1 / 37

Efficient Methods for Integrating Traceability and Broadcast Encryption

Efficient Methods for Integrating Traceability and Broadcast Encryption. E. Gafni, J. Staddon, and Y. L. Yin CRYPTO’99, LNCS 1666, pp. 372-387, 1999. Outline. Introduction Preliminaries Related works Optimal broadcast encryption schemes with OR protocols

mccollumm
Télécharger la présentation

Efficient Methods for Integrating Traceability and Broadcast Encryption

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Efficient Methods for Integrating Traceability and Broadcast Encryption E. Gafni, J. Staddon, and Y. L. Yin CRYPTO’99, LNCS 1666, pp. 372-387, 1999

  2. Outline • Introduction • Preliminaries • Related works • Optimal broadcast encryption schemes with OR protocols • Integrating traceability and broadcast encryption

  3. Introduction • Jessica Staddon • Combinatorial properties of frameproof and traceability codes. J. Staddon, D. R.  Stinson and R. Wei. IEEE Transactions on Information Theory (2001), 1042-1049. • Efficient traitor tracing algorithms using list decoding. A. Silverberg, J. Staddon and J. Walker. Asiacrypt 2001.

  4. Introduction • Broadcast encryption • Keys are allocated to users in such a way that broadcasts can be made to selected sets with security • Broadcasting capability. (m-resiliency) • Traceability • If at most c users pool their keys together to construct a “pirate decoder”, then at least one of the users involved can be identified by examining the keys in the decoder. (c-traceability)

  5. Introduction • The goal for constructing broadcast encryption scheme is to have both high broadcasting capability and high traceability • The contribution of this paper: To study general methods for integrating traceability and broadcasting capability • Adding any desired level of traceability to an arbitrary broadcast encryption scheme • Adding any desired level of broadcasting capability to an arbitrary traceability scheme

  6. Introduction • Idea • Using randomness when allocating keys to users allows the users’ key sets to be dispersed, and hence, is conducive to traceability • The important feature of the methods • Preservation of the properties of the underling broadcast encryption schemes • resiliency • Full scalability

  7. Introduction • Two schemes • Geometric construction • Algebraic construction • The proposed new schemes are close to optimal with respect to the total number of keys

  8. Introduction • <Definition 1> Let C be any coalition of at most c users who produce a pirate decoder F. A scheme is called a c-traceability scheme if for any user u, s.t.  users wu the following inequality holds: |UF||W F| then the probability that u is not a member of the coalition C is negligible. • <Definition 2> A scheme is fully scalable or has full scalability if when new users are added, no rekeying of existing users is necessary.

  9. Preliminaries • {u1,…,un} is the set of all users • {k1,…,kK} is the set of all keys • SP is the set of keys used to broadcast to privileged set P • BP is the message (e.g., a broadcast key) that is broadcast to P in encrypted form • n is the total number of users • K is the total number of keys • r is the number of keys per user • m is the number of users who are excluded • t is the number of transmissions. Note that |SP|≤t • c is the traceability of the scheme • OR Protocol for Broadcasting to P: Any one of the keys in SP suffices to recover BP from the broadcast • AND Protocol for Broadcasting to P: All of the keys in SP are necessary to recover BP from the broadcast

  10. Related work-Broadcast Encryption • work-Broadcast Encryption • One –time broadcast encryption scheme (1991) • Resiliency (1994) • OR protocols (1996) • Entropy of a broadcast (1996) • Trade-off: communication and storage (1996~) • Combinatorial schemes (1996~) • Information theoretic ratio (1996~) • Rekeying (1997) • Tradeoff: storage and the rekeying communication cost • A hierarchical tree-based scheme (1997) • Storage requirements • The number of keys per user↓ • The total number of keys ↓

  11. Related work-Traceability Schemes • Traceability Schemes • First introduced in 1994 • Threshold traceability (1998)

  12. Related work-Integrating Broadcast Encryption and Traceability • Integrating Broadcast Encryption and Traceability • Only two previous works study the integration of broadcast encryption and traceability • J. Staddon, “A Combinatorial study of Communication, Storage and Traceability in Broadcast Encryption Systems”, Ph. D. thesis, University of California at Berkeley, 1997. • D. Stinson and R. Wei, “Key Preassigned Traceability Schemes for Broadcast Encryption”, Proc. SAC’98, LNCS, 1556(1999), pp.144-156.

