Download presentation

Presentation is loading. Please wait.

Published byNya McCracken Modified about 1 year ago

1
Broadcast Encryption – an overview Niv Gilboa – BGU 1

2
Definition (FN93) 2 Broadcaster u1u1 unun u2u2 u3u3 M E(M) … Users: U={u 1,…,u n } R, users don’t get M, even with collusion. |R|=r S, users get M. |S|=n-r

3
Usage r Broadcast TV r Content distribution Mobile content DVD r Multi-user file systems 3

4
Pay TV r Beginnings 1980’s Subscriptions instead of advertising TV content costs money! r Threat: a subset of users in U distribute M to u’ R r [FN93] and all subsequent papers only consider users in R as a threat. 4

5
Straightforward Solution I 5 BroadcasterInitialization u1u1 unun u2u2 … u3u3 k1k1 k2k2 knkn k3k3 Private channels k1k1 k2k2 knkn k3k3 k 1, k 2, k 3, …,k n

6
Straightforward Solution II 6 BroadcasterBroadcast I: key u1u1 unun u2u2 … u3u3 Broadcast channel k1k1 k2k2 knkn k3k3 k 1, k 2, k 3, …,k n E ki 1 (key), E ki 2 (key), …, i, i S key Broadcast II: content E key (content)

7
Diverging concerns r Media distribution (practice) Users in S can provide key / content to users in R r Broadcast encryption (theory) Separation between key and content is not important and is obvious Straightforward solution is trivial Message length – O(n-r) Storage – O(1) for user, O(n-r) for broadcaster (or O(1) + PRF) Revocation for free Better solutions can be found 7

8
Beyond Cryptography r Media distribution to “secure devices” Smart cards Secure hardware of various types Obfuscated code r The rest of the talk will focus on broadcast encryption 8

9
Limited collusion r The assumption is that only up to t users in R collude r Original [FN93] paper r Public key papers [CMN99], [NP00] r Reasonable assumption, but results are not better than fully collusion-resistant schemes 9

10
Logical Key Hierarchy [W97, WGL98] r Users are arranged in balanced binary tree r Each user is a leaf r Each node is associated with a key r Each user has log n keys on path from leaf to root r Users have dynamic state r Revocation of node x Bottom up update Encrypt node key with children keys: single key for parent of x, both keys for higher nodes 10

11
LKH (cont.) r Broadcast: Encrypt message with root key r Complexity Broadcast message length – O(1) Storage – O(log n) for user, O(1) + PRF for broadcaster Revocation – O(log n) time per user 11

12
User dynamic state 12 Dynamic stateStateless ConnectionAlways on / updates from broadcaster Connect when needed Revocation Revoke and forgetMaintain revocation ImplementationMore complexSimpler

13
Subset cover schemes r Several works: starting with [NNL01], improved in [HS02], [GST04] r Stateless schemes r B 2 U, a key k i is associated with every b i B r User u has keys of every b such that u b r Broadcast and revocation Broadcaster finds {b 1,…,b m } B, such that U i b i =S Broadcaster sends E ki (M) for every i=1,…,m 13

14
Subset cover (cont.) r Message length – m r Storage – broadcaster |B|, user u stores number of sets b s.t. u b r Example – same data structure as LKH Message length – m=rlog(n/r) Storage – broadcaster O(1)+PRF, user O(log n) r Better data structures shave the log n/r factor 14

15
Public keys r Advantage of public key systems: Any user can encrypt messages Sometimes that’s a disadvantage r Any symmetric key scheme can be turned into a private/public key scheme r Slight problem In the simplest transformation the broadcaster key has to be large (O(n) or O(n-r)) r Bilinear maps to the rescue! HIBE [DF02] and others. 15

16
Example [LSW10] r Public key r Stateless r Revocation and broadcast in O(r) r Storage for broadcaster and user O(1) r Specific hardness assumptions! O(1) here is actually quite similar to O(log n) in previous solutions. 16

17
LSW10 (cont.) r Two groups G, G 1 of size p, e:GXG G 1 s.t. e(g a,g b )=e(g,g) ab r Discrete log and variations of DDH are assumed to be hard in G and G 1 r General parameters: g, h G, a, b {0,…,p-1} r Public key: {g, g b, g b 2, h b, e(g,g) a r Private key: t {0,…,p-1}, D 0 =g g b 2 t, D 1 =(g bID h) t, D 2 =g -t 17

18
LSW10 (cont.) r Encryption: assume that R={1,…,r} Choose random s and divide it into r shares s 1 +…+s r =s mod p C’=e(g,g) ab M, C 0 =g s For i=1,…,r, C i1 =g bs i, C i2 =(g b 2 ID i h b ) s i r Decryption: compute e(C 0, D 0 ) by YZ, where Y=e(D 1, i (C i1 ) 1/(ID-IDi) ) Z=e(D 2, i (C i2 ) 1/(ID-IDi) ) 18

19
What’s still open? r Stateful? A scheme with the same parameters as LSW is known [DGK12] by changing the state as part of the revocation r Very large r We would like schemes that are flexible between r and n-r. An example is [BGW05], but the message size*public key~n r Closing the gap between theory and practice 19

Similar presentations

© 2016 SlidePlayer.com Inc.

All rights reserved.

Ads by Google