Public Key Broadcast Encryption (transcript of seminar slides; source: …fuchun/seminars/181214.pdf)
Public Key Broadcast Encryption
Leyou Zhang Centre for Computer and Information Security
University of Wollongong
Australia
• Natural Science Foundation (NSF) of China: Public Key Broadcast Encryption (BE) (finished, 2010-2012)
• Natural Science Foundation (NSF) of China: Provably Secure HIBE in the Standard Model (2012.1-2014.12)
• Natural Science Foundation (NSF) of China: ABE for Fine-grained Access Control Policy in the Cloud (2015.1-2018.12)
• Natural Science Foundation (NSF) of Shaanxi Province: Broadcast Encryption over New Hardness Assumptions (2012-2014)
Outline
Backgrounds
Definition and Security Model
Some Typical Schemes
Some Special Case
Key Research Points (■)
Conclusion
Backgrounds
In computer networking, multicast (one-to-many or many-to-many distribution) is group communication where information is addressed to a group of destination computers simultaneously.
• IP multicast
• Application layer multicast
• Multicast over wireless networks and cable TV
• Other multicast technologies
http://searchnetworking.techtarget.com/definition/multicast
This is called multi-receiver encryption [1, BSS]. Assume that there are $n$ receivers, numbered $1, \ldots, n$, and that each of them keeps a private and public key pair denoted by $(sk_i, pk_i)$. A sender then encrypts a message $M_i$ directed to receiver $i$ using $pk_i$ for $i = 1, \ldots, n$ and sends $(C_1, \ldots, C_n)$ as the ciphertext. Upon receiving the ciphertext, receiver $i$ extracts $C_i$ and decrypts it using its private key $sk_i$.
[1] M. Bellare, A. Boldyreva, and D. Pointcheval. Multi-Recipient Encryption Schemes: Security Notions and Randomness Re-Use. In PKC 2003, LNCS 2567, pp. 85–99, Springer-Verlag, 2003.
[BSS] Joonsang Baek, Reihaneh Safavi-Naini, Willy Susilo. Efficient Multi-receiver Identity-Based Encryption and Its Application to Broadcast Encryption. In Proc. of PKC 2005.
Broadcast Encryption [FN'93]
Encrypt to arbitrary subsets $S \subseteq \{1, \ldots, n\}$: $CT = E[M, S]$.
Collusion resistance: secure even if all users in $S^c$ (the complement of $S$) collude.
[Figure: users holding private keys $d_1, d_2, d_3$; the broadcaster encrypts $M$ for $S \subseteq \{1, \ldots, n\}$ as $CT = E[M, S]$.]
[FN'93] A. Fiat and M. Naor. Broadcast encryption. In Proceedings of Crypto '93, volume 773 of LNCS, pages 480–491. Springer-Verlag, 1993.
Typically, broadcast encryption schemes are classified as either stateful or stateless [2].
• Stateful schemes provide keys that may be updated after join or revocation events. They require receivers to be online in order to receive key update messages. Stateful schemes typically achieve lower communication cost than stateless schemes.
• Stateless schemes provide users with long-term keys that are never changed throughout the lifetime of the system.
[2] D. Naor, M. Naor, and J. Lotspiech. "Revocation and tracing schemes for stateless receivers." In Advances in Cryptology - Crypto '01, vol. 2139 of LNCS, pp. 41–62, Springer-Verlag, 2001.
Stateless Schemes
Symmetric encryption:
1) High efficiency, but no dynamic feature.
Asymmetric (public-key) encryption:
1) Supports the dynamic feature.
We say that a broadcast system is dynamic [3] when
i) the system setup as well as the ciphertext size are fully independent of the expected number of users or an upper bound thereof,
ii) a new user can join at any time without implying a modification of preexisting user decryption keys,
iii) the encryption key is unchanged in the private-key setting or incrementally updated in the public-key setting, meaning that this operation must be of complexity at most O(1).
[3] Cécile Delerablée, Pascal Paillier, and David Pointcheval. Fully collusion secure dynamic broadcast encryption with constant-size ciphertexts or decryption keys. In Pairing 2007, LNCS 4575, pages 39–59. Springer, 2007.
PK Broadcast Encryption
Public-key BE system:
Setup(n): output private keys $d_1, \ldots, d_n$ and public key $PK$.
Encrypt(S, PK, M): encrypt $M$ for users $S \subseteq \{1, \ldots, n\}$; output ciphertext $CT$.
Decrypt(CT, S, j, $d_j$, PK): if $j \in S$, output $M$.
Note: the broadcast contains $([S], CT)$.
In a word, PK broadcast encryption works in the following manner: a single public key, multiple private keys.
