Secure Broadcast Systems and Perspective on Pairings

1. Secure Broadcast Systemsand Perspective on Pairings Brent Waters Joint work with Dan Boneh, Craig Gentry, and Amit Sahai

2. Broadcast Systems Distribute content to a large set of users • Commercial Content Distribution • File systems • Military Grade GPS • Multicast IP

3. Broadcast Encryption [FN’93] • Encrypt to arbitrary subsets S. • Collusion resistance: • secure even if all users in Sc collude. d1 CT = E[M,S] d2 S  {1,…,n} d3

4. EPKC[KF] Header< 256K App : Encrypted File Systems • Broadcast to small sets: |S| << n • Best construction: trivial. |CT|=O(|S|) , |priv|=O(1) • Examples: EFS. MS Knowledge Base:EFS has a limit of 256KB in the file header for the EFS metadata. This limits the number of individual entries for file sharing to a maximum of 800 users. EPKB[KF] EPKA[KF] File FEKF[F]

5. Broadcast Encryption • Public-key BE system: • Setup(n): outputs private keys d1 , …, dn and public-key PK. • Encrypt(S, PK, M): Encrypt M for users S  {1, …, n} Output ciphertext CT. • Decrypt(CT, S, j, dj, PK): If j  S, output M. • Note: broadcast contains ( [S], CT )

6. Previous Solutions • t-Collusion resistant schemes [FN’93…] • Resistant to t-colluders • |CT| = O(t2log n) |priv| = O(tlog n) • Attacker knows t • Broadcast to large sets [NNL,HS,GST…] • |CT|= O(r) |priv|=O(log n) • Useful if small number of revoked players • Ciphertexts are multiplied security parameter 

7. EFS, Email Subs. Service DVD’s Overview n 0

8. S  {1, …, n } PK, { dj| j  S } m0, m1  G C* = Enc( S, PK, mb) b’  {0,1} Broadcast Encryption Security • Semantic security when users collude. (static adversary) • Def: Alg. A -breaks BE sem. sec. if Pr[b=b’] > ½ +  Challenger Attacker RunSetup(n) b{0,1}

9. Bilinear Maps • G , GT : finite cyclic groups of prime order p. • Def: An admissible bilinear mape: GG GTis: • Bilinear:e(ga, gb) = e(g,g)ab a,bZ, gG • Efficiently computable.

10. Broadcast System [BGW’05] • Setup(n): g  G , ,   Zp, gk = g(k) PK = ( g, g1, g2, … , gn , gn+2 , …, g2n , v=g )  G2n+1 For u=1,…,n set: Ku = (gu)  G • Encrypt(S, PK, M): t  Zp CT = ( gt , (v  jS gn+1-j)t , Me(gn,g1)t ) • Decrypt(CT, S, u,Ku, PK): CT = (C0, C1, C2) Fact: e( gu, C1 ) / e( Ku gn+1-j+u , C0 ) = e(gn,g1)t jSju

11. Security Theorem • Thm:  t-time alg. that -breaks staticBE security in G   t-time alg. that -solves bilinear n-DDHE in G. ~ • Open problem: adaptive security with similar params. • New [BW’06]: adaptive security with O(n) – size CT

12. [S] E[S,PK,KF] Hdr File FEKF[F] Apps: Sharing in Enc. File System • Store PK on file system. n=216 |PK|=1.2MB • File header: ([S], E[S,PK,KF]) • Sharing among “800” users: • 8002 + 40 = 1640 bytes << 256KB • Each user obtains priv-key duid  G from admin. • Admin only stores   Zq S  {1, …, n } 40 bytes

13. Summary of Broadcast Enc. • New public-key broadcast encryption systems: • Full collusion resistance. Constant size priv key. • System 1: |CT| = O(1) |PK| = O(n) • System 2: |CT| = O(n) |PK| = O(n) • Description of set, |S|, is now dominant term

