Broadcast Encryption and Traitor Tracing Jin Kim

2 Contents Introduction Broadcast Encryption Traitor Tracing Traitor Tracing Models Conclusion & Further Work Reference

3 Broadcast Encryption Provider transmits encrypted content to a privileged subset of users Pay TV, Online DB. Consider a center and a set of users. The center wishes to broadcast a message to a privileged set of users. Goal: Efficiency of transmission length storage at the user’s end the computation in retrieving the common key.

4 Broadcast Encryption Center E(content) I1I1 I2I2 I3I3 InIn U1U1 U2U23U3UUnUn U i Decrypts E(content) using I i

5 The Danger Some Users leak their keys to pirates Pirates construct unauthorized decryption devices an d sell them at a discount K 1 K 3 K 8 E(Content) Content Pirate Box

6 Stopping Leakage Two non-exclusive approaches: Traitor Tracing Trace and Revoke Trace users who leak their keys Revoke those keys - rendering pirated boxes dysfunctional. Powerful combination! Self Enforcement Goal: discourage users from leaking keys Idea: key should contain sensitive information that user doesn’t w ant to spread. Should be impossible to use without revealing explicitly Example: Credit Card Number Challenge: how to embed the sensitive information in the keys

7 Revocation E’(M) Legal Decoder Legal Decoder Pirate Decoder Pirate Decoder M M’ ( decode incorrectly )

8 Traitors Traitors are legitimate users who aid a pirate by: Plaintext re-transmission compromised keys

9 Traitor Tracing Goal of Traitor Tracing Schemes: Find source of keys of illegal decryption devices If at most t traitors - should identify (one of) them No honest user should be implicated K 1 K 3 K 8 K3K3 Tracer Pirate Box

10 Traitor Tracing Fighting Piracy Identify piracy Prevent transmitting information to pirate users Identify the source of such piracy Finding Traitors Consideration Memory and Computation requirements Per authorized user For the data supplier Data redundancy overhead

11 Tracing Schemes Some Models of previous schemes: Static Asymmetric Dynamic Sequential Alternative If group members can share exactly the same data, the problem of determining guilt or innocent is unsolvable To find a traitor, Give a slightly different secret to the shares

12 Chor-Fiat-Naor Scheme Traitor tracing message : (enabling block, cipher block) Cipher block : symmetric encryption of the actual data Enabling block : user’s key set and enabling block can generate decryption key decrypt Original block User 1 broadcast Personal key User n Cipher block Enabling block Personal key

13 Some Schemes Boneh and Franklin Fixed key-length of private key Length of enabling block depends on the # of revocation capability W. Tzeng and Z. Tzeng Enlarged the # of revocation capability to the degree of Shamir polynomail Kim, Lee, and Lim Enlarged the # of revocation capability to the infinity

14 Comparison : Some schemes m : # of users, k : revocation capability, H : hash ftn., p, q : prime number, |p|>1024, |q|>160, q|(p-1), z : Shamir degree of polynomial, modulus of n- RSA |n|>1024, p ’, q ’ : prime, |p ’ |>|n|, q ’ |(p ’ -1) CFNP Open 1-level Boneh Franklin Lee, Kim Lim Tzeng Private KeyO(k2logm)*|H||q|2|n|+|Φ(n)|+q ’ |q| Length of Encryption Block O(k4logm)*|H|(2k+1)*|p| 3|n|+|Φ(n)| {O(z) + |p ’ |} O(z)*|p| Compute amount of Encryption O(k4logm)XORs ≈(2k+1) Exps. (mod p) 1 Exp. + 2Mls. (mod n) + {O(z) Exps. (mod p)} O(z) Exps. (mod p) Compute amount of Encryption O(k4logm)XORs ≈(2k+1) Exps. +(2k+1)Mls. (mod p) 2 Exps. + 2Mls. (mod n) + {O(z) Exps. + O(z) Mls. (mod p)} O(z) Exps. + O(z) Mls (mod p) # of Revocation--∞ ≤ z

15 Comparison : Threshold schemes PROPERTYSECTION Personal KEY Data Redundancy Decryption Operations Secret 2-levelBest fully-resilient Threshold One-level, min. Data redundancy Threshold Two-level, min. Data redundancy 4.2 W=1/ Threshold Two-level Min. key 4.2 Α -> infinity Thresholdtradeoff 4.2 W=1/ Complexity of different Tracing Traitor schemes Using n=10 6, k=1000, q=3/4

16 Proposed Schems Based on Lee, Kim and Lim’s Scheme Difference : Enabling Block : by reducing random number r change from to

17 Advances in the proposed scheme Proposed scheme is more useful. Because of Provider can more short enabling block. Efficiency of storage at the user’s end With no change of semantic security

18 Conclusion Introducing broadcast encryption and their issue – traitor tracing. Dividing enabling block & retrieving block is more efficient than all in one scheme. Proposed method is decreasing the number of each user’s enabling block. Further Works Research about Efficiency of proposed scheme New (Updated) Traitor Tracing Schemes Key Management New (Updated) Broadcast Encryption Scheme And Provably Secure Broadcast Encryption Scheme Study on other problems of Broadcast Scheme

19 References 1. S. Berkovits. How to Broadcast a Secret. Advances in Cryptology - Eurocrypt ’91, Lecture Notes in Computer Science 547 (1992), pp A. Fiat and M. Naor. Broadcast Encryption. Advances in Cryptology - Crypto ’93, Lecture Notes in Computer Science 773, (1994), pp. 480– M. Just, E. Kranakis, D. Krizanc ans P. van Oorschot. On Key Distribution via True Broadcasting. In Proceedings of 2nd ACM Conference on Computer and Communications Security, November 1994, pp. 81– B. Chor, A. Fiat and M.Naor. Tracing traitors. Advances in Cryptology - Crypto ’94, Lecture Notes in Computer Science 839, (1994), pp. 257– D. Boneh and M Franklin. An Efficient Public Key Traitor Tracing Scheme. Advances in Cryptology - Crypto ’99, Lecture Notes in Computer Science, (1994), pp. 338– D.H. Lee, H.J. Kim and J.I. Lim. Efficient Public-Key Traitor Tracing in Provably Secure Broadcast Encryption with Unlimited Revocation Capability, WISC 2001, WISC 2001 Proceeding, (2001), pp. 31–42

Thank you for listening. Any Questions?