairings", Brent Waters, joint work with Dan Boneh, Craig Gentry, and Amit Sahai.

Page 1

Secure Broadcast Systems and Perspective on Pairings

Brent Waters

Joint work with Dan Boneh, Craig Gentry, and Amit Sahai

Page 2

Broadcast Systems

Distribute content to a large set of users

• Commercial content distribution
• File systems
• Military-grade GPS
• Multicast IP

Page 3

Broadcast Encryption [FN'93]

Encrypt to arbitrary subsets S.

Collusion resistance: secure even if all users in $S^c$ (the complement of S) collude.

Figure: users holding private keys $d_1, d_2, d_3$; a target set $S \subseteq \{1, \dots, n\}$; the broadcast ciphertext CT = E[M, S].

Page 4

App: Encrypted File Systems

Broadcast to small sets: |S| << n

Best construction: trivial. |CT| = O(|S|), |priv| = O(1)

Example: EFS.

Figure: file F stored as $E_{K_F}[F]$; the file header (< 256K) carries $E_{PK_A}[K_F]$, $E_{PK_B}[K_F]$, $E_{PK_C}[K_F]$, i.e. the file key $K_F$ wrapped under each sharer's public key.

MS Knowledge Base: "EFS has a limit of 256KB in the file header for the EFS metadata. This limits the number of individual entries for file sharing to a maximum of 800 users."

Page 5

Broadcast Encryption

Public-key BE system:

• Setup(n): outputs private keys $d_1, \dots, d_n$ and public key PK.
• Encrypt(S, PK, M): encrypt M for users $S \subseteq \{1, \dots, n\}$. Output ciphertext CT.
• Decrypt(CT, S, j, $d_j$, PK): if $j \in S$, output M.

Note: the broadcast contains ( [S], CT ).

Page 6

Previous Solutions

t-Collusion resistant schemes [FN'93 …]
• Resistant to t colluders
• $|CT| = O(t^2 \log n)$, $|priv| = O(t \log n)$
• Attacker knows t

Broadcast to large sets [NNL, HS, GST …]
• $|CT| = O(r)$, $|priv| = O(\log n)$
• Useful if the number r of revoked players is small

Ciphertext sizes above are in multiples of the security parameter.

Page 7

Overview

| Setting | CT size | Priv-key size | Note |
|---|---|---|---|
| Small sets: trivial | O(\|S\|) | O(1) | |
| Large sets: NNL, HS, GST | O(n - \|S\|) | O(log n) | |
| Any set (new): BGW '05 | O(1) | O(1) | … but O(n) size public key |
| Any set (new): BGW '05 | O(√n) | O(1) | … O(√n) size public key |

Figure: applications placed along the |S| axis from 0 to n: EFS and Email (small sets) near 0, DVDs and subscription services near n.

Page 8

Broadcast Encryption Security

Semantic security when users collude (static adversary).

Def: Alg. A ε-breaks BE semantic security if $\Pr[b = b'] > 1/2 + \epsilon$.

Game (Challenger vs. Attacker):
1. Attacker chooses $S \subseteq \{1, \dots, n\}$.
2. Challenger runs Setup(n) and sends PK and $\{ d_j \mid j \notin S \}$.
3. Attacker sends $m_0, m_1 \in G$.
4. Challenger picks $b \in \{0,1\}$ and sends $C^* = Enc(S, PK, m_b)$.
5. Attacker outputs $b' \in \{0,1\}$.

Page 9

Bilinear Maps

$G, G_T$: finite cyclic groups of prime order p.

Def: An admissible bilinear map $e: G \times G \to G_T$ is:
– Bilinear: $e(g^a, g^b) = e(g,g)^{ab}$ for all $a, b \in \mathbb{Z}$, $g \in G$
– Efficiently computable.

Page 10

Broadcast System [BGW'05]

Setup(n): $g \in G$, $\alpha, \gamma \in Z_p$, $g_k = g^{(\alpha^k)}$

$PK = ( g, g_1, g_2, \dots, g_n, g_{n+2}, \dots, g_{2n}, v = g^\gamma ) \in G^{2n+1}$

For $u = 1, \dots, n$ set: $K_u = (g_u)^\gamma \in G$

Encrypt(S, PK, M): $t \in Z_p$

$CT = \left( g^t,\ \left( v \prod_{j \in S} g_{n+1-j} \right)^t,\ M \cdot e(g_n, g_1)^t \right)$

Decrypt(CT, S, u, $K_u$, PK): $CT = (C_0, C_1, C_2)$

Fact: $e(g_u, C_1) \,/\, e\left( K_u \prod_{j \in S,\, j \neq u} g_{n+1-j+u},\ C_0 \right) = e(g_n, g_1)^t$

Page 11

Security Theorem

Thm: a t-time alg. that ε-breaks static BE security in G ⟹ a (≈ t)-time alg. that ε-solves bilinear n-DDHE in G.

