symmetric encryption - georgetown...
TRANSCRIPT
Symmetric EncryptionAdam O’Neill
based on http://cseweb.ucsd.edu/~mihir/cse207/
SyntaxEat $
1
-k7t~
m→T# c- Do → m
drawrandomised } distinguishes from
or Hatefulywckcipter
CorrectnessPr [ NCK
,Eck ,M))=M]=1
fm in the message - space
where the probability is orer, .
K # K and the
Coins of { if any .
Modes of OperationModes of operation
E : {0, 1}k ⇥ {0, 1}n ! {0, 1}` a family of functions
Usually a block cipher, in which case ` = n.
Notation: x [i ] is the i-th block of a string x, so that x = x [1] . . . x [m].Length of blocks varies.
Always:
Alg KK
$ {0, 1}kreturn K
Mihir Bellare UCSD 4
Modes of OperationModes of operation
Block cipher provides parties sharing K with
EK
M
C
which enables them to encrypt a 1-block message.
How do we encrypt a long message using a primitive that only applies ton-bit blocks?
Mihir Bellare UCSD 5
ECBXID ...
x[ on )I d
Ee Ett d
Electronic code book mode Cfl ] CENT
Algorithm E ( k,
x ) Algorikm Dabck ,c )Ecb
let ×=xTi ].
-x[ m ] let ⇐ EZD
. - In ]For it 1 to m do : For i. 1 to m do :
ei ←
Eklxi) xitetlcd
Let c=c[ is.
-
ctn ) let x=xFD . - In ]
return C return X
Security of ECBleaks input equality !
Security of ECBSecurity of ECB
Suppose we know that there are only two possible messages, Y = 1n andN = 0n, for example representing
• FIRE or DON’T FIRE a missile• BUY or SELL a stock• Vote YES or NO
Then ECB algorithm will be EK (M) = EK (M).
EK
M
C
Mihir Bellare UCSD 8
Voting with ECBVoters
*
did IIIIIIIO. "
Is this avoidable?Is this avoidable?
Let SE = (K, E ,D) be ANY encryption scheme.
Suppose M1,M2 2 {Y ,N} and
• Sender sends ciphertexts C1 EK (M1) and C2 EK (M2)
• Adversary A knows that M1 = Y
Adversary says: If C2 = C1 then M2 must be Y else it must be N.
Does this attack work?
Yes, if E is deterministic.
Mihir Bellare UCSD 10
Randomized EncryptionRandomized encryption
For encryption to be secure it must be randomized
That is, algorithm EK flips coins.
If the same message is encrypted twice, we are likely to get back di↵erentanswers. That is, if M1 = M2 and we let
C1$ EK (M1) and C2
$ EK (M2)
thenPr [C1 = C2]
will (should) be small, where the probability is over the coins of E .
Mihir Bellare UCSD 12
Randomized EncryptionRandomized encryption
A fundamental departure from classical and conventional notions ofencryption.
Clasically, encryption (e.g., substitution cipher) is a code, associating toeach message a unique ciphertext.
Now, we are saying no such code is secure, and we look to encryptionmechanisms which associate to each message a number of di↵erentpossible ciphertexts.
Mihir Bellare UCSD 14
CBC$CBC$: Cipher Block Chaining with random IV mode
SE = (K, E ,D) where:
Alg EK (M)
C [0] $ {0, 1}nfor i = 1, . . . ,m do
C [i ] EK (M[i ]� C [i � 1])return C
Alg DK (C )
for i = 1, . . . ,m do
M[i ] E�1K (C [i ])� C [i � 1]
return M
Correct decryption relies on E being a block cipher.Mihir Bellare UCSD 15
CBLCTR Cipher . block
Chaining mode
µ Called initial :ztnvector Eu )
Voting with CBC$Voters
¥m9e÷IIon# tally. Ek( vote
,of IV )
:¥ PinkEcrocsilkyoten
)=)¥5
F. (
Votenotwn
)
Towards a Definition
• We see CBC$ is better than ECB in some sense.
• But is it secure?
• What does secure mean here?