14. Tracing Pirate Devices[CFN’94] • Attacker creates “pirated device” • Want to trace origin of device

15. T.T: a popular problem 32 papers from 49 authors

16. FAQ-1 “The Content can be Copied?” • DRM- Impossibility Argument • Protecting the service • Goal: Stop attacker from creating devices that access the original broadcast

17. FAQ 2-Why black-box tracing? [BF’99] • D: may contain unrecognized keys, is obfuscated, or tamper resistant. • All we know: Pr[ M  G, C  Encrypt (PK, M) : D(C)=M] > 1- K1 D: K3 K$*JWNFD&RIJ$ K2 R R

18. S  {1, …, n } PK, TK, { Kj| j  S} RunSetup(n) Pirate Decoder D TraceD( TK ) i  {1,…,n} Formally: Secure TT systems • (1) Semantically secure, and (2) Traceable: Challenger Attacker Adversary wins if: (1) Pr[D(C)=M] > 1-, and (2) i  S

19. Brute Force System • Setup (n): Generate n PKE pairs (PKi, Ki) Output private keys K1 , …, KnPK (PK1, …, PKn) , TK PK . • Encrypt (PK, M): C  ( EPK1(M), …, EPKn(M) ) • Tracing: next slide. • This is the best known TT system secure under arbitrary collusion. … until now

20. n n i=1 i=1 TraceD(PK): [BF99, NNL00, KY02] R • For i = 1, …, n+1 define for M  G : pi := Pr[D( EPK1(), …, EPKi-1(), EPKi(M), …, EPKn(M) ) = M] • Then: p1 > 1-  ; pn+1  0 • 1- = |pn+1 – p1 | = | pi+1 – pi|   |pi+1 – pi|  Exists i{1,…,n} s.t. | pi+1 – pi |  (1- )/n User i must be one of the pirates.

21. Security Theorem  • Tracing algorithm estimates: | pi - pi | < (1-)/4n • Need O(n2) samples per pi. (D – stateless) • Cubic time tracing. • Can be improved to quadratic in |S| . • Thm: underlying PKE system is semantically secure  No eff. adv wins tracing game with non-neg adv.

22. Linear Broadcast Encryption Private B.E. Abstracting the Idea [BSW’06] Properties needed: • For i = 1 ,… , n+1 need to encrypt M so: • Without Ki adversary cannot distinguish: Enc(i, PK, M) from Enc(i+1, PK, M) n 1 i-1 i users cannot decrypt users can decrypt

23. Private Linear Broadcast Enc (PLBE) • Setup(n): outputs private keys K1 , …, Kn and public-key PK. • Encrypt( u, PK, M): Encrypt M for users {u, u+1, …, n} Output ciphertext CT. • Decrypt(CT, j, Kj, PK): If j  u, output M • Broadcast-Encrypt(PK,M) := Encrypt( 1, PK, M) • Note: slightly more complicated defs in [BSW’06]

24. PK, { Kj| j  u} m C*  Enc( u+b, PK, m) b’  {0,1} Security definition • Message hiding: given all private keys: Encrypt( n+1 , M, PK) PEncrypt( n+1 , , PK) • Index hiding: for u = 1, … , n : Challenger Attacker RunSetup(n) b{0,1}

25. Results • Thm: Secure PLBE  Secure TT Same size CT and priv-keys (black-box and publicly traceable) • New PLBE system: CT-size = O(n) ; priv-key size = O(1) enc-time = O(n) ; dec-time = O(1)

26. n PLBE Construction: hints • Arrange users in matrix • Key for user (x,y): Kx,y • CT: one tuple per row, one tuple per col. size = O(n) • CT to position (i,j): User (x,y) can dec. if (x > i) OR [ (x=i) AND (y  j) ] n=36 users Encrypt to postion (4,3)

27. Bilinear groups of order N=pq [BGN’05] • G: group of order N=pq. (p,q) – secret. bilinear map: e: G  G  GT • G = Gp  Gq . gp = gq  Gp ; gq = gp  Gq • Facts: h  G  h = (gq)a  (gp)b e( gp , gq ) = e(gp , gq) = e(g,g)N = 1 e( gp , h ) = e( gp , gp)b !!