[Figure: one public key $PK$ on the broadcaster's side, contrasted with per-user keys $pk_1, \ldots, pk_n$.]
Broadcast Encryption Security
Semantic security when users collude (selective security).
Def: Alg. $A$ $\varepsilon$-breaks BE semantic security if $\Pr[b = b'] > \tfrac{1}{2} + \varepsilon$. $(t, \varepsilon)$-security: no $t$-time algorithm can $\varepsilon$-break BE semantic security. If no $S$ is output up front, adaptive security is achieved.
Game between the Challenger and the Attacker:
1) The Attacker chooses $S \subseteq \{1, \ldots, n\}$ and sends it to the Challenger.
2) The Challenger runs Setup(n) and returns $PK$ and $\{ d_j \mid j \notin S \}$.
3) Extract queries: the Attacker may ask for $d_j$ with $j \notin S$.
4) The Attacker sends $m_0, m_1 \in G$.
5) The Challenger picks $b \in \{0, 1\}$ and returns $C^* = \mathrm{Enc}(S, PK, m_b)$.
6) The Attacker outputs $b' \in \{0, 1\}$.
1) BGW scheme (Dan Boneh, Craig Gentry, and Brent Waters)
Setup(n): $g \in G$, $\alpha, \gamma \in \mathbb{Z}_p$, $g_k = g^{(\alpha^k)}$,
$PK = (g, g_1, g_2, \ldots, g_n, g_{n+2}, \ldots, g_{2n}, v = g^{\gamma}) \in G^{2n+1}$.
For $k = 1, \ldots, n$ set $d_k = (g_k)^{\gamma} \in G$.
Encrypt(S, PK, M): $t \in \mathbb{Z}_p$,
$CT = \left( g^t,\ \left( v \prod_{j \in S} g_{n+1-j} \right)^t,\ M \cdot e(g_n, g_1)^t \right)$.
Decrypt(CT, S, k, $d_k$, PK): $CT = (C_0, C_1, C_2)$.
Fact: $K = e(g_k, C_1) \,/\, e\!\left( d_k \prod_{j \in S,\, j \neq k} g_{n+1-j+k},\ C_0 \right) = e(g_n, g_1)^t$, so $M = C_2 / K$.
* This is the first identity-based broadcast encryption scheme (IBBE) with constant-size ciphertexts and private keys. Compared with the BGW scheme, it has comparable properties but better efficiency: the public key is shorter than in BGW. Moreover, the total number of possible users in the system does not have to be fixed at setup.
Shortcomings:
1) Hardness assumption
Given
2) Random oracles
We improved on it in 2011 and 2012:
- Leyou Zhang, Yupu Hu and Qing Wu. New Constructions of Identity-based Broadcast Encryption without Random Oracles. TIIS Trans. on Internet and Information Systems, Vol. 5, No. 2, pp. 247-476, 2011.
- Leyou Zhang, Yupu Hu and Qing Wu. Adaptively Secure Identity-based Broadcast Encryption with constant size private keys and ciphertexts from the Subgroups. Mathematical and Computer Modelling, Vol. 55, pp. 12–18, 2012.
3) Our work based on Dual System Encryption
Setup: To generate the system parameters, the PKG picks randomly $g, h, u_1, \ldots, u_l \in G_{p_1}$ and $\alpha \in \mathbb{Z}_N$. The public parameters are $PK = \{ g, h, u_1, \ldots, u_l, v = e(g, g)^{\alpha} \}$ and the master key is $\alpha$.
Extract: Given the identity $ID_i \in S$ ($|S| = s \le l$), the PKG selects randomly $r_i \in \mathbb{Z}_N$ and also chooses random elements $R_{i0}, R'_{i0}, R_{i1}, \ldots, R_{i(i-1)}, R_{i(i+1)}, \ldots, R_{is} \in G_{p_3}$. Then it computes the private key as follows:
$d_{ID_i} = (d_0, d_0', d_1, \ldots, d_{i-1}, d_{i+1}, \ldots, d_s) = \left( g^{\alpha} (h\, u_i^{ID_i})^{r_i} R_{i0},\ g^{r_i} R'_{i0},\ u_1^{r_i} R_{i1}, \ldots, u_{i-1}^{r_i} R_{i(i-1)},\ u_{i+1}^{r_i} R_{i(i+1)}, \ldots, u_s^{r_i} R_{is} \right).$
Encrypt: Without loss of generality, let $S = (ID_1, ID_2, \ldots, ID_s)$ denote the set of users, with $s \le l$. A broadcaster selects a random $k \in \mathbb{Z}_N^{*}$ and computes
$C = (C_0, Hdr) = (C_0, C_1, C_2) = \left( v^k M,\ \left( h \prod_{i=1}^{s} u_i^{ID_i} \right)^k,\ g^k \right).$
Decrypt: Given the ciphertext $C = (C_0, C_1, C_2)$, any user $ID_i \in S$ uses his private key $d_{ID_i}$ to compute
$M = C_0 \cdot \frac{e(C_1, d_0')}{e\!\left( d_0 \prod_{j=1,\, j \neq i}^{s} d_j^{ID_j},\ C_2 \right)}.$
Some Special Cases
1) Threshold Broadcast Encryption
● In a threshold public key encryption scheme a message is encrypted and sent to a group of receivers, in such a way that the cooperation of at least t of them (where t is the threshold) is necessary in order to recover the original message.
