1 A Fully Collusion Resistant Broadcast, Trace and Revoke System Brent Waters SRI International Dan...
-
Upload
warren-roberts -
Category
Documents
-
view
212 -
download
0
Transcript of 1 A Fully Collusion Resistant Broadcast, Trace and Revoke System Brent Waters SRI International Dan...
![Page 1: 1 A Fully Collusion Resistant Broadcast, Trace and Revoke System Brent Waters SRI International Dan Boneh Stanford.](https://reader036.fdocuments.in/reader036/viewer/2022072006/56649d045503460f949d725c/html5/thumbnails/1.jpg)
1
A Fully Collusion Resistant Broadcast, Trace and Revoke
System
Brent Waters SRI International
Dan Boneh Stanford
![Page 2: 1 A Fully Collusion Resistant Broadcast, Trace and Revoke System Brent Waters SRI International Dan Boneh Stanford.](https://reader036.fdocuments.in/reader036/viewer/2022072006/56649d045503460f949d725c/html5/thumbnails/2.jpg)
2
Broadcast Systems
Distribute content to a large set of users
•Commercial Content Distribution
•File systems
•Military Grade GPS
•Multicast IP
![Page 3: 1 A Fully Collusion Resistant Broadcast, Trace and Revoke System Brent Waters SRI International Dan Boneh Stanford.](https://reader036.fdocuments.in/reader036/viewer/2022072006/56649d045503460f949d725c/html5/thumbnails/3.jpg)
3
Trace & Revoke: A Tale of Two Problems
Broadcast Encryption: Encrypt Messages M, to subset S of receivers
Traitor Tracing: Trace Orgin of Pirate boxes
Trace & Revoke: Trace pirate box, remove from set of receivers
This talk: Overview both, show challenges•Light on mathematical details
![Page 4: 1 A Fully Collusion Resistant Broadcast, Trace and Revoke System Brent Waters SRI International Dan Boneh Stanford.](https://reader036.fdocuments.in/reader036/viewer/2022072006/56649d045503460f949d725c/html5/thumbnails/4.jpg)
4
Broadcast Encryption [FN’93]
Encrypt to arbitrary subsets S.
Collusion resistance:•secure even if all users in Sc collude.
d1
d2
d3
S {1,…,n}
CT = E[M,S]
![Page 5: 1 A Fully Collusion Resistant Broadcast, Trace and Revoke System Brent Waters SRI International Dan Boneh Stanford.](https://reader036.fdocuments.in/reader036/viewer/2022072006/56649d045503460f949d725c/html5/thumbnails/5.jpg)
5
A Trivial Solution
Small private key, large ciphertext.
•Every user j has unique private key dj .
CT = { Edj[M] | jS }
|CT| = O(|S|) |priv| = O(1)
Challenge: Get small ciphertext size
![Page 6: 1 A Fully Collusion Resistant Broadcast, Trace and Revoke System Brent Waters SRI International Dan Boneh Stanford.](https://reader036.fdocuments.in/reader036/viewer/2022072006/56649d045503460f949d725c/html5/thumbnails/6.jpg)
6
App : Encrypted File Systems
Broadcast to small sets: |S| << n
Best construction: trivial. |CT|=O(|S|) , |priv|=O(1)
Examples: EFS.
File F
EKF[F]
EPKA[KF]
EPKC[KF]
MS Knowledge Base:EFS has a limit of 256KB in the file
header for the EFS metadata. This limits
the number of individual entries for
file sharing to a maximum of 800
users.
Header< 256K EPKB
[KF]
![Page 7: 1 A Fully Collusion Resistant Broadcast, Trace and Revoke System Brent Waters SRI International Dan Boneh Stanford.](https://reader036.fdocuments.in/reader036/viewer/2022072006/56649d045503460f949d725c/html5/thumbnails/7.jpg)
7
Previous Solutions
t-Collusion resistant schemes [FN’93…]•Resistant to t-colluders• |CT| = O(t2log n) |priv| = O(tlog n)•Attacker knows t
Broadcast to large sets [NNL,HS,GST…]• |CT|= O(r) |priv|=O(log n)•Useful if small number of revoked players
![Page 8: 1 A Fully Collusion Resistant Broadcast, Trace and Revoke System Brent Waters SRI International Dan Boneh Stanford.](https://reader036.fdocuments.in/reader036/viewer/2022072006/56649d045503460f949d725c/html5/thumbnails/8.jpg)
8
Previous Solutions
Fully-Collusion resistant schemes [BGW’06]•Resistant to any # of colluders• |CT| = O(1) |priv| = O(1) |pub| = O(n)•Algebraically-based / Uses Bilinear Groups
Ciphertexts are multiplied security parameter
FCR
![Page 9: 1 A Fully Collusion Resistant Broadcast, Trace and Revoke System Brent Waters SRI International Dan Boneh Stanford.](https://reader036.fdocuments.in/reader036/viewer/2022072006/56649d045503460f949d725c/html5/thumbnails/9.jpg)
9
Apps: Sharing in Enc. File System
Store PK on file system. n=216 |PK|=1.2MB
File header: ( [S], E[S,PK,KF] )
Sharing among “800” users:
•8002 + 40 = 1640 bytes << 256KB
File F
EKF[F]
[S]
E[S,PK,KF]Hdr
S {1, …, n }
40 bytes
![Page 10: 1 A Fully Collusion Resistant Broadcast, Trace and Revoke System Brent Waters SRI International Dan Boneh Stanford.](https://reader036.fdocuments.in/reader036/viewer/2022072006/56649d045503460f949d725c/html5/thumbnails/10.jpg)
10
Tracing Pirate Devices[CFN’94]
•Attacker creates “pirated device”
•Want to trace origin of device
![Page 11: 1 A Fully Collusion Resistant Broadcast, Trace and Revoke System Brent Waters SRI International Dan Boneh Stanford.](https://reader036.fdocuments.in/reader036/viewer/2022072006/56649d045503460f949d725c/html5/thumbnails/11.jpg)
11
FAQ-1 “The Content can be Copied?”