Security RequirementsSecurity requirements
Suppose sender computes
C1$ EK (M1) ; · · · ; Cq
$ EK (Mq)
Adversary A has C1, . . . ,Cq
What if A
Retrieves K Bad!Retrieves M1 Bad!
But also we want to hide all partial information about the data stream,such as
• Does M1 = M2?
• What is first bit of M1?
• What is XOR of first bits of M1,M2?
Something we won’t hide: the length of the messageMihir Bellare UCSD 21
What we seek• A “master” property that
What we seek• A “master” property that
• Can be easily specified
What we seek• A “master” property that
• Can be easily specified
• Allows us to evaluate whether a scheme is secure
What we seek• A “master” property that
• Can be easily specified
• Allows us to evaluate whether a scheme is secure
• Implies a ciphertext reveals NO partial information about plaintext
What we seek• A “master” property that
• Can be easily specified
• Allows us to evaluate whether a scheme is secure
• Implies a ciphertext reveals NO partial information about plaintext
• In the case of a blockcipher the master property was PRF-security. Here it is different because encryption should be randomized
IntuitionIntuition for definition of IND-CPA
The master property MP is called IND-CPA (indistinguishability underchosen plaintext attack).
Consider encrypting one of two possible message streams, either
M10 , ...,M
q0
orM1
1 , ...,Mq1
Adversary, given ciphertexts and both data streams, has to figure outwhich of the two streams was encrypted.
Mihir Bellare UCSD 23
lmiklmilti
IND-CPA GamesGames for ind-cpa-advantage of an adversary A
Let SE = (K, E ,D) be an encryption scheme
Game LeftSE
procedure Initialize
K$ K
procedure LR(M0,M1)
Return C$ EK (M0)
Game RightSE
procedure Initialize
K$ K
procedure LR(M0,M1)
Return C$ EK (M1)
Associated to SE ,A are the probabilities
PrhLeft
ASE)1
iPr
hRight
ASE)1
i
that A outputs 1 in each world. The (ind-cpa) advantage of A is
Adv
ind-cpaSE (A) = Pr
hRight
ASE)1
i� Pr
hLeft
ASE)1
i
Mihir Bellare UCSD 24
In distinguish ability under chosen - plaintext attack
Measure of SuccessThe measure of success
Adv
ind-cpaSE (A) ⇡ 1 means A is doing well and SE is not ind-cpa-secure.
Adv
ind-cpaSE (A) ⇡ 0 (or 0) means A is doing poorly and SE resists the
attack A is mounting.
Adversary resources are its running time t and the number q of its oraclequeries, the latter representing the number of messages encrypted.
Security: SE is IND-CPA-secure if Advind-cpaSE (A) is “small” for ALL Athat use “practical” amounts of resources.
Insecurity: SE is not IND-CPA-secure if we can specify an explicit A thatuses “few” resources yet achieves “high” ind-cpa-advantage.
Mihir Bellare UCSD 25
IND-CPA security of ECBin
Adversary ACRC .
,. )
M.
← IlMet ol
C ← LRLM.,µ ,
) -In LEFT ret
LRCM . ,m .)
✓ €kCMo )
C '← RIGHT at
It c=c'
ret 0 Even , )
Else ret I
Added
.tn#=prTRIbttEaast7H-prEtt.t.aEnf
Right Game AnalysisCtapffmbttteni .⇒A=1 .
Proof Since Mo # M,
and EK is determinate
we have Ctd.
⇒ A returns 1$
Left Game AnalysisClaim
. PELEFTEAA,
⇒ 17 IO
Proof Analogous .
ConclusionAdviencdjon (a) = 1 - 0=1
⇒ GCB is notIWD - CPA secure
!