  13. Optimal Broadcast Encryption Schemes with OR Protocols • Two new constructions • The Cube Scheme • The Polynomial Scheme • Both schemes are fully scalable and m-resilient • Both schemes are close to optimal in terms of the total number of keys

  14. Optimal Broadcast Encryption Schemes with OR Protocols-The Cube Scheme • For a fixed number of keys per user, r, the construction is based on an r-dimensional cube • Points (entries): users • Subspaces of dim r-1 (slices): keys • e.g. r=2, consider n1/2n1/2 square, each of the n users is an entry in this square indexed by (i1, i2) where i1,i2{1,2,…,n1/2}.For 1≤i≤ n1/2 • Ci: the the set of users in column i • Ri: the set of users in row i For each i, we create two unique keys and allocate one of the keys only to the users in Ciand allocate the other only to the user in Ri.  each user has exactly 2 keys. To exclude a given user ui, the center broadcasts according to an OR protocol with all keys except the 2 keys stored by user u. Since each two users share at most 1 key, every user except u can receive the broadcast.

  15. Optimal Broadcast Encryption Schemes with OR Protocols-The Cube Scheme • r-dimension cube • The entries are indexed by r-tuples, (i1,…,ir), ij{1,2,…,n1/r}. • The slices are the subspaces of dimension r-1,Sj,w={(i1,…,ir): ij=w} a slice consists of all the r-tuples which are identical in the jth entry (e.g. in the 2D case, a unique key is created for each slice, therefore, each user has exactly r keys) • To excluded a given user u, the center broadcasts according to an OR protocol with all the keys except the r keys that u has. Since each pair of users share at most r-1 keys, every user except u can recover BPfrom the broadcast. → This scheme can exclude one user.

  16. Optimal Broadcast Encryption Schemes with OR Protocols-The Cube Scheme • A simple extension to exclude m users • By making copies of the cube scheme • Assign independent keys to m different r-dim cube scheme  each user has rm keys • We can exclude m users {u1,…um} by excluding the r keys that user i has in the ith cube scheme • The broadcast protocol is then an AND on the union of the sets of keys in each cube scheme • K=mrn1/r, the number of keys per user is mr, t=K-mr • The resulting scheme is still 1-resilient

  17. Optimal Broadcast Encryption Schemes with OR Protocols-The Polynomial Scheme • The scheme uses a set system construction based on polynomials over a finite field • r: the number of keys per userm: the number of excluded users • Polynomials: usersPoints: keys • p: a prime larger than rA: a subset of the finite field Fp of size rConsider the set of all polynomials over Fp of degree at most (r-1)/m there are p(r-1)/m+1 such polynomials • Associate each of the n users with a different polynomial p(r-1)/m+1n pnm/(r-1+m)

  18. Optimal Broadcast Encryption Schemes with OR Protocols-The Polynomial Scheme • A unique key k(x,y) is created for each pair (x,y), where xA and y Fp • If a polynomial f is given to a user u, u is allocated all the keys in the set {k(x,f(x))|x A} • Any two of the polynomials intersect in at most (r-1)/m points  any two users share at most (r-1)/m keys  if all the keys belonging to the m excluded users are removed, then each privileged user will still have at least 1 key  the center can broadcast with an OR protocol to any set of n-m users • K=rprnm/(r-1+m), the number of keys per user is r, t≤K-r • m-resiliency

  19. Optimal Broadcast Encryption Schemes with OR Protocols-The Polynomial Scheme • Fully scalable • Increasing the size of the field Fp, allows significantly more users to be added with no rekeying of the old users(e.g. if K is doubled, then 2(r-1)/m+1 more users can be added to the scheme)

  20. Optimal Broadcast Encryption Schemes with OR Protocols-Lower Bound on the Total Number of Keys • The total number of keys is close to optimal in both the cube scheme and the polynomial scheme • <Lemma 1> A collection of n sets can be used as a broadcast encryption scheme with OR protocols that can exclude any set of m user  <proof>

  21. Optimal Broadcast Encryption Schemes with OR Protocols-Lower Bound on the Total Number of Keys • <Theorem 1> Let U={k1,k2,…,kK} be a set of K elements. Let U1,…,Un be a collection of n subsets of U such that j, |Uj|=r, and , then Combining last Lemma and this Theorem, we can establish a relationship between K and r.

  22. Optimal Broadcast Encryption Schemes with OR Protocols-Lower Bound on the Total Number of Keys • <Theorem 2> In a broadcast encryption scheme with OR protocols, the total number of keys, K, is , where rm is the number of keys per user and m is the number of users that can be excluded in the scheme. <proof>

  23. Optimal Broadcast Encryption Schemes with OR Protocols-Lower Bound on the Total Number of Keys • <Table 1> A summary of the proposed Broadcast Encryption Schemes

  24. Integrating Traceability and Broadcast Encryption • This paper presents two methods for integrating traceability with broadcasting capability. Both of them are efficient and conceptually quite simple. • Adding traceability to broadcast encryption schemes • Adding broadcasting capability to traceability schemes

  25. Integrating Traceability and Broadcast Encryption-Adding Traceability to Broadcast Encryption Schemes • <Lemma 2> Any broadcast encryption scheme that can exclude m (m1) users has at least 1-traceability. In addition, a broadcast encryption scheme that can exclude m users may have no more than 1-traceability. <proof> →The traceability of an arbitrary broadcast encryption scheme can be quite limited. → The central idea in the proposed method is to incorporate some randomness into the way in which the keys are assigned to users in a broadcast encryption scheme.

