Fully Collusion Resistant Traitor Tracing with Short
Ciphertexts and Private Keys
Dan Boneh, Amit Sahai, and Brent Waters
Broadcast Systems
Distribute content to a large set of users
• Commercial content distribution
• File systems
• Military-grade GPS
• Multicast IP
Tracing Pirate Devices[CFN’94]
• Attacker creates a “pirated device”
• Want to trace the origin of the device
FAQ 1: “But the content can be copied?” (the DRM impossibility argument)
We are protecting the service, not the content.
Goal: stop the attacker from creating devices that access the original broadcast.
FAQ 2: Why black-box tracing? [BF’99]
The pirate decoder D may contain unrecognized keys, be obfuscated, or be tamper resistant.
All we know about D is that it decrypts well:
  $\Pr[\, M \leftarrow_R G,\ C \leftarrow_R \mathrm{Encrypt}(PK, M) : D(C) = M \,] > 1 - \varepsilon$
(Figure: decoder D assembled from keys $K_1, K_2, K_3$ and obfuscated code.)
Formally: Secure TT systems
A TT system must be (1) semantically secure, and (2) traceable. Tracing game:
  Challenger: runs Setup(n)
  Attacker → Challenger: a colluder set $S \subseteq \{1, \dots, n\}$
  Challenger → Attacker: PK, TK, $\{ K_j \mid j \in S \}$
  Attacker → Challenger: a pirate decoder D
  Challenger: runs $\mathrm{Trace}^D(TK) \to i \in \{1, \dots, n\}$
Adversary wins if: (1) $\Pr[D(C) = M] > 1 - \varepsilon$, and (2) $i \notin S$.
Brute Force System
Setup(n): generate n PKE key pairs $(PK_i, K_i)$, $i = 1, \dots, n$.
  Output private keys $K_1, \dots, K_n$;
  $PK \leftarrow (PK_1, \dots, PK_n)$, $TK \leftarrow PK$.
Encrypt(PK, M): $C \leftarrow ( E_{PK_1}(M), \dots, E_{PK_n}(M) )$.
Tracing: next slide.
This is the best known TT system secure under arbitrary collusion.
… until now
$\mathrm{Trace}^D(PK)$: [BF99, NNL00, KY02]
For $i = 1, \dots, n+1$ and a random message $M \leftarrow_R G$ define
  $p_i := \Pr[\, D(\, E_{PK_1}(R), \dots, E_{PK_{i-1}}(R),\ E_{PK_i}(M), \dots, E_{PK_n}(M) \,) = M \,]$
where the first $i-1$ components carry an independent random message R instead of M (the probe E′(i, M) of the backup slides).
Then: $p_1 > 1 - \varepsilon$ ; $p_{n+1} \approx 0$.
  $1 - \varepsilon \le | p_{n+1} - p_1 | = \left| \sum_{i=1}^{n} (p_{i+1} - p_i) \right| \le \sum_{i=1}^{n} | p_{i+1} - p_i |$
Hence there exists $i \in \{1, \dots, n\}$ such that $| p_{i+1} - p_i | \ge (1 - \varepsilon)/n$.
User i must be one of the pirates.
Security Theorem
The tracing algorithm estimates each $p_i$ to within $| \hat p_i - p_i | < (1 - \varepsilon)/4n$.
Needs $O(n^2)$ samples per $p_i$ (D is stateless).
Cubic time tracing.
• Can be improved to quadratic in |S|.
Thm: underlying PKE system is semantically secure ⇒ no efficient adversary wins the tracing game with non-negligible advantage.
Abstracting the Idea [BSW’06]
Properties needed:
For $i = 1, \dots, n+1$ we need to encrypt M so that:
• users $1, \dots, i-1$ cannot decrypt, users $i, \dots, n$ can decrypt (Linear Broadcast Encryption), and
• without $K_i$ the adversary cannot distinguish Enc(i, PK, M) from Enc(i+1, PK, M) (Private B.E.).
Private Linear Broadcast Enc (PLBE)
• Setup(n): outputs private keys $K_1, \dots, K_n$ and a public key PK.
• Encrypt(u, PK, M): encrypts M for users $\{u, u+1, \dots, n\}$; outputs ciphertext CT.
• Decrypt(CT, j, $K_j$, PK): if $j \ge u$, outputs M.
Broadcast-Encrypt(PK, M) := Encrypt(1, PK, M)
Note: slightly more complicated defs in [BSW’06]
Security definition
Message hiding: even given all private keys, a ciphertext for index n+1 (which no user can decrypt) hides the message:
  Encrypt(n+1, M, PK) $\approx_P$ Encrypt(n+1, M′, PK) for any messages M, M′.
Index hiding: for $u = 1, \dots, n$:
  Challenger: runs Setup(n); sends PK and $\{ K_j \mid j \ne u \}$ to the attacker
  Attacker → Challenger: a message m
  Challenger: picks $b \leftarrow_R \{0,1\}$; sends $C^* \leftarrow \mathrm{Enc}(u+b, PK, m)$
  Attacker: outputs a guess $b' \in \{0,1\}$
The attacker holds every key except $K_u$ and must not be able to tell index u from index u+1.
Results
Thm: Secure PLBE ⇒ Secure TT with the same size CT and private keys (black-box and publicly traceable).
New PLBE system: CT-size = $O(\sqrt n)$ ; priv-key size = $O(1)$ ; enc-time = $O(\sqrt n)$ ; dec-time = $O(1)$.
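The tracing procedure of the brute-force system (the Trace^D slide and the Security Theorem slide) is exactly the PLBE-based tracer of the theorem above: probe the decoder with Encrypt(i, PK, M) for i = 1, …, n+1, estimate each p_i, and accuse the index at the largest gap. The simulation below is an added example, not code from the paper or the talk. It assumes a toy symmetric XOR stream keyed by SHA-256 in place of real public-key encryption (only the ciphertext structure matters for tracing), and the names keygen, plbe_encrypt, make_pirate_decoder, estimate_probs, trace and run_demo are the example's own. The colluder set, seed and sample counts are constructed inputs.

```python
import hashlib
import random

BLOCK = 32  # toy message length in bytes


def keygen(n, rng):
    """Toy stand-in for the n PKE key pairs of the brute-force system:
    user j (1-indexed) gets a random 32-byte secret K_j.  (Assumption:
    a symmetric keystream instead of real public-key encryption.)"""
    return [rng.randbytes(BLOCK) for _ in range(n)]


def xor_stream(key, data, nonce):
    """E(K, M) for the toy scheme: one-time pad derived from SHA-256(K || nonce).
    XOR is its own inverse, so the same function decrypts."""
    pad = hashlib.sha256(key + nonce).digest()
    return bytes(a ^ b for a, b in zip(pad, data))


def plbe_encrypt(keys, u, msg, rng):
    """PLBE Encrypt(u, PK, M) for the brute-force system, i.e. the probe E'(u, M):
    users 1..u-1 receive an independent random message R, users u..n receive M.
    Returns one (nonce, ciphertext) component per user."""
    r = rng.randbytes(BLOCK)
    components = []
    for j, key in enumerate(keys, start=1):
        nonce = rng.randbytes(16)
        components.append((nonce, xor_stream(key, msg if j >= u else r, nonce)))
    return components


def make_pirate_decoder(keys, colluders, rng):
    """Black-box pirate decoder D built from the keys of `colluders`.
    On each query it picks one of its keys at random and decrypts that user's
    component; it has no way to tell whether it recovered M or the dummy R."""
    colluders = sorted(colluders)

    def decode(ct):
        j = rng.choice(colluders)
        nonce, c = ct[j - 1]
        return xor_stream(keys[j - 1], c, nonce)

    return decode


def estimate_probs(keys, decoder, samples, rng):
    """Estimate p_i = Pr[D(Encrypt(i, PK, M)) = M] for i = 1..n+1 by probing."""
    n = len(keys)
    probs = []
    for i in range(1, n + 2):
        hits = 0
        for _ in range(samples):
            m = rng.randbytes(BLOCK)
            if decoder(plbe_encrypt(keys, i, m, rng)) == m:
                hits += 1
        probs.append(hits / samples)
    return probs


def trace(keys, decoder, eps, samples, rng):
    """Black-box tracing from the slides: accuse the i with the largest |p_{i+1} - p_i|.
    Some pirate has a true gap >= (1-eps)/n; if every estimate is within
    (1-eps)/4n of the truth, the estimated gap there is still >= (1-eps)/2n,
    which is the threshold used here.  Returns None if the decoder is not
    useful enough or no gap clears the threshold."""
    n = len(keys)
    p = estimate_probs(keys, decoder, samples, rng)
    if p[0] <= 1 - eps:  # decoder does not decrypt the real broadcast reliably
        return None
    gaps = [abs(p[i] - p[i - 1]) for i in range(1, n + 1)]  # gaps[i-1] = |p_{i+1} - p_i|
    i = max(range(1, n + 1), key=lambda k: gaps[k - 1])
    return i if gaps[i - 1] >= (1 - eps) / (2 * n) else None


def run_demo(seed, n, colluders, eps=0.1, samples=64):
    """Set up n users, build a pirate box from `colluders`, probe it and trace.
    Returns (estimated p_1..p_{n+1}, accused index or None)."""
    rng = random.Random(seed)
    keys = keygen(n, rng)
    decoder = make_pirate_decoder(keys, colluders, rng)
    probs = estimate_probs(keys, decoder, samples, rng)
    accused = trace(keys, decoder, eps, samples, rng)
    return probs, accused


if __name__ == "__main__":
    colluders = {3, 6}  # constructed example: users 3 and 6 built the box
    probs, accused = run_demo(2006, 8, colluders)
    print("p_i estimates:", [round(x, 2) for x in probs])
    print("accused user", accused, "is a colluder:", accused in colluders)
```

Because this decoder picks one of its keys uniformly per query, the true $p_i$ drops by $1/|S|$ at each colluder; the threshold $(1-\varepsilon)/2n$ is what the per-estimate accuracy $(1-\varepsilon)/4n$ from the Security Theorem slide guarantees the true gap will still clear. A box that always used the same key shows a single drop of size 1, and a box whose success rate on the real broadcast is below $1-\varepsilon$ is rejected before any accusation is made.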
$\sqrt n$ PLBE Construction: hints
Arrange the n users in a $\sqrt n \times \sqrt n$ matrix; user (x, y) sits in row x, column y.
Key for user (x, y): $K_{x,y}$, determined by row x and column y.
CT: one tuple per row, one tuple per column, so size = $O(\sqrt n)$.
CT to user (i, j): user (x, y) can decrypt iff (x > i) OR [ (x = i) AND (y ≥ j) ].
Example with n = 36 users, encrypting to user (4, 3), i.e. linear index $u = (i-1)\sqrt n + j = 21$; users marked * can decrypt:
   1    2    3    4    5    6
   7    8    9   10   11   12
  13   14   15   16   17   18
  19   20   21*  22*  23*  24*
  25*  26*  27*  28*  29*  30*
  31*  32*  33*  34*  35*  36*
Bilinear groups of order N = pq [BGN’05]
G: group of order N = pq; (p, q) secret.
Bilinear map: $e: G \times G \to G_T$.
$G = G_p \times G_q$. $g_p = g^q \in G_p$ ; $g_q = g^p \in G_q$.
Facts: $\forall h \in G:\ h = (g_q)^a (g_p)^b$ for some a, b.
  $e(g_p, g_q) = e(g^q, g^p) = e(g, g)^N = 1$
  $e(g_p, h) = e(g_p, g_p)^b$ !!  (pairing with $g_p$ wipes out the $G_q$ component of h)
A $\sqrt n$ size PLBE
Ciphertext: $(C_1, \dots, C_{\sqrt n}, R_1, \dots, R_{\sqrt n})$
User (x, y) must pair $R_x$ and $C_y$ to decrypt.
Shape of the components when encrypting to (i, j) (legend: well-formed / malformed-random / zero):
  Type            $G_q$ part     $G_p$ part
  $R_x$, x < i    malformed      malformed
  $R_x$, x = i    well-formed    well-formed
  $R_x$, x > i    well-formed    zero
  $C_y$, y < j    well-formed    malformed
  $C_y$, y ≥ j    well-formed    well-formed
  Case              Result
  x < i             No: $R_x$ not well formed
  x = i & y < j     No: $C_y$ malformed in $G_p$
  x = i & y ≥ j     Yes: both well formed
  x > i             Yes: independent of column ($R_x$ has no $G_p$ component, so the $G_p$ part of $C_y$ vanishes in the pairing)
Summary and Open Problems
New results: [BGW’05, BSW’06, BW’06], all fully collusion resistant (FCR):
• B.E.: $O(1)$ CT, $O(1)$ priv-keys … but $O(n)$ PK.
• T.T.: $O(\sqrt n)$ CT, $O(1)$ priv-keys.
• T.R. (trace and revoke): $O(\sqrt n)$ CT, $O(\sqrt n)$ priv-keys.
Open questions:
• Private linear B.E. with $O(\log n)$ CT.
• Private B.E. with short ciphertexts.
THE END
BGN encryption
Subgroup assumption: a random element of G is indistinguishable from a random element of $G_p$ ($G \approx_P G_p$).
E(m): $r \leftarrow_R \mathbb{Z}_N$, $C \leftarrow g^m (g_p)^r \in G$.
• Additive homomorphism: $E(m_1 + m_2) = C_1 \cdot C_2 \cdot (g_p)^{r}$.
• One multiplicative homomorphism: $E(m_1 m_2) = e(C_1, C_2) \cdot e(g_p, g_p)^{r}$ (a ciphertext in $G_T$).
Results
Thm: Secure PLBE ⇒ Secure TT with the same size CT and priv-keys (black-box and publicly traceable).
New PLBE system: CT-size = $O(\sqrt n)$ ; priv-key size = $O(1)$ ; enc-time = $O(\sqrt n)$ ; dec-time = $O(1)$.
Applications:
• Tracing Traitors: $O(\sqrt n)$ CTs and $O(1)$ keys.
• Adaptive BE (needs Augmented PLBE).
• Comparison searches on encrypted data.
T.T.: a popular problem
O. Berkman, D. Boneh, H. Chabanne, B. Chor, Y. Desmedt, Y. Dodis, N. Fazio, A. Fiat, M. Franklin, E. Gafni, M. Goodrich, D. Halevy,
G. Hanaoka, D. Hieu-Phan, H. Imai, M. Kasahara, A. Kiayias, K. Kurosawa, J. Lotspiech, S. Mitsunari, M. Naor, D. Naor, M. Parnas, B. Pfitzmann, B. Pinkas,
D. Pointcheval, R. Safavi-Naini, A. Sahai, R. Sakai, J. Sgall, A. Shamir, J. Shaw, A. Silverberg, J. Staddon, D. Stinson, J. Sun, R. Tamassia,
G. Tardos, T. Tassa, V. To, M. Waidner, J. Walker, Y. Wang, Y. Watanabe, B. Waters, R. Wei, L. Yin, M. Yung, F. Zhang
32 papers from 49 authors
A Simple System
n users in the system, each gets a separate key: user i gets $K_i$.
Encrypt the message separately to each user and concatenate the pieces:
  CT = E($K_1$, M) ‖ E($K_2$, M) ‖ … ‖ E($K_i$, M) ‖ … ‖ E($K_n$, M)
• (Use hybrid encryption: encrypt an AES key rather than M itself.)
User i recovers M from its own component.
Tracing
Let E′(i, M) := encrypt a random message R to users 1, …, i−1 and M to users i, …, n:
  E($K_1$, R) ‖ E($K_2$, R) ‖ … ‖ E($K_{i-1}$, R) ‖ E($K_i$, M) ‖ … ‖ E($K_n$, M)
$P_i$ = probability that the pirate device decrypts E′(i, M).
• The $P_i$'s can be learned by probing the device.
  i       $P_i$
  1       100%   (device works)
  …
  j       100%
  j+1      35%
  …
  n+1       0%   (everything random)
The drop between $P_j$ and $P_{j+1}$ shows that user j is an attacker.