Introduction to Modern Cryptography, Lecture ?, 2005 Broadcast Encryption, Traitor Tracing, Watermarking

Broadcast Encryption Transmit a message securely to a subset of a (large) user group. Introduce a resiliency measure, t, how many users can jointly break the system? Solution 1: Every user is missing a symmetric key, XOR the keys of the omitted users. This is 1-resilient. Alternately, use a tree like hash structure to reduce memory requirements per user Alternately, use a Diffie-Hellman like 1- resilient Scheme

Increasing the resiliency Assign the users to vertices of a hypercube. Transmit a message to the chosen group by transmitting 2 log n messages, 2 messages per coordinate. Every set of two users will be split by one of the partitions. This increases the resiliency to 2. Use a recursive construction to get resiliency t.

Randomized Constructions Allow randomization in the construction of the scheme For example, toss the users into t 2 bins. With constant probability a given set of size t will be split entirely. Many other solutions.

Traitor Tracing Imagine that the TV decoder is set to decrypt some data. A pirated version of the decoder should allow us to recognize the decoder copied. Simple solution: 2 log n keys in total, every decoder gets log n keys.

The idea behind TT schemes: Make it infeasible to construct an “ unrecognizable ” decoder from a set of legal decoders.

Weak One-Way Functions A function f:{0,1} *  {0,1} * is called weakly one way if the following hold: –Easy to compute f in polynomial time –Slightly hard to invert: there exists a positive polynomial p(), such that for every probabilistic polynomial time algorithm A ’, and all sufficiently large n ’ s:

Weak One-way functions imply strong one-way functions f is a weak one way function, and p() is the polynomial such that for every probabilistic polynomial time algorithm A ’, and all sufficiently large n ’ s:

Weak One-way functions imply strong one-way functions f is a weak one way function, let p() be the polynomial for which we define t(n)=n p(n) and define g as follows: Inverting g on g(y 1,y 2, …, y t(n) ) involves finding f --1 (y j )

Weak One-way functions imply strong one-way functions f is a weak one way function, we want to argue that g is a strong one way function. Alternately, we will show that if g is not a strong one way function, then f is not a weak one way function.

Weak One-way functions imply strong one-way functions if g is not a strong one way function: there exists a probabilistic polynomial time algorithm B ’ and a polynomial q() such that for infinitely many m ’ s:

Weak One-way functions imply strong one-way functions Using B ’, we now show that f is not weakly one way, one input y, n=|y|: Repeat a(n)=2n 2 q(n 2 p(n)) times: for i=1 to t(n) do select x 1, …, x t(n) from U n replace the i ’ th x with y feed the conactenated x i ’ s to B ’ check if f -1 (y) was computed

Hard core predicates f is one-way does not say that we cannot learn some partial information about f -1 (y) A polynomial time computable predicate b:{0,1} *  {0,1} * is called a hard core of a function f if for every probabilistic polynomial time algorithm A ’, every positive polynomial p(), and all sufficiently large n ’ s:

Hard core predicates for any one way function Let f be an arbitrary one-way function, and let g be defined by g(x,r) = f(x) || r. Let b(x,r) denote the inner product of the binary vectors x and r, then b is a hard core for the function g. Generalization: hard core functions (indistinguishable)

Psuedorandom generators Let f be a length preserving 1-1 strongly one way function, and let b a hard core predicate for f. Then The seqeunce (b(s), b(f(s)), b(f(f(s)), … is psuedorandom

What does this mean? You assume that AES is weakly one way: –You want a provably psuedorandom sequence for stream encryption. –You start by producing a strongly one way function which involves polynomially many applications of AES –You take the total output and xor it with a random string r, this gives you one bit of your stream –You then apply the strong one way function again, and repeat. –This is very expensive (obviously), but then, it suffices that AES be only weakly one way for you to be safe.