Broadcast Encryption – an overview

Post on 22-Feb-2016


Niv Gilboa – BGU

Definition (FN93)

[Figure: the Broadcaster and users $u_1, u_2, u_3, \ldots, u_n$; labels M and E(M)]

• Users: $U = \{u_1, \ldots, u_n\}$
• R: users who don’t get M, even with collusion. $|R| = r$
• S: users who get M. $|S| = n-r$

Usage

• Broadcast TV
• Content distribution
• Mobile content
• DVD
• Multi-user file systems

Pay TV Beginnings

• 1980’s
• Subscriptions instead of advertising
• TV content costs money!
• Threat: a subset of users in U distribute M to $u' \in R$
• [FN93] and all subsequent papers only consider users in R as a threat.

Straightforward Solution I

• Initialization

[Figure: the Broadcaster holds $k_1, k_2, k_3, \ldots, k_n$; users $u_1, u_2, u_3, \ldots, u_n$ receive $k_1, k_2, k_3, \ldots, k_n$ over private channels]

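Straightforward Solution II

[Figure: the Broadcaster holds $k_1, k_2, k_3, \ldots, k_n$; users $u_1, u_2, u_3, \ldots, u_n$ hold $k_1, k_2, k_3, \ldots, k_n$; broadcast channel; each user is labelled "key"]

• Broadcast I: key
  - $E_{k_{i_1}}(key), E_{k_{i_2}}(key), \ldots$, $i \in S$
• Broadcast II: content
  - $E_{key}(content)$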

Diverging concerns

• Media distribution (practice)
  - Users in S can provide key / content to users in R
• Broadcast encryption (theory)
  - Separation between key and content is not important and is obvious
  - Straightforward solution is trivial
    - Message length – O(n-r)
    - Storage – O(1) for user, O(n-r) for broadcaster (or O(1) + PRF)
    - Revocation for free
  - Better solutions can be found

Beyond Cryptography

• Media distribution to “secure devices”
  - Smart cards
  - Secure hardware of various types
  - Obfuscated code
• The rest of the talk will focus on broadcast encryption

Limited collusion

• The assumption is that only up to t users in R collude
  - Original [FN93] paper
  - Public key papers [CMN99], [NP00]
• Reasonable assumption, but results are not better than fully collusion-resistant schemes

Logical Key Hierarchy [W97, WGL98]

• Users are arranged in balanced binary tree
  - Each user is a leaf
  - Each node is associated with a key
  - Each user has log n keys on path from leaf to root
• Users have dynamic state
• Revocation of node x
  - Bottom up update
  - Encrypt node key with children keys: single key for parent of x, both keys for higher nodes

LKH (cont.)

• Broadcast:
  - Encrypt message with root key
• Complexity
  - Broadcast message length – O(1)
  - Storage – O(log n) for user, O(1) + PRF for broadcaster
  - Revocation – O(log n) time per user

User dynamic state

|                | Dynamic state                           | Stateless           |
| Connection     | Always on / updates from broadcaster    | Connect when needed |
| Revocation     | Revoke and forget                       | Maintain revocation |
| Implementation | More complex                            | Simpler             |

Subset cover schemes

• Several works: starting with [NNL01], improved in [HS02], [GST04]
• Stateless schemes
• $B \subseteq 2^U$, a key $k_i$ is associated with every $b_i \in B$
• User u has keys of every b such that $u \in b$
• Broadcast and revocation
  - Broadcaster finds $\{b_1, \ldots, b_m\} \subseteq B$, such that $\bigcup_i b_i = S$
  - Broadcaster sends $E_{k_i}(M)$ for every $i = 1, \ldots, m$

Subset cover (cont.)

• Message length – m
• Storage – broadcaster |B|, user u stores number of sets b s.t. $u \in b$
• Example – same data structure as LKH
  - Message length – $m = r \log(n/r)$
  - Storage – broadcaster O(1)+PRF, user O(log n)
• Better data structures shave the $\log(n/r)$ factor
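The binary-tree instance of subset cover mentioned above (the complete subtree method of [NNL01]), as an added example that is not part of the original slides. It assumes n is a power of two, users numbered from 0, heap numbering of tree nodes with the root at 1, and HMAC-SHA256 standing in for the PRF; the function names, the master secret and the revoked set are constructed for illustration.

```python
import hashlib
import hmac
import math

def path_nodes(n, u):
    """Nodes (heap numbering, root = 1) whose keys user u stores: leaf up to root."""
    node, path = n + u, []
    while node >= 1:
        path.append(node)
        node //= 2
    return path

def cover(n, revoked):
    """Subtree roots b_1..b_m whose leaves are exactly S = U minus R."""
    if not revoked:
        return [1]  # nobody revoked: the root subtree is all of U
    steiner = set()  # every node with a revoked leaf below it
    for u in revoked:
        steiner.update(path_nodes(n, u))
    # A subtree holds no revoked user when its root hangs off the Steiner tree.
    return sorted(c for v in steiner if v < n
                  for c in (2 * v, 2 * v + 1) if c not in steiner)

def node_key(master, node):
    """Broadcaster side: derive k_i from one master secret (O(1) + PRF storage)."""
    return hmac.new(master, node.to_bytes(4, "big"), hashlib.sha256).digest()

def usable_node(n, u, cov):
    """The cover node on u's path (u holds its key), or None if u is revoked."""
    hits = [b for b in path_nodes(n, u) if b in cov]
    return hits[0] if hits else None

if __name__ == "__main__":
    n, R = 16, {3, 9, 10}  # constructed sample: 16 users, 3 revoked
    cov = cover(n, R)
    master = b"constructed-demo-master-secret"
    print("cover:", cov, "m =", len(cov))
    print("bound r*log2(n/r) =", round(len(R) * math.log2(n / len(R)), 2))
    for u in range(n):
        b = usable_node(n, u, cov)
        tag = node_key(master, b).hex()[:8] if b else "revoked"
        print(f"u{u}: node {b} key {tag}")
```

The broadcaster would send one $E_{k_i}(M)$ per node in the cover; a stateless user needs no update, because each unrevoked user already stores the key of exactly one cover node.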

Public keys

• Advantage of public key systems:
  - Any user can encrypt messages
  - Sometimes that’s a disadvantage
• Any symmetric key scheme can be turned into a private/public key scheme
• Slight problem
  - In the simplest transformation the broadcaster key has to be large (O(n) or O(n-r))
• Bilinear maps to the rescue! HIBE [DF02] and others.

Example [LSW10]

• Public key
• Stateless
• Revocation and broadcast in O(r)
• Storage for broadcaster and user O(1)
• Specific hardness assumptions!
• O(1) here is actually quite similar to O(log n) in previous solutions.

LSW10 (cont.)

• Two groups $G$, $G_1$ of size $p$, $e: G \times G \to G_1$ s.t. $e(g^a, g^b) = e(g,g)^{ab}$
• Discrete log and variations of DDH are assumed to be hard in $G$ and $G_1$
• General parameters: $g, h \in G$, $a, b \in \{0, \ldots, p-1\}$
• Public key: $\{g, g^b, g^{b^2}, h^b, e(g,g)^a\}$
• Private key: $t \in \{0, \ldots, p-1\}$, $D_0 = g\,g^{b^2 t}$, $D_1 = (g^{b \cdot ID} h)^t$, $D_2 = g^{-t}$

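LSW10 (cont.)

• Encryption: assume that $R = \{1, \ldots, r\}$
  - Choose random $s$ and divide it into $r$ shares $s_1 + \ldots + s_r = s \bmod p$
  - $C' = e(g,g)^{ab} M$, $C_0 = g^s$
  - For $i = 1, \ldots, r$: $C_{i1} = g^{b s_i}$, $C_{i2} = (g^{b^2 ID_i} h^b)^{s_i}$
• Decryption: compute $e(C_0, D_0)$ by $YZ$, where
  - $Y = e(D_1, \prod_i (C_{i1})^{1/(ID - ID_i)})$
  - $Z = e(D_2, \prod_i (C_{i2})^{1/(ID - ID_i)})$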

What’s still open?

• Stateful?
  - A scheme with the same parameters as LSW is known [DGK12] by changing the state as part of the revocation
• Very large r
  - We would like schemes that are flexible between r and n-r. An example is [BGW05], but the message size * public key ~ n
• Closing the gap between theory and practice
