TRANSCRIPT
1
Secure Broadcast Systems and Perspective on Pairings
Brent Waters
Joint work with Dan Boneh, Craig Gentry, and Amit Sahai
2
Broadcast Systems
Distribute content to a large set of users
• Commercial Content Distribution
• File systems
• Military Grade GPS
• Multicast IP
3
Broadcast Encryption [FN’93]
Encrypt to arbitrary subsets S ⊆ {1,…,n}.
Collusion resistance:
• secure even if all users in S^c (everyone outside S) collude.
Figure: users holding private keys d1, d2, d3 receive the broadcast CT = E[M,S].
4
App : Encrypted File Systems
Broadcast to small sets: |S| << n
Best construction: trivial. |CT| = O(|S|), |priv| = O(1)
Examples: EFS.
Figure: file F stored as E_KF[F]; the file header (< 256K) holds one entry per authorized user: E_PKA[KF], E_PKB[KF], E_PKC[KF].
MS Knowledge Base: “EFS has a limit of 256KB in the file header for the EFS metadata. This limits the number of individual entries for file sharing to a maximum of 800 users.”
5
Broadcast Encryption
Public-key BE system:
• Setup(n): outputs private keys d1, …, dn and public-key PK.
• Encrypt(S, PK, M): Encrypt M for users S ⊆ {1, …, n}. Output ciphertext CT.
• Decrypt(CT, S, j, dj, PK): If j ∈ S, output M.
Note: broadcast contains ( [S], CT )
6
Previous Solutions
t-Collusion resistant schemes [FN’93…]
• Resistant to t colluders
• |CT| = O(t² log n), |priv| = O(t log n)
• Attacker knows t
Broadcast to large sets [NNL, HS, GST…]
• |CT| = O(r), |priv| = O(log n)
• Useful if the number r of revoked players is small
Ciphertext sizes above are in multiples of the security parameter
7
Overview
                            CT size      Priv-key size
Small sets: trivial         O(|S|)       O(1)
Large sets: NNL, HS, GST    O(n−|S|)     O(log n)
Any set (new):
  BGW ’05                   O(1)         O(1)      … but O(n) size public key
  BGW ’05                   O(√n)        O(1)      … O(√n) size public key
Figure: |S| on a scale from 0 to n; EFS and e-mail sit at the small end, DVDs and subscription services at the large end.
8
Broadcast Encryption Security
Semantic security when users collude (static adversary).
Def: Alg. A ε-breaks BE sem. sec. if Pr[b=b’] > ½ + ε
Game between Challenger and Attacker:
  Attacker → Challenger: S ⊆ {1, …, n}
  Challenger runs Setup(n); Challenger → Attacker: PK, { dj | j ∉ S }
  Attacker → Challenger: m0, m1 ∈ G
  Challenger picks b ∈ {0,1}; Challenger → Attacker: C* = Enc(S, PK, mb)
  Attacker outputs b’ ∈ {0,1}
9
Bilinear Maps
G, GT: finite cyclic groups of prime order p.
Def: An admissible bilinear map e: G × G → GT is:
– Bilinear: e(g^a, g^b) = e(g,g)^(ab) for all a,b ∈ Z, g ∈ G
– Efficiently computable.
10
Broadcast System [BGW’05]
Setup(n): g ∈ G, α, γ ∈ Zp, g_k = g^(α^k)
PK = ( g, g_1, g_2, …, g_n, g_(n+2), …, g_(2n), v = g^γ ) ∈ G^(2n+1)
For u = 1,…,n set: K_u = (g_u)^γ ∈ G
Encrypt(S, PK, M): t ∈ Zp
CT = ( g^t, ( v · ∏_{j∈S} g_(n+1−j) )^t, M · e(g_n, g_1)^t )
Decrypt(CT, S, u, K_u, PK): CT = (C0, C1, C2)
Fact: e( g_u, C1 ) / e( K_u · ∏_{j∈S, j≠u} g_(n+1−j+u), C0 ) = e(g_n, g_1)^t
11
Security Theorem
Thm: ∃ t-time alg. that ε-breaks static BE security in G
  ⇒ ∃ t̃-time alg. that ε-solves bilinear n-DDHE in G.
• Open problem: adaptive security with similar params.
• New [BW’06]: adaptive security with O(√n)-size CT
12
Apps: Sharing in Enc. File System
Store PK on file system. n = 2^16, |PK| = 1.2MB
File header: ( [S], E[S,PK,KF] )
Sharing among “800” users:
• 800·2 + 40 = 1640 bytes << 256KB
Each user obtains priv-key d_uid ∈ G from admin.
• Admin only stores the master secret in Zq
Figure: file F stored as E_KF[F]; header Hdr = ( [S], E[S,PK,KF] ) with S ⊆ {1, …, n}, where E[S,PK,KF] is 40 bytes.
13
Summary of Broadcast Enc.
New public-key broadcast encryption systems:
• Full collusion resistance. Constant size priv key.
• System 1: |CT| = O(1), |PK| = O(n)
• System 2: |CT| = O(√n), |PK| = O(√n)
Description of set, |S|, is now the dominant term
14
Tracing Pirate Devices[CFN’94]
• Attacker creates “pirated device”
• Want to trace origin of device
15
T.T: a popular problem
O. Berkman, D. Boneh, H. Chabanne, B. Chor, Y. Desmedt, Y. Dodis, N. Fazio, A. Fiat, M. Franklin, E. Gafni, M. Goodrich, D. Halevy,
G. Hanaoka, D. Hieu-Phan, H. Imai, M. Kasahara, A. Kiayias, K. Kurosawa, J. Lotspiech, S. Mitsunari, M. Naor, D. Naor, M. Parnas, B. Pfitzmann, B. Pinkas,
D. Pointcheval, R. Safavi-Naini, A. Sahai, R. Sakai, J. Sgall, A. Shamir, J. Shaw, A. Silverberg, J. Staddon, D. Stinson, J. Sun, R. Tamassia,
G. Tardos, T. Tassa, V. To, M. Waidner, J. Walker, Y. Wang, Y. Watanabe, B. Waters, R. Wei, L. Yin, M. Yung, F. Zhang
32 papers from 49 authors
16
FAQ-1 “The Content can be Copied?”
DRM impossibility argument
Protecting the service
Goal: Stop attacker from creating devices that access the original broadcast
17
FAQ 2-Why black-box tracing? [BF’99]
D: may contain unrecognized keys, is obfuscated, or tamper resistant.
All we know:
Pr[ M ←R G, C ←R Encrypt(PK, M) : D(C) = M ] > 1 − ε
Figure: pirate decoder D assembled from keys K1, K3 and an unrecognized blob of key material.
18
Formally: Secure TT systems
(1) Semantically secure, and (2) Traceable:
Tracing game between Challenger and Attacker:
  Challenger runs Setup(n)
  Attacker → Challenger: S ⊆ {1, …, n}
  Challenger → Attacker: PK, TK, { Kj | j ∈ S }
  Attacker → Challenger: pirate decoder D
  Challenger runs Trace^D(TK) → i ∈ {1,…,n}
Adversary wins if: (1) Pr[D(C)=M] > 1 − ε, and (2) i ∉ S
19
Brute Force System
Setup(n): Generate n PKE pairs (PKi, Ki)
Output private keys K1, …, Kn
PK ← (PK1, …, PKn), TK ← PK.
Encrypt(PK, M): C ← ( E_PK1(M), …, E_PKn(M) )
Tracing: next slide.
This is the best known TT system secure under arbitrary collusion … until now
20
TraceD(PK): [BF99, NNL00, KY02]
For i = 1, …, n+1 define for M ←R G:
  p_i := Pr[ D( E_PK1(·), …, E_PK(i−1)(·), E_PKi(M), …, E_PKn(M) ) = M ]
  (the first i−1 components carry a message independent of M)
Then: p_1 > 1 − ε ; p_(n+1) ≈ 0
1 − ε ≈ | p_(n+1) − p_1 | = | Σ_{i=1}^{n} ( p_(i+1) − p_i ) | ≤ Σ_{i=1}^{n} | p_(i+1) − p_i |
⇒ Exists i ∈ {1,…,n} s.t. | p_(i+1) − p_i | ≥ (1 − ε)/n
User i must be one of the pirates.
21
Security Theorem
Tracing algorithm estimates: | p̂_i − p_i | < (1 − ε)/4n
Need O(n²) samples per p_i. (D stateless)
Cubic time tracing.
• Can be improved to quadratic in |S|.
Thm: underlying PKE system is semantically secure ⇒ no eff. adv. wins the tracing game with non-neg. adv.
22
Abstracting the Idea [BSW’06]
Properties needed:
For i = 1, …, n+1 need to encrypt M so:
  users 1 … i−1 cannot decrypt; users i … n can decrypt
Without Ki adversary cannot distinguish: Enc(i, PK, M) from Enc(i+1, PK, M)
Linear Broadcast Encryption
Private B.E.
23
Private Linear Broadcast Enc (PLBE)
• Setup(n): outputs private keys K1, …, Kn and public-key PK.
• Encrypt(u, PK, M): Encrypt M for users {u, u+1, …, n}. Output ciphertext CT.
• Decrypt(CT, j, Kj, PK): If j ≥ u, output M
Broadcast-Encrypt(PK, M) := Encrypt(1, PK, M)
Note: slightly more complicated defs in [BSW’06]
24
Security definition
Message hiding: given all private keys, Encrypt(n+1, M, PK) is indistinguishable from an encryption at index n+1 of any other message.
Index hiding: for u = 1, …, n:
  Challenger runs Setup(n); Challenger → Attacker: PK, { Kj | j ≠ u }
  Attacker → Challenger: m
  Challenger picks b ∈ {0,1}; Challenger → Attacker: C* ← Enc(u+b, PK, m)
  Attacker outputs b’ ∈ {0,1}
25
Results
Thm: Secure PLBE ⇒ Secure TT. Same size CT and priv-keys (black-box and publicly traceable)
New PLBE system: CT-size = O(√n); priv-key size = O(1); enc-time = O(n); dec-time = O(1)
26
√n PLBE Construction: hints
Arrange users in a √n × √n matrix
Key for user (x,y): K_x,y
CT: one tuple per row, one tuple per column; size = O(√n)
CT to position (i,j): User (x,y) can decrypt if
  (x > i) OR [ (x = i) AND (y ≥ j) ]
n = 36 users:
   1  2  3  4  5  6
   7  8  9 10 11 12
  13 14 15 16 17 18
  19 20 21 22 23 24
  25 26 27 28 29 30
  31 32 33 34 35 36
Encrypt to position (4,3): users 21 … 36 can decrypt.
27
Bilinear groups of order N=pq [BGN’05]
G: group of order N = pq. (p,q) secret.
bilinear map: e: G × G → GT
G = Gp × Gq. g_p = g^q ∈ Gp ; g_q = g^p ∈ Gq
Facts: ∀ h ∈ G: h = (g_q)^a (g_p)^b
e( g_p, g_q ) = e( g^q, g^p ) = e(g,g)^N = 1
e( g_p, h ) = e( g_p, g_p )^b !!
28
A √n size PLBE
Ciphertext: ( C_1, …, C_√n, R_1, …, R_√n )
User (x,y) must pair R_x and C_y to decrypt
Component shapes for a ciphertext aimed at position (i,j):
  Component       Gq part             Gp part
  R_x: x < i      malformed/random    malformed/random
  R_x: x = i      well-formed         well-formed
  R_x: x > i      well-formed         zero
  C_y: y < j      well-formed         malformed/random
  C_y: y ≥ j      well-formed         well-formed
  Case             Result
  x < i            No: R_x not well formed
  x = i & y < j    No: C_y malformed in Gp
  x = i & y ≥ j    Yes: both well formed
  x > i            Yes: indep. of column (Gp part of R_x is zero, so the Gp part of C_y drops out)
Legend: Well-formed / Malformed-Random / Zero
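The matrix layout and the well-formedness table above, as an added example that is not part of the talk: each R_x and C_y is modelled only by the shape of its Gp and Gq parts, decryption is decided from the pairing rule e(g_p, g_q) = 1 of the composite-order slide, and the code checks that the decrypting set for every target position is a row-major suffix, which is exactly the linear property PLBE needs. No group arithmetic is performed; the component shapes, function names and the 6×6 sample are constructed for this example.

```python
# Added example (not from the talk): the sqrt(n) PLBE layout modelled by the
# shape of each component's G_p and G_q parts only.  Users fill an m x m
# matrix (n = m*m); a ciphertext aimed at position (i, j) carries one row
# component R_x per row and one column component C_y per column, and user
# (x, y) decrypts by pairing R_x with C_y.  No group arithmetic is done; the
# shapes, names and the 6x6 sample are constructed for this example.
from dataclasses import dataclass
from typing import List, Tuple

WELL_FORMED, RANDOM, ZERO = "well-formed", "random", "zero"


@dataclass(frozen=True)
class Component:
    gq: str  # shape of the G_q part
    gp: str  # shape of the G_p part


def row_component(x: int, i: int) -> Component:
    """R_x for a ciphertext aimed at row i."""
    if x < i:
        return Component(RANDOM, RANDOM)            # rows above the target: unusable
    if x == i:
        return Component(WELL_FORMED, WELL_FORMED)  # target row: both parts live
    return Component(WELL_FORMED, ZERO)             # rows below: G_p part is the identity


def col_component(y: int, j: int) -> Component:
    """C_y for a ciphertext aimed at column j."""
    if y < j:
        return Component(WELL_FORMED, RANDOM)       # malformed only in G_p
    return Component(WELL_FORMED, WELL_FORMED)


def pairing_ok(r: Component, c: Component) -> bool:
    """Does e(R_x, C_y) yield the blinding factor?  G_p and G_q pair
    independently (e(g_p, g_q) = 1), so an identity G_p part on one side
    cancels whatever the other side carries in G_p."""
    if r.gq != WELL_FORMED or c.gq != WELL_FORMED:
        return False
    if r.gp == ZERO or c.gp == ZERO:
        return True
    return r.gp == WELL_FORMED and c.gp == WELL_FORMED


def can_decrypt(x: int, y: int, i: int, j: int) -> bool:
    return pairing_ok(row_component(x, i), col_component(y, j))


def stated_condition(x: int, y: int, i: int, j: int) -> bool:
    """The decryption condition as stated on the construction slide."""
    return x > i or (x == i and y >= j)


def user_to_position(u: int, m: int) -> Tuple[int, int]:
    """1-based row-major layout: user 1 is (1,1), user m+1 is (2,1)."""
    return (u - 1) // m + 1, (u - 1) % m + 1


def position_to_user(x: int, y: int, m: int) -> int:
    return (x - 1) * m + y


def decryptable_users(i: int, j: int, m: int) -> List[int]:
    return [u for u in range(1, m * m + 1)
            if can_decrypt(*user_to_position(u, m), i, j)]


def ciphertext_components(m: int) -> int:
    """2*sqrt(n) components for n = m*m users."""
    return 2 * m


def is_linear(m: int) -> bool:
    """PLBE needs: for every target position, the decrypting set is exactly
    the suffix {u, ..., n} of the row-major order, and the shape-based rule
    must agree with the stated condition everywhere."""
    n = m * m
    for i in range(1, m + 1):
        for j in range(1, m + 1):
            u = position_to_user(i, j, m)
            if decryptable_users(i, j, m) != list(range(u, n + 1)):
                return False
            for x in range(1, m + 1):
                for y in range(1, m + 1):
                    if can_decrypt(x, y, i, j) != stated_condition(x, y, i, j):
                        return False
    return True


if __name__ == "__main__":
    print("users able to decrypt position (4,3):", decryptable_users(4, 3, 6))
    print("ciphertext components for n=36:", ciphertext_components(6))
    print("linear for n=36:", is_linear(6))
```

The check in is_linear is the point of the layout: a target position (i,j) is just the row-major index u of user (i,j), and exactly users u … n decrypt, with 2√n components instead of n. The zero Gp part on rows below the target is what makes those rows ignore the column entirely, so the column malformation only ever bites on the target row.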
29
Trace and Revoke [BW06]
What happens when we catch a traitor?
• Torture?
• Re-do system?
Want Broadcast and Tracing simultaneously
• Trivial combination does not work
BW06
• Combined ideas
• Bonus: Adaptive Security & Better Assumptions
30
Trace and Revoke
31
T&R=A simple Combination?
Encrypt: split M into shares R and M−R; encrypt R under the B.E. system and M−R under the T.T. system.
Decrypt: recover R from the BE half and M−R from the TT half; add them to get M.
32
A simple Attack
Same split: the BE half carries R, the TT half carries M−R.
2 colluders split duties: one decrypts the BE half, the other the TT half.
Catch the same one over and over (box still works)
33
Our Approach (Intuition)
Can’t allow attackers to “separate” systems
• In general hard to combine
BGW05 (Broadcast) and BSW06 (Traitor Tracing) both algebraic
Multiply private keys together so they can’t be separated
• Not so easy… needed a different B.E. scheme
34
Summary
New results: [BGW’05, BSW’06, BW’06]
• Full collusion resistance:
  • B.E: O(1) CT, O(1) priv-keys … but O(n) PK
  • T.T: O(√n) CT, O(1) priv-keys.
  • T.R.: O(√n) CT, O(√n) priv-keys.
FCR
35
Open Problems
Broadcast:
• Constant size everything (CT, pub/priv keys)
• Same params with adaptive security
Traitor Tracing:
• Private linear B.E. with O(log n) CT.
• Private B.E. from Linear Assumption
FCR
36
Pairings from the Outside
Identity-based encryption [BF01]
• Efficient Selective-ID Secure IBE without Random Oracles [BB04a]
• Secure IBE without Random Oracles [BB04a]
• Efficient IBE without Random Oracles [W05]
• Practical IBE without Random Oracles [Gen06]
A ID-Based Deniable Authentication Protocol on pairings
37
Organizing Contributions (My View)
1. Identity-Based Encryption
2. Signatures ??
3. Slightly 2-Homomorphic
4. NIZKs
5. Broadcast and Tracing
38
IBE [BF01]
IBE [BF01]: Public key encryption scheme where the public key is an arbitrary string (ID). Example: user’s e-mail address.
Figure: e-mail encrypted using the public key “[email protected]”; the CA/PKG holds the master-key and issues the private key to whoever proves “I am [email protected]”.
Alice does not access a PKI. Authority is offline.
Is regular PKI good enough?
39
Idea is Bigger
Encrypt “Structured” Data
Figure: CA/PKG holding the master-key answers a capability request with a private “capability”; authority is offline.
40
Health Records
Figure: CA/PKG holding the master-key issues a private “capability”; authority is offline.
Record: Weight = 125, Height = 5’4, Age = 46, Blood Pressure = 125, Partners = …
Capability: If Weight/Height > 30 AND Age > 45, output Blood Pressure
No analogous PKI solution
41
IBE Class
IBE [BF01, CHK04, BB04, W05, Gen06]
HIBE[ HL02, GS02]
Searching on Enc. Data[BDOP04, BoyW06, BonW06]
Attribute-Based Enc. [SW05, GPSW06]
Trend of Structured Encryptions
42
NIZKs
Two GOS06 papers
• 3 points of interest:
1) Perfect Hiding NIZK, ZAPs (Theoretical)
2) Most Efficient NIZK (but still bit by bit)
3) Speak Bilinear Maps “Natively” (cool): build Group Sigs [BW06], other stuff
43
An Upcoming Wall?
No 3-Linear Map
Advanced IBE somewhat limited
Traitor Tracing stuck at √n
NIZKs kind of done
44
Some Inspiration
Composite Order Groups
45
THE END
46
Security Problems
1) Access control of content
• Broadcast targeted to certain set
• e.g. All paying subscribers
2) Identifying compromised insiders
• Clones and distributes pirate decoders
• Trace back to attacker
47
A Trivial Solution
Small private key, large ciphertext.
• Every user j has unique private key dj.
CT = { E_dj[M] | j ∈ S }
|CT| = O(|S|), |priv| = O(1)