28. A n size PLBE • Ciphertext: ( C1, …, Cn, R1, …, Rn) • User (x,y) must pair Rx and Cy to decrypt Well-formed Malformed/Random Zero

29. Trace and Revoke [BW06] • What happens when catch traitor? • Torture? • Re-do system? • Want Broadcast and Tracing simultaneously • Trivial Combination does not work • BW06 • Combined ideas • Bonus: Adaptive Security & Better Assumptions

30. Trace and Revoke

31. BE TT M R M-R R M-R M T&R=A simple Combination? Encrypt B.E T.T. Decrypt

32. BE TT M R M-R B.E T.T. R M-R M A simple Attack • 2 colluders split duties • Catch same one over and over (box still works)

33. Our Approach (Intuition) • Can’t allow attackers to “separate” systems • In general hard to combine • BGW05 (Broadcast) and BSW06(Traitor Tracing) both algebraic • Multiply private keys together so can’t separate • Not so easy… needed different B.E. scheme

34. Summary FCR • New results:[BGW’05, BSW’06, BW’06] • Full collusion resistance: • B.E: O(1) CT, O(1) priv-keys … but O(n) PK • T.T: O(n) CT, O(1) priv-keys. • T.R.:O(n) CT, O(n) priv-keys.

35. Open Problems FCR • Broadcast: • Constant size everything (CT, pub/priv keys) • Same params with adaptive security • Traitor Tracing: • Private linear B.E. with O(log n) CT. • Private B.E. from Linear Assumption

36. Pairings from the Outside Identity-based encryption [BF01] • Efficient Selective-ID Secure IBE without Random Oracles [BB04a] • Secure IBE without Random Oracles [BB04a] • Efficient IBE without Random Oracles [W05] • Practical IBE without Random Oracles [Gen06] A ID-Based Deniable Authentication Protocol on pairings

37. Organizing Contributions (My View) • Identity-Based Encryption • Signatures ?? • Slightly 2-Homomorphic • NIZKs • Broadcast and Tracing

38. I am“bob@stanford.edu” email encrypted using public key: “bob@stanford.edu” Private key IBE [BF01] IBE: [BF01] Public key encryption scheme where public key is an arbitrary string (ID). • Examples: user’s e-mail address Is regular PKI good enough? Alice does not access a PKI CA/PKG Authority is offline master-key

39. Capability Request Encrypt “Structured” Data Private “Capability” Idea is Bigger CA/PKG Authority is offline master-key

40. Private “Capability” Health Records Weight=125 Height = 5’4 Age = 46 Blood Pressure= 125 Partners = … If Weight/Height >30 AND Age > 45 Output Blood Pressure No analogous PKI solution CA/PKG Authority is offline master-key

41. IBE Class • IBE [BF01, CHK04, BB04, W05, Gen06] • HIBE[ HL02, GS02] • Searching on Enc. Data[BDOP04, BoyW06, BonW06] • Attribute-Based Enc. [SW05, GPSW06] Trend of Structured Encryptions

42. NIZKs • Two GOS06 papers • 3 points of interest • Perfect Hiding NIZK, ZAPs (Theoretical) • Most Efficient NIZK (but still bit by bit) • Speak Bilinear Maps “Natively” (cool) Build GroupSigs[BW06], other stuff

43. An Upcoming Wall? • No 3-Linear Map • Advanced IBE somewhat limited • Traitor Tracing stuck at n • NIZKs kind of done

44. Some Inspiration Composite Order Groups

45. THE END

46. Security Problems 1) Access control of content • Broadcast targeted to certain set • e.g. All paying subscribers 2) Identifying compromised insiders • Clones and distributes pirate decoders • Trace back to attacker

47. A Trivial Solution • Small private key, large ciphertext. • Every user j has unique private key dj . CT = { Edj[M] | jS } |CT| = O(|S|) |priv| = O(1)