Secure Broadcast Systems and Perspective on Pairings
Transcript of Secure Broadcast Systems and Perspective on Pairings
![Page 1: Secure Broadcast Systems and Perspective on Pairings](https://reader035.fdocuments.in/reader035/viewer/2022062520/56815735550346895dc4d667/html5/thumbnails/1.jpg)
1
Secure Broadcast Systems and Perspective on Pairings
Brent Waters
Joint work with Dan Boneh, Craig Gentry, and Amit Sahai
![Page 2: Secure Broadcast Systems and Perspective on Pairings](https://reader035.fdocuments.in/reader035/viewer/2022062520/56815735550346895dc4d667/html5/thumbnails/2.jpg)
2
Broadcast Systems
Distribute content to a large set of users
• Commercial Content Distribution
• File systems
• Military Grade GPS
• Multicast IP
![Page 3: Secure Broadcast Systems and Perspective on Pairings](https://reader035.fdocuments.in/reader035/viewer/2022062520/56815735550346895dc4d667/html5/thumbnails/3.jpg)
3
Broadcast Encryption [FN’93]
Encrypt to arbitrary subsets S ⊆ {1,…,n}.
Collusion resistance: secure even if all users in S^c (everyone outside S) collude.
(Figure: users holding private keys d1, d2, d3; the broadcast ciphertext CT = E[M,S] goes to the set S.)
![Page 4: Secure Broadcast Systems and Perspective on Pairings](https://reader035.fdocuments.in/reader035/viewer/2022062520/56815735550346895dc4d667/html5/thumbnails/4.jpg)
4
App: Encrypted File Systems
Broadcast to small sets: |S| << n
Best construction: trivial. |CT| = O(|S|), |priv| = O(1)
Examples: EFS.
(Figure: file F stored as E_KF[F]; the header, under 256K, holds the file key wrapped for each user: E_PKA[KF], E_PKB[KF], E_PKC[KF].)
MS Knowledge Base: EFS has a limit of 256KB in the file header for the EFS metadata. This limits the number of individual entries for file sharing to a maximum of 800 users.
![Page 5: Secure Broadcast Systems and Perspective on Pairings](https://reader035.fdocuments.in/reader035/viewer/2022062520/56815735550346895dc4d667/html5/thumbnails/5.jpg)
5
Broadcast Encryption
Public-key BE system:
• Setup(n): outputs private keys d1, …, dn and public key PK.
• Encrypt(S, PK, M): encrypt M for users S ⊆ {1, …, n}. Output ciphertext CT.
• Decrypt(CT, S, j, dj, PK): if j ∈ S, output M.
Note: broadcast contains ( [S], CT )
![Page 6: Secure Broadcast Systems and Perspective on Pairings](https://reader035.fdocuments.in/reader035/viewer/2022062520/56815735550346895dc4d667/html5/thumbnails/6.jpg)
6
Previous Solutions
t-Collusion resistant schemes [FN’93…]
• Resistant to t colluders
• |CT| = O(t² log n), |priv| = O(t log n)
• Attacker knows t
Broadcast to large sets [NNL, HS, GST…]
• |CT| = O(r), |priv| = O(log n)   (r = number of revoked users)
• Useful if small number of revoked players
Ciphertext sizes are multiplied by the security parameter
![Page 7: Secure Broadcast Systems and Perspective on Pairings](https://reader035.fdocuments.in/reader035/viewer/2022062520/56815735550346895dc4d667/html5/thumbnails/7.jpg)
7
Overview
                              CT size        Priv-key size
Small sets: trivial           O(|S|)         O(1)
Large sets: NNL, HS, GST      O(n − |S|)     O(log n)
Any set (new):
  BGW ’05                     O(1)           O(1)      … but O(n) size public key.
  BGW ’05                     O(√n)          O(1)      … O(√n) size public key.
(Figure: set size |S| on an axis from 0 to n; EFS and e-mail sit near 0, DVDs and subscription services near n.)
![Page 8: Secure Broadcast Systems and Perspective on Pairings](https://reader035.fdocuments.in/reader035/viewer/2022062520/56815735550346895dc4d667/html5/thumbnails/8.jpg)
8
Broadcast Encryption Security
Semantic security when users collude (static adversary).
Def: Alg. A ε-breaks BE sem. sec. if Pr[b = b’] > ½ + ε
Game between Challenger and Attacker:
  Attacker → Challenger: S ⊆ {1, …, n}
  Challenger: Run Setup(n); send PK, { dj | j ∉ S } to the Attacker
  Attacker → Challenger: m0, m1 ∈ G
  Challenger: b ← {0,1}; send C* = Enc(S, PK, mb)
  Attacker: outputs b’ ∈ {0,1}
![Page 9: Secure Broadcast Systems and Perspective on Pairings](https://reader035.fdocuments.in/reader035/viewer/2022062520/56815735550346895dc4d667/html5/thumbnails/9.jpg)
9
Bilinear Maps
G, GT: finite cyclic groups of prime order p.
Def: An admissible bilinear map e: G × G → GT is:
– Bilinear: e(g^a, g^b) = e(g,g)^(ab)  ∀ a,b ∈ Z, g ∈ G
– Efficiently computable.
![Page 10: Secure Broadcast Systems and Perspective on Pairings](https://reader035.fdocuments.in/reader035/viewer/2022062520/56815735550346895dc4d667/html5/thumbnails/10.jpg)
10
Broadcast System [BGW’05]
Setup(n): g ← G, α, γ ← Zp, gk = g^(α^k)
PK = ( g, g1, g2, …, gn, gn+2, …, g2n, v = g^γ ) ∈ G^(2n+1)
For u = 1, …, n set: Ku = (gu)^γ ∈ G
Encrypt(S, PK, M): t ← Zp
CT = ( g^t, (v · ∏_{j∈S} gn+1−j)^t, M · e(gn, g1)^t )
Decrypt(CT, S, u, Ku, PK): CT = (C0, C1, C2)
Fact: e( gu, C1 ) / e( Ku · ∏_{j∈S, j≠u} gn+1−j+u, C0 ) = e(gn, g1)^t, so M = C2 / e(gn, g1)^t.
![Page 11: Secure Broadcast Systems and Perspective on Pairings](https://reader035.fdocuments.in/reader035/viewer/2022062520/56815735550346895dc4d667/html5/thumbnails/11.jpg)
11
Security Theorem
Thm: ∃ t-time alg. that ε-breaks static BE security in G
  ⟹ ∃ t̃-time alg. that ε-solves bilinear n-DDHE in G.
• Open problem: adaptive security with similar params.
• New [BW’06]: adaptive security with O(√n)-size CT
![Page 12: Secure Broadcast Systems and Perspective on Pairings](https://reader035.fdocuments.in/reader035/viewer/2022062520/56815735550346895dc4d667/html5/thumbnails/12.jpg)
12
Apps: Sharing in Enc. File System
Store PK on file system. n = 2^16, |PK| = 1.2MB
File header: ( [S], E[S, PK, KF] )
Sharing among “800” users:
• 800·2 + 40 = 1640 bytes << 256KB
Each user obtains priv-key d_uid ∈ G from admin.
• Admin only stores γ ∈ Zq
(Figure: file F stored as E_KF[F]; header Hdr = ( [S], E[S,PK,KF] ) with S ⊆ {1, …, n}; the ciphertext part is 40 bytes.)
![Page 13: Secure Broadcast Systems and Perspective on Pairings](https://reader035.fdocuments.in/reader035/viewer/2022062520/56815735550346895dc4d667/html5/thumbnails/13.jpg)
13
Summary of Broadcast Enc.
New public-key broadcast encryption systems:
• Full collusion resistance. Constant size priv key.
• System 1: |CT| = O(1), |PK| = O(n)
• System 2: |CT| = O(√n), |PK| = O(√n)
The description of the set, of size |S|, is now the dominant term.
![Page 14: Secure Broadcast Systems and Perspective on Pairings](https://reader035.fdocuments.in/reader035/viewer/2022062520/56815735550346895dc4d667/html5/thumbnails/14.jpg)
14
Tracing Pirate Devices[CFN’94]
• Attacker creates “pirated device”
• Want to trace origin of device
![Page 15: Secure Broadcast Systems and Perspective on Pairings](https://reader035.fdocuments.in/reader035/viewer/2022062520/56815735550346895dc4d667/html5/thumbnails/15.jpg)
15
T.T: a popular problem
O. Berkman, D. Boneh, H. Chabanne, B. Chor, Y. Desmedt, Y. Dodis, N. Fazio, A. Fiat, M. Franklin, E. Gafni, M. Goodrich, D. Halevy,
G. Hanaoka, D. Hieu-Phan, H. Imai, M. Kasahara, A. Kiayias, K. Kurosawa, J. Lotspiech, S. Mitsunari, M. Naor, D. Naor, M. Parnas, B. Pfitzmann, B. Pinkas,
D. Pointcheval, R. Safavi-Naini, A. Sahai, R. Sakai, J. Sgall, A. Shamir, J. Shaw, A. Silverberg, J. Staddon, D. Stinson, J. Sun, R. Tamassia,
G. Tardos, T. Tassa, V. To, M. Waidner, J. Walker, Y. Wang, Y. Watanabe, B. Waters, R. Wei, L. Yin, M. Yung, F. Zhang
32 papers from 49 authors
![Page 16: Secure Broadcast Systems and Perspective on Pairings](https://reader035.fdocuments.in/reader035/viewer/2022062520/56815735550346895dc4d667/html5/thumbnails/16.jpg)
16
FAQ-1: “The content can be copied?”
DRM impossibility argument.
Protecting the service:
Goal: stop the attacker from creating devices that access the original broadcast.
![Page 17: Secure Broadcast Systems and Perspective on Pairings](https://reader035.fdocuments.in/reader035/viewer/2022062520/56815735550346895dc4d667/html5/thumbnails/17.jpg)
17
FAQ 2: Why black-box tracing? [BF’99]
D may contain unrecognized keys, be obfuscated, or be tamper resistant.
All we know:
  Pr[ M ← G, C ← Encrypt(PK, M) : D(C) = M ] > 1 − ε
(Figure: decoder D built from keys K1, K2, K3 and opaque code “K$*JWNFD&RIJ$”; M and C are sampled at random.)
![Page 18: Secure Broadcast Systems and Perspective on Pairings](https://reader035.fdocuments.in/reader035/viewer/2022062520/56815735550346895dc4d667/html5/thumbnails/18.jpg)
18
Formally: Secure TT systems
(1) Semantically secure, and (2) Traceable:
Game between Challenger and Attacker:
  Attacker → Challenger: S ⊆ {1, …, n}
  Challenger: Run Setup(n); send PK, TK, { Kj | j ∈ S }
  Attacker → Challenger: pirate decoder D
  Challenger: Trace^D(TK) → i ∈ {1,…,n}
Adversary wins if: (1) Pr[D(C) = M] > 1 − ε, and (2) i ∉ S
![Page 19: Secure Broadcast Systems and Perspective on Pairings](https://reader035.fdocuments.in/reader035/viewer/2022062520/56815735550346895dc4d667/html5/thumbnails/19.jpg)
19
Brute Force System
Setup(n): Generate n PKE pairs (PKi, Ki).
  Output private keys K1, …, Kn; PK ← (PK1, …, PKn), TK ← PK.
Encrypt(PK, M): C ← ( E_PK1(M), …, E_PKn(M) )
Tracing: next slide.
This is the best known TT system secure under arbitrary collusion.
… until now
![Page 20: Secure Broadcast Systems and Perspective on Pairings](https://reader035.fdocuments.in/reader035/viewer/2022062520/56815735550346895dc4d667/html5/thumbnails/20.jpg)
20
Trace^D(PK): [BF99, NNL00, KY02]
For i = 1, …, n+1 define, for M ← G chosen at random:
  pi := Pr[ D( E_PK1(·), …, E_PKi−1(·), E_PKi(M), …, E_PKn(M) ) = M ]
  (components 1 … i−1 encrypt a random message in place of M)
Then: p1 > 1 − ε ; pn+1 ≈ 0
1 − ε ≤ |pn+1 − p1| = | Σ_{i=1}^{n} (pi+1 − pi) | ≤ Σ_{i=1}^{n} |pi+1 − pi|
⟹ there exists i ∈ {1,…,n} s.t. |pi+1 − pi| ≥ (1 − ε)/n
User i must be one of the pirates.
![Page 21: Secure Broadcast Systems and Perspective on Pairings](https://reader035.fdocuments.in/reader035/viewer/2022062520/56815735550346895dc4d667/html5/thumbnails/21.jpg)
21
Security Theorem
Tracing algorithm estimates p̂i with |p̂i − pi| < (1 − ε)/4n
Need O(n²) samples per pi. (D stateless)
Cubic time tracing.
• Can be improved to quadratic in |S|.
Thm: underlying PKE system is semantically secure ⟹ no eff. adv. wins the tracing game with non-neg. adv.
![Page 22: Secure Broadcast Systems and Perspective on Pairings](https://reader035.fdocuments.in/reader035/viewer/2022062520/56815735550346895dc4d667/html5/thumbnails/22.jpg)
22
Abstracting the Idea [BSW’06]
Properties needed:
For i = 1, …, n+1 need to encrypt M so that, without Ki, the adversary cannot distinguish
  Enc(i, PK, M) from Enc(i+1, PK, M)
(Figure: users 1 … i−1 cannot decrypt; users i … n can decrypt.)
Private Linear Broadcast Encryption
![Page 23: Secure Broadcast Systems and Perspective on Pairings](https://reader035.fdocuments.in/reader035/viewer/2022062520/56815735550346895dc4d667/html5/thumbnails/23.jpg)
23
Private Linear Broadcast Enc (PLBE)
• Setup(n): outputs private keys K1, …, Kn and public key PK.
• Encrypt(u, PK, M): encrypt M for users {u, u+1, …, n}. Output ciphertext CT.
• Decrypt(CT, j, Kj, PK): if j ≥ u, output M.
Broadcast-Encrypt(PK, M) := Encrypt(1, PK, M)
Note: slightly more complicated defs in [BSW’06]
![Page 24: Secure Broadcast Systems and Perspective on Pairings](https://reader035.fdocuments.in/reader035/viewer/2022062520/56815735550346895dc4d667/html5/thumbnails/24.jpg)
24
Security definition
Message hiding: given all private keys,
  Encrypt(n+1, M, PK) ≈ Encrypt(n+1, M′, PK)   (indistinguishable for any M, M′)
Index hiding: for u = 1, …, n, the Attacker cannot win the following game:
  Challenger: Run Setup(n); send PK, { Kj | j ≠ u } to the Attacker
  Attacker → Challenger: m
  Challenger: b ← {0,1}; C* ← Enc(u+b, PK, m)
  Attacker: outputs b′ ∈ {0,1}
![Page 25: Secure Broadcast Systems and Perspective on Pairings](https://reader035.fdocuments.in/reader035/viewer/2022062520/56815735550346895dc4d667/html5/thumbnails/25.jpg)
25
Results
Thm: Secure PLBE ⟹ Secure TT with the same size CT and priv-keys (black-box and publicly traceable).
New PLBE system: CT-size = O(√n); priv-key size = O(1); enc-time = O(√n); dec-time = O(1)
![Page 26: Secure Broadcast Systems and Perspective on Pairings](https://reader035.fdocuments.in/reader035/viewer/2022062520/56815735550346895dc4d667/html5/thumbnails/26.jpg)
26
√n PLBE Construction: hints
Arrange users in a √n × √n matrix.
Key for user (x,y): K_{x,y}
CT: one tuple per row, one tuple per column; size = O(√n)
CT to position (i,j): user (x,y) can dec. if
  (x > i) OR [ (x = i) AND (y ≥ j) ]
n = 36 users:
   1  2  3  4  5  6
   7  8  9 10 11 12
  13 14 15 16 17 18
  19 20 21 22 23 24
  25 26 27 28 29 30
  31 32 33 34 35 36
Encrypt to position (4,3): users 21 … 36 can decrypt.
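An added check (example code for this page, not from the slides or [BSW’06]) that the row/column rule reproduces the linear sets PLBE promises: laying users out row by row, a ciphertext to position (i,j) should be decryptable by exactly the suffix {u, …, n} where u is the linear index of (i,j). The grid size and function names are the example's own.

```python
import math


def grid_position(u: int, side: int):
    """Linear user index u (1-based, filled row by row) -> (row, col), 1-based."""
    return (u - 1) // side + 1, (u - 1) % side + 1


def can_decrypt(user_pos, target_pos) -> bool:
    """Slide rule: user (x,y) decrypts a ciphertext to position (i,j) iff
    x > i, or x = i and y >= j."""
    x, y = user_pos
    i, j = target_pos
    return x > i or (x == i and y >= j)


def decryptor_set(n: int, i: int, j: int) -> set:
    """All users able to decrypt a ciphertext addressed to (i,j)."""
    side = math.isqrt(n)
    return {u for u in range(1, n + 1) if can_decrypt(grid_position(u, side), (i, j))}


def matches_linear_semantics(n: int) -> bool:
    """Every position (i,j) is decryptable by exactly {u, u+1, ..., n} with
    u = (i-1)*sqrt(n) + j, i.e. the PLBE semantics of the earlier slide."""
    side = math.isqrt(n)
    if side * side != n:
        raise ValueError("square layout needs a perfect-square n")
    return all(decryptor_set(n, i, j) == set(range((i - 1) * side + j, n + 1))
               for i in range(1, side + 1) for j in range(1, side + 1))


def ciphertext_components(n: int) -> int:
    """One tuple per row plus one per column: 2*sqrt(n) components."""
    return 2 * math.isqrt(n)


if __name__ == "__main__":
    print("36-user grid is linear:", matches_linear_semantics(36))
    print("decryptors of (4,3):", sorted(decryptor_set(36, 4, 3)))
```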
![Page 27: Secure Broadcast Systems and Perspective on Pairings](https://reader035.fdocuments.in/reader035/viewer/2022062520/56815735550346895dc4d667/html5/thumbnails/27.jpg)
27
Bilinear groups of order N=pq [BGN’05]
G: group of order N = pq; (p, q) secret.
Bilinear map: e: G × G → GT
G = Gp × Gq.  gp = g^q ∈ Gp ; gq = g^p ∈ Gq
Facts: ∀ h ∈ G, h = (gq)^a (gp)^b
  e( gp , gq ) = e(g^q , g^p) = e(g,g)^N = 1
  e( gp , h ) = e( gp , gp )^b  !!
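The composite-order facts above, checked in exponent form (an added example for this page, not code from [BGN’05] or the slides). A cyclic group of order N = pq is modelled as Z_N written additively, with g^x stored as x, so the pairing e(g^a, g^b) = e(g,g)^(ab) becomes a·b mod N. The primes are small constructed values; this is a sanity check of the algebra, not a cryptosystem.

```python
import math

# Constructed small primes; in a real system (p, q) are secret and N is large.
p, q = 1009, 1013
N = p * q


def e(a: int, b: int) -> int:
    """Pairing in exponent form: e(g^a, g^b) = e(g,g)^(ab) -> a*b mod N."""
    return (a * b) % N


g = 1                  # generator of G (exponent 1)
gp = (q * g) % N       # g_p = g^q, generates the order-p subgroup G_p
gq = (p * g) % N       # g_q = g^p, generates the order-q subgroup G_q


def order(x: int) -> int:
    """Order of x in the additive group Z_N."""
    return N // math.gcd(x % N, N)


def element(a: int, b: int) -> int:
    """h = (g_q)^a (g_p)^b: every h in G decomposes this way since G = G_p x G_q."""
    return (a * gq + b * gp) % N


def facts_hold() -> bool:
    """The facts on the slide, checked in exponent form."""
    subgroups = order(gp) == p and order(gq) == q
    # e(g_p, g_q) = e(g,g)^N = 1  (exponent 0 in G_T)
    f1 = e(gp, gq) == 0
    # e(g_p, h) = e(g_p, g_p)^b: the G_q component of h is annihilated
    h = element(17, 23)
    f2 = e(gp, h) == (23 * e(gp, gp)) % N
    # consequence: randomising the G_q part of h never changes its pairing with g_p
    f3 = len({e(gp, element(a, 23)) for a in range(q)}) == 1
    return subgroups and f1 and f2 and f3


if __name__ == "__main__":
    print("BGN subgroup facts hold:", facts_hold())
```

The third check is the property the next slide leans on: a component whose payload lives in one subgroup can be blinded by an arbitrary element of the other subgroup without affecting what a pairing against that subgroup's generator returns, while a component whose Gp part is malformed pairs to garbage.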
![Page 28: Secure Broadcast Systems and Perspective on Pairings](https://reader035.fdocuments.in/reader035/viewer/2022062520/56815735550346895dc4d667/html5/thumbnails/28.jpg)
28
A √n size PLBE
Ciphertext: ( C1, …, C√n, R1, …, R√n )
User (x,y) must pair Rx and Cy to decrypt.
(Figure: table classifying the Gq and Gp parts of Rx for x < i, x = i, x > i and of Cy for y < j, y ≥ j as well-formed, malformed/random, or zero, for a ciphertext to position (i,j).)
Case              Result
x < i             No: Rx not well formed
x = i and y < j   No: Cy malformed in Gp
x = i and y ≥ j   Yes: both well formed
x > i             Yes: independent of column
![Page 29: Secure Broadcast Systems and Perspective on Pairings](https://reader035.fdocuments.in/reader035/viewer/2022062520/56815735550346895dc4d667/html5/thumbnails/29.jpg)
29
Trace and Revoke [BW06]
What happens when we catch a traitor?
• Torture?
• Re-do system?
Want broadcast and tracing simultaneously
• Trivial combination does not work
BW06
• Combined ideas
• Bonus: adaptive security & better assumptions
![Page 30: Secure Broadcast Systems and Perspective on Pairings](https://reader035.fdocuments.in/reader035/viewer/2022062520/56815735550346895dc4d667/html5/thumbnails/30.jpg)
30
Trace and Revoke
![Page 31: Secure Broadcast Systems and Perspective on Pairings](https://reader035.fdocuments.in/reader035/viewer/2022062520/56815735550346895dc4d667/html5/thumbnails/31.jpg)
31
T&R = a simple combination?
(Figure: Encrypt splits M into shares R and M − R; the B.E. system encrypts R and the T.T. system encrypts M − R. Decrypt runs BE to recover R and TT to recover M − R, then recombines them into M.)
![Page 32: Secure Broadcast Systems and Perspective on Pairings](https://reader035.fdocuments.in/reader035/viewer/2022062520/56815735550346895dc4d667/html5/thumbnails/32.jpg)
32
A simple attack
(Figure: the same BE / TT split of M into R and M − R.)
2 colluders split duties: one contributes the BE key (recovering R), the other the TT key (recovering M − R).
Catch the same one over and over (box still works).
![Page 33: Secure Broadcast Systems and Perspective on Pairings](https://reader035.fdocuments.in/reader035/viewer/2022062520/56815735550346895dc4d667/html5/thumbnails/33.jpg)
33
Our Approach (Intuition)
Can’t allow attackers to “separate” systems
• In general hard to combine
BGW05 (Broadcast) and BSW06 (Traitor Tracing) are both algebraic
Multiply private keys together so they can’t be separated
• Not so easy… needed a different B.E. scheme
![Page 34: Secure Broadcast Systems and Perspective on Pairings](https://reader035.fdocuments.in/reader035/viewer/2022062520/56815735550346895dc4d667/html5/thumbnails/34.jpg)
34
Summary
New results: [BGW’05, BSW’06, BW’06]
• Full collusion resistance (FCR):
  • B.E.: O(1) CT, O(1) priv-keys … but O(n) PK
  • T.T.: O(√n) CT, O(1) priv-keys.
  • T.R.: O(√n) CT, O(√n) priv-keys.
![Page 35: Secure Broadcast Systems and Perspective on Pairings](https://reader035.fdocuments.in/reader035/viewer/2022062520/56815735550346895dc4d667/html5/thumbnails/35.jpg)
35
Open Problems (FCR)
Broadcast:
• Constant size everything (CT, pub/priv keys)
• Same params with adaptive security
Traitor Tracing:
• Private linear B.E. with O(log n) CT.
• Private B.E. from Linear Assumption
![Page 36: Secure Broadcast Systems and Perspective on Pairings](https://reader035.fdocuments.in/reader035/viewer/2022062520/56815735550346895dc4d667/html5/thumbnails/36.jpg)
36
Pairings from the Outside
Identity-based encryption [BF01]
• Efficient Selective-ID Secure IBE without Random Oracles [BB04a]
• Secure IBE without Random Oracles [BB04a]
• Efficient IBE without Random Oracles [W05]
• Practical IBE without Random Oracles [Gen06]
A ID-Based Deniable Authentication Protocol on pairings
![Page 37: Secure Broadcast Systems and Perspective on Pairings](https://reader035.fdocuments.in/reader035/viewer/2022062520/56815735550346895dc4d667/html5/thumbnails/37.jpg)
37
Organizing Contributions (My View)
1. Identity-Based Encryption
2. Signatures ??
3. Slightly 2-Homomorphic
4. NIZKs
5. Broadcast and Tracing
![Page 38: Secure Broadcast Systems and Perspective on Pairings](https://reader035.fdocuments.in/reader035/viewer/2022062520/56815735550346895dc4d667/html5/thumbnails/38.jpg)
38
IBE [BF01]
IBE [BF01]: public key encryption scheme where the public key is an arbitrary string (ID). Example: a user’s e-mail address.
(Figure: e-mail encrypted using the public key “[email protected]”; the CA/PKG, holding the master-key, issues Alice her private key after she claims “I am [email protected]”. Alice does not access a PKI; the authority is offline.)
Is regular PKI good enough?
![Page 39: Secure Broadcast Systems and Perspective on Pairings](https://reader035.fdocuments.in/reader035/viewer/2022062520/56815735550346895dc4d667/html5/thumbnails/39.jpg)
39
Idea is Bigger
Encrypt “Structured” Data
(Figure: the CA/PKG holds the master-key; a user sends a capability request and receives a private “capability”; the authority is offline.)
![Page 40: Secure Broadcast Systems and Perspective on Pairings](https://reader035.fdocuments.in/reader035/viewer/2022062520/56815735550346895dc4d667/html5/thumbnails/40.jpg)
40
Health Records
(Figure: the CA/PKG, holding the master-key, issues a private “capability”; the authority is offline.)
Record: Weight = 125, Height = 5’4, Age = 46, Blood Pressure = 125, Partners = …
Capability: If Weight/Height > 30 AND Age > 45, output Blood Pressure
No analogous PKI solution
![Page 41: Secure Broadcast Systems and Perspective on Pairings](https://reader035.fdocuments.in/reader035/viewer/2022062520/56815735550346895dc4d667/html5/thumbnails/41.jpg)
41
IBE Class
IBE [BF01, CHK04, BB04, W05, Gen06]
HIBE[ HL02, GS02]
Searching on Enc. Data[BDOP04, BoyW06, BonW06]
Attribute-Based Enc. [SW05, GPSW06]
Trend of Structured Encryptions
![Page 42: Secure Broadcast Systems and Perspective on Pairings](https://reader035.fdocuments.in/reader035/viewer/2022062520/56815735550346895dc4d667/html5/thumbnails/42.jpg)
42
NIZKs
Two GOS06 papers • 3 points of interest
1) Perfect hiding NIZK, ZAPs (theoretical)
2) Most efficient NIZK (but still bit by bit)
3) Speak bilinear maps “natively” (cool): build group sigs [BW06], other stuff
![Page 43: Secure Broadcast Systems and Perspective on Pairings](https://reader035.fdocuments.in/reader035/viewer/2022062520/56815735550346895dc4d667/html5/thumbnails/43.jpg)
43
An Upcoming Wall?
No 3-Linear Map
Advanced IBE somewhat limited
Traitor Tracing stuck at √n
NIZKs kind of done
![Page 44: Secure Broadcast Systems and Perspective on Pairings](https://reader035.fdocuments.in/reader035/viewer/2022062520/56815735550346895dc4d667/html5/thumbnails/44.jpg)
44
Some Inspiration
Composite Order Groups
![Page 45: Secure Broadcast Systems and Perspective on Pairings](https://reader035.fdocuments.in/reader035/viewer/2022062520/56815735550346895dc4d667/html5/thumbnails/45.jpg)
45
THE END
![Page 46: Secure Broadcast Systems and Perspective on Pairings](https://reader035.fdocuments.in/reader035/viewer/2022062520/56815735550346895dc4d667/html5/thumbnails/46.jpg)
46
Security Problems
1) Access control of content
  • Broadcast targeted to certain set
  • e.g. all paying subscribers
2) Identifying compromised insiders
  • Clones and distributes pirate decoders
  • Trace back to attacker
![Page 47: Secure Broadcast Systems and Perspective on Pairings](https://reader035.fdocuments.in/reader035/viewer/2022062520/56815735550346895dc4d667/html5/thumbnails/47.jpg)
47
A Trivial Solution
Small private key, large ciphertext.
• Every user j has unique private key dj.
CT = { E_dj[M] | j ∈ S }
|CT| = O(|S|), |priv| = O(1)