Published by Nya McCracken. Modified over 2 years ago.

1
Broadcast Encryption – an overview
Niv Gilboa – BGU

2
Definition (FN93)
[Diagram: the broadcaster takes M and broadcasts E(M) to users u_1, u_2, u_3, …, u_n]
- Users: $U=\{u_1,\dots,u_n\}$
- $R$: users don't get $M$, even with collusion. $|R|=r$
- $S$: users get $M$. $|S|=n-r$

3
Usage
- Broadcast TV
- Content distribution
  - Mobile content
  - DVD
- Multi-user file systems

4
Pay TV
- Beginnings
  - 1980's
  - Subscriptions instead of advertising
  - TV content costs money!
- Threat: a subset of users in $U$ distribute $M$ to $u' \in R$
- [FN93] and all subsequent papers only consider users in $R$ as a threat.

5
Straightforward Solution I
Initialization
[Diagram: the broadcaster holds k_1, k_2, k_3, …, k_n; over private channels, each user u_i receives its key k_i]

6
Straightforward Solution II
[Diagram: the broadcaster holds k_1, k_2, k_3, …, k_n; each user u_i holds k_i; all users listen on the broadcast channel]
- Broadcast I: key
  - $E_{k_{i_1}}(\text{key}), E_{k_{i_2}}(\text{key}), \dots$ for every $i \in S$
- Broadcast II: content
  - $E_{\text{key}}(\text{content})$

7
Diverging concerns
- Media distribution (practice)
  - Users in S can provide key / content to users in R
- Broadcast encryption (theory)
  - Separation between key and content is not important and is obvious
  - Straightforward solution is trivial
    - Message length – O(n-r)
    - Storage – O(1) for user, O(n-r) for broadcaster (or O(1) + PRF)
    - Revocation for free
  - Better solutions can be found

8
Beyond Cryptography
- Media distribution to “secure devices”
  - Smart cards
  - Secure hardware of various types
  - Obfuscated code
- The rest of the talk will focus on broadcast encryption

9
Limited collusion
- The assumption is that only up to t users in R collude
- Original [FN93] paper
- Public key papers [CMN99], [NP00]
- Reasonable assumption, but results are not better than fully collusion-resistant schemes

10
Logical Key Hierarchy [W97, WGL98]
- Users are arranged in a balanced binary tree
- Each user is a leaf
- Each node is associated with a key
- Each user has log n keys on the path from leaf to root
- Users have dynamic state
- Revocation of node x
  - Bottom-up update
  - Encrypt node key with children keys: single key for parent of x, both keys for higher nodes

11
LKH (cont.)
- Broadcast: Encrypt message with root key
- Complexity
  - Broadcast message length – O(1)
  - Storage – O(log n) for user, O(1) + PRF for broadcaster
  - Revocation – O(log n) time per user
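
The bottom-up rekeying from the two LKH slides, as an added Python example that is not part of the original presentation. The heap numbering of the tree, the `LKH` class and the hash-pad `wrap`/`unwrap` stand-in for the encryption E are assumptions made for illustration.

```python
import hashlib, secrets

def wrap(kek, key):
    # Stand-in for E_kek(key): XOR with a hash-derived pad (demo only, unauthenticated).
    nonce = secrets.token_bytes(16)
    pad = hashlib.sha256(kek + nonce).digest()
    return nonce + bytes(a ^ b for a, b in zip(key, pad))

def unwrap(kek, blob):
    pad = hashlib.sha256(kek + blob[:16]).digest()
    return bytes(a ^ b for a, b in zip(blob[16:], pad))

class LKH:
    def __init__(self, n):
        # n users, n a power of two. Heap layout: root is node 1, the children
        # of v are 2v and 2v+1, and user u sits at leaf n+u.
        self.n = n
        self.keys = {v: secrets.token_bytes(32) for v in range(1, 2 * n)}

    def user_keys(self, u):
        """Keys handed to user u: every node on the path from its leaf to the root."""
        v, path = self.n + u, {}
        while v >= 1:
            path[v] = self.keys[v]
            v //= 2
        return path

    def revoke(self, u):
        """Replace every key user u knew, bottom up; return the rekey broadcast."""
        leaf, msgs = self.n + u, []
        v = leaf // 2
        while v >= 1:
            new = secrets.token_bytes(32)
            for c in (2 * v, 2 * v + 1):
                if c != leaf:          # parent of the revoked leaf: sibling key only
                    msgs.append((v, c, wrap(self.keys[c], new)))
            self.keys[v] = new         # the next level up wraps under this fresh key
            v //= 2
        return msgs

def apply_rekey(path, msgs):
    """User side: walk the broadcast in order and refresh the stored path keys."""
    for v, c, blob in msgs:
        if c in path:
            path[v] = unwrap(path[c], blob)
    return path
```

For n = 8 a single revocation produces 2 log n − 1 = 5 wrapped keys, and every remaining user ends up with the new root key while the revoked user's stored keys decrypt none of them correctly.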

12
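User dynamic state

|                | Dynamic state                        | Stateless           |
|----------------|--------------------------------------|---------------------|
| Connection     | Always on / updates from broadcaster | Connect when needed |
| Revocation     | Revoke and forget                    | Maintain revocation |
| Implementation | More complex                         | Simpler             |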

13
Subset cover schemes
- Several works: starting with [NNL01], improved in [HS02], [GST04]
- Stateless schemes
- $B \subseteq 2^U$, a key $k_i$ is associated with every $b_i \in B$
- User $u$ has keys of every $b$ such that $u \in b$
- Broadcast and revocation
  - Broadcaster finds $\{b_1,\dots,b_m\} \subseteq B$, such that $\bigcup_i b_i = S$
  - Broadcaster sends $E_{k_i}(M)$ for every $i=1,\dots,m$

14
Subset cover (cont.)
- Message length – m
- Storage – broadcaster $|B|$, user $u$ stores number of sets $b$ s.t. $u \in b$
- Example – same data structure as LKH
  - Message length – $m = r\log(n/r)$
  - Storage – broadcaster O(1)+PRF, user O(log n)
- Better data structures shave the $\log(n/r)$ factor
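
The "same data structure as LKH" example from the two subset-cover slides, as an added Python sketch that is not part of the original presentation: the subsets are the subtrees of a binary tree, the broadcaster derives each subset key from one master key with a PRF, and users never update their keys. The heap numbering, function names, HMAC-SHA256 as the PRF and the XOR pad standing in for E are assumptions for illustration.

```python
import hmac, hashlib

def node_key(master, v):
    # Broadcaster stores only `master` (O(1) + PRF); subset key = PRF(master, node).
    return hmac.new(master, v.to_bytes(4, "big"), hashlib.sha256).digest()

def user_nodes(n, u):
    """Subsets b with u in b: the subtrees rooted on the path from leaf n+u to root 1."""
    v, nodes = n + u, []
    while v >= 1:
        nodes.append(v)
        v //= 2
    return nodes

def cover(n, revoked):
    """Maximal subtrees containing no revoked leaf; their union is exactly S."""
    if not revoked:
        return [1]
    tainted = {v for u in revoked for v in user_nodes(n, u)}
    return sorted(c for v in tainted if v < n
                  for c in (2 * v, 2 * v + 1) if c not in tainted)

def xor_pad(key, nonce, data):
    # Stand-in for E_k: XOR with HMAC(key, nonce). The nonce must be fresh per
    # broadcast and data at most 32 bytes; demo only, unauthenticated.
    pad = hmac.new(key, nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, pad))

def broadcast(master, n, revoked, session_key, nonce):
    """Header with m entries: the session key wrapped once per cover subset."""
    return {v: xor_pad(node_key(master, v), nonce, session_key)
            for v in cover(n, revoked)}

def receive(stored, header, nonce):
    """stored: {node: key} fixed at initialization. Returns the session key or None."""
    for v, blob in header.items():
        if v in stored:
            return xor_pad(stored[v], nonce, blob)
    return None

if __name__ == "__main__":
    # Constructed sample: n = 16 users, R = {3, 4, 10}
    print(cover(16, {3, 4, 10}))
```

With n = 16 and r = 3 the header has m = 7 entries, within the r log(n/r) figure from the slide.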

15
Public keys
- Advantage of public key systems:
  - Any user can encrypt messages
  - Sometimes that’s a disadvantage
- Any symmetric key scheme can be turned into a private/public key scheme
- Slight problem
  - In the simplest transformation the broadcaster key has to be large (O(n) or O(n-r))
- Bilinear maps to the rescue!
  - HIBE [DF02] and others.

16
Example [LSW10]
- Public key
- Stateless
- Revocation and broadcast in O(r)
- Storage for broadcaster and user O(1)
- Specific hardness assumptions!

O(1) here is actually quite similar to O(log n) in previous solutions.

17
LSW10 (cont.)
- Two groups $G, G_1$ of size $p$, $e: G \times G \to G_1$ s.t. $e(g^a, g^b) = e(g,g)^{ab}$
- Discrete log and variations of DDH are assumed to be hard in $G$ and $G_1$
- General parameters: $g, h \in G$, $a, b \in \{0,\dots,p-1\}$
- Public key: $\{g,\ g^b,\ g^{b^2},\ h^b,\ e(g,g)^a\}$
- Private key: $t \in \{0,\dots,p-1\}$, $D_0 = g\, g^{b^2 t}$, $D_1 = (g^{b\,ID} h)^t$, $D_2 = g^{-t}$

18
LSW10 (cont.)
- Encryption: assume that $R=\{1,\dots,r\}$
  - Choose random $s$ and divide it into $r$ shares $s_1+\dots+s_r = s \bmod p$
  - $C' = e(g,g)^{ab} M$, $C_0 = g^s$
  - For $i=1,\dots,r$: $C_{i1} = g^{b s_i}$, $C_{i2} = (g^{b^2 ID_i} h^b)^{s_i}$
- Decryption: compute $e(C_0, D_0)$ by $YZ$, where
  - $Y = e\big(D_1, \prod_i (C_{i1})^{1/(ID-ID_i)}\big)$
  - $Z = e\big(D_2, \prod_i (C_{i2})^{1/(ID-ID_i)}\big)$

19
What’s still open?
- Stateful?
  - A scheme with the same parameters as LSW is known [DGK12] by changing the state as part of the revocation
- Very large r
  - We would like schemes that are flexible between r and n-r.
  - An example is [BGW05], but the message size * public key ~ n
- Closing the gap between theory and practice