DRM- Impossibility Argument
Protecting the service
Goal: Stop attacker from creating devices that access the original broadcast
![Page 12: 1 A Fully Collusion Resistant Broadcast, Trace and Revoke System Brent Waters SRI International Dan Boneh Stanford.](https://reader036.fdocuments.in/reader036/viewer/2022072006/56649d045503460f949d725c/html5/thumbnails/12.jpg)
12
FAQ 2-Why black-box tracing? [BF’99]
D: may contain unrecognized keys, is obfuscated, or tamper resistant.
All we know:
Pr[ M G, C Encrypt (PK, M) : D(C)=M] > 1-
K1
K3
K2K$*JWNFD&RIJ$
D:
R R
![Page 13: 1 A Fully Collusion Resistant Broadcast, Trace and Revoke System Brent Waters SRI International Dan Boneh Stanford.](https://reader036.fdocuments.in/reader036/viewer/2022072006/56649d045503460f949d725c/html5/thumbnails/13.jpg)
13
Previous Solutions
t-Collusion resistant schemes [CFN’93…]•Resistant to t-colluders•Attacker knows t
Fully-Collusion resistant schemes [BSW’06]•Resistant to any # of colluders• |CT| = O(n) |priv| = O(1) •Algebraically-based / Uses Bilinear Groups
![Page 14: 1 A Fully Collusion Resistant Broadcast, Trace and Revoke System Brent Waters SRI International Dan Boneh Stanford.](https://reader036.fdocuments.in/reader036/viewer/2022072006/56649d045503460f949d725c/html5/thumbnails/14.jpg)
14
Trace and Revoke (This Work)
What happens when catch traitor?•Torture?•Re-do system?
Want Broadcast and Tracing simultaneously
![Page 15: 1 A Fully Collusion Resistant Broadcast, Trace and Revoke System Brent Waters SRI International Dan Boneh Stanford.](https://reader036.fdocuments.in/reader036/viewer/2022072006/56649d045503460f949d725c/html5/thumbnails/15.jpg)
15
Trace and Revoke
![Page 16: 1 A Fully Collusion Resistant Broadcast, Trace and Revoke System Brent Waters SRI International Dan Boneh Stanford.](https://reader036.fdocuments.in/reader036/viewer/2022072006/56649d045503460f949d725c/html5/thumbnails/16.jpg)
16
T&R=A simple Combination?
B.E T.T.
M
R M-REncrypt
Decrypt
BE TT
R M-R
M
![Page 17: 1 A Fully Collusion Resistant Broadcast, Trace and Revoke System Brent Waters SRI International Dan Boneh Stanford.](https://reader036.fdocuments.in/reader036/viewer/2022072006/56649d045503460f949d725c/html5/thumbnails/17.jpg)
17
A simple Attack
B.E T.T.
M
R M-R
BE TT
R M-R
M
2 colluders split duties
Catch same one over and over (box still works)
![Page 18: 1 A Fully Collusion Resistant Broadcast, Trace and Revoke System Brent Waters SRI International Dan Boneh Stanford.](https://reader036.fdocuments.in/reader036/viewer/2022072006/56649d045503460f949d725c/html5/thumbnails/18.jpg)
18
Our Approach (Intuition)
Can’t allow attackers to “separate” systems• In general hard to combine
BGW05 (Broadcast) and BSW06(Traitor Tracing) both algebraic
Multiply private keys together so can’t separate•Not so easy… needed different B.E. scheme
![Page 19: 1 A Fully Collusion Resistant Broadcast, Trace and Revoke System Brent Waters SRI International Dan Boneh Stanford.](https://reader036.fdocuments.in/reader036/viewer/2022072006/56649d045503460f949d725c/html5/thumbnails/19.jpg)
19
Summary
T.R.: O(n) CT, O(n) priv-keys.
Public Key Tracing
•Secure even if tracing key lost
“Adaptive Security”
Open: Better Parameters:
FCR
![Page 20: 1 A Fully Collusion Resistant Broadcast, Trace and Revoke System Brent Waters SRI International Dan Boneh Stanford.](https://reader036.fdocuments.in/reader036/viewer/2022072006/56649d045503460f949d725c/html5/thumbnails/20.jpg)
20
THE END