Broadcast Encryption: Amos Fiat & Moni Naor

Fall, 2011 - Privacy&Security - Virginia Tech – Computer Science. Presented by Gayathri VS

Upload: homer

Post on 24-Feb-2016


Page 1: Broadcast Encryption Amos Fiat &  Moni Naor


Broadcast Encryption
Amos Fiat & Moni Naor

Presented by Gayathri VS

Page 2: Broadcast Encryption Amos Fiat &  Moni Naor


Outline

• The Problem
• Zero Message Schemes
    • Basic Scheme
    • 1-resilient Scheme based on 1-way function
    • 1-resilient Scheme based on number-theory
• Low-Memory k-resilient schemes

Page 3: Broadcast Encryption Amos Fiat &  Moni Naor


The Problem

• The system consists of a broadcasting center and a set U of n users.
• A key is distributed to users upon joining the system.
• Securely transmit data to a randomly changing privileged subset of users out of the set S.
• Any coalition of k users from the universe who are not part of the privileged set should not be able to decrypt the message (the scheme is k-resilient).

Page 4: Broadcast Encryption Amos Fiat &  Moni Naor


Notations

• U is the universe consisting of n users
• P is the privileged subset
• S is any subset trying to learn the secret ($S \cap P = \emptyset$)
• |S| is the size of subset S
• $K_S$ is the key common to subset S

Page 5: Broadcast Encryption Amos Fiat &  Moni Naor


Security Definitions

• A scheme is resilient if, for every subset S with $S \cap P = \emptyset$ (where $P \subset U$ is the privileged set), S cannot learn the secret common to P.
• A scheme is k-resilient if it is resilient for every such S with $|S| \le k$.
• A scheme is (k,p) random resilient if any randomly selected subset is k-resilient with probability (1-p).

Page 6: Broadcast Encryption Amos Fiat &  Moni Naor


Obvious Solution

Solution 1:

Page 7: Broadcast Encryption Amos Fiat &  Moni Naor


Obvious Solution

Solution 2:

Page 8: Broadcast Encryption Amos Fiat &  Moni Naor


Obvious Solutions – Performance

Solution 1: Each user is assigned a unique key. 1 key per user and O(n) messages.

Solution 2: Each subset gets a unique key. $2^{n-1}$ keys per user and O(1) message.

For any arbitrary subset, we have two choices for each of $x_2, \dots, x_n$ (they may or may not be present in that subset).

Total number of subsets which contain $x_1$:

$1 \cdot 2 \cdot 2 \cdots 2 = 2^{n-1}$

Page 9: Broadcast Encryption Amos Fiat &  Moni Naor


Problem Statement .. Revisited

The goal is to optimize:

a) Number of transmissions sent by the center to create the common secret

b) Number of keys each user stores

c) Computational effort in retrieving the common key by the members of the privileged class.

Page 10: Broadcast Encryption Amos Fiat &  Moni Naor


Outline

• The Problem
• Zero Message Schemes (Low-resiliency)
    • Basic Scheme (Assumption Free)
    • 1-resilient Scheme based on 1-way function
    • 1-resilient Scheme based on number-theory
• Low-Memory k-resilient schemes

Page 11: Broadcast Encryption Amos Fiat &  Moni Naor


Zero Message Schemes

• Having the knowledge of the users in the privileged set T, all users can compute the common key to decrypt the message sent by the center.
• The privileged set can be identified by sending a relatively short transmission. This is the ‘set identification transmission’ (different from the broadcast encryption transmission).

Page 12: Broadcast Encryption Amos Fiat &  Moni Naor


BASIC SCHEME

• For every set $S \subset U$ where $0 \le |S| \le k$, assign a key $K_S$.
• Distribute $K_S$ to all users $x \in U - S$.

U = {a, b, c}. Here n = 3. Let k be 2.

KEY DISTRIBUTION:
S = {a, b, c, {a,b}, {a,c}, {b,c}}
$K_S$ = {$K_a$, $K_b$, $K_c$, $K_{ab}$, $K_{ac}$, $K_{bc}$}
User a has $K_b$, $K_c$, $K_{bc}$
User b has $K_a$, $K_c$, $K_{ac}$
User c has $K_a$, $K_b$, $K_{ab}$

Page 13: Broadcast Encryption Amos Fiat &  Moni Naor


ENCRYPTION: The common key to the privileged set P is simply the exclusive or of all keys $K_S$ where $S \subset U - P$.

If P = {a, b} then K = XOR of $K_S$ where $S \subset U - P$. Here S is c, so K = $K_c$.

RESILIENCY: Every possible set $S \subset U - P$, $0 \le |S| \le k$, will miss the key $K_S$ and cannot decrypt the message sent by the center.

NUMBER OF MESSAGES, KEYS: Number of keys per user: $\sum_{i=0}^{k} \binom{n}{i}$. For the above scheme to be 1-resilient each user should store (n+1) keys. For the above scheme to be n-resilient each user should store $2^{n-1}$ keys.

Page 14: Broadcast Encryption Amos Fiat &  Moni Naor


1-resilient scheme based on one-way function

• O(n) keys in previous scheme can be reduced to keys if keys are pseudo-randomly generated
• Let $f: \{0,1\}^{l} \to \{0,1\}^{2l}$ be a pseudo-random generator (the length of the output of f is twice the length of the input).
• Users are at the leaves of a balanced binary tree.
• The root is labeled with the common seed from the set $\{0,1\}^{l}$.

Page 15: Broadcast Encryption Amos Fiat &  Moni Naor


• Apply the pseudo-random generator to the root label. Assign the left half (first bits) to be the label of the left subtree, while the right half (last bits) is the label of the right subtree.
• User x should get all leaf labels except his. To achieve this, we remove the path from x to the root, which leaves a forest on log n labels.
• Every $x \in U$ can use the $\lceil \log n \rceil$ values that he got to generate all leaf labels except his own.
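The tree construction above as an added sketch, not code from the presentation: SHA-256 stands in for the length-doubling generator f, labels are 16 bytes, n is a power of two, and the common key is the k = 1 basic-scheme key (XOR of the leaf labels of users outside P); all of these choices and names are assumptions.

```python
import hashlib

L = 16  # label length in bytes, i.e. l = 128 bits (assumption)

def prg(label: bytes):
    """Stand-in for f: SHA-256 stretches 16 bytes to 32, split in halves."""
    out = hashlib.sha256(label).digest()
    return out[:L], out[L:]              # (left child label, right child label)

def expand(node: int, label: bytes, n: int) -> dict:
    """Leaf labels below `node` (heap numbering: root 1, leaves n..2n-1)."""
    if node >= n:
        return {node - n: label}         # leaf n + x belongs to user x
    left, right = prg(label)
    return {**expand(2 * node, left, n), **expand(2 * node + 1, right, n)}

def label_of(node: int, seed: bytes) -> bytes:
    """Center only: walk from the root down to `node`."""
    label = seed
    for bit in bin(node)[3:]:            # path bits after the leading 1
        label = prg(label)[int(bit)]
    return label

def user_share(x: int, seed: bytes, n: int) -> dict:
    """Labels of the siblings of every node on the path from leaf x to the root."""
    share, node = {}, n + x
    while node > 1:
        share[node ^ 1] = label_of(node ^ 1, seed)
        node //= 2
    return share

def leaves_known_to(share: dict, n: int) -> dict:
    """Everything a user can regenerate from the labels it holds."""
    known = {}
    for node, label in share.items():
        known.update(expand(node, label, n))
    return known

def common_key(leaf_labels: dict, privileged, n: int) -> bytes:
    """XOR of the leaf labels of all users outside P; KeyError if one is unknown."""
    key = bytes(L)
    for y in range(n):
        if y not in privileged:
            key = bytes(a ^ b for a, b in zip(key, leaf_labels[y]))
    return key
```

For n = 8 each user stores 3 labels and rebuilds the other 7 leaf labels; a user outside P hits the KeyError because the key includes its own leaf label.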

Page 16: Broadcast Encryption Amos Fiat &  Moni Naor


Page 17: Broadcast Encryption Amos Fiat &  Moni Naor


A 1-resilient scheme based on Computational Number Theoretic Assumptions

• The center chooses a random hard-to-factor composite $N = P \cdot Q$, where P and Q are primes.
• It also chooses a secret value g of high index.
• Each user $i \in U$ is assigned $g_i = g^{p_i}$.
• $\gcd(p_i, p_j) = 1$ for $i \ne j$.
• The common key for $P \subset U$ is $g_T = g^{P_T} \bmod N$, where $P_T = \prod_{i \in P} p_i$.
• Each user $i \in P$ can compute $g_T$ as $g_i^{X} \bmod N$, where $X = \prod_{j \in P - \{i\}} p_j$.

Page 18: Broadcast Encryption Amos Fiat &  Moni Naor


| SCHEME | NO. OF KEYS/USER | MESSAGE LENGTH | RESILIENCY | ASSUMPTION |
|---|---|---|---|---|
| Trivial Solution 1 | 1 | O(n) | any | Nothing |
| Trivial Solution 2 | $2^{n-1}$ | 1 | any | Nothing |
| Basic Scheme | $\sum_{i=0}^{k} \binom{n}{i}$ | 1 | k | Nothing |
| Basic Scheme (k = 1) | O(n) | 1 | 1 | Nothing |
| Basic Scheme (k = n-1) | $O(2^n)$ | 1 | n | Nothing |
| 1-resilient using PRG | $\lceil \log n \rceil$ | 1 | 1 | One-way functions and hence PRG exist |
| 1-resilient using number theory | 1 | 1 | 1 | Root extraction is hard |

Page 19: Broadcast Encryption Amos Fiat &  Moni Naor


Outline

• The Problem
• Zero Message Schemes (Low-resiliency)
    • Basic Scheme (Assumption Free)
    • 1-resilient Scheme based on 1-way function
    • 1-resilient Scheme based on number-theory
• Low-Memory k-resilient schemes
    • One Level Schemes
    • Multi Level Schemes

Page 20: Broadcast Encryption Amos Fiat &  Moni Naor


Low Memory-Resilient Schemes

• The zero-message 1-resilient schemes require, for k > 1, memory which is exponential in k.
• Low-memory k-resilient schemes can be built from 1-resilient schemes.
• Let w denote the number of keys that a user is required to store in the 1-resilient scheme.
• w = n+1 if no cryptographic assumptions are made, w = ceil(log n) if we assume that one-way functions exist, and w = 1 if we assume that it is hard to extract roots modulo a composite.
• The efficiency of the schemes is measured by how many w's they require.

Page 21: Broadcast Encryption Amos Fiat &  Moni Naor


One Level Scheme

1. $f_1, f_2, \dots, f_l$ is a family of functions $f_i : U \to \{1, \dots, m\}$, $1 \le i \le l$.
2. For every group $S \subset U$, $|S| = k$, there exists some function $f_i$ that is 1-1 on S: for all $x \ne y$ in S, $f_i(x) \ne f_i(y)$.

$\{f_i\}$ contains a perfect hash function for every subset of size k in U when mapped to the range $\{1, 2, \dots, m\}$.

Page 22: Broadcast Encryption Amos Fiat &  Moni Naor


One Level Scheme – Key Distribution

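| | user 1 | user 2 | … | user n |
|---|---|---|---|---|
| 1 | $R(1, f_1(1))$ | $R(1, f_1(2))$ | … | $R(1, f_1(n))$ |
| 2 | $R(2, f_2(1))$ | $R(2, f_2(2))$ | … | $R(2, f_2(n))$ |
| l | $R(l, f_l(1))$ | $R(l, f_l(2))$ | … | $R(l, f_l(n))$ |

1. $\{R(i, j)\}_{1 \le i \le l,\ 1 \le j \le m}$ are independent 1-resilient schemes.
2. Each user $x \in U$ gets the keys associated with the schemes $R(i, f_i(x))$, $1 \le i \le l$.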

Page 23: Broadcast Encryption Amos Fiat &  Moni Naor


One Level Schemes – Encryption and Decryption

1. To transmit M to $T \subset U$, the center breaks M into l random shares such that $M = M_1 \oplus M_2 \oplus \dots \oplus M_l$.
2. For $1 \le i \le l$, the center transmits $M_i$ in m distinct messages using $R(i, j)$, $j = 1, 2, \dots, m$, where $j = f_i(x)$ for all x in P.
3. Every $x \in T$ may recover $M_i$, $1 \le i \le l$, from $R(i, j)$ where $j = f_i(x)$, and then add them up to get M.

If $x_1$ is part of P: $M_1$ – $R(1, f_1(x_1))$, $M_2$ – $R(2, f_2(x_1))$, …, $M_l$ – $R(l, f_l(x_1))$

Page 24: Broadcast Encryption Amos Fiat &  Moni Naor


One Level Scheme - Storage

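| | user 1 | user 2 | … | user n |
|---|---|---|---|---|
| 1 | $R(1, f_1(1))$ | $R(1, f_1(2))$ | … | $R(1, f_1(n))$ |
| 2 | $R(2, f_2(1))$ | $R(2, f_2(2))$ | … | $R(2, f_2(n))$ |
| l | $R(l, f_l(1))$ | $R(l, f_l(2))$ | … | $R(l, f_l(n))$ |

$M_1$: $R(1, f_1(1))$, $R(1, f_1(2))$
$M_2$: $R(2, f_2(1))$, $R(2, f_2(2))$
$M_l$: $R(l, f_l(1))$, $R(l, f_l(2))$

Storage per user: l times that of the 1-resilient scheme.
Length of transmission: l · m messages.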

Page 25: Broadcast Encryption Amos Fiat &  Moni Naor


One Level Scheme - Resiliency

Claim: The scheme is k-resilient.

• Let S be a coalition of size $|S| \le k$.
• There exists $f_i$ that is 1-1 on S.
• $M_i$ is the message transmitted using $f_i$. $M_i$ is delivered in m independent transmissions.
• There can be at most one $x \in S$ for which $f_i(x) = j$ who has the keys of that scheme.
• However, $R(i, j)$ is 1-resilient and hence that single user cannot recover $M_i$ and hence M.

Page 26: Broadcast Encryption Amos Fiat &  Moni Naor


One Level Scheme – Idea

• Use a perfect family of hash functions.
• Send a “share” of the secret M corresponding to each hash function.
• Each share is broadcast with different encryptions.
• The privileged users can decrypt these messages, and any colluding set of at most k users cannot obtain at least one of the shares.
• No information about M is revealed if we miss even one of the shares.

Page 27: Broadcast Encryption Amos Fiat &  Moni Naor


Setting Parameters

Set $m = 2k^2$, $l = k \log n$.

Theorem: There exists a k-resilient scheme that requires the users to store $O(k \log n \cdot w)$ keys and the center to broadcast $O(k^3 \log n)$ messages. The scheme may be constructed at random with arbitrarily high probability.

Probability that a random $f_i$ is not 1-1 on S is ((kC2).2m-1)/2m = $\binom{k}{2} \cdot \frac{1}{m} = \frac{k(k-1)}{2m} = \frac{1}{4} - \frac{1}{4k} \le \frac{1}{4}$

Given the family of functions $f_1, f_2, \dots, f_l$:

Prob(no $f_i$ is 1-1 on S) $= 1/4^{l} = 1/2^{2l} = 1/n^{2k}$

($l = k \log n$; $2l = 2k \log n$; $2l = \log n^{2k}$; $n^{2k} = 2^{2l}$)

Prob(some $f_i$ is 1-1 on S) $= 1 - n^{-2k}$

Prob(there exists $f_i$ that is 1-1 on all S of size k) $\ge (1 - n^{-2k})^{t}$, where $t = \binom{n}{k}$, $\ge 1 - n^{-k}$
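An added check of these parameters on a small universe, not code from the presentation: it draws a random family with $m = 2k^2$ and $l = k \log n$ (logarithm base 2, rounded up, which is what the step $2^{2l} = n^{2k}$ implies), then exhaustively looks for k-subsets on which no $f_i$ is 1-1. Function names and the sample sizes are assumptions.

```python
import math
import random
from itertools import combinations

def parameters(n, k):
    """m = 2k^2 and l = k log n (base 2, rounded up), as set on the slide."""
    return 2 * k * k, math.ceil(k * math.log2(n))

def random_family(n, m, l, rng):
    """l independent random functions U -> {1..m}, each stored as a table."""
    return [[rng.randrange(1, m + 1) for _ in range(n)] for _ in range(l)]

def is_one_to_one(f, S):
    return len({f[x] for x in S}) == len(S)

def uncovered_subsets(family, n, k):
    """k-subsets of U on which no f_i is 1-1; an empty list means the family
    contains a perfect hash function for every coalition of size k."""
    return [S for S in combinations(range(n), k)
            if not any(is_one_to_one(f, S) for f in family)]

def collision_probability(k, m):
    """(exact, bound): exact Pr[random f is not 1-1 on a fixed k-set] and the
    slide's value k(k-1)/2m, which upper-bounds it."""
    exact = 1 - math.perm(m, k) / m ** k
    return exact, k * (k - 1) / (2 * m)

def check(n, k, seed):
    m, l = parameters(n, k)
    family = random_family(n, m, l, random.Random(seed))
    return m, l, len(uncovered_subsets(family, n, k))
```

Every uncovered subset is a coalition for which the one-level construction gives no guarantee, so a center building the family at random would rerun the draw until this list is empty.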

Page 28: Broadcast Encryption Amos Fiat &  Moni Naor


Setting Parameters

• A scheme is (k,p) random resilient if any randomly selected subset is k-resilient with probability (1-p).
• P(for all subsets S of size k, there exists $f_i$ that is 1-1 on S) $\ge 1 - p$
• For (k,p) random resiliency substitute $l = \log(1/p)$.

Theorem: A (k,p)-resilient scheme requires the users to store $O(\log(1/p) \cdot w)$ keys and the center should broadcast $O(k^2 \log(1/p))$ messages.

Page 29: Broadcast Encryption Amos Fiat &  Moni Naor


Multi Level Schemes

• Multi-level schemes, like the one-level ones, convert 1-resilient schemes to k-resilient ones.
• The “multi-levelness” comes through the R(i, j)s, which are sets of 1-resilient schemes.
• It decreases the length of transmission at the expense of more storage at the user.

Page 30: Broadcast Encryption Amos Fiat &  Moni Naor


Multi-Level Scheme Key Distribution

User 1:

$R(1, f_1(1), 1)$  $R(1, f_1(1), 2)$  …  $R(1, f_1(1), w)$
$R(2, f_2(1), 1)$  $R(2, f_2(1), 2)$  …  $R(2, f_2(1), w)$
$R(l, f_l(1), 1)$  $R(l, f_l(1), 2)$  …  $R(l, f_l(1), w)$

For every subset S of size k, there exists some $1 \le i \le l$ such that for all j there exists some w such that $R(i, j, w)$ is resilient to the set $\{x \in S : f_i(x) = j\}$.

Every user x in U, for every $1 \le i \le l$ and for every $1 \le r \le w$, receives the keys associated with the scheme $R(i, f_i(x), r)$.

Page 31: Broadcast Encryption Amos Fiat &  Moni Naor


Multi Level Scheme – Encryption and Decryption

1. To transmit M to $T \subset U$, the center breaks M randomly into l shares, such that $M = M_1 \oplus M_2 \oplus \dots \oplus M_l$.
2. Each $M_i$ is broken into w shares for each j: $M_1^{(i,j)}, M_2^{(i,j)}, \dots, M_w^{(i,j)}$.
3. For $1 \le i \le l$ and $1 \le r \le w$, $M_r^{(i,j)}$ is broadcast to the privileged subset $\{x \in T : f_i(x) = j\}$.
4. For any subset S of size k, by assumption there is an i such that, for all j, some scheme w is resilient to the x in S with $f_i(x) = j$.

Storage per user: l · w times that of the 1-resilient scheme.
Length of transmission: l · m · w times that of the 1-resilient scheme.

Page 32: Broadcast Encryption Amos Fiat &  Moni Naor


Set $l = 2k \log n$, $m = k/\log k$, $w = \log k + 1$, $t = 2e \log k$.

There exists a k-resilient scheme that requires each user to store $O(k \log k \log n \cdot w)$ keys and the center to broadcast $O(k^2 \log^2 k \log n)$ messages. Moreover, the scheme can be constructed effectively with high probability.

There exists a (k,p) random-resilient scheme with the property that the number of keys each user should store is $O(\log k \cdot \log(1/p) \cdot w)$ and the center should broadcast $O(k \log^2 k \log(1/p))$ messages. Moreover, the scheme can be constructed effectively with high probability.

Page 33: Broadcast Encryption Amos Fiat &  Moni Naor


| SCHEME | NO. OF KEYS/USER | MESSAGE LENGTH | RESILIENCY | ASSUMPTION |
|---|---|---|---|---|
| Basic Scheme | $\sum_{i=0}^{k} \binom{n}{i}$ | 1 | k | Nothing |
| 1-resilient using PRG | $\lceil \log n \rceil$ | 1 | 1 | One-way functions and hence PRG exist |
| 1-resilient using number theory | 1 | 1 | 1 | Root extraction is hard |
| One Level Scheme | $O(k \log n \cdot w)$ | $O(k^3 \log n)$ | k | |
| 1-Level (k,p) | $O(\log(1/p) \cdot w)$ | $O(k^2 \log(1/p))$ | k | |
| Multi-Level | $O(k \log k \log n \cdot w)$ | $O(k^2 \log^2 k \log n)$ | k | |

Page 34: Broadcast Encryption Amos Fiat &  Moni Naor


Thank You !