• Open problem: adaptive security with similar params.
• New [BW'06]: adaptive security with O(√n)-size CT

Page 12

Apps: Sharing in Enc. File System

Store PK on the file system. $n = 2^{16}$, |PK| = 1.2MB

File header: ( [S], E[S, PK, $K_F$] )

Sharing among "800" users:
• 800 · 2 + 40 = 1640 bytes << 256KB

Each user obtains priv-key $d_{uid} \in G$ from the admin.
• Admin only stores $\gamma \in Z_q$

Figure: file F stored as $E_{K_F}[F]$ with header Hdr = ( [S], E[S, PK, $K_F$] ), where $S \subseteq \{1, \dots, n\}$ and the encrypted file key is 40 bytes.

Page 13

Summary of Broadcast Enc.

New public-key broadcast encryption systems:
• Full collusion resistance. Constant size private key.
• System 1: |CT| = O(1), |PK| = O(n)
• System 2: |CT| = O(√n), |PK| = O(√n)

The description of the set, |S|, is now the dominant term.

Page 14

Tracing Pirate Devices [CFN'94]

• Attacker creates a "pirated device"
• Want to trace the origin of the device

Page 15

T.T.: a popular problem

O. Berkman, D. Boneh, H. Chabanne, B. Chor, Y. Desmedt, Y. Dodis, N. Fazio, A. Fiat, M. Franklin, E. Gafni, M. Goodrich, D. Halevy, G. Hanaoka, D. Hieu-Phan, H. Imai, M. Kasahara, A. Kiayias, K. Kurosawa, J. Lotspiech, S. Mitsunari, M. Naor, D. Naor, M. Parnas, B. Pfitzmann, B. Pinkas, D. Pointcheval, R. Safavi-Naini, A. Sahai, R. Sakai, J. Sgall, A. Shamir, J. Shaw, A. Silverberg, J. Staddon, D. Stinson, J. Sun, R. Tamassia, G. Tardos, T. Tassa, V. To, M. Waidner, J. Walker, Y. Wang, Y. Watanabe, B. Waters, R. Wei, L. Yin, M. Yung, F. Zhang

32 papers from 49 authors

Page 16

FAQ 1: "The Content Can Be Copied?"

DRM impossibility argument.

Protecting the service. Goal: stop the attacker from creating devices that access the original broadcast.

Page 17

FAQ 2: Why black-box tracing? [BF'99]

D may contain unrecognized keys, be obfuscated, or be tamper resistant.

All we know: $\Pr[\, M \leftarrow_R G,\ C \leftarrow_R Encrypt(PK, M) : D(C) = M \,] > 1 - \epsilon$

Figure: the pirate decoder D as a black box containing keys $K_1, K_2, K_3$ together with unrecognizable material.

Page 18

Formally: Secure TT systems

(1) Semantically secure, and (2) Traceable:

Game (Challenger vs. Attacker):
1. Attacker chooses $S \subseteq \{1, \dots, n\}$.
2. Challenger runs Setup(n) and sends PK, TK, and $\{ K_j \mid j \in S \}$.
3. Attacker outputs a pirate decoder D.
4. Challenger runs $Trace^D(TK)$, which outputs $i \in \{1, \dots, n\}$.

Adversary wins if: (1) $\Pr[D(C) = M] > 1 - \epsilon$, and (2) $i \notin S$.

Page 19

Brute Force System

Setup(n): generate n PKE pairs $(PK_i, K_i)$. Output private keys $K_1, \dots, K_n$, $PK \leftarrow (PK_1, \dots, PK_n)$, $TK \leftarrow PK$.

Encrypt(PK, M): $C \leftarrow ( E_{PK_1}(M), \dots, E_{PK_n}(M) )$

Tracing: next slide.

This is the best known TT system secure under arbitrary collusion … until now.