Any deterministic scheme is not IND-CPA
The theorem generalizes to show that thesame adversary breaks
any deterministicenc scheme ( meaning E is deterministic & Stateless )
CTR$CTR$ mode
Let E : {0, 1}k ⇥ {0, 1}n ! {0, 1}` be a family of functions. If X 2 {0, 1}nand i 2 N then X + i denotes the n-bit string formed by converting X toan integer, adding i modulo 2n, and converting the result back to an n-bitstring. Below the message is a sequence of `-bit blocks:
Alg EK (M)
C [0] $ {0, 1}nfor i = 1, . . . ,m do
P[i ] EK (C [0] + i)C [i ] P[i ]�M[i ]
return C
Alg DK (C )
for i = 1, . . . ,m do
P[i ] EK (C [0] + i)M[i ] P[i ]� C [i ]
return M
Mihir Bellare UCSD 16
CM - C
¥ Gnline - offline
* parwlli table
Birthday Attack on CTR$Birthday attack on CTR$
Let E : {0, 1}k ⇥ {0, 1}n ! {0, 1}` be a family of functions and SE = (K,E ,D) the corresponding CTR$ symmetric encryption scheme. Suppose1-block messages M0,M1 are encrypted:
C0[0]C0[1]$ E(K ,M0) C1[0]C1[1]
$ E(K ,M1)
Let us say we are lucky If C0[0] = C1[0]. If so:
C0[1] = C1[1] if and only if M0 = M1
So if we are lucky we can detect message equality and violate IND-CPA.Mihir Bellare UCSD 38
E¥f
The AdversaryBirthday attack on CTR$
Let 1 q < 2n be a parameter and let hii be integer i encoded as an `-bitstring.
adversary A
for i = 1, ..., q do
C i [0]C i [1] $ LR(hii, h0i)S {(j , t) : C j [0] = C t [0] and j < t}If S 6= ;, then
(j , t) $ SIf C j [1] = C t [1] then return 1
return 0
Mihir Bellare UCSD 39
Birthday Of queryq
birthday attack
adversary
← µ±fPr[rioHEaigm⇒D- Preening'⇒D
Want to know Adviundrjem ( Aida " ) zoisodzl
Left Game AnalysisAyr
'
Abadan⇒ If = O
.Prf letters
ProofTwo cases :
Case 1 . S=f$ . Then CIED ot Cj > A city # ( ⇒
Since Cite ]=ct 'Ll ] and j¥t .
Case 2 = 5=4 .A always oupits O
.
So in either case A outputs O⇒
Right Game AnalysisClaim Pr[Rl6HEAm£$M ] } o
.3q÷-
proof If s # ¢ then we have
Cs 'Ll ]=@'Cozy ) goal =< ettoftlsoolsince C
's'LoT=ctZo ]
.
i
ConclusionAdrien:P
"
C Abi.,) I G 3¥
`Security of CTR$
So far: A q-query adversary can break CTR$ with advantage ⇡ q2
2n+1
Question: Is there any better attack?
Answer: NO!
We can prove that the best q-query attack short of breaking the blockcipher has advantage at most
2(q � 1)�
2n
where � is the total number of blocks across all messages encrypted.
Example: If q 1-block messages are encrypted then � = q so the adversaryadvantage is not more than 2q2/2n.
For E = AES this means up to about 264 blocks may be securelyencrypted, which is good.Mihir Bellare UCSD 45
Security of CTR$
The TheoremSecurity of CTR$
Theorem: [BDJR97] Let E : {0, 1}k ⇥ {0, 1}n ! {0, 1}` be a family offunctions and SE = (K, E ,D) the corresponding CTR$ symmetricencryption scheme. Let A be an ind-cpa adversary against SE that hasrunning time t and makes at most q LR queries, the messages across themtotaling at most � blocks. Then there is a prf-adversary B against E suchthat
Adv
ind-cpaSE (A) 2 · AdvprfE (B) +
2(q � 1)�
2n
Furthermore, B makes at most � oracle queries and has running timet +⇥(� · (n + `)).
Mihir Bellare UCSD 46
-
birthday.
Intuition
thought:
replace E with random function wl same domain and
Runge .
Now,
if the adversary is lucky-
and makesLR queries such that Cito ]=etE @
then it can gain advantage .
