collusion resistant broadcast encryption

Collusion Resistant Broadcast Encryption With Short Ciphertexts and Private Keys. Dan Boneh, Craig Gentry, and Brent Waters

Upload: akshay-singhal

Post on 28-Oct-2015


TRANSCRIPT

Page 1: Collusion Resistant Broadcast Encryption

1

Collusion Resistant Broadcast Encryption With Short Ciphertexts and Private Keys

Dan Boneh, Craig Gentry, and Brent Waters

Page 2: Collusion Resistant Broadcast Encryption

2

Broadcast Encryption [FN’93]

Encrypt to arbitrary subsets S.

Collusion resistance:

• secure even if all users in S^c collude.

[Figure: users holding private keys d_1, d_2, d_3; broadcast CT = E[M,S]; S {1,…,n}]

Page 3: Collusion Resistant Broadcast Encryption

3

Broadcast Encryption

Public-key BE system:

• Setup(n): outputs private keys d_1, …, d_n and public-key PK.

• Encrypt(S, PK, M): Encrypt M for users S {1, …, n}. Output ciphertext CT.

• Decrypt(CT, S, j, d_j, PK): If j S, output M.

Note: broadcast contains ( [S], CT )

Page 4: Collusion Resistant Broadcast Encryption

4

Trivial Solutions

Small private key, large ciphertext.

• Every user j has unique private key d_j.

CT = { E_{d_j}[M] | jS }

|CT| = O(|S|) |priv| = O(1)

Large private keys, small ciphertexts

• Unique key K_S for every subset S {1, …, n}

• User j’s priv-key: d_j = { K_S | jS }

|CT| = O(1) |priv| = O(2^n)

Page 5: Collusion Resistant Broadcast Encryption

5

Outline

Previous work

Security Definitions

Overview scheme

Applications

Conclusions

Page 6: Collusion Resistant Broadcast Encryption

6

Previous Solutions

t-Collusion resistant schemes [FN’93]

• Resistant to t-colluders

• |CT| = O(t^2 log n) |priv| = O(t log n)

• Attacker knows t

Broadcast to large sets [NNL,HS,GST]

• |CT| = O(r) |priv| = O(log n)

• Useful if small number of revoked players

Page 7: Collusion Resistant Broadcast Encryption

7

Summary

                          CT Size     Priv-key size

Small sets: trivial       O(|S|)      O(1)

Large sets: NNL,HS,GST    O(n-|S|)    O(log n)

Any set (new): BGW ’05    O(1)        O(1)        … but, O(n) size public key.

               BGW ’05    O(n)        O(1)        … O(n) size public key.

[Figure: axis from 0 to n with labels: EFS, Email; DVD’s; Subs. Service]

Page 8: Collusion Resistant Broadcast Encryption

8

Broadcast Encryption Security

Semantic security when users collude. (static adversary)

Def: Alg. A -breaks BE sem. sec. if Pr[b=b’] > ½ +

(t,)-security: no t-time alg. can -break BE sem. sec.

[Figure: security game between Challenger and Attacker. Labels: S {1, …, n }; Run Setup(n); PK, { d_j | j S }; m_0, m_1 G; C* = Enc( S, PK, m_b), b{0,1}; b’ {0,1}]

Page 9: Collusion Resistant Broadcast Encryption

9

Bilinear Maps

G, G_T : finite cyclic groups of prime order p.

Def: An admissible bilinear map e: GG G_T is:

– Bilinear: e(g^a, g^b) = e(g,g)^{ab} a,bZ, gG

– Non-degenerate: g generates G e(g,g) generates G_T.

– Efficiently computable.