Page 20

$Trace^D(PK)$: [BF99, NNL00, KY02]

For $i = 1, \dots, n+1$ define, for $M \leftarrow_R G$ and a random message $R$:

$p_i := \Pr[\, D( E_{PK_1}(R), \dots, E_{PK_{i-1}}(R), E_{PK_i}(M), \dots, E_{PK_n}(M) ) = M \,]$

Then: $p_1 > 1 - \epsilon$; $p_{n+1} \approx 0$

$1 - \epsilon \approx |p_{n+1} - p_1| = \left| \sum_{i=1}^{n} (p_{i+1} - p_i) \right| \le \sum_{i=1}^{n} |p_{i+1} - p_i|$

Exists $i \in \{1, \dots, n\}$ s.t. $|p_{i+1} - p_i| \ge (1 - \epsilon)/n$

User i must be one of the pirates.

Page 21

Security Theorem

Tracing algorithm estimates: $|\hat{p}_i - p_i| < (1 - \epsilon)/4n$

Need $O(n^2)$ samples per $p_i$ (D is stateless). Cubic time tracing.
• Can be improved to quadratic in |S|.

Thm: if the underlying PKE system is semantically secure, then no efficient adversary wins the tracing game with non-negligible advantage.

Page 22

Abstracting the Idea [BSW'06]

Properties needed: for $i = 1, \dots, n+1$ we need to encrypt M so that, without $K_i$, the adversary cannot distinguish Enc(i, PK, M) from Enc(i+1, PK, M).

Figure: users 1, …, i-1 cannot decrypt; users i, …, n can decrypt. Labels: Linear Broadcast Encryption; Private B.E.

Page 23

Private Linear Broadcast Enc (PLBE)

• Setup(n): outputs private keys $K_1, \dots, K_n$ and public key PK.
• Encrypt(u, PK, M): encrypt M for users {u, u+1, …, n}. Output ciphertext CT.
• Decrypt(CT, j, $K_j$, PK): if $j \ge u$, output M.

Broadcast-Encrypt(PK, M) := Encrypt(1, PK, M)

Note: slightly more complicated defs in [BSW'06]

Page 24

Security definition

Message hiding: given all private keys, Encrypt( n+1, M, PK ) $\approx_P$ Encrypt( n+1, ·, PK )

Index hiding: for u = 1, …, n:

Game (Challenger vs. Attacker):
1. Challenger runs Setup(n) and sends PK and $\{ K_j \mid j \neq u \}$.
2. Attacker sends m.
3. Challenger picks $b \in \{0,1\}$ and sends $C^* \leftarrow Enc(u+b, PK, m)$.
4. Attacker outputs $b' \in \{0,1\}$.

Page 25

Results

Thm: Secure PLBE ⟹ Secure TT, with the same size CT and priv-keys (black-box and publicly traceable).

New PLBE system: CT size = O(√n); priv-key size = O(1); enc-time = O(√n); dec-time = O(1)

Page 26

√n PLBE Construction: hints

Arrange users in a √n × √n matrix. Key for user (x,y): $K_{x,y}$

CT: one tuple per row, one tuple per column. Size = O(√n)

CT to position (i,j): user (x,y) can decrypt iff (x > i) OR [ (x = i) AND (y ≥ j) ]

Figure: n = 36 users laid out as a 6 × 6 matrix numbered 1 to 36 row by row; encrypting to position (4,3) lets row 4 from column 3 onward and all of rows 5 and 6 decrypt.

Page 27

Bilinear groups of order N = pq [BGN'05]

G: group of order N = pq. (p, q) secret.

Bilinear map: $e: G \times G \to G_T$

$G = G_p \times G_q$. $g_p = g^q \in G_p$; $g_q = g^p \in G_q$

Facts: $h \in G \Rightarrow h = (g_q)^a (g_p)^b$

$e(g_p, g_q) = e(g^q, g^p) = e(g,g)^N = 1$

$e(g_p, h) = e(g_p, g_p)^b$ !!

Page 28

A √n size PLBE

Ciphertext: $( C_1, \dots, C_{\sqrt{n}}, R_1, \dots, R_{\sqrt{n}} )$

User (x,y) must pair $R_x$ and $C_y$ to decrypt.

Component types for a ciphertext to position (i,j), each classified in its $G_q$ part and its $G_p$ part as well-formed, malformed/random, or zero:
• $R_x$: x < i
• $R_x$: x = i
• $R_x$: x > i
• $C_y$: y < j
• $C_y$: y ≥ j

| Case | Result |
|---|---|
| x < i | No: $R_x$ not well formed |
| x = i & y < j | No: $C_y$ malformed in $G_p$ |
| x = i & y ≥ j | Yes: both well formed |
| x > i | Yes: independent of column |

Page 29

Trace and Revoke [BW06]

What happens when we catch a traitor?
• Torture?
• Re-do the system?

