Transcript of: Trace, Revoke and Self Enforcement Mechanisms for Protecting Information (Moni Naor, Weizmann Institute of Science)
![Page 1: 1 Trace, Revoke and Self Enforcement Mechanisms for Protecting Information Moni Naor Weizmann Institute of Science.](https://reader030.fdocuments.us/reader030/viewer/2022032703/56649d155503460f949eb05e/html5/thumbnails/1.jpg)
Page 1: Trace, Revoke and Self Enforcement Mechanisms for Protecting Information
Moni Naor
Weizmann Institute of Science
Page 2: Digital Content
• Very easy to generate, transfer and reproduce
• However, also easy to violate ownership:
  – Copyright
  – Privacy
Safe prediction: this phenomenon will only increase in the future.
Page 3: Ownership Protection
• Social issue
• Technological developments can impact the ground rules: by imposing technical as well as social barriers for the violators
Technology is neither a panacea nor irrelevant!
Page 4: Techniques
• Protecting content: methods for discouraging/preventing redistribution of content after decryption
  – Watermarking
  – Fingerprinting
  – Tamper resistance: hardware, software
• Protecting cryptographic keys
  – Broadcast Encryption/Revocation
  – Tracing Traitors
  – Trace and Revoke
A solution may apply a combination of techniques.
Page 5: Methods for Key Protection
Goal of key protection mechanisms:
• Create a legitimate channel of distribution of content and disallow its abuse.
• Illegitimate distribution should require the establishment of alternative channels; it should not be able to piggyback on the legitimate channel.
Alternative channels should be combated using other means.
Page 6: Techniques for Key Protection
How to send information only to intended recipients:
• Broadcast Encryption/Revocation
How to detect/prevent abuse:
• Traitor Tracing
• Self Enforcement
Page 7: Talk Plan
• The stateless scenario for trace and revoke
• The Subset Cover Framework for T&R schemes
• Two subset cover schemes
  – Complete Subtree
  – Subset Difference
• “Implementation” issues
• Tracing:
  – General: bifurcation property
  – Subset Difference
• Security definition
Page 8: The Broadcast Encryption Problem
• The center transmits a message M to a large group
• A subset of users is revoked and should not be able to decrypt the message
  – the revoked subset changes dynamically
• Receivers are stateless: independent of history
  – depend only on the initial configuration
  – essential for “off-line” applications, useful otherwise
[Figure: center broadcasting message M to revoked and non-revoked receivers]
Page 9: Tracing
The problem of Tracing Traitors:
• The encryption scheme makes it possible to figure out who leaked the keys
  – black-box tracing
  – traitors can gather information, e.g. build a clone
Trace and Revoke:
• trace the leaked key(s)
• revoke it/them: make the box unusable
Powerful combination!
Page 10: Key Protection in Media
• Content is distributed on CD, DVD, memory card...
  – content is encrypted
• Players/recorders are the receivers
  – typically stateless
  – receivers are given decryption keys at manufacturing
Goal:
  – Revoke non-compliant players
    • a revoked player cannot decode future content
  – Trace the identity of a "cloned"/"hacked" player
    • black-box tracing
• Example: CPRM (DVD Audio)
Page 11: Desiderata
• Low bandwidth: small message expansion; E(content) not much longer than the original message.
• Amount of storage at the users (I_u) small
  – Also at the center
• Attentiveness: users need not be online (stateless)
• Resiliency to large coalitions of users who collude and share their resources
Page 12: Summary of Results
• Define the Subset-Cover framework
  – Family of algorithms, encapsulating previous methods
  – Rigorous security analysis: sufficient condition for an algorithm in the framework to be secure
• Provide the Subset-Difference revocation algorithm
  – r-flexible
  – concise message length
• Tracing algorithm
  – Works for any algorithm in the framework satisfying the bifurcation property
  – Seamless integration with the revocation algorithm
  – Withstands any coalition size
Page 13: Preliminaries
Notation: N - set of n users; R - set of r users whose privileges are to be revoked
Assumption: stateless devices
Goal: encrypt so that a non-revoked user can decrypt correctly, and no coalition of revoked users (of an arbitrary size) can decrypt
Page 14: Subset-Cover Revocation and Tracing Algorithms
n - total no. of users; r - no. of revocations; t - no. of traitors (illegal users)

| Scheme | Message length | # keys per device | Processing time | # decryptions | Message length for traitors |
|---|---|---|---|---|---|
| Complete Subtree | r log(n/r) | log n | log log n | 1 | t log n |
| Subset Difference | 2r-1 (worst), 1.25r (avg.) | 0.5 log² n | log n applications of a PRSG | 1 | 5t |
Page 15: Components of a Stateless System
• Scheme initiation: a method to assign secret information I_u to each device u.
• The broadcast algorithm: for message M and a set R of users to be revoked, produce a ciphertext C to broadcast to all.
• A decryption algorithm (at the device):
  – a non-revoked device should produce M from ciphertext C.
  – Decryption should be based on the current message and the secret information I_u only (i.e. stateless).
  – Impossible to produce M from the ciphertext even when provided with the secret information of all revoked users.
Page 16: Definition of Security for a Stateless Broadcast System
• Can define it rigorously
• Moral equivalent of an adaptive chosen ciphertext attack
• Separation between long-term and short-term security requirements
Page 17: Subset Cover Framework
The framework encapsulates many previous schemes.
• Idea: to revoke a set R, partition the remaining users into subsets from some predetermined collection.
• Encrypt for each subset separately.
Suggests schemes with low bandwidth and low storage that allow tracing.
Page 18: An Algorithm in the Framework
Underlying collection of subsets (of devices) S_1, S_2, ..., S_w, with S_j ⊆ N.
• Each subset S_j is associated with a long-lived key L_j
  – A device u ∈ S_j should be able to deduce L_j from its secret information I_u
• Given a revoked set R, the non-revoked users N \ R are partitioned into m disjoint subsets S_{i_1}, S_{i_2}, ..., S_{i_m} (N \ R = ∪_j S_{i_j})
  – a session key K is encrypted m times, with L_{i_1}, L_{i_2}, ..., L_{i_m}.
Page 19: Framework: Encryption Primitives (Separating Short-Term from Long-Lived Keys)
• F_K: encrypts the message
  – K is a session key, fresh for each message
  – fast, not expanding the plaintext (e.g. a stream cipher)
• E_L: encrypts the session key
  – the L are long-lived keys
  – generally stronger than F
Can give a precise definition of the required strength of E_L and F_K.
Page 20: The Broadcast Algorithm
• Choose a session key K
• Given R, find a partition of N \ R into disjoint sets S_{i_1}, S_{i_2}, ..., S_{i_m} (N \ R = ∪_j S_{i_j}) with associated keys L_{i_1}, L_{i_2}, ..., L_{i_m}
• Encrypt message M:
  [i_1, i_2, …, i_m], E_{L_{i_1}}(K), E_{L_{i_2}}(K), …, E_{L_{i_m}}(K)  ||  F_K(M)
  (HEADER)                                                          (Body)
Page 21: The Decryption Step at u
  [i_1, i_2, …, i_m], C_1 = E_{L_{i_1}}(K), …, C_m = E_{L_{i_m}}(K)  ||  F_K(M)
  (HEADER)                                                      (Body)
• Find the subset i_j such that u ∈ S_{i_j}, or null if u ∈ R (then u is revoked!)
• Obtain L_{i_j} from the private information I_u
• Compute D_{L_{i_j}}(C_j) to obtain K
• Decrypt F_K(M) with K to obtain the message.
Page 22: A Subset-Cover Algorithm
Specifies:
• Collection of underlying subsets
• Key assignment to each subset
• “Subset-Cover” method to cover the non-revoked devices
• For a device: how to find its subset S and its key L_S from its private information
Evaluated based on:
• Header length
• Storage (# keys) at the device
• Processing at the device: time, # decryptions
• Flexibility with respect to r
Page 23: Two Extreme Examples
• Collection of subsets: all S_j ⊆ N, w = 2^n - 1
  – Low bandwidth: for any R we have m = 1; use S_1 = N \ R
  – No good key assignment: each user would have to store 2^(n-1) keys
• Collection of subsets: all S_j = {j}, w = n
  – High bandwidth: for any R we have m = |N \ R|; use all {S_j | j ∈ N \ R}
  – Good key assignment: each user stores only 1 key
Challenge: find a scheme with small cover size m and succinct secret information I_u
Page 24: Important Observation: Key Indistinguishability
Users ∉ S_j should not know the long-lived key L_j. Possible solution:
  – Choose each L_j independently.
  – Let I_u = {L_j | u ∈ S_j}; can result in a long I_u
Alternative, a sufficient condition for security: given {I_u | u ∉ S_j}, the key L_j is computationally indistinguishable from random.
Yields (provably) large savings in storage at the receivers.
Page 25: Security Theorem (Format)
Any subset cover scheme where
• F_K is sufficiently strong
• E_L is sufficiently strong
• the keys L_j satisfy the Key Indistinguishability property
is secure.
Page 26: The Complete Subtree Method
Imagine a full binary tree with n leaves corresponding to N. E.g. if n = 2^32, a 32-level complete binary tree.
Underlying subsets S_1, S_2, …, S_w: for node v_i in the full tree, S_i = set of all leaves in the subtree of v_i; w = 2n - 1.
Key assignment: assign a key L_i to every node v_i in the tree.
Device keys: store all log n + 1 keys along the path to the root. E.g. if n = 2^32, need 33 keys.
[Figure: node v_i with key L_i and its subtree S_i]
Page 27: Complete Subtree: Key Assignment
[Figure: device u at a leaf; the keys L_1, …, L_6 of the nodes on its path to the root]
I_u = { L_1, L_2, L_3, L_4, L_5, L_6 }
Page 28: Subset Cover of Non-Revoked Devices, Complete Subtree Method
[Figure: tree with revoked and non-revoked leaves; the cover is the set of maximal non-revoked subtrees]
Page 29: Subset Cover of Non-Revoked Devices
Cover = all maximal sets S_i (complete subtrees) containing only non-revoked devices
• Worst/average case: r log(n/r) such sets
• Example: for n = 2^32, r = 2^16 and a 7-byte session key: total of 16*7 + 4 = 116 bytes per revocation (4 + 7*log(2^16))
• 33 keys/device
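The broadcast and decryption steps of pages 18 to 21, instantiated for the Complete Subtree method of pages 26 to 29, as an added worked example in Python. This is not code from the talk or from the underlying paper. Assumptions: HMAC-SHA256 stands in for both E_L and F_K (a deployment would use a real block cipher and stream cipher), keys are 16 bytes, nodes are numbered heap-style (root 1, children of k are 2k and 2k+1, leaf u is node n+u), and the names CompleteSubtree, broadcast and decrypt_at_device are mine. The cover routine returns the maximal non-revoked subtrees, so with n = 32 and R = {3, 17} it yields exactly r log(n/r) = 8 subsets.

```python
import hashlib
import hmac
import os

KEY_LEN = 16  # length of the long-lived keys L_i and of the session key K


def prf(key: bytes, data: bytes) -> bytes:
    # Assumption: HMAC-SHA256 stands in for both E_L (block cipher) and F_K
    # (stream cipher); a deployment would use a real cipher for each.
    return hmac.new(key, data, hashlib.sha256).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_session_key(long_lived: bytes, session_key: bytes, nonce: bytes) -> bytes:
    # E_L(K): mask K with PRF_L(nonce).  The nonce is fresh per broadcast, so a
    # long-lived key never reuses a mask.  XOR masking is its own inverse.
    return xor(session_key, prf(long_lived, b"E" + nonce)[:len(session_key)])


decrypt_session_key = encrypt_session_key


def stream_cipher(session_key: bytes, data: bytes) -> bytes:
    # F_K(M): non-expanding keystream in counter mode; also its own inverse.
    out = bytearray()
    for off in range(0, len(data), 32):
        out.extend(xor(data[off:off + 32], prf(session_key, off.to_bytes(8, "big"))))
    return bytes(out)


class CompleteSubtree:
    """Complete Subtree method.  Heap numbering: root = 1, the children of k
    are 2k and 2k+1, leaf u (0 <= u < n) is node n + u."""

    def __init__(self, depth: int):
        self.n = 1 << depth
        # Key assignment: an independent random long-lived key L_i per node v_i.
        self.node_keys = {i: os.urandom(KEY_LEN) for i in range(1, 2 * self.n)}

    def ancestors(self, u: int):
        node = self.n + u
        while node >= 1:
            yield node
            node //= 2

    def device_secret(self, u: int) -> dict:
        # I_u: the log n + 1 keys on the path from leaf u to the root.
        return {i: self.node_keys[i] for i in self.ancestors(u)}

    def cover(self, revoked: set) -> list:
        # Cover N \ R by the maximal complete subtrees with no revoked leaf.
        tainted = {i for u in revoked for i in self.ancestors(u)}
        cover, stack = [], [1]
        while stack:
            node = stack.pop()
            if node not in tainted:
                cover.append(node)          # whole subtree is non-revoked
            elif node < self.n:             # internal node: look at both children
                stack.extend((2 * node, 2 * node + 1))
        return sorted(cover)


def broadcast(scheme: CompleteSubtree, revoked: set, message: bytes) -> dict:
    # [i_1..i_m], E_{L_{i_1}}(K), ..., E_{L_{i_m}}(K)  ||  F_K(M)
    session_key, nonce = os.urandom(KEY_LEN), os.urandom(KEY_LEN)
    header = [(i, encrypt_session_key(scheme.node_keys[i], session_key, nonce))
              for i in scheme.cover(revoked)]
    return {"nonce": nonce, "header": header, "body": stream_cipher(session_key, message)}


def decrypt_at_device(secret: dict, ciphertext: dict):
    # Stateless: uses only the current ciphertext and I_u.  u lies in S_i
    # exactly when v_i is on its root path, i.e. when L_i is in I_u.
    for i, c in ciphertext["header"]:
        if i in secret:
            session_key = decrypt_session_key(secret[i], c, ciphertext["nonce"])
            return stream_cipher(session_key, ciphertext["body"])
    return None                             # u is revoked


if __name__ == "__main__":
    cs = CompleteSubtree(5)                 # n = 32 devices
    ct = broadcast(cs, {3, 17}, b"content")
    print(len(ct["header"]), "subsets in the cover")
    print(decrypt_at_device(cs.device_secret(0), ct), decrypt_at_device(cs.device_secret(3), ct))
```

The header carries the subset indices in the clear; a device only needs to look up which index is on its own root path, which is the "quick determination" point of page 51.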
Page 30: The Subset-Difference Method: Subset Definition
Imagine a full binary tree with n leaves corresponding to N. E.g. if n = 2^32, a 32-level complete binary tree.
Subsets S_1, S_2, …, S_w, w = n log n: for a pair of nodes [v_i, v_j] in the full tree such that v_i is an ancestor of v_j, S_{i,j} = set of all leaves in the subtree of v_i but not in the subtree of v_j.
[Figure: v_i above v_j; S_{i,j} is the subtree of v_i with the subtree of v_j removed]
31
Subset Difference DefinitionSubset Difference Definition
Si,j = Set of all leaves in the subtree of Vi but not in Vj
vi
vj
… ……
Si,j
vi
vj
Page 32: Subset Cover of Non-Revoked Devices, Subset-Difference Method
[Figure: tree with revoked and non-revoked leaves; the cover consists of sets S_{i,j} = subtree(v_i) \ subtree(v_j)]
Page 33: Cover is Very Small!
Fundamental property: the size of the subset cover in the Subset-Difference method is at most 2r - 1 in the worst case and 1.25r in the average case!
Page 34: Key Assignment
GGM is practical! (GGM = Goldreich, Goldwasser & Micali)
Page 35: Key Assignment, Subset-Difference Method
Naive approach to the key assignment: assign a key L_{i,j} to every pair [v_i, v_j] in the tree. Impractical: each device must store O(n) keys…
Use G, a pseudo-random sequence generator that triples the input length (k → 3k), à la GGM, to define a labeling process:
• S = label @ node
• G_L(S) = label @ left child, G_R(S) = label @ right child
• G_M(S) = key @ node
G(S) = G_L(S) || G_M(S) || G_R(S)
[Figure: node with label S; its children carry the labels G_L(S) and G_R(S)]
Page 36: Key Assignment (cont.)
Assign to each node v_i a label LABEL_i. The key L_{i,j} = G_M of the label LABEL_{i,j} at node v_j, derived from LABEL_i down towards v_j.
[Figure: S = LABEL_i at v_i; going down the left spine: G_L(S), G_L(G_L(S)), G_L(G_L(G_L(S))); the right child of v_i carries G_R(S); v_j carries G_R(G_L(G_L(S)))]
LABEL_{i,j} = G_R(G_L(G_L(S)))
L_{i,j} = G_M(LABEL_{i,j})
Page 37: Key Assignment, Subset-Difference Method
[Figure: the same derivation as on page 36: S = LABEL_i at v_i, then G_L(S), G_L(G_L(S)), G_L(G_L(G_L(S))) and G_R(S), with G_R(G_L(G_L(S))) at v_j]
LABEL_{i,j} = G_R(G_L(G_L(S)))
L_{i,j} = G_M(LABEL_{i,j})
Page 38: Providing Keys to Devices
A device corresponds to a leaf u in the tree. For every v_i ancestor of u whose label is S, u receives all labels at the nodes that are hanging off the path from v_i to u. These labels are all derived from S.
u can compute all keys of the sets it belongs to rooted at v_i, and only them.
[Figure: leaf u, ancestor v_i with label S, and the nodes hanging off the path between them]
Page 39: Providing Keys to Devices
Total # of labels u has to store is 0.5 log² n + 0.5 log n + 1: k labels for each ancestor v_i which is k levels above u, k = 1, …, log n, plus one extra label.
For n = 2^32, about 530 labels (32·33/2 + 1 = 529).
Requires log n on-the-fly applications of G to derive a key.
Page 40: Only 13 Bytes per Single Revocation
For n = 2^32 and a 7-byte session key: total of 1.25 * 7 + 4 < 13 bytes per revocation; 530 labels per device.
  [i_1, i_2, …, i_m]    E_{L_{i_1}}(K), E_{L_{i_2}}(K), …, E_{L_{i_m}}(K)  ||  F_K(M)
  (about 4r bytes)      (about 9r bytes)
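The Subset-Difference key assignment of pages 35 to 39 and the cover computation of pages 32 and 33, as an added worked example in Python (not code from the talk or the underlying paper). Assumptions: the length-tripling generator G is built from SHA-256 with a domain-separation byte, labels are 16 bytes, nodes are numbered heap-style (root 1, children of k are 2k and 2k+1, leaf u is node n+u), the special set used when nothing is revoked is written (1, 0) and its key is the "+1" label every device stores, and the names SubsetDifference, derive, device_labels, device_key and verify are mine. The cover routine descends from each node while only one child contains revoked leaves and emits S_{v,x} for the node x where that stops; the verify helper checks the 2r-1 bound and that exactly the non-revoked devices can derive a cover key.

```python
import hashlib
import os

LABEL_LEN = 16
G_L, G_M, G_R = 0, 1, 2


def G(label: bytes) -> tuple:
    # Length-tripling generator a la GGM (assumption: built from SHA-256 here).
    # Returns (G_L(S), G_M(S), G_R(S)).
    return tuple(hashlib.sha256(label + bytes([t])).digest()[:LABEL_LEN] for t in (0, 1, 2))


class SubsetDifference:
    """Subset-Difference method, n = 2**depth leaves, heap numbering: root = 1,
    children of k are 2k and 2k+1, leaf u is node n + u.  S_{i,j} is the set of
    leaves below v_i but not below v_j; (1, 0) denotes the special set used
    when nothing is revoked."""

    def __init__(self, depth: int):
        self.depth, self.n = depth, 1 << depth
        self.labels = {i: os.urandom(LABEL_LEN) for i in range(1, self.n)}  # LABEL_i

    @staticmethod
    def derive(label: bytes, top: int, node: int) -> bytes:
        # Label at `node`, derived from the label of its ancestor `top` by
        # applying G_L / G_R along the path (low bit 1 = right child).
        turns = []
        while node > top:
            turns.append(node & 1)
            node //= 2
        assert node == top, "node is not below top"
        for bit in reversed(turns):
            label = G(label)[G_R if bit else G_L]
        return label

    def subset_key(self, i: int, j: int) -> bytes:
        # Center side: L_{i,j} = G_M(LABEL_{i,j}), LABEL_{i,j} derived from LABEL_i.
        return G(self.labels[1] if j == 0 else self.derive(self.labels[i], i, j))[G_M]

    def device_labels(self, u: int) -> dict:
        # I_u: for every proper ancestor v_i of leaf u, the labels of the nodes
        # hanging off the path from v_i to u (k labels for the ancestor k levels
        # up), plus the key of the special set (1, 0).
        out, leaf = {(1, 0): G(self.labels[1])[G_M]}, self.n + u
        anc = leaf // 2
        while anc >= 1:
            node = leaf
            while node > anc:
                out[(anc, node ^ 1)] = self.derive(self.labels[anc], anc, node ^ 1)
                node //= 2
            anc //= 2
        return out

    @staticmethod
    def device_key(labels: dict, i: int, j: int):
        # Device side: u can compute L_{i,j} iff, under ancestor v_i, it holds the
        # label of a node that is an ancestor-or-self of v_j (u is below v_i but
        # not below v_j); it derives down from that node, log n steps at most.
        if (i, j) == (1, 0):
            return labels.get((1, 0))
        for (anc, hang), label in labels.items():
            if anc != i or hang == 0:
                continue
            node = j
            while node >= hang:
                if node == hang:
                    return G(SubsetDifference.derive(label, hang, j))[G_M]
                node //= 2
        return None                          # u is not in S_{i,j}

    def cover(self, revoked: set) -> list:
        # Cover N \ R with at most 2r - 1 sets S_{i,j} (1.25 r on average).
        tainted = set()
        for u in revoked:
            node = self.n + u
            while node >= 1:
                tainted.add(node)
                node //= 2
        if not tainted:
            return [(1, 0)]

        def cover_below(v):
            # v has a revoked leaf below it.  Descend while exactly one child
            # has revoked leaves; S_{v,x} then covers everything outside x.
            x = v
            while x < self.n and (2 * x in tainted) != (2 * x + 1 in tainted):
                x = 2 * x if 2 * x in tainted else 2 * x + 1
            sets = [] if x == v else [(v, x)]
            if x < self.n:                   # both children of x hold revoked leaves
                sets += cover_below(2 * x) + cover_below(2 * x + 1)
            return sets
        return cover_below(1)


def verify(scheme: SubsetDifference, revoked: set) -> bool:
    # Bound 2r - 1 holds; each non-revoked device derives exactly one cover key
    # and it matches the center's; revoked devices derive none.
    cov = scheme.cover(revoked)
    if revoked and len(cov) > 2 * len(revoked) - 1:
        return False
    for u in range(scheme.n):
        labels = scheme.device_labels(u)
        derived = [(scheme.device_key(labels, i, j), scheme.subset_key(i, j)) for i, j in cov]
        derived = [(k, c) for k, c in derived if k is not None]
        if u in revoked:
            if derived:
                return False
        elif len(derived) != 1 or derived[0][0] != derived[0][1]:
            return False
    return True
```

For depth 32 the device stores 32·33/2 + 1 = 529 labels, matching the "about 530" of page 39, and every key derivation is at most 32 applications of G.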
Page 41: Tracing Traitors
• Some users leak their keys to pirates
• Pirates construct unauthorized decryption devices and sell them at a discount
• Trace and Revoke for all subset cover algorithms satisfying the bifurcation property
• More efficient procedure for Subset Difference
[Figure: a pirate box holding keys K1, K3, K8 turns E(Content) into Content]
Page 42: Tracing Algorithm
Assumptions on the illegal device:
• can examine the box's reaction to encrypted messages
• reset button, no “locking” strategy
• decodes with probability > q (say 0.5)
Goal: output one of the two
• a user u contained in the box
• a partition S = S_{i_1}, S_{i_2}, …, S_{i_m} that disables the box
Evaluation:
• performance requirement from the revocation scheme
• number of queries
[Figure: traitors U_1, U_2, …, U_t feed a box; the tracer submits encrypted messages and outputs either u or S]
Page 43: Subset Tracing
Given an illegal decoder and a subset-cover partition S = S_{i_1}, S_{i_2}, …, S_{i_m}, output either:
• “decoder is no longer decoding”, or
• a subset S_{i_j} containing a traitor
Page 44: Why is Subset-Tracing Possible?
Consider a partition S = S_{i_1}, S_{i_2}, …, S_{i_m}:
• Header contains the correct key in every slot: the box decodes (p_0 = 1)
• Header contains all random keys: the box does not decode (p_m = 0)
Using a hybrid technique, find a subset j that has a gap of at least 1/m:
  p_0 = 1:   E_{L_{i_1}}(K), …, E_{L_{i_{j-1}}}(K), E_{L_{i_j}}(K), E_{L_{i_{j+1}}}(K), …, E_{L_{i_m}}(K)  F_K(M)
  p_{j-1}:   E_{L_{i_1}}(R), …, E_{L_{i_{j-1}}}(R), E_{L_{i_j}}(K), E_{L_{i_{j+1}}}(K), …, E_{L_{i_m}}(K)  F_K(M)
  p_j:       E_{L_{i_1}}(R), …, E_{L_{i_{j-1}}}(R), E_{L_{i_j}}(R), E_{L_{i_{j+1}}}(K), …, E_{L_{i_m}}(K)  F_K(M)
  p_m = 0:   E_{L_{i_1}}(R), …, E_{L_{i_{j-1}}}(R), E_{L_{i_j}}(R), E_{L_{i_{j+1}}}(R), …, E_{L_{i_m}}(R)  F_K(M)
If p_{j-1} - p_j ≥ 1/m then S_{i_j} contains a traitor!
Page 45: Definition: Bifurcation Property
Any subset S_i can be partitioned into (roughly) two equal sets S_{i_1} and S_{i_2}: S_i = S_{i_1} ∪ S_{i_2}.
Bifurcation value: max { |S_{i_1}| / |S_i|, |S_{i_2}| / |S_i| }
[Figure: a subset-difference set with root v_i and excluded node v_j, split at the children L and R of v_i; v_j lies under one of them. Bifurcation value = 2/3]
Page 46: The Tracing Algorithm
Start with an initial partition S = S_{i_1}, S_{i_2}, …, S_{i_m}.
Repeat:
• Apply “Subset-Tracing” to S
• If “not decrypting”, done
• Otherwise, S_j contains a traitor: split S_j into S_{j_1} and S_{j_2} and replace S_j in S by S_{j_1} and S_{j_2}
[Figure: S_1, S_2, …, S_m → Subset Tracing → S_j → S_1, S_2, …, S_{j_1}, S_{j_2}, …, S_m]
Page 47: The Tracing Algorithm
[Figure: S_1, S_2, …, S_m → Subset Tracing → S_j → S_1, S_2, …, S_{j_1}, S_{j_2}, …, S_m → Subset Tracing → S_k → S_1, S_2, …, S_{k_1}, S_{k_2}, … → Subset Tracing → not decrypting: done]
Page 48: Efficiency: Tracing t Traitors
• A subset is partitioned only if it has a traitor and contains more than 1 element
• Therefore at most t log n iterations; actually, t log(n/t)
• Results in a partition of size at most t log(n/t)
• Subset Difference: only t subsets actually contain a traitor; can the others be merged? Yes, can get down to O(t) subsets!
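The subset-tracing step of pages 43 and 44 and the bifurcation loop of pages 46 to 48, as an added worked example in Python for the Complete Subtree method, where bifurcation means splitting a subtree into its two child subtrees. This is not code from the talk or the underlying paper. Assumptions: the pirate box is modelled abstractly (it holds the node keys of its traitors and decodes iff some header slot it holds a key for carries the real session key, so p_j is 0 or 1 and one query per hybrid suffices; a box that decodes only with probability > q would need each p_j estimated from repeated queries), heap numbering as on the earlier pages, and the names PirateBox, subset_tracing, trace and leaves_below are mine. Two traitors among 16 devices are found, and the final partition has t log(n/t) = 6 subsets.

```python
def leaves_below(node: int, n: int) -> set:
    # Leaves (0 <= u < n) of the Complete-Subtree subset S_node; heap numbering:
    # root = 1, children of k are 2k and 2k+1, leaf u is node n + u.
    lo = hi = node
    while lo < n:
        lo, hi = 2 * lo, 2 * hi + 1
    return set(range(lo - n, hi - n + 1))


class PirateBox:
    """Resettable illegal decoder holding the Complete-Subtree keys of a set of
    traitor leaves.  Assumption: it decodes whenever some header slot it holds
    a key for carries the real session key."""

    def __init__(self, n: int, traitors: set):
        self.keys, self.queries = set(), 0
        for u in traitors:
            node = n + u
            while node >= 1:
                self.keys.add(node)
                node //= 2

    def decodes(self, header) -> bool:
        # header: list of (subset id, True if the slot encrypts the real K,
        # False if it encrypts a random R)
        self.queries += 1
        return any(real and subset in self.keys for subset, real in header)


def subset_tracing(box: PirateBox, partition: list):
    """Hybrid j: slots 1..j encrypt a random R, slots j+1..m the real K.
    p_0 = 1 (if the box decodes at all) and p_m = 0, so some j has
    p_{j-1} - p_j >= 1/m; the subset in slot j then contains a traitor."""
    m = len(partition)

    def p(j):
        return 1.0 if box.decodes([(s, idx >= j) for idx, s in enumerate(partition)]) else 0.0

    prev = p(0)
    if prev == 0.0:
        return None                     # "not decrypting": this partition disables the box
    for j in range(1, m + 1):
        cur = p(j)
        if prev - cur >= 1.0 / m:
            return partition[j - 1]
        prev = cur
    raise AssertionError("unreachable: p_0 = 1 and p_m = 0 force a gap >= 1/m")


def trace(box: PirateBox, n: int):
    """Trace-and-revoke loop for the Complete Subtree method.  Returns the
    traitors found and the final partition, which no longer lets the box decode."""
    partition, traitors = [1], []       # start with everybody in one subset
    while True:
        s = subset_tracing(box, partition)
        if s is None:
            return traitors, partition
        partition.remove(s)
        if s >= n:                      # a single leaf: identified traitor, revoke it
            traitors.append(s - n)
        else:                           # bifurcate S_s into its two child subtrees
            partition += [2 * s, 2 * s + 1]


if __name__ == "__main__":
    box = PirateBox(16, {2, 13})
    found, final = trace(box, 16)
    print("traitors:", sorted(found), "partition:", final, "queries:", box.queries)
```

Each hybrid row of page 44 is one query here; with a probabilistic box every p_j would be a sample mean, and the 1/m gap is what makes the number of samples per hybrid polynomial in m.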
Page 49: Frontier Subsets
Idea: merge those that were not shown to have a traitor.
Problem: can the non-frontier sets be merged to yield few subset-difference sets?
[Figure: A is split into B and C; B and C are in the frontier. B is then split into B1 and B2; B1, B2 are in the frontier, C is not. Merge C with the non-frontier subsets.]
Page 50: This Can Be Done for Subset-Difference
Lemma: given k sets of the subset-difference form, it is possible to cover the rest with at most 3k sets of the subset-difference form.
At every step there are 2t frontier sets; the merge results in 3t more sets; so a partition contains at most 5t sets.
Page 51: “Implementation” Issues
• Specifying the subsets for quick determination
• Implementing E_L and F_K
• Prefix Truncation (reducing header length)
• Public keys
Page 52: Prefix Truncation
If E_L is a block cipher and K is shorter than its block size, replace
  E_L(K)  →  [Prefix_{|K|} E_L(U)] ⊕ K
where U is a random string of the same length as the key for E_L.
Before:
  [i_1, i_2, …, i_m], E_{L_{i_1}}(K), E_{L_{i_2}}(K), …, E_{L_{i_m}}(K)  ||  F_K(M)
After (reduction in length; security is preserved):
  [i_1, i_2, …, i_m], U, [Prefix_{|K|} E_{L_{i_1}}(U)] ⊕ K, …, [Prefix_{|K|} E_{L_{i_m}}(U)] ⊕ K  ||  F_K(M)
Page 53: Working with Public Keys
• Any PKC can “work” with any subset cover algorithm. Problems:
• The key assignment yields private keys: need an efficient way to generate public keys from private ones. Good method: Diffie-Hellman, public key g^{L_i}
• Low overhead: want to use prefix truncation. Idea: choose a random x and a hash function h and broadcast
  [(g^x, h), h((g^{L_1})^x) ⊕ K, h((g^{L_2})^x) ⊕ K, …, h((g^{L_m})^x) ⊕ K], F_K(M)
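Prefix truncation (page 52) and its public-key analogue (page 53), as an added worked example in Python; this is not code from the talk or the underlying paper. Assumptions: HMAC-SHA256 keyed by L stands in for the block cipher E_L with a 32-byte block (prefix truncation only ever needs the forward direction of E_L, so a PRF is enough here), the session key is 7 bytes as on page 40, and the public-key part uses the toy group Z_p^* with p = 2^127 - 1 and g = 5 rather than a standard prime-order group. The names header_lengths, truncated_header, recover_truncated, pk_header and pk_recover are mine. The shared value U (or g^x) is sent once and each subset's slot shrinks from a full block to |K| bytes.

```python
import hashlib
import hmac
import os

BLOCK = 32      # block length of the stand-in cipher (SHA-256 output)
KEY_LEN = 7     # session-key length from the slides: shorter than a block


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def E(long_lived: bytes, block: bytes) -> bytes:
    # Assumption: HMAC-SHA256 keyed by L stands in for the block cipher E_L.
    return hmac.new(long_lived, block, hashlib.sha256).digest()


def header_lengths(m: int) -> tuple:
    # (plain, truncated): m full blocks versus one shared U plus m masked keys.
    return m * BLOCK, BLOCK + m * KEY_LEN


def truncated_header(long_lived_keys: list, session_key: bytes) -> tuple:
    # U is chosen once per broadcast; slot i = [Prefix_|K| E_{L_i}(U)] xor K.
    U = os.urandom(BLOCK)
    return U, [xor(E(L, U)[:len(session_key)], session_key) for L in long_lived_keys]


def recover_truncated(long_lived: bytes, U: bytes, slot: bytes) -> bytes:
    # A device recomputes the same prefix from its own L_i and unmasks K.
    return xor(E(long_lived, U)[:len(slot)], slot)


# Public-key variant: the subset's public key is g^{L_i}; g^x plays the role
# of U and h((g^{L_i})^x) the role of E_{L_i}(U).
# Assumption: toy group Z_p^*, p = 2^127 - 1 (a Mersenne prime), g = 5.
P = (1 << 127) - 1
G_GEN = 5


def h(value: int, length: int) -> bytes:
    return hashlib.sha256(value.to_bytes(16, "big")).digest()[:length]


def public_keys(private_keys: list) -> list:
    return [pow(G_GEN, L, P) for L in private_keys]


def pk_header(pub_keys: list, session_key: bytes) -> tuple:
    # One random exponent x per broadcast; g^x is sent once for all subsets.
    x = int.from_bytes(os.urandom(16), "big") % (P - 2) + 1
    gx = pow(G_GEN, x, P)
    return gx, [xor(h(pow(y, x, P), len(session_key)), session_key) for y in pub_keys]


def pk_recover(private_key: int, gx: int, slot: bytes) -> bytes:
    # Device: (g^x)^{L_i} = (g^{L_i})^x, so it recomputes the same mask.
    return xor(h(pow(gx, private_key, P), len(slot)), slot)
```

With m = 10 subsets the header drops from 320 bytes to 102; for the public-key version the only per-subset cost is one exponentiation at the center and one at the device.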
Page 54: Public Keys: Unresolved Issues
• Size of the public-key file: need to publish the public key of every subset, size w. Could be large.
  – Possible solution: identity-based encryption; works only for the information theoretic case
• Immunity to chosen ciphertext attacks with prefix truncation
  – Cramer-Shoup, Fujisaki-Okamoto require “per key” treatment
  – Possible to use Schnorr-like proofs of knowledge with random oracles.
Page 55: Comparison to Other Methods (Stateless Version)
• Broadcast Encryption [Fiat Naor]: message length O(t log² t), t is the coalition size
• Logical Key Hierarchy (LKH): tree-based methods for member revocation
  – [Wallner et al.], [Wong et al.]: message length 2r log n
  – [Canetti et al.]: improved to O(r log n)
• Trace & Revoke: [Naor Pinkas], ([Anzai et al.]): transmit O(r) long DH keys, O(t) keys/device and O(r) decryptions
Page 56: Tracing: Comparison
• Combinatorial schemes, black-box testing [CFN, NP]
• Public-key tracing: Boneh and Franklin, black-box confirmation
• Integration with revocation [GSY]
Page 57: Other Models
• Content tracing: detects users redistributing content after decoding
  – Watermarking: [Boneh, Shaw]
  – Dynamic tracing traitors: [Fiat, Tassa]; improvements: [Berkman et al.], [Safavi-Naini]
• Preventing leakage of keys
  – Legally: yield a proof of the traitor's liability [Pfitzmann]
  – Self enforcement: deter users from revealing personal information [DLN: Signets]
Page 58: Further Work
• Reduce the size of the public-key file
  – GGM in public-key mode
• Public key: immunity to chosen ciphertext attacks
• Broadcast encryption with “medium”-sized sets and no hierarchy
• Better lower bounds
  – Information theoretic case
  – Computational case
• Better constructions
  – LSD, Halevy-Shamir
  – Generalizations?
• Tracing traitors
• Social/economic implications? Restricted formats
Page 59: Multicast Security
Group membership:
• Re-keying event: all users update their group key and labels
  – requires all users to be connected
  – Instead, add a header with the legitimate users only.
Backward secrecy:
• The scheme lacks backward secrecy: it needs re-keying when a new user is added to the group
  – Instead, assign users consecutively, “revoke” the unused ones, and use hierarchical revocation