Broadcast Encryption – an overview
Niv Gilboa – BGU
Definition (FN93)
Users: U = {u1, …, un}
The broadcaster sends a single encryption E(M) of the message M over the broadcast channel to all users.
R ⊆ U, the revoked users: they do not learn M, even if all of them collude. |R| = r
S = U \ R, the privileged users: they recover M. |S| = n - r
Usage
Broadcast TV
Content distribution
Mobile content
DVD
Multi-user file systems
Pay TV Beginnings
1980s: subscriptions instead of advertising. TV content costs money!
Threat: a subset of users in U distribute M to a user u' ∈ R
[FN93] and all subsequent papers only consider users in R as a threat.
Straightforward Solution I
Initialization: the broadcaster sends each user ui its own key ki over a private channel.
The broadcaster holds k1, k2, k3, …, kn; user ui holds only ki.
Straightforward Solution II
Broadcast I (key): over the broadcast channel the broadcaster sends E_{k_i}(key) for every i ∈ S.
Every user in S recovers key with its own ki; users in R hold no key that opens any of these ciphertexts.
Broadcast II (content): the broadcaster sends E_key(content).
Diverging concerns
Media distribution (practice):
Users in S can provide key / content to users in R
Broadcast encryption (theory):
Separation between key and content is not important and is obvious
Straightforward solution is trivial
Message length – O(n-r)
Storage – O(1) for user, O(n-r) for broadcaster (or O(1) + PRF, deriving every ki from one master key)
Revocation for free (just stop encrypting key under ki)
Better solutions can be found
Beyond Cryptography
Media distribution to "secure devices":
Smart cards
Secure hardware of various types
Obfuscated code
The rest of the talk will focus on broadcast encryption
Limited collusion
The assumption is that only up to t users in R collude
Original [FN93] paper; public key papers [CMN99], [NP00]
Reasonable assumption, but the results are not better than fully collusion-resistant schemes
Logical Key Hierarchy [W97, WGL98]
Users are arranged in a balanced binary tree
Each user is a leaf
Each node is associated with a key
Each user holds the log n keys on the path from its leaf to the root
Users have dynamic state
Revocation of leaf x: bottom-up update of every node on x's path
Each new node key is encrypted with the keys of its children: a single key for the parent of x (the sibling leaf's key only, since x must not learn it), both children's keys for the higher nodes
LKH (cont.)
Broadcast: encrypt the message with the root key
Complexity
Broadcast message length – O(1)
Storage – O(log n) for user, O(1) + PRF for broadcaster
Revocation – O(log n) work per revoked user (one encryption for the parent of x, two for each node above it: 2 log n - 1 key encryptions)
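The revocation procedure on the two LKH slides above, as an added example in Python (this is not code from the talk). It assumes a heap-indexed balanced binary tree (root 1, children of v are 2v and 2v+1, user u at leaf n+u), node keys derived from a master key with HMAC-SHA256 as the PRF, and a toy XOR key-wrap standing in for an AEAD. The names Broadcaster, revoke, apply_rekey and wrap are this example's own. Beyond the slide, it also handles the case where a sibling subtree is already empty of legitimate users, so no key is ever wrapped under a key that only revoked users hold.

```python
"""Logical Key Hierarchy toy: stateful bottom-up rekeying over a balanced binary key tree."""
import hashlib
import hmac


def prf(master: bytes, label: str) -> bytes:
    """Node keys are PRF(master, node, epoch): the broadcaster keeps the master key
    plus the epoch in which each node was last rekeyed, not the key tree itself."""
    return hmac.new(master, label.encode(), hashlib.sha256).digest()


def wrap(key: bytes, node_key: bytes) -> bytes:
    """Toy 32-byte key wrap: XOR with an HMAC-derived pad.  It is its own inverse and
    unauthenticated; a deployment would use an AEAD key-wrap instead."""
    pad = hmac.new(key, b"lkh-wrap", hashlib.sha256).digest()
    return bytes(x ^ y for x, y in zip(node_key, pad))


def path_to_root(n: int, u: int) -> list:
    """Node ids from user u's leaf (n + u) up to the root (1): log2(n) + 1 nodes."""
    v, nodes = n + u, []
    while v >= 1:
        nodes.append(v)
        v //= 2
    return nodes


class Broadcaster:
    def __init__(self, n: int, master: bytes):
        assert n > 1 and n & (n - 1) == 0, "toy assumes n is a power of two"
        self.n, self.master, self.epoch = n, master, 0
        self.active = set(range(n))                       # users not yet revoked
        self.keys = {v: prf(master, f"{v}:0") for v in range(1, 2 * n)}

    def has_member(self, v: int) -> bool:
        """Does the subtree rooted at v still contain a non-revoked user?"""
        lo, hi = v, v
        while lo < self.n:                                # descend to the leaf range
            lo, hi = 2 * lo, 2 * hi + 1
        return any(leaf - self.n in self.active for leaf in range(lo, hi + 1))

    def user_keys(self, u: int) -> dict:
        """Initial state handed to user u over a private channel: the keys on its path."""
        return {v: self.keys[v] for v in path_to_root(self.n, u)}

    def revoke(self, x: int) -> list:
        """Bottom-up rekey of every node above leaf x.  Each new node key is wrapped
        under the key of each child that still has members: only the sibling leaf
        for x's parent, both children for the nodes above.  Returns the broadcast."""
        self.active.discard(x)
        self.epoch += 1
        msgs = []
        for v in path_to_root(self.n, x)[1:]:
            self.keys[v] = prf(self.master, f"{v}:{self.epoch}")
            for c in (2 * v, 2 * v + 1):
                if c != self.n + x and self.has_member(c):
                    msgs.append((v, c, wrap(self.keys[c], self.keys[v])))
        return msgs


def apply_rekey(user_keys: dict, msgs: list) -> dict:
    """User side: unwrap every new node key reachable from a key already held.
    Messages are emitted bottom-up, so a freshly unwrapped key unlocks the next one."""
    for v, c, ct in msgs:
        if c in user_keys:
            user_keys[v] = wrap(user_keys[c], ct)
    return user_keys


def demo(n: int = 8, master: bytes = b"\x01" * 32) -> dict:
    """Revoke user 3 and report the message count and who still holds the root key."""
    b = Broadcaster(n, master)
    users = {u: b.user_keys(u) for u in range(n)}
    msgs = b.revoke(3)
    for u in users:
        apply_rekey(users[u], msgs)
    return {"rekey_messages": len(msgs),
            "holds_root": {u: users[u][1] == b.keys[1] for u in range(n)}}
```

For n = 8 the first revocation costs 2 log n - 1 = 5 wrapped keys; a second revocation inside a subtree that is now empty costs fewer, because nothing is wrapped for a node without members. The revoked user keeps its old path keys, but every new key is wrapped only under keys it never held, which is exactly the LKH argument.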
User dynamic state

                  Dynamic state                          Stateless
Connection        Always on / updates from broadcaster   Connect when needed
Revocation        Revoke and forget                      Maintain revocation
Implementation    More complex                           Simpler
Subset cover schemes
Several works: starting with [NNL01], improved in [HS02], [GST04]
Stateless schemes
B ⊆ 2^U is a fixed family of subsets of U; a key ki is associated with every bi ∈ B
User u has the keys of every b ∈ B such that u ∈ b
Broadcast and revocation:
The broadcaster finds {b1, …, bm} ⊆ B such that ∪i bi = S
The broadcaster sends E_{k_i}(M) for every i = 1, …, m
Subset cover (cont.)
Message length – m
Storage – broadcaster |B| keys; user u stores one key per set b such that u ∈ b
Example – same data structure as LKH (the complete subtree method: B is the set of all subtrees of a balanced binary tree over the users)
Message length – m ≤ r log(n/r)
Storage – broadcaster O(1) + PRF, user O(log n)
Better data structures shave the log(n/r) factor
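The complete-subtree cover from the last two slides, together with the straightforward solution of the earlier slides viewed as the degenerate subset cover in which B contains only singletons, as an added Python example (not code from the talk). It uses the same heap-indexed tree as the LKH example (root 1, user u at leaf n+u), takes the set R of revoked users as input, computes the cover, and checks the defining property directly: every user in S holds a key of some set in the cover and no user in R does. The function names and the constructed inputs (n = 16, R = {3, 10}) are this example's own.

```python
"""Subset cover: complete subtree method versus the singleton (straightforward) cover."""
import math


def subtree_users(n: int, v: int) -> set:
    """Users (0-based) whose leaves lie under node v of the heap-indexed tree."""
    lo, hi = v, v
    while lo < n:
        lo, hi = 2 * lo, 2 * hi + 1
    return set(range(lo - n, hi - n + 1))


def user_subsets(n: int, u: int) -> list:
    """The sets b in B whose keys user u holds: every subtree on its leaf-to-root path."""
    v, nodes = n + u, []
    while v >= 1:
        nodes.append(v)
        v //= 2
    return nodes


def complete_subtree_cover(n: int, revoked: set) -> list:
    """Cover S = U \\ R by maximal subtrees that contain no revoked leaf.
    Walk down from the root: a clean subtree is emitted whole, a subtree with a
    revoked leaf is split into its two children (a revoked leaf itself is dropped)."""
    cover, stack = [], [1]
    while stack:
        v = stack.pop()
        if not subtree_users(n, v) & revoked:
            cover.append(v)
        elif v < n:                                  # internal node: descend
            stack.extend((2 * v, 2 * v + 1))
    return sorted(cover)


def singleton_cover(n: int, revoked: set) -> list:
    """The straightforward solution seen as a subset cover: B is the set of singletons,
    so the broadcaster sends one ciphertext per non-revoked user (n - r of them)."""
    return [n + u for u in range(n) if u not in revoked]


def check_cover(n: int, revoked: set, cover: list) -> bool:
    """Correctness and security in one check: a user holds a key of some set in the
    cover if and only if it is not revoked."""
    cover_set = set(cover)
    for u in range(n):
        holds = bool(set(user_subsets(n, u)) & cover_set)
        if holds == (u in revoked):
            return False
    return True


def message_lengths(n: int, revoked: set) -> tuple:
    """(singleton length n - r, complete-subtree length m, the bound r * log2(n / r))."""
    r = len(revoked)
    bound = r * math.log2(n / r) if r else 1.0
    return len(singleton_cover(n, revoked)), len(complete_subtree_cover(n, revoked)), bound
```

With n = 16 and R = {3, 10} the singleton cover has 14 ciphertexts, while the complete-subtree cover has 6 = r log2(n/r), which is the bound on the slide; with R empty the whole tree is a single set and one ciphertext suffices. Every user stores log2(n) + 1 keys and never changes them, which is what makes the scheme stateless.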
Public keys
Advantage of public key systems: any user can encrypt messages
Sometimes that's a disadvantage
Any symmetric key scheme can be turned into a private/public key scheme
Slight problem: in the simplest transformation (one key pair in place of each symmetric key) the broadcaster's public key has to be large (O(n) or O(n-r))
Bilinear maps to the rescue! HIBE [DF02] and others
Example [LSW10]
Public key
Stateless
Revocation and broadcast in O(r)
Storage for broadcaster and user O(1)
Specific hardness assumptions!
O(1) here is a constant number of group elements, each much larger than a symmetric key, so in practice it is quite similar to the O(log n) symmetric keys of the previous solutions.
LSW10 (cont.)
Two groups G, G1 of prime order p and a bilinear map e: G × G → G1 such that e(g^a, g^b) = e(g,g)^{ab}
Discrete log and variations of DDH are assumed to be hard in G and G1
General parameters: g, h ∈ G, a, b ∈ {0, …, p-1}
Public key: {g, g^b, g^{b^2}, h^b, e(g,g)^a}
Private key of the user with identity ID: t ∈ {0, …, p-1}, D0 = g^a · g^{b^2 t}, D1 = (g^{b·ID} · h)^t, D2 = g^{-t}
LSW10 (cont.)
Encryption: assume that R = {1, …, r} with identities ID1, …, IDr
Choose a random s and divide it into r shares, s1 + … + sr = s mod p
C' = e(g,g)^{as} · M, C0 = g^s
For i = 1, …, r: Ci1 = g^{b·si}, Ci2 = (g^{b^2·IDi} · h^b)^{si}
Decryption by a user with identity ID ∉ {ID1, …, IDr}: compute e(C0, D0) / (Y·Z) = e(g,g)^{as} and then M = C' / e(g,g)^{as}, where
Y = e(D1, ∏i Ci1^{1/(ID-IDi)}), Z = e(D2, ∏i Ci2^{1/(ID-IDi)})
The exponents 1/(ID-IDi) are inverses mod p; a revoked user has ID = IDi for some i and cannot form them.
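The decryption step above, carried through as an added worked derivation (not on the original slides) in the slides' own symbols. Write $\sigma = \sum_{i=1}^{r} s_i/(ID-ID_i) \bmod p$ for a decryptor with identity $ID \notin \{ID_1,\dots,ID_r\}$:

$$e(C_0, D_0) = e\!\left(g^{s},\; g^{a} g^{b^2 t}\right) = e(g,g)^{as}\, e(g,g)^{b^2 t s}$$

$$Y = e\!\left((g^{b\,ID} h)^{t},\; \prod_i g^{b s_i/(ID-ID_i)}\right) = e(g,g)^{b^2 t\, ID\, \sigma}\; e(h,g)^{b t \sigma}$$

$$Z = e\!\left(g^{-t},\; \prod_i (g^{b^2 ID_i} h^{b})^{s_i/(ID-ID_i)}\right) = e(g,g)^{-b^2 t \sum_i ID_i s_i/(ID-ID_i)}\; e(g,h)^{-b t \sigma}$$

$$Y Z = e(g,g)^{b^2 t \sum_i s_i \frac{ID - ID_i}{ID-ID_i}} = e(g,g)^{b^2 t s}, \qquad \frac{e(C_0,D_0)}{YZ} = e(g,g)^{as}, \qquad M = \frac{C'}{e(g,g)^{as}}$$

The $h$ terms cancel because the pairing is symmetric, $e(h,g) = e(g,h)$, and the $ID_i$ terms cancel only because each share $s_i$ is multiplied by $(ID-ID_i)/(ID-ID_i) = 1$. For a revoked user $ID = ID_i$ for some $i$, the inverse $1/(ID-ID_i)$ does not exist mod $p$, the shares never recombine to $s$, and $e(g,g)^{b^2 t s}$ cannot be stripped from $e(C_0,D_0)$.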
What's still open?
Stateful? A scheme with the same parameters as LSW is known [DGK12], obtained by changing the user state as part of the revocation
Very large r: we would like schemes that are flexible between r and n-r. An example is [BGW05], but message size × public key size ~ n
Closing the gap between theory and practice