TRANSCRIPT
Broadcast Encryption and Traitor Tracing
Anupam Datta
CMU
18733: Applied Cryptography
1
Broadcast Systems
2
Distribute content to a large set of users
•Commercial Content Distribution
•File systems
•Military Grade GPS
•Multicast IP
Trace & Revoke
• Broadcast Encryption: Encrypt Messages M, to subset S of receivers
• Traitor Tracing: Trace origin of pirate boxes
• Trace & Revoke: Trace pirate box, remove from set of receivers
3
Today
• D. Naor, M. Naor, J. Lotspiech, Revocation and Tracing Schemes for Stateless Receivers, CRYPTO 2001.
• Basis for the Advanced Access Content System (AACS) standard
– Access restriction for HD DVD and Blu-ray Disc
4
Talk Plan
• The stateless scenario for trace and revoke
• The Subset Cover Framework for T&R schemes
• Two subset cover schemes
– Complete Subset
– Subset Difference
• “Implementation” Issues
• Tracing:
– General - bifurcation property
– Subset difference
• Security definition
5
The Broadcast Encryption Problem
6
Center transmits a message to a large group
A subset of users is revoked and should not be able to decrypt the message
– the revoked subset changes dynamically
Receivers are Stateless
– independent of history
– depend only on initial configuration
– essential for “off-line” applications, useful otherwise
[Figure: the Center broadcasts message M to a population of revoked and non-revoked users]
Tracing
7
The problem of Tracing Traitors:
– Encryption allows to figure out who leaked the keys
– black-box tracing
– traitors can gather information, e.g. a clone
Trace and Revoke
– trace leaked key(s)
– revoke it/them - make box unusable
Powerful Combination!
8
A Trivial Solution
• Small private key, large ciphertext.
– Every user j has a unique private key d_j.
CT = { E_{d_j}[M] | j ∈ S }
|CT| = O(|S|), |priv| = O(1)
• Challenge: Get small ciphertext size
Key protection in Media
• Content is distributed on CD, DVD, memory-card...
– content is encrypted
• Players/Recorders are the receivers
– typically are Stateless
– Receivers are given decryption keys at manufacturing
• Goal:
– Revoke non-compliant players
• revoked player cannot decode future content
– Trace the identity of a "cloned"/"hacked" player
• black-box tracing
• Example: CPRM (DVD Audio)
9
Desiderata
• Low bandwidth: Small message expansion - E(content) not much longer than original message.
• Amount of storage at the users - Iu - small – Also at the center
• Attentiveness - users need not be online - stateless
• Resiliency to large coalitions of users who collude and share their resources
10
Preliminaries
11
Notation:
N - set of n users
R - set of r users whose privileges are to be revoked
Assumption: Stateless devices
Goal: encrypt so that
– a non-revoked user can decrypt correctly
– No coalition of revoked users (of an arbitrary size) can decrypt
Subset-Cover Revocation and Tracing Algorithms
12
n - total no. of users
r - no. of revocations
t - no. of traitors (illegal users)

Scheme              Message Length               # Keys per device   Processing Time               # decrypt   Message Length for traitors
Complete Subtree    r log(n/r)                   log n               log log n                     1           t log n
Subset Difference   2r-1 (worst), 1.25r (avg.)   0.5 log^2 n         log n applications of a PRG   1           5t
Components of a stateless system
• Scheme Initiation -
– a method to assign secret information I_u to device u.
• The broadcast algorithm -
– For message M and a set R of users to be revoked, produce a ciphertext C to broadcast to all.
• A decryption algorithm (at device) -
– a non-revoked device should produce M from ciphertext C.
– Decryption should be based on the current message and the secret information I_u only (i.e. stateless).
– Impossible to produce M from ciphertext even when provided with the secret information of all revoked users.
13
Subset Cover Framework
Framework encapsulates many previous schemes
• Idea: to revoke a set R, partition the remaining users into subsets from some predetermined collection.
• Encrypt for each subset separately
Suggest schemes with low bandwidth, low storage that allow tracing
15
An algorithm in the framework:
• Underlying collection of subsets (of devices) S_1, S_2, ..., S_w, S_j ⊆ N.
• Each subset S_j is associated with a long-lived key L_j
– A device u ∈ S_j should be able to deduce L_j from its secret information I_u
• Given a revoked set R, the non-revoked users N \ R are partitioned into m disjoint subsets S_i1, S_i2, ..., S_im (N \ R = ∪ S_ij)
– a session key K is encrypted m times, with L_i1, L_i2, ..., L_im.
16
Framework: Encryption Primitives Separating Short Term from Long Lived Keys
17
F_K : encrypts the message
– K is a session key, fresh for each message
– fast, not expanding plaintext (e.g. stream cipher)
E_L : encrypts the session key
– L are long lived keys
– generally stronger than F
Can give a precise definition for the required strength of E_L and F_K
The Broadcast Algorithm
18
• Choose a session key K
• Given R, find a partition of N \ R into disjoint sets S_i1, S_i2, ..., S_im (N \ R = ∪ S_ij) with associated keys L_i1, L_i2, ..., L_im
• Encrypt message M:
[i1, i2, …, im], E_Li1(K), E_Li2(K), …, E_Lim(K)  ||  F_K(M)
                 HEADER                                 Body
The Decryption Step at u
19
[i1, i2, …, im], C_1 = E_Li1(K), …, C_m = E_Lim(K)  ||  F_K(M)
                 HEADER                                 Body
Either
– Find the subset i_j such that u ∈ S_ij, or
– null if u ∈ R (u is revoked!)
Obtain L_ij from the private information I_u
Compute D_Lij(C_j) to obtain K
Decrypt F_K(M) with K to obtain the message.
A Subset-Cover Algorithm
20
Specifies:
– Collection of underlying subsets
– Key assignment to each subset
– “Subset-Cover” method to cover the non-revoked devices
– For a device: how to find its subset S and its key L_S from its private information.
Evaluated based on:
– Header length
– Storage (# keys) at the device
– Processing at the device (time, # decryptions)
– Flexibility with respect to r
Two extreme examples
• Collection of subsets: all S_j ⊆ N, w = 2^n - 1
– Low bandwidth: for any R we have m = 1 - use S_1 = N \ R
– No good key assignment - each user should store 2^(n-1) keys
• Collection of subsets: all S_j = {j}, w = n
– High bandwidth: for any R we have m = |N \ R| - use all { S_j | j ∈ N \ R }
– Good key assignment - each user stores only 1 key
Challenge: find a scheme with small coverage m and succinct secret information I_u
21
Important Observation: Key Indistinguishability
Users ∉ S_j should not know the long-lived key L_j
Possible solution:
– Choose L_j independently.
– Let I_u = { L_j | u ∈ S_j } - can result in long I_u
Alternative: sufficient condition for security: Given { I_u | u ∉ S_j }, key L_j is computationally indistinguishable from random
Yields (provably) large savings in storage at the receivers
22
Security Theorem (format)
Any subset cover scheme where
• F_K : is sufficiently strong
• E_L : is sufficiently strong
• The keys Lj satisfy the Key Indistinguishability property
Is Secure…
23
The Complete Subtree Method
24
• Imagine a full binary tree with n leaves corresponding to N
• E.g. if n = 2^32, a 32-level complete binary tree
• Underlying Subsets S_1, S_2, …, S_w
• For node v_i in the full tree, S_i - set of all leaves in the subtree of v_i.
• w = 2n - 1
• Key assignment: assign a key L_i to every node v_i in the tree
• Device keys: store all log n + 1 keys along the path to the root
• E.g. if n = 2^32, need 33 keys
[Figure: node v_i with key L_i; S_i is the set of leaves of its subtree]
Complete Subtree: Key Assignment
25
[Figure: device u at a leaf; I_u = { L1, L2, L3, L4, L5, L6 } is the set of keys on the path from u to the root]
Subset Cover of non-revoked devices Complete Subtree Method
26
[Figure: tree with revoked and non-revoked leaves; the cover consists of the complete subtrees containing only non-revoked devices]
Subset cover of non-revoked devices
Cover = all maximal sets S_i (complete subtrees) containing only non-revoked devices
• Worst/Average case - r log(n/r) such sets
• Example: for n = 2^32, r = 2^16 and a 7-byte session key:
total of 16*7 + 4 = 116 bytes/revocation (4 + 7*log 2^16)
33 keys/device
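As an added example (not code from the slides or from the Naor-Naor-Lotspiech paper), the Python below builds the Complete Subtree cover for a revoked set and runs one broadcast end to end: the center wraps a fresh session key under the key of every cover node, and each device looks for a cover node on its own root path. The heap-style node numbering, the HMAC-based stand-ins for E_L and F_K, and the sample message are assumptions made for this example; the cover rule itself is the slide's (all maximal subtrees with no revoked leaf).

```python
import os
import hmac
import hashlib

# Full binary tree with n = 2^d leaves, numbered heap-style (assumption):
# root = 1, children of v are 2v and 2v+1, user u sits at leaf n+u.

def path_to_root(n, u):
    """Node ids on the path from leaf n+u up to the root (inclusive)."""
    v, path = n + u, []
    while v >= 1:
        path.append(v)
        v //= 2
    return path

def complete_subtree_cover(n, revoked):
    """Maximal subtrees with no revoked leaf: the children of Steiner-tree nodes
    (nodes lying on some revoked user's path) that are not on that tree themselves."""
    if not revoked:
        return [1]                                  # nothing revoked: the root subtree is N
    steiner = set()
    for u in revoked:
        steiner.update(path_to_root(n, u))
    cover = []
    for v in steiner:
        for child in (2 * v, 2 * v + 1):
            if child < 2 * n and child not in steiner:
                cover.append(child)
    return sorted(cover)

def wrap_key(long_lived, nonce, session_key):
    """Stand-in for E_L(K) (assumption; the slides leave E_L abstract): a PRF keyed by
    the node key and evaluated on a per-message nonce, XORed into K."""
    pad = hmac.new(long_lived, nonce, hashlib.sha256).digest()[:len(session_key)]
    return bytes(a ^ b for a, b in zip(pad, session_key))

def broadcast(n, node_keys, revoked, message):
    """Center: header = [(i, E_Li(K))] over the cover, body = F_K(M).  F_K is a
    PRF pad as well (messages up to 32 bytes in this stand-in), one K per message."""
    session_key, nonce = os.urandom(16), os.urandom(16)
    header = [(i, wrap_key(node_keys[i], nonce, session_key))
              for i in complete_subtree_cover(n, revoked)]
    pad = hmac.new(session_key, b"body", hashlib.sha256).digest()[:len(message)]
    return nonce, header, bytes(a ^ b for a, b in zip(pad, message))

def device_decrypt(n, u, device_keys, ciphertext):
    """Device: find the cover subset on u's path, unwrap K, decrypt the body.
    Returns None for a revoked device, which no cover subset contains."""
    nonce, header, body = ciphertext
    on_path = set(path_to_root(n, u))
    for i, wrapped in header:
        if i in on_path:                            # u is a leaf under node i, so it holds L_i
            session_key = wrap_key(device_keys[i], nonce, wrapped)   # the XOR pad is its own inverse
            pad = hmac.new(session_key, b"body", hashlib.sha256).digest()[:len(body)]
            return bytes(a ^ b for a, b in zip(pad, body))
    return None

def demo(n=8, revoked=(1, 5)):
    """Every device tries to decrypt one broadcast; returns {u: plaintext or None}."""
    node_keys = {v: os.urandom(16) for v in range(1, 2 * n)}          # the center's L_i
    ciphertext = broadcast(n, node_keys, set(revoked), b"constructed sample content")
    results = {}
    for u in range(n):
        device_keys = {v: node_keys[v] for v in path_to_root(n, u)}   # I_u: log n + 1 keys
        results[u] = device_decrypt(n, u, device_keys, ciphertext)
    return results
```

With n = 8 and users 1 and 5 revoked the cover is the four nodes {5, 7, 8, 12}, exactly r log(n/r) = 2 * 2 entries, and only the six non-revoked devices recover the message.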
27
The Subset-difference Method: Subset Definition
28
Imagine a full binary tree with n leaves corresponding to N
E.g. if n = 2^32, a 32-level complete binary tree
Subsets S_1, S_2, …, S_w, w = n log n
for a pair of nodes [v_i, v_j] in the full tree such that v_i is an ancestor of v_j,
S_i,j - set of all leaves in the subtree of v_i but not in v_j.
[Figure: subtree of v_i with the subtree of its descendant v_j removed; the remaining leaves form S_i,j]
Subset Difference Definition
29
S_i,j = Set of all leaves in the subtree of v_i but not in v_j
[Figure: subtree of v_i minus the subtree of v_j]
Subset Cover of non-Revoked Devices Subset-Difference Method
30
[Figure: revoked and non-revoked leaves; the cover consists of subset-difference sets S_i,j = subtree(v_i) \ subtree(v_j)]
Cover is Very Small !!
31
Fundamental property:
Size of the subset cover in the subset-difference method is
– At most 2r-1 in the worst case
– 1.25r in the average case!
Key Assignment
32
GGM is practical!
GGM= Goldreich, Goldwasser & Micali
Key-Assignment Subset-Difference Method
33
Naive approach to the key assignment:
– assign a key L_i,j to every pair [v_i, v_j] in the tree
– impractical: each device must store O(n) keys…
Use G, a pseudo-random sequence generator that triples the input length (k → 3k) à la GGM
Use G to derive a labeling process
– S - label @ node,
– G_L(S) - label @ left child, G_R(S) - label @ right child
– G_M(S) - key @ node.
G(S) = G_L(S) || G_M(S) || G_R(S)
[Figure: node with label S; its left child gets G_L(S), its right child G_R(S)]
Key Assignment - cont.
34
Assign to each node v_i a label LABEL_i
The key L_i,j = G_M of the label LABEL_i,j at node v_j, derived from LABEL_i down towards v_j
[Figure: labels along the path from v_i to v_j]
S = LABEL_i
G_L(S)
G_L(G_L(S))
G_L(G_L(G_L(S)))
G_R(S)
G_R(G_L(G_L(S)))
LABEL_i,j = G_R(G_L(G_L(S)))
L_i,j = G_M(LABEL_i,j)
Key-Assignment Subset-Difference Method
35
[Figure, repeated from the previous slide: labels derived from S = LABEL_i along the path from v_i to v_j; LABEL_i,j = G_R(G_L(G_L(S))), L_i,j = G_M(LABEL_i,j)]
Providing Keys to Devices
36
A device corresponds to a leaf u in the tree
For every v_i ancestor of u whose label is S:
– u receives all labels @ nodes that are hanging off the path from v_i to u.
– These labels are all derived from S.
– u can compute all keys of the sets it belongs to rooted at v_i, and only them.
[Figure: leaf u, ancestor v_i with label S, and the nodes hanging off the path between them]
Providing Keys to Devices
37
[Figure: leaf u and ancestor v_i with label S]
Total # of labels u has to store is 0.5 log^2 n + 0.5 log n + 1:
– k labels for each ancestor v_i which is k levels above u, k = 1, …, log n + 1
For n = 2^32, about 530 labels
Requires log n on-the-fly applications of G to derive a key
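The following Python is an added example (not code from the slides or from the Naor-Naor-Lotspiech paper) covering the two preceding parts of the Subset Difference method together: the cover of N \ R by sets S_i,j, and the GGM-style label tree from which devices derive L_i,j. The heap-style node numbering (root 1, children 2v and 2v+1, user u at leaf n+u), the replacement of the length-tripling generator G by three HMAC-SHA256 evaluations G_L, G_M, G_R, and the sample revoked set are assumptions made for this example; the cover walk and the label/key derivation follow the rules stated on the slides.

```python
import os
import hmac
import hashlib

# G(S) = G_L(S) || G_M(S) || G_R(S), modelled by three PRF evaluations (assumption).
def G_L(label): return hmac.new(label, b"L", hashlib.sha256).digest()[:16]
def G_M(label): return hmac.new(label, b"M", hashlib.sha256).digest()[:16]
def G_R(label): return hmac.new(label, b"R", hashlib.sha256).digest()[:16]

def path_to_root(n, u):
    v, path = n + u, []
    while v >= 1:
        path.append(v)
        v //= 2
    return path

def subset_difference_cover(n, revoked):
    """Cover N \\ R by sets (i, j) = leaves(v_i) \\ leaves(v_j) by walking the Steiner
    tree of the revoked leaves.  Assumes at least one revoked user."""
    steiner = set()
    for u in revoked:
        steiner.update(path_to_root(n, u))
    cover = []

    def visit(v):                                   # v is a Steiner-tree node
        if v >= n:
            return                                  # revoked leaf: nothing below it to cover
        left, right = 2 * v, 2 * v + 1
        if left in steiner and right in steiner:
            visit(left)
            visit(right)
            return
        # exactly one child continues the tree: follow that chain down to the first
        # node w that is a revoked leaf or where the tree branches again
        w = left if left in steiner else right
        while w < n and ((2 * w in steiner) != (2 * w + 1 in steiner)):
            w = 2 * w if 2 * w in steiner else 2 * w + 1
        cover.append((v, w))                        # all leaves under v except those under w
        visit(w)

    visit(1)
    return cover

def derive_label(label, top, target):
    """LABEL_{top,target}: apply G_L / G_R along the path from node top down to target."""
    steps, v = [], target
    while v != top:
        steps.append(v)
        v //= 2
    for v in reversed(steps):
        label = G_L(label) if v % 2 == 0 else G_R(label)   # even id = left child
    return label

def center_key(node_labels, i, j):
    """L_{i,j} = G_M(LABEL_{i,j}), computed by the center from its label for v_i."""
    return G_M(derive_label(node_labels[i], i, j))

def device_labels(n, u, node_labels):
    """I_u: for each ancestor a of u (k levels up), the k labels of the nodes hanging
    off the path from a down to u."""
    labels, path = {}, path_to_root(n, u)
    for k, a in enumerate(path[1:], start=1):
        for x in path[:k]:
            sibling = x ^ 1
            labels[(a, sibling)] = derive_label(node_labels[a], a, sibling)
    return labels

def device_key(labels, i, j):
    """Recover L_{i,j} from I_u, or None when u is not in S_{i,j}: climb from v_j to the
    first node s with a stored LABEL_{i,s}, then derive back down to v_j."""
    s = j
    while s >= i:
        if (i, s) in labels:
            return G_M(derive_label(labels[(i, s)], s, j))
        s //= 2
    return None

def demo(n=8, revoked=(1, 5)):
    """Returns the cover and, per user, the cover subsets whose key the user can derive."""
    node_labels = {v: os.urandom(16) for v in range(1, n)}   # LABEL_i for every internal node
    cover = subset_difference_cover(n, set(revoked))
    usable = {}
    for u in range(n):
        labels = device_labels(n, u, node_labels)
        usable[u] = [(i, j) for i, j in cover
                     if device_key(labels, i, j) == center_key(node_labels, i, j)]
    return cover, usable
```

With n = 8 and users 1 and 5 revoked the cover has only two sets, (2, 9) and (3, 13), against four for the Complete Subtree method; each non-revoked device derives exactly one of the two keys, and the revoked devices derive neither, because the only labels they hold for v_2 and v_3 sit on their own side of the path.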
Only 13 bytes per Single Revocation
38
For n = 2^32 and a 7-byte session key
total of 1.25 * 7 + 4 < 13 bytes/revocation
530 labels/device
[i1, i2, …, im], E_Li1(K), E_Li2(K), …, E_Lim(K)  ||  F_K(M)
    4r bytes              9r bytes
Tracing Traitors
• Some users leak their keys to pirates
• Pirates construct unauthorized decryption devices and sell them at a discount
• Trace and Revoke for all subset cover algorithms satisfying the bifurcation property
• More efficient procedure for subset difference
39
[Figure: a Pirate Box holding keys K1, K3, K8 turns E(Content) into Content]
Tracing Algorithm
40
Assumptions on the illegal device:
– can examine the box's reaction to encrypted messages
– reset button, no “locking” strategy
– decodes with probability > q (say 0.5)
Goal: output one of the two
– a user u contained in the box
– a partition S = S_i1, S_i2, …, S_im that disables the box
Evaluation:
– performance requirement from the revocation scheme
– number of queries
[Figure: encrypted messages are fed to a box built from users U1, U2, …, Ut; the output is a user u or a partition S = S_i1, S_i2, …, S_im]
Subset Tracing
41
Given an illegal decoder and a subset-cover partition S, output either:
– decoder is no longer decoding, or
– a subset S_ij containing a traitor
[Figure: the illegal decoder and the partition S = S_i1, S_i2, …, S_im go into Subset Tracing, which outputs "not decrypting" or "S_ij contains a traitor"]
Why is Subset-Tracing Possible?
42
Consider a partition S = S_i1, S_i2, …, S_im:
– Header contains the correct key - decodes
– Header contains all random keys - does not decode
Using a hybrid technique, find a subset j that has a gap of at least 1/m.
p_0 = 1:    E_Li1(K), …, E_Lij-1(K), E_Lij(K), E_Lij+1(K), …, E_Lim(K)  F_K(M)
p_j-1:      E_Li1(R), …, E_Lij-1(R), E_Lij(K), E_Lij+1(K), …, E_Lim(K)  F_K(M)
p_j:        E_Li1(R), …, E_Lij-1(R), E_Lij(R), E_Lij+1(K), …, E_Lim(K)  F_K(M)
p_m = 0:    E_Li1(R), …, E_Lij-1(R), E_Lij(R), E_Lij+1(R), …, E_Lim(R)  F_K(M)
S_ij contains a traitor!
Definition: Bifurcation Property
43
Any subset S_i can be partitioned into (roughly) two equal sets S_i1 and S_i2.
S_i = S_i1 ∪ S_i2
Bifurcation value: Max { |S_i1|/|S_i|, |S_i2|/|S_i| }
[Figure: a subset-difference set rooted at v_i (excluding the subtree of v_j) split into a left part L and a right part R; bifurcation value = 2/3]
The Tracing Algorithm
44
Start with an initial partition S = S_i1, S_i2, …, S_im.
Repeat
– Apply “Subset-Tracing” to S
– If “not decrypting”, done.
– Otherwise, S_j contains a traitor:
  Split S_j into S_j1 and S_j2; add S_j1 and S_j2 to S
[Figure: partition S_1 S_2 … S_m; Subset Tracing points at S_j, which becomes S_j1 S_j2]
The Tracing Algorithm
45
[Figure: successive rounds of Subset Tracing: S_j is split into S_j1, S_j2; then S_k into S_k1, S_k2; … until Subset Tracing reports "not decrypting" - done]
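As an added example (not code from the slides or from the Naor-Naor-Lotspiech paper), the Python below runs the subset-tracing hybrid and the bifurcation loop of the last three slides against a simulated decoder, using the Complete Subtree method, where splitting a subtree node into its two children is the bifurcation. The pirate box is a constructed stand-in that decodes whenever it holds a usable key (q = 1), so each p_j is a single yes/no query; a box that answers with probability > q would need repeated queries per hybrid position to estimate p_j. The heap-style node numbering and the traitor set are assumptions made for this example.

```python
# Heap-style tree (assumption): root = 1, children of v are 2v and 2v+1,
# user u sits at leaf n+u; a Complete Subtree subset is named by its node.

def path_to_root(n, u):
    v, path = n + u, []
    while v >= 1:
        path.append(v)
        v //= 2
    return path

class PirateBox:
    """Constructed illegal decoder holding every Complete Subtree key of the traitors."""
    def __init__(self, n, traitors):
        self.keys = set()
        for u in traitors:
            self.keys.update(path_to_root(n, u))
        self.queries = 0

    def decodes(self, header):
        # header: list of (subset node, carries_real_K).  The box tries each key it
        # holds and decodes iff one of them opens an entry carrying the real K.
        self.queries += 1
        return any(node in self.keys and real for node, real in header)

def subset_tracing(box, partition):
    """Return a subset of `partition` containing a traitor, or None when the box
    no longer decodes under this partition (p_0 = 0)."""
    m = len(partition)

    def p(j):
        # hybrid j: the first j entries carry a random R, the remaining m-j the real K
        return box.decodes([(node, idx >= j) for idx, node in enumerate(partition)])

    if not p(0):
        return None
    for j in range(1, m + 1):
        if p(j - 1) and not p(j):      # the gap (>= 1/m in the probabilistic case) is at j
            return partition[j - 1]

def trace(n, box):
    """Bifurcation loop from the trivial partition {N}: split each guilty subset,
    revoke it once it is a single user, stop when the box is disabled."""
    partition, traitors = [1], set()
    while True:
        guilty = subset_tracing(box, partition)
        if guilty is None:
            return sorted(traitors), partition
        partition.remove(guilty)
        if guilty >= n:                            # singleton subset (a leaf): identified
            traitors.add(guilty - n)
        else:                                      # bifurcation: S_j -> S_j1, S_j2
            partition.extend([2 * guilty, 2 * guilty + 1])

def leaves_under(n, v):
    """Users in the complete subtree rooted at node v."""
    lo = hi = v
    while lo < n:
        lo, hi = 2 * lo, 2 * hi + 1
    return set(range(lo - n, hi - n + 1))

def demo(n=8, traitors=(1, 5)):
    """Returns the identified traitors, the disabling partition, the users it covers,
    and how many encrypted messages the box was shown."""
    box = PirateBox(n, traitors)
    found, partition = trace(n, box)
    covered = set().union(*(leaves_under(n, v) for v in partition))
    return found, partition, covered, box.queries
```

For n = 8 with users 1 and 5 in the box, the loop identifies both users and ends with the partition {5, 7, 8, 12}, which is exactly the Complete Subtree cover of N with those two users revoked: tracing and revocation use the same subsets.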
Efficiency: tracing t traitors
46
A subset is partitioned only if
– it has a traitor
– it contains more than 1 element
Therefore - at most t log n iterations (actually, t log(n/t))
Results in a partition of size at most t log(n/t)
Subset Difference:
– Only t subsets actually contain a traitor; can the others be merged?
– Yes, can get down to O(t) subsets!
Frontier subsets
47
Idea: merge those that were not shown to have a traitor
Frontier Subsets:
Problem: can the non-frontier sets be merged to yield few subset-difference sets?
[Figure: A is split into B and C, which are both in the frontier; after B is split into B1, B2, those are in the frontier and C is not; C is merged with the other non-frontier subsets]
This can be done for Subset-Difference
48
Lemma:
given k sets of the subset-difference form, it is possible to cover the rest with at most 3k sets of the subset-difference form.
At every step, 2t frontier sets
The merge results in 3t more sets
A partition contains at most 5t sets.
“Implementation” Issues
• Specifying the subsets for quick determination
• Implementing E_L and F_K
• Prefix Truncation (reducing header length)
• Public Keys
49
Prefix Truncation
50
If E_L is a block cipher and K is shorter than its block size, replace
E_L(K)  with  [Prefix_|K| E_L(U)] ⊕ K
where U is a random string of the same length as the key for E_L
Before: [i1, i2, …, im, E_Li1(K), E_Li2(K), …, E_Lim(K)]  F_K(M)
After:  [i1, i2, …, im, U, [Prefix_|K| E_Li1(U)] ⊕ K, …, [Prefix_|K| E_Lim(U)] ⊕ K]  F_K(M)
– reduction in length
– security is preserved
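As an added example (not code from the slides or from the Naor-Naor-Lotspiech paper), the Python below builds both header forms for the same cover keys and session key and checks that every device recovers K from each. E_L is a 16-byte block cipher; here it is a toy 4-round Feistel network with an HMAC-SHA256 round function, an assumption standing in for a real cipher that the slides do not name, and U is taken to be one block long. The 7-byte session key matches the slides' size estimates; the subset keys are constructed sample values.

```python
import os
import hmac
import hashlib

BLOCK = 16   # block size of E_L in bytes (assumption)

def _round(key, i, half):
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def block_encrypt(key, block):
    """Toy Feistel cipher standing in for E_L on one block (not for production use)."""
    left, right = block[:8], block[8:]
    for i in range(4):
        left, right = right, _xor(left, _round(key, i, right))
    return left + right

def block_decrypt(key, block):
    left, right = block[:8], block[8:]
    for i in reversed(range(4)):
        left, right = _xor(right, _round(key, i, left)), left
    return left + right

def header_plain(subset_keys, session_key):
    """Original header entries: one full block E_Li(K) per subset, K zero-padded."""
    padded = session_key.ljust(BLOCK, b"\0")
    return [block_encrypt(L, padded) for L in subset_keys]

def unwrap_plain(L, entry, key_len):
    return block_decrypt(L, entry)[:key_len]

def header_truncated(subset_keys, session_key):
    """Prefix truncation: one shared random U, then only |K| bytes per subset,
    [Prefix_|K| E_Li(U)] XOR K."""
    U = os.urandom(BLOCK)
    k = len(session_key)
    return U, [_xor(block_encrypt(L, U)[:k], session_key) for L in subset_keys]

def unwrap_truncated(L, U, entry):
    """The device recomputes the prefix; only the forward direction of E_L is needed."""
    return _xor(block_encrypt(L, U)[:len(entry)], entry)

def header_sizes(m, key_len):
    """Bytes spent on encrypted session keys for m cover subsets: (plain, truncated)."""
    return m * BLOCK, BLOCK + m * key_len
```

For m = 4 subsets and a 7-byte K the encrypted-key part of the header shrinks from 64 bytes to 16 + 28 = 44, and the saving grows with m since U is paid for once; the truncated form also spares the device the decryption direction of E_L.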
Working with public keys
• Any PKC can “work” with any subset cover algorithm
Problems:
• The key assignment yields private keys - need an efficient way to generate public keys from private ones. Good method: Diffie-Hellman - g^{L_i}
• Low overhead: want to use prefix truncation.
Idea: choose a random x and a hash function h and broadcast:
[(g^x, h), h((g^{L_1})^x) ⊕ K, h((g^{L_2})^x) ⊕ K, …, h((g^{L_m})^x) ⊕ K], F_K(M)
51
Summary of Results
52
Define the Subset-Cover framework
– Family of algorithms, encapsulating previous methods
– Rigorous security analysis
– Sufficient condition for an algorithm in the framework to be secure
Provide the Subset-Difference revocation algorithm
– r-flexible
– concise message length
Tracing algorithm
– Works for any algorithm in the framework satisfying the bifurcation property
– Seamless integration with the revocation algorithm
– Withstands any coalition size
Acknowledgments
• Mildly edited slides originally from Moni Naor
53