Page 10: Collusion Resistant Broadcast Encryption

10

Broadcast System

Setup(n): g G , , Z_p, g_k = g(k)

PK = ( g, g_1, g_2, …, g_n, g_{n+2}, …, g_{2n}, v=g ) G^{2n+1}

For k=1,…,n set: d_k = (g_k) G

Encrypt(S, PK, M): t Z_p

CT = ( g^t , (v jS g_{n+1-j})^t , Me(g_n,g_1)^t )

Decrypt(CT, S, k, d_k, PK): CT = (C_0, C_1, C_2)

Fact: e( g_k, C_1 ) / e( d_k g_{n+1-j+k} , C_0 ) = e(g_n,g_1)^t jS jk

Page 11: Collusion Resistant Broadcast Encryption

11

Security Theorem

Thm:

t-time alg. that -breaks BE sem. sec. in G

t-time alg. that -solves bilinear n-DDHE in G.

~

Page 12: Collusion Resistant Broadcast Encryption

12

App : Encrypted File Systems

Broadcast to small sets: |S| << n

Best construction: trivial. |CT|=O(|S|) , |priv|=O(1)

Examples: EFS.

[Figure: File F stored as E_{K_F}[F] with a header (< 256K) holding E_{PK_A}[K_F], E_{PK_B}[K_F], E_{PK_C}[K_F]]

MS Knowledge Base: EFS has a limit of 256KB in the file header for the EFS metadata. This limits the number of individual entries for file sharing to a maximum of 800 users.

Page 13: Collusion Resistant Broadcast Encryption

13

Apps: Sharing in Enc. File System

Store PK on file system. n=2^16 |PK|=1.2MB

File header: ( [S], E[S,PK,K_F] )

Sharing among “800” users:

•8002 + 40 = 1640 bytes << 256KB

Each user obtains priv-key d_uid G from admin.

•Admin only stores Zq

[Figure: File F stored as E_{K_F}[F] with header Hdr. Labels: [S]; E[S,PK,K_F]; S {1, …, n }; 40 bytes]

Page 14: Collusion Resistant Broadcast Encryption

14

Incremental file sharing

File hdr: ( [S], g^t , (v jS g_{n+1-j})^t )

To grant user u access to file F, owner does: C_1 C_1 (g_{n+1-u})^t

File owner: instead of storing t for every file do: t PRF_{K_O}(Nonce_F)

[Figure: File F stored as E_{K_F}[F] with header Hdr. Labels: [S]; E[S,PK,K_F]; Nonce_F; C_0 C_1]

Page 15: Collusion Resistant Broadcast Encryption

15

App: secure email lists

Set n=2^16. Let g_k = g(k)

Suppose (g, g_1, g_2,…, g_n, g_{n+2},…, g_{2n}) are global (1.2MB)

Simple encrypted email lists:

• ListA: PK_A = (v_A = gA) ; ListB: PK_B = (v_B = gB)

• When new user joins ListA do:

– Assign new index 1 k 2^16 , give key d_k = (g_k)A

•Encrypt msgs to ListA using B.E. for current members.

Much simpler than existing techniques (e.g. LKH)

Page 16: Collusion Resistant Broadcast Encryption

16

Summary and Open Problems

New public-key broadcast encryption systems:

•Full collusion resistance. Constant size priv key.

•System 1: |CT| = O(1) |PK| = O(n)

•System 2: |CT| = O(n) |PK| = O(n)

Open problems:

•Reduce public key size. Weaker assumption.

•Security against adaptive adversary.

•Tracing traitors with same parameters.

Page 17: Collusion Resistant Broadcast Encryption

17

Apps: Content Protection

DVD content protection: n = 2^32. r – revoked.

• No room for PK in player.

• Store ( [S], CT, PK) on each DVD disk.

• Goal: minimize |CT|+|PK|

n system

Using n system: |PK|=O(n) , |CT|=O(n) :

|DVD-hdr| = |PK|+|CT|+|[S]| = 5MB + (4r bytes)

NNL-type: |DVD-hdr| = |CT|+|[S]| = (36r bytes)

4216 G.E.

Page 18: Collusion Resistant Broadcast Encryption

18

App : Content Protection

DVD Content Protection. n = 2^32

• DVD player i ships with private key d_i

• DVD disks encrypted to unrevoked players.

Broadcast to large sets: |S| = n-r where r << n.

[Figure: players holding private keys d_1, d_2, d_3, d_4]