Otherwise we are encrypting with a
)one-tinepad]
Interval IntersectionInterval intersection probability
Let N, q,m � 1 be integers and let ZN = {0, 1, . . . ,N � 1}. Let + beaddition modulo N. Consider the game
For i = 1, . . . , q do
ci$ ZN ; Ii {ci + 1, . . . , ci +m}
For 1 i < j q define the events
Bi ,j : Si \ Sj 6= ; and B :W
1i<jqBi ,j .
Then let
IIP(N, q,m) = Pr[B] .
Problem: Upper bound IIP(N, q,m) as a function of N, q,m.
Mihir Bellare UCSD 51
Pvt Av B) I PREAI + PRIB)
.
.
Interval IntersectionInterval intersection probability
Claim: IIP(N, q,m) q(q � 1)
2
(2m � 1)
N
Why? For any 1 i < j q we have
Pr[Bi ,j ] = Pr[Si \ Sj 6= ;]
= Pr[cj 2 {ci �m + 1, . . . , ci +m � 1}] = 2m � 1
N.
Then by the Union bound
IIP(N, q,m) = Pr[W
1i<jq] X
1i<jq
Pr[Bi ,j ]
=
✓q
2
◆2m � 1
N.
Mihir Bellare UCSD 52
proof . Pr[ B ] s § RIBI,;) = (E) PIB ; ;]
and
PVLBI, ;] = PRICE { ci - MH
,. .
, Citm . i }=
Zm÷⇒ PRTB ) e- 9k¥ Kmt
Advantage RevisitedAlternative formulation of advantage
Let SE = (K, E ,D) be a symmetric encryption scheme and A an adversary.
Game GuessSE
procedure Initialize
K$ K ; b $ {0, 1}
procedure LR(M0,M1)
return C$ EK (Mb)
procedure Finalize(b0)return (b = b0)
Proposition: Advind-cpaSE (A) = 2 · PrhGuess
ASE)true
i� 1.
Proof: Observe
Pr⇥b0 = 1 | b = 1
⇤= Pr
hRight
ASE)1
i
Pr⇥b0 = 1 | b = 0
⇤= Pr
hLeft
ASE)1
i
Mihir Bellare UCSD 53
Game ChainGames G0,G1 for the proof
Game G0
procedure LR(M0,M1)
C [0] $ {0, 1}nfor i = 1, ...,m do
P C [0] + iif P 62 S then T[P] EK (P)C [i ] T [P] � Mb[i ]S S [ {P}
return C
Game G1
procedure LR(M0,M1)
C [0] $ {0, 1}nfor i = 1, ...,m do
P C [0] + i
if P /2 S then T[P] $ {0, 1}`C [i ] T[P] � Mb[i ]S S [ {P}
return C
ThenAdv
ind-cpaSE (A) = 2 · Pr
hGA0
i� 1
Mihir Bellare UCSD 56
Code I ×]{ no o }
ClaimsAnalysis
Clearly Pr[GA0 ] = Pr[GA
1 ] +�Pr[GA
0 ]� Pr[GA1 ]�.
Claim 1: We can design prf-adversary B so that
Pr[GA0 ]� Pr[GA
1 ] Adv
prfE (B)
Claim 2: Pr[GA1 ]
1
2+
(q � 1)�
2n
Given these, we have
Adv
ind-cpaSE (A) 2 ·
✓1
2+
(q � 1)�
2n
◆� 1 + 2 · AdvprfE (B)
=2(q � 1)�
2n+ 2 · AdvprfE (B)
which proves the theorem. It remains to prove the claims.
