
Broadcast Encryption Amos Fiat & Moni Naor Advances in Cryptography - CRYPTO ’93 Proceeding, LNCS, Vol. 773, 1994, pp. 480-491 Multimedia Security.


1 Broadcast Encryption
Amos Fiat & Moni Naor
Advances in Cryptography - CRYPTO ’93 Proceeding, LNCS, Vol. 773, 1994, pp. 480-491
Multimedia Security

2 Outline
- Introduction
- Zero Message Schemes
  - The basic scheme
  - 1-resilient scheme based on one-way function
  - 1-resilient scheme based on computational number theoretic assumptions
- Low-Memory k-Resilient Schemes
  - One-level schemes
  - Multi-level schemes
- An Example and Implementation Considerations

3 Problem Formulation
Participants
- A center
- A set of users
Rules
- The center provides the users with prearranged keys when they join the system
- At some time, the center wishes to broadcast a message (e.g. a key to decipher a video clip) to a dynamically changing privileged subset of the users only
[Figure: broadcast center, User 1, User 2, User 3, ..., User N; labels "Keys" and "Collusion"]

4 Obvious but Stupid Solutions
[Figure: broadcast center and User 1, User 2, User 3, ..., User N holding Key1, Key2, Key3, ..., KeyN]
- Total processing/transmission time is long!
[Figure: broadcast center and User 1, User 2, User 3, ..., User N, each holding the keys for all subsets that user belongs to]
- Every user must store a large number of keys!!

5 Goal of This Paper
- To provide solutions which are efficient in both
  - Transmission length
  - Storage at the user’s end
- The scheme is considered broken if a user that does not belong to the privileged class can read the transmission

6 Definitions
Broadcast Scheme
- One allocates keys to users so that, given a subset T of all users U, the center can broadcast messages to all users, following which all members of T have a common key
Resiliency
- A broadcast scheme is called resilient to a set S if, for every subset T that does not intersect with S, no eavesdropper that has all secrets associated with members of S can obtain knowledge of the secret common to T

7 Definitions (cont.)
k-resiliency
- A scheme is called k-resilient if it is resilient to any set S of size k
(k, p)-random-resiliency
- With probability at least 1-p, the scheme is resilient to a set S of size k, chosen at random from U

8 Zero Message Schemes vs. More General Schemes
Zero Message Schemes
- Knowing the privileged subset T suffices for all users x belonging to T to compute a common key with the center without any transmission
- To transmit information implies using this common key to encrypt the data transmitted
More General Schemes
- The center must transmit many messages

9 Approach for Constructing Schemes
- Low resiliency zero-message schemes
  - Assumption free constructions
  - Constructions based on existence of one-way functions
  - Constructions based on number theoretic assumptions
- Higher resiliency, but not zero-message type schemes
  - One-level Schemes
  - Multi-level Schemes

10 Zero Message Schemes

11 The Basic Scheme
- Users can determine a common key for every subset, resilient to any set S of size ≤ k
- For every set B ⊂ U, 0 ≤ |B| ≤ k, define a key K_B and give it to every user x ∈ U − B
- The common key to the privileged set T is simply the exclusive-or of all keys K_B, B ⊂ U − T
- Each coalition S of ≤ k users will all be missing K_S, and will be unable to compute the common key for T, since S ∩ T is empty

12 A Very Simple Example
U = {a, b, c}, n = 3, k = 2
B = {a, b, c, {a,b}, {a,c}, {b,c}}
Keys = {K_a, K_b, K_c, K_ab, K_ac, K_bc}
Prearranged keys
- User a: K_b, K_c, K_bc
- User b: K_a, K_c, K_ac
- User c: K_a, K_b, K_ab
If T = {b, c}, K_T = ⊕ K_M over M ⊂ U − T, which is K_a
If T = {b}, K_T = K_a ⊕ K_c ⊕ K_ac

13 Analysis of the Basic Scheme
- The memory requirements for this scheme are every user is assigned keys. Unacceptable memory requirement!!
- Theorem 1: There exists a k-resilient scheme that requires each user to store keys and the center need not broadcast any message in order to generate a common key to the privileged class
- 1-resilient version: n-1 keys

14 1-Resilient Scheme Based on One-way Function
- Reduced from n-1 keys to keys
- The keys are pseudo-randomly generated from a common seed
- Assume that one-way functions exist and hence pseudo-random generators exist
- Let f: {0,1}^l → {0,1}^(2l) be a pseudo-random number generator
  - The length of the output of f is twice the length of the input

15 1-Resilient Scheme Based on One-way Function (cont.)
- Associate the n users with the leaves of a balanced binary tree on n nodes
- The root is labeled with the common seed s ∈ {0,1}^l
- Other vertices are labeled recursively
  - Apply the pseudo-random generator f to the root label, taking the left half of f(s) as the label of the left subtree and the right half as the label of the right subtree

16 1-Resilient Scheme Based on One-way Function (cont.)
- Every user x should get all the keys except the one associated with the singleton set B = {x}
- Remove the path from the leaf associated with the user x to the root, thus resulting in a forest of forests
- Provide user x with the labels associated with the leaves of that subtree

17 Another Simple Example
[Figure: tree diagrams; labels f, S={0,1}^l, leaves A, B, C, D and A, C, D]
Theorem 2. If one-way functions exist, then there exists a 1-resilient scheme that requires each user to store log n keys and the center need not broadcast any message in order to generate a common key to the privileged class
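The tree labeling of slides 14 to 17, as an added Python example that is not part of the original slides. It assumes SHA-256 as a stand-in for the generator f, n a power of two, and that user x is handed the labels at the roots of the subtrees left once x's leaf-to-root path is removed, which gives the log n keys of Theorem 2; all names are illustrative.

```python
import hashlib

L = 16  # label length l in bytes (assumed)

def f(s):
    """Stand-in for the length-doubling generator: (left half, right half) of f(s)."""
    return hashlib.sha256(b"L" + s).digest()[:L], hashlib.sha256(b"R" + s).digest()[:L]

def descend(lab, bits):
    """Follow a downward bit path ('0' = left, '1' = right) starting from label `lab`."""
    for bit in bits:
        lab = f(lab)[int(bit)]
    return lab

def user_labels(seed, n, x):
    """Labels for user x: the sibling of each node on the path from leaf x to the root."""
    node, given = n + x, {}          # heap numbering: root 1, leaves n .. 2n-1
    while node > 1:
        sib = node ^ 1
        given[sib] = descend(seed, bin(sib)[3:])
        node //= 2
    return given

def leaf_key(given, n, y):
    """Key of singleton {y}, derived from a held ancestor label; None if none is held."""
    path = bin(n + y)[2:]
    for d in range(len(path)):
        anc = (n + y) >> d
        if anc in given:
            return descend(given[anc], path[len(path) - d:])
    return None

def common_key(given, n, T):
    """XOR of the leaf keys of every user outside T; None if one cannot be derived."""
    key = bytes(L)
    for y in set(range(n)) - set(T):
        k_y = leaf_key(given, n, y)
        if k_y is None:
            return None
        key = bytes(a ^ b for a, b in zip(key, k_y))
    return key

if __name__ == "__main__":
    seed, n, T = bytes(range(16)), 8, {2, 5}      # constructed sample values
    center = common_key({1: seed}, n, T)          # the center holds the root label
    print("center :", center.hex())
    print("user 5 :", common_key(user_labels(seed, n, 5), n, T).hex())
    print("user 3 (outside T):", common_key(user_labels(seed, n, 3), n, T))
```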

18 1-Resilient Scheme Based on Number Theoretic Assumption
- The center chooses a random hard-to-factor composite N = PQ, where P and Q are primes
- The center also chooses a secret value g
- User i is assigned key g_i = g^(p_i), where p_i, p_j are relatively prime for all i, j belonging to U
- All users know what user index refers to what p_i

19 1-Resilient Scheme Based on Number Theoretic Assumption
- A common key for users T is taken as the value g_T = g^(p_T) mod N, where p_T =
- Every user i ∈ T can compute g_T by evaluating
- For user j not belonging to T, if he can compute the common key, it implies that he can compute g (by Euclidean GCD algorithm…) mod N

20 1-Resilient Scheme Based on Number Theoretic Assumption
Theorem 3. If extracting roots modulo a composite is hard, then there exists a 1-resilient scheme that requires each user to store one key and the center need not broadcast any message in order to generate a common key to the privileged class
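The number theoretic scheme of slides 18 to 20 with toy numbers, as an added Python example that is not part of the original slides. It assumes p_T is the product of the p_i over i in T, so that a member raises its own key to the other members' p_j; the modulus, g and the p_i are constructed values far too small for real use. The last function carries out the Euclidean step of slide 19: an outsider j who could obtain g_T would also obtain the secret g.

```python
from math import prod

N = 1009 * 1013                    # toy N = PQ (constructed; a real N must be hard to factor)
g = 123456                         # the center's secret value (constructed)
p = {0: 3, 1: 5, 2: 7, 3: 11}      # public, pairwise relatively prime p_i (constructed)

def user_key(i):
    """g_i = g^(p_i) mod N, the single key stored by user i."""
    return pow(g, p[i], N)

def common_key_center(T):
    """g_T = g^(p_T) mod N, with p_T assumed to be the product of p_i over i in T."""
    return pow(g, prod(p[i] for i in T), N)

def common_key_user(i, g_i, T):
    """Member i raises g_i to the product of the other members' p_j."""
    return pow(g_i, prod(p[j] for j in T if j != i), N)

def bezout(a, b):
    """Extended Euclid: return (x, y) with a*x + b*y = gcd(a, b)."""
    x0, y0, x1, y1 = 1, 0, 0, 1
    while b:
        q = a // b
        a, b = b, a - q * b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return x0, y0

def g_from_outsider(j, g_j, T, g_T):
    """If outsider j had g_T: p_j and p_T are coprime, so a*p_j + b*p_T = 1
    and g = g_j^a * g_T^b mod N (negative exponents use modular inverses)."""
    a, b = bezout(p[j], prod(p[i] for i in T))
    return pow(g_j, a, N) * pow(g_T, b, N) % N

if __name__ == "__main__":
    T = {0, 2, 3}
    g_T = common_key_center(T)
    print("members agree:", all(common_key_user(i, user_key(i), T) == g_T for i in T))
    print("g_T in the hands of user 1 would give g:",
          g_from_outsider(1, user_key(1), T, g_T) == g)
```

Computing g_T from g_1 alone is therefore as hard as recovering g from g^(p_1), which is the root extraction problem of Theorem 3.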

21 Low Memory k-Resilient Schemes

22 Perfect Hash Function in a Family of Functions
- A family of functions f_1, …, f_l: U → {1, …, m} with the following property is required
  - For any subset S of U with |S| = k, there exists some i such that for all x, y ∈ S, f_i(x) ≠ f_i(y)
- This family of functions contains a perfect hash function for all size-k subsets of U when mapped to the range {1, …, m}

23 Constructing k-resilient scheme from a 1-resilient Scheme
[Figure: grid of 1-resilient schemes R(i,j), rows i = 1, …, l and columns j = 1, …, m]
- Keys for each user x: those associated with scheme R(i, f_i(x))
- M= Mi
- Broadcast messages using R(i, f_i(x)) for
- Number of keys stored by each user: l × number of keys in 1-resilient scheme
- Number of transmissions: l × m × number of transmissions in 1-resilient scheme

24 Mathematical Exploitations
- The probability that random f_i is 1-1 on S
  - set m = 2k^2
- The probability that no f_i is 1-1 on S
  - set l = k log n
- The probability that for all subset S of size k, the probability that there is a 1-1 f_i
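The function family of slides 22 to 24, as an added Python example that is not part of the original slides. It draws l = k log n random functions into a range of size m = 2k^2, redraws until every size-k subset is separated by some f_i, and lists which sub-schemes R(i, j) a user or a privileged set touches; the range is numbered 0..m-1 here and all names are illustrative.

```python
import math
import random
from itertools import combinations

def separating_index(fam, S):
    """First i such that f_i is one-to-one on S, or None if no f_i separates S."""
    for i, f in enumerate(fam):
        if len({f[x] for x in S}) == len(S):
            return i
    return None

def build_family(n, k, rng):
    """Draw l = k*ceil(log2 n) random maps U -> {0..m-1} with m = 2k^2 and
    redraw until every size-k subset of U is separated by some f_i."""
    m, l = 2 * k * k, k * math.ceil(math.log2(n))
    while True:
        fam = [[rng.randrange(m) for _ in range(n)] for _ in range(l)]
        if all(separating_index(fam, S) is not None
               for S in combinations(range(n), k)):
            return fam, m

def user_slots(fam, x):
    """Sub-schemes R(i, f_i(x)) whose 1-resilient keys user x has to store."""
    return [(i, f[x]) for i, f in enumerate(fam)]

def broadcast_groups(fam, m, T):
    """For every (i, j): the members of T that message M_i reaches through R(i, j)."""
    return {(i, j): sorted(x for x in T if f[x] == j)
            for i, f in enumerate(fam) for j in range(m)}

if __name__ == "__main__":
    n, k = 16, 2
    fam, m = build_family(n, k, random.Random(1))      # constructed parameters
    S = (3, 9)                                         # a coalition of size k
    i = separating_index(fam, S)
    print("l =", len(fam), "m =", m)
    print("coalition", S, "is split by f_%d:" % i,
          [user_slots(fam, x)[i] for x in S])
    groups = broadcast_groups(fam, m, {1, 3, 9})
    print("non-empty groups in row 0:",
          {j: g for (r, j), g in groups.items() if r == 0 and g})
```

In row i the two coalition members sit in different sub-schemes R(i, j), so each of those schemes faces a single adversary, which is what its 1-resiliency covers.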

25 Existence of k-resilient Schemes
- There exists a k-resilient scheme that requires each user to store O(k log n w) keys and the center to broadcast O(k^3 log n) messages.
- The scheme can be constructed effectively with arbitrarily high probability by increasing the parameters
- Explicit constructions of f_i
  - Error-correcting codes of large relative distance over an alphabet of O(k^2)