  26. Integrating Traceability and Broadcast Encryption-Adding Traceability to Broadcast Encryption Schemes

  27. Integrating Traceability and Broadcast Encryption-Adding Traceability to Broadcast Encryption Schemes • <Theorem 3> Let B be a broadcast encryption scheme with parameters (n,m,K,r,t). If r>4c2logn,   a broadcast encryption scheme, B’, which has c-traceability and parameters (n,m,K’,r’,t’), where K’=2c2K, r’=r, and t’=2c2t. <proof>

  28. Integrating Traceability and Broadcast Encryption-Adding Broadcasting Capability to Traceability Schemes • <Lemma 3> In a c-traceability scheme with users u1,…,un, the following must be true: • <Theorem 4> A c-traceability scheme can be used as a broadcast encryption scheme with OR protocols that can exclude any set of m users for any m≤c. <proof>

  29. Integrating Traceability and Broadcast Encryption-Adding Broadcasting Capability to Traceability Schemes

  30. Integrating Traceability and Broadcast Encryption-Adding Broadcasting Capability to Traceability Schemes • <Theorem 5> Let T be a traceability scheme with parameters (n,c,K,r,t) and broadcasting capability c.   a traceability T ’ which has broadcasting capability m and parameters (n,c,K’,r’,t’), where K’=mK/c, r’=mr/c, and t’=mt/c. <proof>

  31. Integrating Traceability and Broadcast Encryption • Using the proposed broadcast encryption schemes in conjunction with Method 1, one can construct broadcast encryption schemes with high traceability, high resiliency, and full scalability.

  32. Optimal Broadcast Encryption Schemes with OR Protocols-Lower Bound on the Total Number of Keys • <proof>() assume we have such a broadcast encryption scheme and  a set of m+1 users, u1,…,um+1, s.t. if OR protocols are used, at least one of u2,…um+1 will be able to recover the message from a broadcast to u1. →← () if for every set of m users u1,…,um and for every user, u, outside of this set, to broadcast to P={um+1,…,un}, let .This SP can be used to broadcast to P with OR protocols.

  33. Optimal Broadcast Encryption Schemes with OR Protocols-Lower Bound on the Total Number of Keys • <proof>From <Lemma 1>, it follows that any broadcast encryption scheme with OR protocol must satisfy the condition of <Theorem 1>. the lower bound of K can be easily derived from the inequality given in <Theorem 1>.

  34. Integrating Traceability and Broadcast Encryption-Adding Traceability to Broadcast Encryption Schemes • <proof>The first statement follows from the definition. To prove the second statement, it suffices to produce a broadcast encryption scheme with 1-traceability. In [13], a scheme using AND protocols is described and it’s proven that the scheme has 1-traceability for sufficiently large n.

  35. Integrating Traceability and Broadcast Encryption-Adding Traceability to Broadcast Encryption Schemes • <proof>All the assertions about B’except its c-traceability follow from the construction of Method 1 . The argument for traceability is very similar to the argument for the “open one-level scheme in “Traitor Tracing”, A. Fiat and M. Naor. In particular, if we set h=2c2 and a pirate decoder contains at least s>4c2logn keys, then the probability that a user who has at least s/c keys in common with the decoder in innocent, is negligible. By definition, B’ has c-traceability.

  36. Integrating Traceability and Broadcast Encryption-Adding Broadcasting Capability to Traceability Schemes • <proof>If for some m≤c,  distinct sets U1,…,Um+1 s.t. then clearly those sets cannot be part of a c-traceability scheme. The result follows from <Lemma 1>.

  37. Integrating Traceability and Broadcast Encryption-Adding Broadcasting Capability to Traceability Schemes • <proof>We first show the broadcasting capability of T ’. Since for any excluded user u,  a j s.t. uPj, u is unable to obtain , and hence, u is unable to obtain the message BP. To see that T ’ has c-traceability we note that a decoder contains sr keys, where s=m/c. Since there are s copies of T, one of the copies must contain at least r keys. Hence, the c-traceability of T ’ follows from the c-traceability of T.All the other assertions about T ’ follow from <Method 2>.

More Related