Broadcast Encryption. Amos Fiat & Moni Naor. Advances in Cryptography - CRYPTO ’93 Proceedings, LNCS, Vol. 773, 1994, pp. 480-491. Multimedia Security.



Outline
- Introduction
- Zero Message Schemes
  - The basic scheme
  - 1-resilient scheme based on one-way function
  - 1-resilient scheme based on computational number theoretic assumptions
- Low-Memory k-Resilient Schemes
  - One-level schemes
  - Multi-level schemes
- An Example and Implementation Considerations

Problem Formulation
- Participants
  - A center
  - A set of users
- Rules
  - The center provides the users with prearranged keys when they join the system
  - At some time, the center wishes to broadcast a message (e.g. a key to decipher a video clip) to a dynamically changing privileged subset of the users only
[Figure: broadcast center; User 1, User 2, User 3, …, User N; keys; collusion]

Obvious but Stupid Solutions
- [Figure: broadcast center; User 1, User 2, User 3, …, User N with Key1, Key2, Key3, …, KeyN] Total processing/transmission time is long!
- [Figure: broadcast center; User 1, User 2, User 3, …, User N, each with the keys for all subsets that user belongs to] Every user must store a large number of keys!!

Goal of This Paper
- To provide solutions which are efficient in both
  - Transmission length
  - Storage at the user’s end
- The scheme is considered broken if a user that does not belong to the privileged class can read the transmission

Definitions
- Broadcast Scheme
  - One allocates keys to users so that, given a subset T of all users U, the center can broadcast messages to all users following which all members of T have a common key
- Resiliency
  - A broadcast scheme is called resilient to a set S if, for every subset T that does not intersect with S, no eavesdropper that has all secrets associated with members of S can obtain knowledge of the secret common to T

Definitions (cont.)
- k-resiliency
  - A scheme is called k-resilient if it is resilient to any set S of size k
- (k, p)-random-resiliency
  - With probability at least 1-p, the scheme is resilient to a set S of size k, chosen at random from U

Zero Message Schemes vs. More General Schemes
- Zero Message Schemes
  - Knowing the privileged subset T suffices for all users x belonging to T to compute a common key with the center without any transmission
  - To transmit information implies using this common key to encrypt the data transmitted
- More General Schemes
  - The center must transmit many messages

Approach for Constructing Schemes
- Low resiliency zero-message schemes
  - Assumption free constructions
  - Constructions based on existence of one-way functions
  - Constructions based on number theoretic assumptions
- Higher resiliency, but not zero-message type schemes
  - One-level Schemes
  - Multi-level Schemes

Zero Message Schemes

The Basic Scheme
- Users can determine a common key for every subset, resilient to any set S of size k
- For every set B U, 0 |B| k, define a key K_B to every user x U-B.
- The common key to the privileged set T is simply the exclusive-or of all keys K_B, B U-T.
- Each coalition of S k users will all be missing K_S, and will be unable to compute the common key for T since S T is empty

A Very Simple Example
- U={a, b, c}, n=3, k=2
- B={a, b, c, {a,b}, {a,c}, {b,c}}
- Keys={K_a, K_b, K_c, K_ab, K_ac, K_bc}
- Prearranged keys
  - User a: K_b, K_c, K_bc
  - User b: K_a, K_c, K_ac
  - User c: K_a, K_b, K_ab
- If T={b, c}, K_T= K_M, M U-T=K_a
- If T={b}, K_T=K_a K_c K_ac

Analysis of the Basic Scheme
- The memory requirements for this scheme are every user is assigned keys. Unacceptable memory requirement!!
- Theorem 1: There exists a k-resilient scheme that requires each user to store keys and the center need not broadcast any message in order to generate a common key to the privileged class
- 1-resilient version: n-1 keys

1-Resilient Scheme Based on One-way Function
- Reduced from n-1 keys to keys
- The keys are pseudo-randomly generated from a common seed
- Assume that one-way functions exist and hence pseudo-random generators exist.
- Let f:{0,1}^l  {0,1}^{2l} be a pseudo-random number generator
  - The length of the output of f is twice the length of the input

1-Resilient Scheme Based on One-way Function (cont.)
- Associate the n users with the leaves of a balanced binary tree on n nodes
- The root is labeled with the common seed s {0,1}^l
- Other vertices are labeled recursively
  - Apply the pseudo-random generator f to the root label, taking the left half of f(s) as the label of the left subtree and the right half as the label of the right subtree

1-Resilient Scheme Based on One-way Function (cont.)
- Every user x should get all the keys except the one associated with the singleton set B={x}
- Remove the path from the leaf associated with the user x to the root, thus resulting in a forest of forests
- Provide user x with the labels associated with the leaves of that subtree

Another Simple Example
[Figure: binary tree with leaves A, B, C, D, labels generated by f from the root seed S={0,1}^l; second panel: f with A, C, D]
- Theorem 2. If one-way functions exist, then there exists a 1-resilient scheme that requires each user to store log n keys and the center need not broadcast any message in order to generate a common key to the privileged class
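The tree-based key assignment, as an added Python example (not code from the slides or the paper). Assumptions: SHA-256 on a 16-byte label stands in for the length-doubling generator f, n is a power of two, nodes use heap numbering, and each user stores the label at the root of every subtree left after its leaf-to-root path is removed, which is what yields the log n labels of Theorem 2.

```python
import hashlib
from functools import reduce

L = 16  # label length l in bytes

def f(s):
    """Stand-in for the length-doubling generator f: 16 bytes in, 32 out."""
    return hashlib.sha256(s).digest()

def descend(label, node, target):
    """Label of `target` from the label of its ancestor `node`.
    Heap numbering: root 1, children of v are 2v and 2v+1."""
    steps = target.bit_length() - node.bit_length()
    if steps < 0 or target >> steps != node:
        raise ValueError("target is not below node")
    for i in reversed(range(steps)):
        out = f(label)
        label = out[L:] if (target >> i) & 1 else out[:L]
    return label

def user_labels(seed, n, x):
    """Labels user x stores: the sibling of each node on the path from
    leaf x to the root, i.e. the roots of the trees left after removal."""
    held, node = {}, n + x
    while node > 1:
        held[node ^ 1] = descend(seed, 1, node ^ 1)
        node >>= 1
    return held

def leaf_key(held, n, y):
    """Key of singleton {y}, rebuilt from stored labels; KeyError for own leaf."""
    for node, label in held.items():
        try:
            return descend(label, node, n + y)
        except ValueError:
            continue
    raise KeyError(y)

def common_key(get_key, n, T):
    """XOR of the singleton keys of all users outside T."""
    keys = [get_key(y) for y in range(n) if y not in T]
    return reduce(lambda a, b: bytes(p ^ q for p, q in zip(a, b)), keys, bytes(L))

if __name__ == "__main__":
    n, seed, T = 8, bytes(range(16)), {1, 4, 6}   # constructed values
    center = common_key(lambda y: descend(seed, 1, n + y), n, T)
    held = user_labels(seed, n, 4)
    print(len(held), common_key(lambda y: leaf_key(held, n, y), n, T) == center)
```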

1-Resilient Scheme Based on Number Theoretic Assumption
- The center chooses a random hard-to-factor composite N=PQ where P and Q are primes
- The center also chooses a secret value g
- User i is assigned key g_i=g^{p_i}, where p_i, p_j are relatively prime for all i, j belonging to U.
- All users know what user index refers to what p_i

1-Resilient Scheme Based on Number Theoretic Assumption
- A common key for users T is taken as the value g_T=g^{p_T} mod N, where p_T=
- Every user i T can compute g_T by evaluating
- For user j not belonging to T, if he can compute the common key, it implies that he can compute g (by Euclidean GCD algorithm…) mod N

1-Resilient Scheme Based on Number Theoretic Assumption
- Theorem 3. If extracting roots modulo a composite is hard, then there exists a 1-resilient scheme that requires each user to store one key and the center need not broadcast any message in order to generate a common key to the privileged class
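The number-theoretic scheme with toy numbers, as an added Python example (not code from the slides or the paper). The formulas missing from the slide are assumed here: p_T is taken as the product of p_i over i in T, and member i computes g_T by raising g_i to the product of the other members' p_j. The modulus, g and the user primes are constructed values.

```python
from math import prod

def ext_gcd(a, b):
    """Return (d, u, v) with u*a + v*b == d == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    d, u, v = ext_gcd(b, a % b)
    return d, v, u - (a // b) * v

def center_key(g, primes, T, N):
    """g_T = g^(p_T) mod N, taking p_T as the product of p_i over i in T."""
    return pow(g, prod(primes[i] for i in T), N)

def member_key(g_i, i, primes, T, N):
    """Member i raises its own g_i = g^(p_i) to the other members' p_j."""
    return pow(g_i, prod(primes[j] for j in T if j != i), N)

def recover_g(x, a, y, b, N):
    """From x = g^a and y = g^b (mod N) with gcd(a, b) = 1, return g.
    u*a + v*b = 1 gives x^u * y^v = g; pow() inverts for negative u or v."""
    d, u, v = ext_gcd(a, b)
    if d != 1:
        raise ValueError("exponents are not relatively prime")
    return pow(x, u, N) * pow(y, v, N) % N

# Constructed toy parameters; a deployed N would be a full-size modulus.
N = 1009 * 1013
G = 123456                                  # the center's secret g
PRIMES = {"u1": 5, "u2": 13, "u3": 17, "u4": 19}
USER_KEYS = {i: pow(G, p, N) for i, p in PRIMES.items()}

if __name__ == "__main__":
    T = ["u1", "u2"]
    g_T = center_key(G, PRIMES, T, N)
    print(member_key(USER_KEYS["u1"], "u1", PRIMES, T, N) == g_T)
    # The slide's reduction: an outsider u3 who could produce g_T would hold g
    print(recover_g(USER_KEYS["u3"], 17, g_T, 5 * 13, N) == G)
    # Why the scheme is only 1-resilient: two users' keys already give g
    print(recover_g(USER_KEYS["u3"], 17, USER_KEYS["u4"], 19, N) == G)
```

The last check is the reason the scheme is stated as 1-resilient only: any two users hold powers of g with relatively prime exponents.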

Low Memory k-Resilient Schemes

Perfect Hash Function in a Family of Functions
- A family of functions f_1,…,f_l: U{1,…,m} with the following property is required
  - For any subset S of U with |S|=k, there exists some i such that for all x, y S, f_i(x) f_i(y)
- This family of functions contains a perfect hash function for all size-k subsets of U when mapped to the range {1,…,m}

Constructing k-resilient scheme from a 1-resilient Scheme
[Figure: grid with rows i = 1 … l and columns j = 1 … m; each cell is a 1-resilient scheme R(i,j)]
- Keys for each user x associated with scheme R(i, f_i(x))
- M= M_i
- Broadcast Messages using R(i, f_i(x)) for
- Number of keys stored by each user: l * number of keys in 1-resilient scheme
- Number of transmissions: l * m * number of transmissions in 1-resilient scheme

Mathematical Exploitations
- The probability that random f_i is 1-1 on S
  - set m=2k^2
- The probability that no f_i is 1-1 on S
  - set l=k log n
- The probability that for all subsets S of size k there is a 1-1 f_i

Existence of k-resilient Schemes
- There exists a k-resilient scheme that requires each user to store O(k log n w) keys and the center to broadcast O(k^3 log n) messages.
- The scheme can be constructed effectively with arbitrarily high probability by increasing the parameters
- Explicit constructions of f_i
  - Error-correcting codes of large relative distance over an alphabet of O(k^2)