Want broadcast and tracing simultaneously
• Trivial combination does not work

BW06
• Combined ideas
• Bonus: adaptive security and better assumptions

Page 30

Trace and Revoke

Page 31

T&R = a simple combination?

Figure: Encrypt splits M into shares R and M-R, encrypting R with the B.E. system and M-R with the T.T. system; Decrypt recovers R from BE and M-R from TT and recombines them into M.

Page 32

A simple attack

Figure: the same split construction, with R recovered through the BE part and M-R through the TT part.

2 colluders split duties: one handles the BE share, the other the TT share. Tracing catches the same one over and over (the box still works).

Page 33

Our Approach (Intuition)

Can't allow attackers to "separate" the systems
• In general hard to combine

BGW05 (Broadcast) and BSW06 (Traitor Tracing) are both algebraic

Multiply private keys together so they can't be separated
• Not so easy … needed a different B.E. scheme

Page 34

Summary

New results: [BGW'05, BSW'06, BW'06]
• Full collusion resistance (FCR):
  • B.E.: O(1) CT, O(1) priv-keys … but O(n) PK
  • T.T.: O(√n) CT, O(1) priv-keys.
  • T.R.: O(√n) CT, O(√n) priv-keys.

Page 35

Open Problems (FCR)

Broadcast:
• Constant size everything (CT, pub/priv keys)
• Same params with adaptive security

Traitor Tracing:
• Private linear B.E. with O(log n) CT.
• Private B.E. from the Linear Assumption

Page 36

Pairings from the Outside

Identity-based encryption [BF01]
• Efficient Selective-ID Secure IBE without Random Oracles [BB04a]
• Secure IBE without Random Oracles [BB04a]
• Efficient IBE without Random Oracles [W05]
• Practical IBE without Random Oracles [Gen06]

A ID-Based Deniable Authentication Protocol on pairings

Page 37

Organizing Contributions (My View)

1. Identity-Based Encryption

2. Signatures ??

3. Slightly 2-Homomorphic

4. NIZKs

5. Broadcast and Tracing

Page 38

IBE [BF01]

IBE [BF01]: public-key encryption scheme where the public key is an arbitrary string (ID). Example: a user's e-mail address.

Figure: email encrypted using the public key "[email protected]"; Alice proves "I am [email protected]" to the CA/PKG holding the master-key and receives her private key. Alice does not access a PKI; the authority is offline.

Is regular PKI good enough?

Page 39

Idea is Bigger

Encrypt "structured" data

Figure: the CA/PKG holding the master-key answers a capability request with a private "capability"; the authority is offline.

Page 40

Health Records

Figure: the CA/PKG holding the master-key issues a private "capability"; the authority is offline.

Record: Weight = 125, Height = 5'4, Age = 46, Blood Pressure = 125, Partners = …

Capability: If Weight/Height > 30 AND Age > 45, output Blood Pressure

No analogous PKI solution

Page 41

IBE Class

IBE [BF01, CHK04, BB04, W05, Gen06]

HIBE [HL02, GS02]

Searching on Enc. Data [BDOP04, BoyW06, BonW06]

Attribute-Based Enc. [SW05, GPSW06]

Trend of structured encryptions

Page 42

NIZKs

Two GOS06 papers, 3 points of interest:
1) Perfect hiding NIZK, ZAPs (theoretical)
2) Most efficient NIZK (but still bit by bit)
3) Speak bilinear maps "natively" (cool): build group signatures [BW06], other stuff

Page 43

An Upcoming Wall?

No 3-linear map

Advanced IBE somewhat limited

Traitor Tracing stuck at √n

NIZKs kind of done

Page 44

Some Inspiration

Composite Order Groups

Page 45

THE END

Page 46

Security Problems

1) Access control of content
• Broadcast targeted to a certain set
• e.g. all paying subscribers

2) Identifying compromised insiders
• Insider clones and distributes pirate decoders
• Trace back to the attacker

Page 47

A Trivial Solution

Small private key, large ciphertext.
• Every user j has a unique private key $d_j$.

$CT = \{ E_{d_j}[M] \mid j \in S \}$

|CT| = O(|S|), |priv| = O(1)