Mihir Bellare UCSD 57
}
Proof of Claim 1Adversary BFNC . )
bets { o( 19
Run A
when A makes ER every no,
m,
Code ITIP ] ← FNCP ) ]tf A outputs b then net
. 1
Proof of Claim 2
Games Con’tIntroducing the “bad” flag
Game G1
procedure LR(M0,M1)
C [0] $ {0, 1}n
for i = 1, ...,m do
P C [0] + i
If P /2 S thenT[P] $ {0, 1}`
C [i ] T[P]�Mb[i ]
S S [ {P}return C
Game G2 , G3
procedure LR(M0,M1)
C [0] $ {0, 1}n
for i = 1, ...,m do
P C [0] + i
C [i ] $ {0, 1}`
If P 2 S thenbad true ; C [i ] T[P]�Mb[i ]
T[P] C [i ]�Mb[i ]
S S [ {P}return C
Pr[GA1 ] = Pr[GA
2 ] = Pr[GA3 ] +
⇣Pr[GA
2 ]� Pr[GA3 ]⌘
Mihir Bellare UCSD 60
Using fundamental lemmaUsing the fundamental lemma
Game G2 , G3
procedure LR(M0,M1)
C [0] $ {0, 1}n
for i = 1, ...,m do
P C [0] + i; C [i ] $ {0, 1}`
If P 2 S thenbad true ; C [i ] T[P]�Mb[i ]
T[P] C [i ]�Mb[i ]; S S [ {P}return C
G2 and G3 are identical-until-bad, so Fundamental Lemma implies
PrhGA2
i� Pr
hGA3
i Pr
hGA3 sets bad
i.
Mihir Bellare UCSD 63
Completing the Proof
Security of CBC$Security of CBC$
Theorem: [BDJR97] Let E : {0, 1}k ⇥ {0, 1}n ! {0, 1}n be a block cipherand SE = (K, E ,D) the corresponding CBC$ symmetric encryptionscheme. Let A be an ind-cpa adversary against SE that has running time tand makes at most q LR queries, the messages across them totaling atmost � blocks. Then there is a prf-adversary B against E such that
Adv
ind-cpaSE (A) 2 · AdvprfE (B) +
�2
2n
Furthermore, B makes at most � oracle queries and has running timet +⇥(� · n).
Exercise: Prove the above theorem.
Mihir Bellare UCSD 67
Padding
mi0, mi1, and vi are completely determined, as are the values vi0 and xi0j for i0 = 1, . . . , i � 1 andj = 0, . . . , vi0�1; however, the values of yi0, . . . , yi` are still uniformly and independently distributedover X . Moreover, as xij = yij �mib[j] for j = 0, . . . , vi � 1, it follows that these xij values are alsouniformly and independently distributed over X . Thus, for any fixed index j = 0, . . . , vi � 1, andany fixed indices i0 and j0, with (i0, j0) < (i, j), the probability that xij = xi0j0 in this conditionalprobability space is 1/N . The bound (5.28) now follows from an easy calculation.
Finally, we claim thatPr[W3] = 1/2. (5.29)
This follows from the fact that
Coins , b, yij (i = 1, . . . Q, j = 0, . . . , `)
are independently distributed, and the fact that the adversary’s output b̂ is a function of
Coins, yij (i = 1, . . . Q, j = 0, . . . , `).
From this, we see that b̂ and b are independent, and so (5.29) follows immediately.Putting together (5.24) through (5.29), we have
CPAadv
⇤[A, E 0] Q2`2
2N+ PRFadv[B, E].
By Theorem 4.4, we have
�
�BCadv[B, E ] � PRFadv[B, E]�
� Q2`2
2N,
and (5.23) follows, which proves the theorem. 2
5.4.4 Case study: CBC padding in TLS 1.0
Let E = (E, D) be a block cipher with domain X . Our description of CBC mode encryption using Eassumes that messages to be encrypted are elements of X`. When the domain is X = {0, 1}128,as in the case of AES, this implies that the length of messages to be encrypted must be a multipleof 16 bytes. Since the length of messages in practice need not be a multiple of 16 we need a wayaugment CBC to handle messages whose length is not necessarily a multiple of the block size.
Suppose we wish to encrypt a v-byte message m using AES in CBC mode when v is notnecessarily a multiple of 16. The first thing that comes to mind is to somehow pad the message mso that its length in bytes is a multiple of 16. Clearly the padding function needs to be invertibleso that during decryption the padding can be removed.
The TLS 1.0 protocol defines the following padding function for encrypting a v-byte messagewith AES in CBC mode: let p := 16 � (v mod 16), then append p bytes to the message m wherethe content of each byte is value p � 1. For example, consider the following two cases:
• if m is 29 bytes long then p = 3 and the pad consists of the three bytes “222” so that thepadded message is 32 bytes long which is exactly two AES blocks.