The fact that the set of receivers and the threshold are fixed from the beginning can limit the applications of these schemes in real life. One can imagine that the sender of the message, who wants to protect some information, may want to decide who the designated receivers will be in an ad-hoc way, just before encrypting the message, and also to decide the threshold of receivers that will be necessary to recover the information.
Shortcomings in the existing works:
1) Strong assumptions;
2) High computation cost;
3) Selective security (with constant-size ciphertexts);
4) Adaptive security, but the ciphertext size depends on the threshold value and the users' depth.
Our work: Leyou Zhang, Yupu Hu and Qing Wu. Identity-based threshold broadcast encryption in the standard model. TIIS Trans. on Internet and Information Systems, Vol. 4, No. 3, pp. 400-410, 2010.
2) HIBE
If we convert $(Id_1, \ldots, Id_n)$ to $(Id_1 \| Id_2 \| \ldots \| Id_n)$, we can obtain an HIBE scheme.
[Figure: broadcaster sending to $(Id_1, \ldots, Id_n)$.]
An Identity Based Encryption (IBE) system is a public key system where the public key can be an arbitrary string such as an email address. A central authority uses a master key to issue private keys to identities that request them. Hierarchical IBE (HIBE) is a generalization of IBE that mirrors an organizational hierarchy. An identity at level k of the hierarchy tree can issue private keys to its descendant identities, but cannot decrypt messages intended for other identities.
Dan Boneh, Xavier Boyen, Eu-Jin Goh: HIBE Scheme*
*Boneh, D., Boyen, X., Goh, E.: Hierarchical identity based encryption with constant size ciphertext. In: Cramer, R.J.F. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 440–456. Springer, Heidelberg, 2005.
- Jong Hwan Park and Dong Hoon Lee. A New Public Key Broadcast Encryption Using Boneh-Boyen-Goh's HIBE Scheme. L. Chen, Y. Mu, and W. Susilo (Eds.): ISPEC 2008, LNCS 4991, pp. 101–115, 2008.
- Leyou Zhang, Yupu Hu and Qing Wu. New Constructions of Identity-based Broadcast Encryption without Random Oracles. TIIS Trans. on Internet and Information Systems, Vol. 5, No. 2, pp. 247-476, 2011.
- Leyou Zhang, Yupu Hu and Qing Wu. Adaptively Secure Identity-based Broadcast Encryption with constant size private keys and ciphertexts from the Subgroups. Mathematical and Computer Modelling, Vol. 55, pp. 12–18, 2012.
3) Traitor Tracing Scheme
Consider the distribution of digital content to subscribers over a broadcast channel. Typically, the distributor gives each authorized subscriber a hardware or software decoder ("box") containing a secret decryption key. The distributor then broadcasts an encrypted version of the digital content. Authorized subscribers are able to decrypt and make use of the content. This scenario comes up in the context of pay-per-view television, and more commonly in web based electronic commerce (e.g. broadcast of online stock quotes or broadcast of proprietary market analysis).
However, nothing prevents a legitimate subscriber from giving a copy of her decryption software to someone else. Worse, she might try to expose the secret key buried in her decryption box and make copies of the key freely available. The "traitor" would thus make all of the distributor's broadcasts freely available to non-subscribers. Chor, Fiat and Naor introduced the concept of a traitor tracing scheme to discourage subscribers from giving away their keys. Their approach is to give each subscriber a distinct set of keys that both identify the subscriber and enable her to decrypt. In a sense, each set of keys is a "watermark" that traces back to the owner of a particular decryption box.
Key Research Points (my opinion)
1) The trade-off between security and efficiency;
2) The trade-off between private/public key size and ciphertext size;
3) Applications in real life;
4) Public-key traitor tracing schemes;
5) The relationship between BE and other PKE primitives;
6) New mathematical hardness assumptions (e.g. LWE, lattices);
7) New versions: functional BE (attribute-based BE).
Conclusions
PKBE is a useful public-key primitive in real life. The existing works have many shortcomings that limit its application, which is also a motivation to continue this research.
In a word, the bottleneck is there, but so is the challenge.