• if the length of m is a multiple of the block size, say 32 bytes, then p = 16 and the padconsists of 16 bytes. The padded message is then 48 bytes long which is three AES blocks.
194
Revocable Broadcast
k1k1 k2k2 k3k3 k4k4 k5k5 k6k6 k7k7 k8k8
k9 k10 k11 k12
k13 k14
k15
Figure 5.5: The tree of keys for n = 8 devices; shaded nodes are the keys embedded in device 3.
to revoke that key, so that this device key cannot be used to decrypt future Blu-ray disks, butwithout impacting any other devices in the field.
A revocable broadcast system. Suppose there are n devices in the system, where for simplicity,let us assume n is a power of two. We treat these n devices as the leaves of a complete binary tree,as shown in Fig. 5.5. Every internal node in the tree is assigned a random key in the key space K.The keys embedded in device number i 2 {1, . . . , n} is the set of keys on the path from leaf numberi to the root. This way, every device is given exactly log2 n keys in K.
When the system is first launched, and no device keys are yet revoked, all content is encryptedusing the key at the root (key number 15 in Fig. 5.5). More precisely, we encrypt a movie m as:
cm :=�
k R K, c1 R E(kroot, k), c R E0(k, m), output (c1, c)
Because all devices have the root key kroot, all devices can decrypt.
Revoking devices. Now, suppose device number i is attacked, and all the keys stored on it arepublished. Then all future content will be encrypted using the keys associated with the siblings ofthe log2 n nodes on the path from leaf i to the root. For example, when device number 3 in Fig. 5.5is revoked, all future content is encrypted using the three keys k4, k9, k14 as
cm :=
8
>
>
<
>
>
:
k R Kc1 R E(k4, k), c2 R E(k9, k), c3 R E(k14, k)c R E0(k, m)output (c1, c2, c3, c)
9
>
>
=
>
>
;
(5.34)
Again, (c1, c2, c3) is the ciphertext header, and c is the ciphertext body. Observe that devicenumber 3 cannot decrypt cm, because it cannot decrypt any of the ciphertexts in the header.However, every other device can easily decrypt using one of the keys at its disposal. For exampledevice number 6 can use k14 to decrypt c3. In e↵ect, changing the encryption scheme to encryptas in (5.35) revokes device number 3, without impacting any other device. The cost to this is thatthe ciphertext header now contains log2 n blocks, as opposed to a single block before the devicewas revoked.
More generally, suppose r devices have been compromised and need to be revoked. Let S ✓{1, . . . , n} be the set of non-compromised devices, so that that |S| = n � r. New content will beencrypted using keys in the tree so that devices in S can decrypt, but all devices outside of Scannot. The set of keys that makes this possible is characterized by the following definition:
201
Definition 5.4. Let T be a complete binary tree with n leaves, where n is a power of two. LetS ✓ {1, . . . , n} be a set of leaves. We say that a set of nodes W ✓ {1, . . . , 2n � 1} covers the setS if every leaf in S is a descendant of some node in W , and leaves outside of S are not. We usecover(S) to denote the smallest set of nodes that covers S.
Fig. 5.6 gives an example of a cover of the set of leaves {1, 2, 4, 5, 6}. The figure captures asettings where devices number 3, 7, and 8 are revoked. It should be clear that if we use keys incover(S) to encrypt a movie m, then devices in S can decrypt, but devices outside of S cannot. Inparticular, we encrypt m as follows:
cm :=
8
>
>
<
>
>
:
k R Kfor u 2 cover(S) : cu R E(ku, k)c R E0(k, m)output ({cu}u2cover(S), c)
9
>
>
=
>
>
;
. (5.35)
The more devices are revoked, the larger the header of cm becomes. The following theorem showshow big the header gets in the worst case. The proof is an induction argument that also suggestsan e�cient recursive algorithm to compute an optimal cover.
Theorem 5.8. Let T be a complete binary tree with n leaves, where n is a power of two. For every1 r n, and every set S of n� r leaves, we have
|cover(S)| r · log2(n/r)
Proof. We prove the theorem by induction on log2 n. For n = 1 the theorem is trivial. Now, assumethe theorem holds for a tree with n/2 leaves, and let us prove it for a tree T with n leaves. Thetree T is made up of a root node, and two disjoint sub-trees, T1 and T2, each with n/2 leaves. Letus split the set S ✓ {1, . . . , n} in two: S = S1 [ S2, where S1 is contained in {1, . . . , n/2}, and S2
is contained in {n/2+ 1, . . . , n}. That is, S1 are the elements of S that are leaves in T1, and S2 arethe elements of S that are leaves in T2. Let r1 := (n/2)� |S1| and r2 := (n/2)� |S2|. Then clearlyr = r1 + r2.
First, suppose both r1 and r2 are greater than zero. By the induction hypothesis, we know thatfor i = 1, 2 we have |cover(Si)| ri log2(n/2ri). Therefore,
|cover(S)| = |cover(S1)| + |cover(S2)| r1 log2(n/2r1) + r2 log2(n/2r2)
= r log2(n/r) +�
r log2 r � r1 log2(2r1)� r2 log2(2r2)� r log2(n/r),
which is what we had to prove in the induction step. The last inequality follows from a simple factabout logarithms, namely that for all numbers r1 � 1 and r2 � 1, we have
(r1 + r2) log2(r1 + r2) r1 log2(2r1) + r2 log2(2r2).
Second, if r1 = 0 then r2 = r � 1, and the induction step follows from:
|cover(S)| = 1 + |cover(S2)| 1 + r log2(n/2r) = 1 + r log2(n/r)� r r log2(n/r),
as required. The case r2 = 0 follows similarly. This completes the induction step, and the proof. 2
Theorem 5.8 shows that r devices can be revoked at the cost of increasing the ciphertext headersize to O(r log n) blocks. For moderate values of r this is not too big. Nevertheless, this general
202
Definition 5.4. Let T be a complete binary tree with n leaves, where n is a power of two. LetS ✓ {1, . . . , n} be a set of leaves. We say that a set of nodes W ✓ {1, . . . , 2n � 1} covers the setS if every leaf in S is a descendant of some node in W , and leaves outside of S are not. We usecover(S) to denote the smallest set of nodes that covers S.
Fig. 5.6 gives an example of a cover of the set of leaves {1, 2, 4, 5, 6}. The figure captures asettings where devices number 3, 7, and 8 are revoked. It should be clear that if we use keys incover(S) to encrypt a movie m, then devices in S can decrypt, but devices outside of S cannot. Inparticular, we encrypt m as follows:
cm :=
8
>
>
<
>
>
:
k R Kfor u 2 cover(S) : cu R E(ku, k)c R E0(k, m)output ({cu}u2cover(S), c)
9
>
>
=
>
>
;
. (5.35)
The more devices are revoked, the larger the header of cm becomes. The following theorem showshow big the header gets in the worst case. The proof is an induction argument that also suggestsan e�cient recursive algorithm to compute an optimal cover.
Theorem 5.8. Let T be a complete binary tree with n leaves, where n is a power of two. For every1 r n, and every set S of n� r leaves, we have
|cover(S)| r · log2(n/r)
Proof. We prove the theorem by induction on log2 n. For n = 1 the theorem is trivial. Now, assumethe theorem holds for a tree with n/2 leaves, and let us prove it for a tree T with n leaves. Thetree T is made up of a root node, and two disjoint sub-trees, T1 and T2, each with n/2 leaves. Letus split the set S ✓ {1, . . . , n} in two: S = S1 [ S2, where S1 is contained in {1, . . . , n/2}, and S2
is contained in {n/2+ 1, . . . , n}. That is, S1 are the elements of S that are leaves in T1, and S2 arethe elements of S that are leaves in T2. Let r1 := (n/2)� |S1| and r2 := (n/2)� |S2|. Then clearlyr = r1 + r2.
First, suppose both r1 and r2 are greater than zero. By the induction hypothesis, we know thatfor i = 1, 2 we have |cover(Si)| ri log2(n/2ri). Therefore,
|cover(S)| = |cover(S1)| + |cover(S2)| r1 log2(n/2r1) + r2 log2(n/2r2)
= r log2(n/r) +�
r log2 r � r1 log2(2r1)� r2 log2(2r2)� r log2(n/r),
which is what we had to prove in the induction step. The last inequality follows from a simple factabout logarithms, namely that for all numbers r1 � 1 and r2 � 1, we have
(r1 + r2) log2(r1 + r2) r1 log2(2r1) + r2 log2(2r2).
Second, if r1 = 0 then r2 = r � 1, and the induction step follows from:
|cover(S)| = 1 + |cover(S2)| 1 + r log2(n/2r) = 1 + r log2(n/r)� r r log2(n/r),
as required. The case r2 = 0 follows similarly. This completes the induction step, and the proof. 2
Theorem 5.8 shows that r devices can be revoked at the cost of increasing the ciphertext headersize to O(r log n) blocks. For moderate values of r this is not too big. Nevertheless, this general
202
Broadcast Encryption
In particular, for every nCPA adversary A that attacks E 0 as in the bit-guessing version of AttackGame 5.3, and which makes at most Q queries to its challenger, there exists BC adversary Bthat attacks E as in Attack Game 4.1, and a PRF adversary BF that attacks F as in AttackGame 4.2, where B and BF are elementary wrappers around A, such that
nCPAadv[A, E 0] 2Q2`2
N+ 2 · PRFadv[BF , F ] + 2 · BCadv[B, E ]. (5.33)
Again, we leave the proof as an exercise for the reader. Note that in the above construction,we may use the underlying block cipher E for the PRF F ; however, it is essential that independentkeys k and k0 are used (see Exercise 5.14).
5.6 A fun application: revocable broadcast encryption
Movie studios spend a lot of e↵ort making blockbuster movies, and then sell the movies (on DVDs)to millions of customers who purchase them to watch at home. A customer should be able to watchmovies on a stateless standalone movie player, that has no network connection.
The studios are worried about piracy, and do not want to send copyrighted digital content in theclear to millions of users. A simple solution could work as follows. Every authorized manufactureris given a device key kd 2 K, and it embeds this key in every device that it sells. If there are a
hundred authorized device manufacturers, then there are a hundred device keys k(1)d , . . . , k(100)
d . Amovie m is encrypted as:
cm :=
8
>
>
<
>
>
:
k R Kfor i = 1, . . . , 100 : ci R E(k(i)
d , k)c R E0(k, m)output (c1, . . . , c100, c)
9
>
>
=
>
>
;
where (E, D) is a CPA secure cipher, and (E0, D0) is semantically secure with key space K. Weanalyze this construction in Exercise 5.4, where we show that it is CPA secure. We refer to(c1, . . . , c100) as the ciphertext header, and refer to c is the body.
Now, every authorized device can decrypt the movie using its embedded device key. First,decrypt the appropriate ciphertext in the header, and then use the obtained key k to decryptthe body. This mechanism forms the basis of the content scrambling system (CSS) used toencrypted DVDs. We previously encountered CSS in Section 3.8.
The trouble with this scheme is that once a single device is comprised, and its device key kd isextracted and published, then anyone can use this kd to decrypt every movie ever published. Thereis no way to revoke kd without breaking many consumer devices in the field. In fact, this is exactlyhow CSS was broken: the device key was extracted from an authorized player, and then used in asystem called DeCSS to decrypt encrypted DVDs.
The lesson from CSS is that global unrevocable device keys are a bad idea. Once a single keyis leaked, all security is lost. When the DVD format was updated to a new format called Blu-ray,the industry got a second chance to design the encryption scheme. In the new scheme, called theAdvanced Access Content System (AACS), every device gets a random device key unique tothat device. The system is designed to support billions of devices, each with its own key.
The goals of the system are twofold. First, every authorized device should be able to decryptevery Blu-ray disk. Second, whenever a device key is extracted and published, it should be possible
200