Broadcast Encryption
CMLAB, 2008

Outline
• Introduction
• Definition
• Key management
• Secret key distribution
• Traitor tracing for broadcast encryption

Introduction
• Broadcast encryption
▫ Amos Fiat & Moni Naor, CRYPTO’93
▫ Securely transmit a message to all members of the privileged subset
[Figure: the broadcast center, the privileged users who receive the broadcast, and the non-privileged users]
• How does broadcast encryption work?
▫ Key management block
  Is sent at the beginning of a broadcast
  Is prerecorded on blank media
▫ Each recipient (device) reads the key management block and processes it to yield a management key
• Simplest broadcast scheme [figure]
• Applications
▫ Copy protection for PC games
• Broadcast encryption vs. public key cryptography
▫ Broadcast encryption is fast
▫ All calculations in broadcast encryption are done using simple symmetric encryptions
▫ Public key calculations require exponentiation operations over a finite field
▫ In classic cryptography, secrets are easier to find during the handshake
▫ In broadcast encryption, secrets are hidden much more deeply in the software

Definition-Preliminaries
• U
▫ The set of receivers (users)
• S
▫ S ⊆ U
▫ The set of revoked receivers (users whom we do not want to be able to decrypt the next transmission)
• T
▫ T = U \ S
▫ The set of privileged (i.e., non-revoked) users
• F: K × M_F → C_F
▫ F: encryption algorithm
  K: key space
  M_F: message space
  C_F: ciphertext space

Definition
• Broadcast encryption
▫ A broadcast encryption scheme is a triple of algorithms (SETUP, BROADCAST, DECRYPT) such that:
  SETUP takes a user u ∈ U and constructs that receiver’s private information P_u
  BROADCAST takes the list of revoked users S and the session key K and outputs a broadcast message M
  A user u ∈ U runs the decryption algorithm DECRYPT(M, P_u, u) to compute the K associated with M, assuming u ∈ T
Definition-Resiliency
• Resiliency
▫ A broadcast scheme is called resilient to a set S if for every subset T (T ∩ S = ∅), no eavesdropper that has all secrets associated with members of S can obtain knowledge of the secret common to T
▫ k-resilient
  The scheme is resilient to any set S ⊆ U of size k
[Figure: the universe U, a privileged set T, and a set S ⊆ U of size k]
▫ (k,p)-resilient
  The scheme is resilient to a 1−p fraction of the sets S ⊆ U of size k
• Example: A basic scheme
▫ For every set B ⊆ U, 0 ≤ |B| ≤ k, define a key K_B and give K_B to every user x ∈ U − B
▫ The common key to the privileged set T is the exclusive-or of all keys K_B, B ⊆ U − T
▫ Every coalition S with fewer than k users will all be missing key K_S and will therefore be unable to compute the common key for any privileged set T (T ∩ S = ∅)
[Figure: the privileged set T, a coalition S, and the keys K_{B1}, K_{B2}, …, K_{Bj} of sets B_1, B_2, …, B_j]

Key management
• Issues
▫ How to assign and store the keys
▫ How to save key storage for both the server and the clients
▫ How to update the keys when users join or leave
• A comprehensive survey: A. Wool, 2000
• A simple scheme: the extended-header scheme
▫ Suppose that a program p belongs to t packages for t users
▫ Broadcast ENC_{Kp}(p) to the users, with the header:
  ID | Key
  1  | E_{s1}(Kp)
  …  | …
  t  | E_{st}(Kp)
▫ Matrix-based schemes
  Content protection for recordable media (CPRM)
  Content protection for prerecorded media (CPPM) (for DVD audio)
  Media key block
  Device keys
  Drawbacks: the size of the matrix; sensitive to insider attacks
▫ The media key block is prerecorded on blank media at manufacturing time
▫ The key matrix is generated by the CPRM licensing agency and is pre-embossed in the lead-in area on the disk
▫ The media key block is the encryption of the media key using different device keys
[Figure: CPRM key matrix of E_{d00}(km), E_{d01}(km), …, E_{d10}(km), … (more than 2500 entries in one dimension; 16 device keys per device); the content is encrypted as E_{km}(data)]
• Other possible scenarios [figure]
• The state update problem
▫ In many scenarios content is encrypted using a group key which is known to a group of users
▫ When users leave or join the group, the group key must be changed
  Prevent leaving members from decrypting content in the future
  Prevent joining members from decrypting previous content (backward secrecy)
  O(n) messages
▫ How to reduce the overhead of the key update messages?
▫ When a group member leaves, the GC must change the group key and inform all group members
[Figure: K_g(K_g’)? Forward secrecy? S_1(K_g’), S_2(K_g’), S_3(K_g’), …]
▫ Tree-based schemes
  Wallner, 1997 and Wong, 1997 → Logical key hierarchy (LKH) trees
  Manage key changes
– LKH (Logical Key Hierarchy) trees
– A central server (key server) for each group holds a key tree
– Each device is associated with a leaf of the tree
– Each member holds a key path, from its leaf up to the root
– Suppose device 13 is revoked
– Using the sibling keys (gray nodes) to encrypt the new management key and delivering the encrypted management key to the sub-trees of these gray nodes
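The revocation just described, as an added worked example (not code from the slides): a complete binary key tree over 16 devices, device 13 revoked, every key on its leaf-to-root path renewed bottom-up and each new key sent under the sibling key (the gray node) and under the already-renewed child key. The tree size, the device numbers and the toy SHA-256-based encryption are constructed for the illustration; a deployment would use a real authenticated cipher.

```python
# Added example: LKH rekeying after revoking one device.
import hashlib
import os
from typing import Dict, List, Tuple

KEY_LEN = 16


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Toy stand-in for a real cipher: nonce || (plaintext XOR SHA-256(key || nonce))."""
    nonce = os.urandom(KEY_LEN)
    pad = hashlib.sha256(key + nonce).digest()[: len(plaintext)]
    return nonce + bytes(a ^ b for a, b in zip(pad, plaintext))


def decrypt(key: bytes, ciphertext: bytes) -> bytes:
    nonce, body = ciphertext[:KEY_LEN], ciphertext[KEY_LEN:]
    pad = hashlib.sha256(key + nonce).digest()[: len(body)]
    return bytes(a ^ b for a, b in zip(pad, body))


class LKHTree:
    """Complete binary key tree. Node 1 is the root; node i has children 2i and 2i+1.
    Devices 1..n sit on leaves n..2n-1 and hold the keys on their leaf-to-root path."""

    def __init__(self, n_devices: int):
        assert n_devices & (n_devices - 1) == 0, "toy tree assumes a power of two"
        self.n = n_devices
        self.keys: Dict[int, bytes] = {i: os.urandom(KEY_LEN) for i in range(1, 2 * n_devices)}

    def leaf(self, device: int) -> int:
        return self.n + device - 1

    def path(self, node: int) -> List[int]:
        nodes = []
        while node >= 1:
            nodes.append(node)
            node //= 2
        return nodes  # leaf first, root last

    def device_keys(self, device: int) -> Dict[int, bytes]:
        return {i: self.keys[i] for i in self.path(self.leaf(device))}

    def revoke(self, device: int) -> List[Tuple[int, int, bytes]]:
        """Renew every key on the revoked device's path (except its leaf), bottom-up.
        Each new key is sent under the sibling key (gray node) and under the already
        renewed key of the child on the revoked path. Returns rekey messages as
        (node_renewed, node_whose_key_encrypts, ciphertext)."""
        path = self.path(self.leaf(device))
        msgs = []
        for node in path[1:]:
            new_key = os.urandom(KEY_LEN)
            self.keys[node] = new_key
            for child in (2 * node, 2 * node + 1):
                if child == path[0]:
                    continue  # the revoked leaf receives nothing
                msgs.append((node, child, encrypt(self.keys[child], new_key)))
        return msgs


def apply_rekey(known: Dict[int, bytes], msgs) -> Dict[int, bytes]:
    """A device updates its key path from the messages it can decrypt (processed bottom-up).
    A device without the encrypting key simply skips that message."""
    known = dict(known)
    for node, under, ct in msgs:
        if under in known:
            known[node] = decrypt(known[under], ct)
    return known


def demo(n_devices: int = 16, revoked: int = 13, stayer: int = 5):
    tree = LKHTree(n_devices)
    old_revoked = tree.device_keys(revoked)
    old_stayer = tree.device_keys(stayer)
    msgs = tree.revoke(revoked)
    new_stayer = apply_rekey(old_stayer, msgs)
    new_revoked = apply_rekey(old_revoked, msgs)
    return {
        "messages": len(msgs),  # 2·log2(n) − 1 instead of O(n)
        "stayer_has_root": new_stayer[1] == tree.keys[1],
        "revoked_has_root": new_revoked[1] == tree.keys[1],
    }
```

For 16 devices the revocation costs 7 messages: one under the revoked leaf's sibling and two per remaining internal node on the path. A remaining device, whether inside or outside the revoked subtree, ends up with the new root key; the revoked device, lacking every sibling key, does not.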
• But how to deliver the new internal keys?
– NNL trees
– IBM, 2001
– The photographic negative of the LKH tree
– The device has every key in the tree except the keys between its leaf and the root

Secret key distribution
• Secret sharing schemes
  X, a set of n users, and Γ ⊆ 2^X, a set of subsets called authorized subsets. In a secret sharing scheme, the TA (trusted authority) has one secret value k ∈ GF(q), called the key. The TA will distribute secret information to each user in X, in such a way that any authorized subset can compute k from the shares they jointly hold, but no unauthorized subset has any information about k.
  The secret information given to user u_i is called the share of user i.
• Shamir threshold KPS (key pre-distribution scheme)
  Let q ≥ n + 1 be a prime power.
  1. The TA chooses n distinct non-zero random numbers x_i ∈ GF(q), and gives x_i to user i (1 ≤ i ≤ n). These values do not need to be secret.
  2. The TA constructs a random polynomial of degree at most t − 1,
     f(x) = Σ_{i=0}^{t−1} a_i x^i,
     having coefficients in GF(q). The key is the constant term a_0.
  3. The TA computes the polynomial value y_i = f(x_i) and gives y_i to user i.
• Shamir threshold KPS
  e.g. Suppose we construct a scheme in GF(17) and the public values are x_i = i, 1 ≤ i ≤ 5. Suppose that the TA chooses the polynomial f(x) = 13 + 10x + 2x², so the key is 13. The shares that are distributed are
  y_1 = f(1) = 8, y_2 = f(2) = 7, y_3 = f(3) = 10, y_4 = f(4) = 0, y_5 = f(5) = 11.
  Any 3 of the ordered pairs (1,8), (2,7), (3,10), (4,0), (5,11) can be used to reconstruct the polynomial f.
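The GF(17) example above carried through in code, as an added example (not code from the slides): share distribution from f(x) = 13 + 10x + 2x², reconstruction of the key a_0 = 13 from any three shares by Lagrange interpolation at 0, and a brute-force check of the threshold property, namely that two shares leave every key in GF(17) equally possible while three pin it down. The brute-force search is practical only because the field and threshold are tiny.

```python
# Added example: Shamir threshold scheme over GF(17) with the slides' parameters.
import itertools
from typing import List, Set, Tuple

Share = Tuple[int, int]  # (x_i, y_i)


def poly_eval(coeffs: List[int], x: int, p: int) -> int:
    """f(x) = a_0 + a_1 x + a_2 x² + ... over GF(p), coefficients given low to high."""
    return sum(a * pow(x, i, p) for i, a in enumerate(coeffs)) % p


def distribute(coeffs: List[int], xs: List[int], p: int) -> List[Share]:
    """Step 3 of the scheme: y_i = f(x_i) for every public x_i."""
    return [(x, poly_eval(coeffs, x, p)) for x in xs]


def reconstruct_key(shares: List[Share], p: int) -> int:
    """Lagrange interpolation of f at 0 from t shares:
    a_0 = Σ_i y_i · Π_{j≠i} (−x_j) / (x_i − x_j), all arithmetic mod p."""
    key = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if j != i:
                num = num * (-xj) % p
                den = den * (xi - xj) % p
        key = (key + yi * num * pow(den, -1, p)) % p
    return key


def candidate_keys(shares: List[Share], t: int, p: int) -> Set[int]:
    """Which constant terms are consistent with the shares, over every polynomial of degree < t?
    With t shares exactly one key survives; with fewer, every element of GF(p) does."""
    return {
        coeffs[0]
        for coeffs in itertools.product(range(p), repeat=t)
        if all(poly_eval(coeffs, x, p) == y for x, y in shares)
    }
```

`candidate_keys` is the information-theoretic statement behind "no unauthorized subset has any information about k": an adversary holding t − 1 shares cannot rule out any key, so guessing is no better than without the shares.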
Traitor tracing for broadcast encryption
• Tracing traitors
▫ B. Chor, A. Fiat, M. Naor, & B. Pinkas, CRYPTO’94 & 98
▫ Confiscate a pirate decoder to determine the identity of a traitor
▫ Randomly assign the decryption keys to users
▫ Make the probability of exposing an innocent user negligible
• A simple scheme
▫ Keys: an l × 2k² matrix
  a_{1,1} a_{1,2} … a_{1,2k²}
  a_{2,1} a_{2,2} … a_{2,2k²}
  …
  a_{l,1} a_{l,2} … a_{l,2k²}
▫ l hash functions h_1, h_2, …, h_l with h_i: {1,…,n} → {1,…,2k²}; h_i(u) selects the ith key for user u
▫ Personal key of user u: P(u) = {a_{1,h_1(u)}, a_{2,h_2(u)}, …, a_{l,h_l(u)}}
▫ Enabling block: 2k²l encrypted keys
  E_{a_{1,1}}(s_1), E_{a_{1,2}}(s_1), …, E_{a_{1,2k²}}(s_1)
  …
  E_{a_{l,1}}(s_l), E_{a_{l,2}}(s_l), …, E_{a_{l,2k²}}(s_l)
▫ Cipher block: encrypted under the secret s
▫ Decrypt: each user decrypts the s_i with its personal keys and computes the secret
  s = s_1 ⊕ s_2 ⊕ … ⊕ s_l
• Tracing
▫ s_1 encrypted under {a_{1,1}}, {a_{1,1}, a_{1,2}}, {a_{1,1}, a_{1,2}, a_{1,3}}, …, {a_{1,1}, a_{1,2}, …, a_{1,2k²}}
  s_2 encrypted under {a_{2,1}}, {a_{2,1}, a_{2,2}}, {a_{2,1}, a_{2,2}, a_{2,3}}, …, {a_{2,1}, a_{2,2}, …, a_{2,2k²}}
  …
  s_l encrypted under {a_{l,1}}, {a_{l,1}, a_{l,2}}, {a_{l,1}, a_{l,2}, a_{l,3}}, …, {a_{l,1}, a_{l,2}, …, a_{l,2k²}}
▫ Suppose the keys found in the pirate decoder F are {a_{1,3}, a_{2,2}, …, a_{l,2}}. Compute h_1^{-1}(3), h_2^{-1}(2), …, h_l^{-1}(2) = {user 1, user 5}, {user 2, user 3, user 5}, {user 5, user 6}, …, {user 2, user 7, user 9}, …, {…}
▫ Mark each user once per set containing it:
  user 1: x x
  user 2: x
  …
  user 5: x x x x x …
  …
  user n: x x
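The simple scheme and its tracing step, as an added worked example (not code from the slides): an l × 2k² key matrix, l random functions h_i, personal keys P(u), an enabling block that splits a fresh secret into s_1 ⊕ … ⊕ s_l, a pirate decoder built by a two-user coalition mixing its keys row by row, and the tracing rule that marks every user in h_i^{-1}(j) for each key a_{i,j} found in the decoder and accuses the user with the most marks. The parameters (n = 20, k = 2, l = 60, coalition {3, 7}), the seeded randomness and the toy SHA-256 keystream used for E_a(s) are constructed for the illustration.

```python
# Added example: the Chor–Fiat–Naor simple scheme with tracing of a pirate decoder.
import hashlib
import random
from collections import Counter
from typing import Dict, List, Tuple

KEY_LEN = 16
Pos = Tuple[int, int]  # (row i, column j): position of key a_{i,j} in the matrix


def rand_bytes(rnd: random.Random, n: int = KEY_LEN) -> bytes:
    return rnd.getrandbits(8 * n).to_bytes(n, "big")


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def pad(key: bytes, nonce: bytes) -> bytes:
    """Toy keystream for E_a(s): SHA-256(key || nonce). A real cipher goes here."""
    return hashlib.sha256(key + nonce).digest()[:KEY_LEN]


class SimpleTracingScheme:
    def __init__(self, n_users: int, k: int, l: int, seed: int = 0):
        rnd = random.Random(seed)  # seeded so the example is reproducible
        self.n, self.l, self.cols = n_users, l, 2 * k * k
        # l × 2k² key matrix a_{i,j}
        self.keys = [[rand_bytes(rnd) for _ in range(self.cols)] for _ in range(l)]
        # l random functions h_i: {0..n-1} -> {0..2k²-1}
        self.h = [[rnd.randrange(self.cols) for _ in range(n_users)] for _ in range(l)]

    def personal_key(self, u: int) -> List[Pos]:
        """P(u) = {a_{1,h_1(u)}, ..., a_{l,h_l(u)}}, as matrix positions."""
        return [(i, self.h[i][u]) for i in range(self.l)]

    def enabling_block(self, rnd: random.Random):
        """Split a fresh secret s into s_1 ⊕ ... ⊕ s_l and encrypt s_i under every key of row i."""
        shares = [rand_bytes(rnd) for _ in range(self.l)]
        nonce = rand_bytes(rnd)
        block = [[xor(shares[i], pad(self.keys[i][j], nonce)) for j in range(self.cols)]
                 for i in range(self.l)]
        secret = bytes(KEY_LEN)
        for s in shares:
            secret = xor(secret, s)
        return (nonce, block), secret

    def decrypt(self, key_positions: List[Pos], msg) -> bytes:
        """Any holder of one key per row recovers every s_i and hence s."""
        nonce, block = msg
        secret = bytes(KEY_LEN)
        for i, j in key_positions:
            secret = xor(secret, xor(block[i][j], pad(self.keys[i][j], nonce)))
        return secret

    def trace(self, decoder_positions: List[Pos]) -> int:
        """For each key a_{i,j} found in the decoder, mark every user in h_i^{-1}(j);
        the user with the most marks is accused."""
        marks: Counter = Counter()
        for i, j in decoder_positions:
            for u in range(self.n):
                if self.h[i][u] == j:
                    marks[u] += 1
        return marks.most_common(1)[0][0]


def build_pirate_decoder(scheme, traitors: List[int], rnd: random.Random) -> List[Pos]:
    """A coalition mixes its keys: one key per row, taken from a random coalition member."""
    return [(i, scheme.h[i][rnd.choice(traitors)]) for i in range(scheme.l)]


def demo(n_users=20, k=2, l=60, traitors=(3, 7), seed=1) -> Dict[str, object]:
    scheme = SimpleTracingScheme(n_users, k, l, seed)
    rnd = random.Random(seed + 1)
    msg, secret = scheme.enabling_block(rnd)
    decoder = build_pirate_decoder(scheme, list(traitors), rnd)
    accused = scheme.trace(decoder)
    return {
        "legit_user_ok": scheme.decrypt(scheme.personal_key(4), msg) == secret,
        "pirate_ok": scheme.decrypt(decoder, msg) == secret,
        "accused": accused,
        "accused_is_traitor": accused in traitors,
    }
```

An innocent user collides with a decoder key in a given row with probability 1/(2k²), so its expected mark count is l/(2k²), while each traitor contributes about half of the l decoder keys; with l large enough relative to k the gap makes accusing an innocent user negligible, which is the scheme's stated goal.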
Traitor tracing for broadcast encryption-Examples
• Efficient Methods for Integrating Traceability and Broadcast Encryption, E. Gafni, J. Staddon, and Y. L. Yin, CRYPTO’99, LNCS 1666, pp. 372-387, 1999
• Jessica Staddon
▫ Combinatorial properties of frameproof and traceability codes. J. Staddon, D. R. Stinson and R. Wei. IEEE Transactions on Information Theory (2001), 1042-1049.
▫ Efficient traitor tracing algorithms using list decoding. A. Silverberg, J. Staddon and J. Walker. Asiacrypt 2001.
• Paper introduction
• Preliminaries
• Related works
• Optimal broadcast encryption schemes with OR protocols
• Integrating traceability and broadcast encryption
• Broadcast encryption
▫ Keys are allocated to users in such a way that broadcasts can be made to selected sets with security
▫ Broadcasting capability (m-resiliency)
• Traceability
▫ If at most c users pool their keys together to construct a “pirate decoder”, then at least one of the users involved can be identified by examining the keys in the decoder (c-traceability)
• The goal is to have both high broadcasting capability and high traceability
• The contribution of this paper: to study general methods for integrating traceability and broadcasting capability
▫ Adding any desired level of traceability to an arbitrary broadcast encryption scheme
▫ Adding any desired level of broadcasting capability to an arbitrary traceability scheme
• Idea
▫ Add a dimension of randomness to a broadcast encryption scheme to achieve high traceability
▫ Add a dimension of structure to a traceability scheme to achieve high broadcast capability
• The important feature of the methods
▫ Preservation of the properties of the underlying broadcast encryption schemes
▫ One can construct broadcast encryption schemes with
  High resiliency
  High traceability
  Full scalability
• Storage requirements
▫ The number of keys per user ↓
▫ The total number of keys ↓
• Related works
▫ One-time broadcast encryption scheme (1991)
▫ Resiliency (1994)
▫ OR protocols (1996)
▫ Entropy of a broadcast (1996)
▫ Trade-off: communication and storage (1996~)
▫ Combinatorial schemes (1996~)
▫ Information theoretic ratio (1996~)
▫ Rekeying (1997)
  Trade-off: storage and the rekeying communication cost
▫ A hierarchical tree-based scheme (1997)
• Related works
▫ First introduced (1994)
  Tracing traitors, B. Chor, A. Fiat, M. Naor, & B. Pinkas, CRYPTO’94
▫ Threshold traceability (1998)
  Threshold traitor tracing, M. Naor & B. Pinkas, CRYPTO’98
• Preliminaries
▫ {u_1, …, u_n} is the set of all users
▫ {k_1, …, k_K} is the set of all keys
▫ S_P is the set of keys used to broadcast to the privileged set P
▫ B_P is the message (e.g., a broadcast key) that is broadcast to P in encrypted form
▫ n is the total number of users
▫ K is the total number of keys
▫ r is the number of keys per user
▫ m is the number of users who are excluded
▫ t is the number of transmissions
▫ c is the traceability of the scheme
▫ OR protocol for broadcasting to P: any one of the keys in S_P suffices to recover B_P from the broadcast
▫ AND protocol for broadcasting to P: all of the keys in S_P are necessary to recover B_P from the broadcast
▫ Only two previous works study the integration of broadcast encryption and traceability
  J. Staddon, “A Combinatorial Study of Communication, Storage and Traceability in Broadcast Encryption Systems”, Ph.D. thesis, University of California at Berkeley, 1997.
  D. Stinson and R. Wei, “Key Preassigned Traceability Schemes for Broadcast Encryption”, Proc. SAC’98, LNCS 1556 (1999), pp. 144-156.
• Two new constructions
▫ The Cube Scheme (geometric construction)
▫ The Polynomial Scheme (algebraic construction)
• Both schemes are fully scalable and m-resilient
• Both schemes are close to optimal in terms of the total number of keys
• Optimal Broadcast Encryption Schemes with OR Protocols - The Cube Scheme
▫ For a fixed number of keys per user, r, the construction is based on an r-dimensional cube
  Points (entries): users
  Subspaces of dimension r−1 (slices): keys
[Figure: a slice of the cube is a key; an entry of the cube is a user]
▫ e.g. r = 2: consider an n^{1/2} × n^{1/2} square; each of the n users is an entry in this square indexed by (i_1, i_2) where i_1, i_2 ∈ {1, 2, …, n^{1/2}}. For 1 ≤ i ≤ n^{1/2}:
  C_i: the set of users in column i
  R_i: the set of users in row i
  For each i, we create two unique keys and allocate one of them only to the users in C_i and the other only to the users in R_i. Each user has exactly 2 keys.
  To exclude a given user u, the center broadcasts according to an OR protocol with all keys except the 2 keys stored by user u. Since any two users share at most 1 key, every user except u can receive the broadcast.
[Figure: the n^{1/2} × n^{1/2} square with axes i_1 and i_2]
▫ r-dimensional cube
  The entries are indexed by r-tuples (i_1, …, i_r), i_j ∈ {1, 2, …, n^{1/r}}. The slices are the subspaces of dimension r−1, S_{j,w} = {(i_1, …, i_r): i_j = w}; a slice consists of all the r-tuples which are identical in the jth entry (as in the 2D case). A unique key is created for each slice; therefore, each user has exactly r keys.
  To exclude a given user u, the center broadcasts according to an OR protocol with all the keys except the r keys that u has. Since each pair of users share at most r−1 keys, every user except u can recover B_P from the broadcast.
  → This scheme can exclude one user
▫ A simple extension to exclude m users
  By making copies of the cube scheme: assign independent keys to m different r-dimensional cube schemes; each user has rm keys
  We can exclude m users {u_1, …, u_m} by excluding the r keys that user i has in the ith cube scheme
  The broadcast protocol is then an AND on the union of the sets of keys in each cube scheme
  K = m r n^{1/r}, the number of keys per user is mr, t = K − mr
  The resulting scheme is still 1-resilient
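The cube scheme and its m-copy extension, as an added worked example (not code from the slides): users are r-tuples over {1, …, n^{1/r}}, every slice S_{j,w} gets one key, one user is excluded with an OR protocol over the remaining keys, and m users are excluded by dropping user i's keys in copy i and broadcasting with an AND over the copies. The cube sizes (r = 3 with side 3, and r = 2 with side 4 and two copies) and the key labels are constructed for the illustration; the checks confirm the key counts K = m·r·n^{1/r} and mr keys per user stated above.

```python
# Added example: the cube scheme with OR broadcasts, plus the m-copy AND extension.
import itertools
from typing import Dict, List, Set, Tuple

User = Tuple[int, ...]
Key = Tuple[int, int, int]  # (copy c, coordinate j, value w): key of slice S_{j,w} in copy c


def cube_scheme(r: int, side: int, copies: int = 1):
    """Users are r-tuples over {1..side} (n = side^r); the key of slice S_{j,w} goes to every
    user whose j-th coordinate is w. With copies > 1 each copy has its own independent keys."""
    users: List[User] = list(itertools.product(range(1, side + 1), repeat=r))
    user_keys: Dict[User, Set[Key]] = {
        u: {(c, j, u[j]) for c in range(copies) for j in range(r)} for u in users
    }
    all_keys: Set[Key] = {(c, j, w) for c in range(copies) for j in range(r)
                          for w in range(1, side + 1)}
    return users, user_keys, all_keys


def or_broadcast(all_keys, user_keys, excluded: User, copy: int = 0) -> Set[Key]:
    """OR protocol within one copy: every key of that copy except the r keys of `excluded`."""
    return {key for key in all_keys if key[0] == copy} - user_keys[excluded]


def and_of_ors(all_keys, user_keys, excluded: List[User]) -> List[Set[Key]]:
    """Exclude m users: user i's r keys are dropped in copy i; the broadcast is an AND over copies."""
    return [or_broadcast(all_keys, user_keys, u, copy=i) for i, u in enumerate(excluded)]


def can_recover(user_keys, u: User, key_sets: List[Set[Key]]) -> bool:
    """A user recovers iff it holds at least one key in every copy's OR set."""
    return all(user_keys[u] & S for S in key_sets)


def verify_exclusion(r: int, side: int, excluded: List[User]):
    """Every non-excluded user recovers and every excluded user does not; also report the sizes."""
    users, user_keys, all_keys = cube_scheme(r, side, copies=len(excluded))
    key_sets = and_of_ors(all_keys, user_keys, excluded)
    correct = all(can_recover(user_keys, u, key_sets) == (u not in excluded) for u in users)
    shared = max(len(user_keys[a] & user_keys[b]) for a, b in itertools.combinations(users, 2))
    return {
        "correct": correct,
        "total_keys": len(all_keys),                # m · r · n^{1/r}
        "keys_per_user": len(user_keys[users[0]]),  # m · r
        "max_shared_keys": shared,                  # m · (r − 1): users agree in at most r−1 coordinates
    }
```

The `max_shared_keys` figure is what makes single-user exclusion work: two distinct points of the cube agree in at most r − 1 coordinates, so removing one user's r keys never strips another user of all of its keys.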
• Optimal Broadcast Encryption Schemes with OR Protocols - The Polynomial Scheme
▫ The scheme uses a set system construction based on polynomials over a finite field
  r: the number of keys per user
  m: the number of excluded users
  Polynomials: users
  Points: keys
  p: a prime larger than r
  A: a subset of the finite field F_p of size r
  Consider the set of all polynomials over F_p of degree at most (r−1)/m; there are p^{(r−1)/m+1} such polynomials
  Associate each of the n users with a different polynomial: p^{(r−1)/m+1} ≥ n ⇒ p ≥ n^{m/(r−1+m)}
  A unique key k(x,y) is created for each pair (x,y), where x ∈ A and y ∈ F_p
  If a polynomial f is given to a user u, u is allocated all the keys in the set {k(x, f(x)) | x ∈ A}
  Any two of the polynomials intersect in at most (r−1)/m points ⇒ any two users share at most (r−1)/m keys ⇒ if all the keys belonging to the m excluded users are removed, then each privileged user will still have at least 1 key ⇒ the center can broadcast with an OR protocol to any set of n−m users
  K = rp ≥ r n^{m/(r−1+m)}, the number of keys per user is r, t ≤ K − r
  m-resiliency
  Fully scalable
  Increasing the size of the field F_p allows significantly more users to be added with no rekeying of the old users (e.g. if K is doubled, then 2^{(r−1)/m+1} times more users can be added to the scheme)
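The polynomial scheme, as an added worked example (not code from the slides): p = 7, r = 5 and m = 2 are constructed parameters, so users are the 7³ = 343 polynomials of degree at most (r−1)/m = 2 over F_7, A = {0, 1, 2, 3, 4} is the constructed choice of the r-element subset, user f holds the keys k(x, f(x)) for x ∈ A, and excluding m users removes their keys before an OR broadcast. The checks confirm K = rp = 35, r keys per user, at most (r−1)/m shared keys between any two users, and that every privileged user keeps at least one key.

```python
# Added example: the polynomial scheme over F_p with an OR broadcast excluding m users.
import itertools
from typing import Dict, List, Set, Tuple

Poly = Tuple[int, ...]   # coefficients a_0..a_d of a user's polynomial over F_p
Key = Tuple[int, int]    # k(x, y) with x ∈ A, y ∈ F_p


def polynomial_scheme(p: int, r: int, m: int):
    """Users ↔ polynomials of degree ≤ (r−1)/m over F_p; user f holds {k(x, f(x)) : x ∈ A}."""
    assert p > r and (r - 1) % m == 0, "example assumes p prime > r and m dividing r−1"
    d = (r - 1) // m
    A = list(range(r))  # constructed choice of A ⊆ F_p with |A| = r

    def ev(f: Poly, x: int) -> int:
        return sum(a * pow(x, i, p) for i, a in enumerate(f)) % p

    polys = list(itertools.product(range(p), repeat=d + 1))  # p^{d+1} users
    user_keys: Dict[Poly, Set[Key]] = {f: {(x, ev(f, x)) for x in A} for f in polys}
    all_keys: Set[Key] = {(x, y) for x in A for y in range(p)}  # K = r·p
    return user_keys, all_keys, d


def or_broadcast(all_keys, user_keys, excluded: List[Poly]) -> Set[Key]:
    """Remove every key held by any excluded user and broadcast under the rest (OR protocol)."""
    removed = set().union(*(user_keys[u] for u in excluded))
    return all_keys - removed


def max_shared_keys(user_keys) -> int:
    """Two distinct polynomials of degree ≤ d agree on ≤ d points, hence share ≤ d keys."""
    return max(len(user_keys[f] & user_keys[g])
               for f, g in itertools.combinations(user_keys, 2))


def verify_exclusion(p: int, r: int, m: int, excluded: List[Poly]):
    """Every non-excluded user keeps a key in S_P and every excluded user has none."""
    user_keys, all_keys, d = polynomial_scheme(p, r, m)
    S_P = or_broadcast(all_keys, user_keys, excluded)
    correct = all(bool(user_keys[f] & S_P) == (f not in excluded) for f in user_keys)
    return {
        "correct": correct,
        "users": len(user_keys),        # p^{(r−1)/m + 1}
        "total_keys": len(all_keys),    # r·p
        "keys_per_user": len(next(iter(user_keys.values()))),
        "max_shared_keys": max_shared_keys(user_keys),  # ≤ (r−1)/m
        "degree_bound": d,
    }
```

The arithmetic behind `correct`: m excluded users each share at most d = (r−1)/m keys with a privileged user, so at most m·d = r − 1 of its r keys are removed and one always survives. Adding users means adding polynomials, which needs no change to existing users' keys, which is the scalability point above.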
• Optimal Broadcast Encryption Schemes with OR Protocols - Lower Bound on the Total Number of Keys
▫ The total number of keys is close to optimal in both the cube scheme and the polynomial scheme
  … scheme and a set of m+1 users, u_1, …, u_{m+1}, such that U_1 ⊆ ∪_{j=2}^{m+1} U_j. If OR protocols are used, at least one of u_2, …, u_{m+1} will be able to recover the message from a broadcast to u_1. →← (contradiction)
  (⇐) If for every set of m users u_1, …, u_m and for every user u outside this set, U ⊄ ∪_{j=1}^{m} U_j, then to broadcast to P = {u_{m+1}, …, u_n}, let S_P = ∪_{i=m+1}^{n} (U_i \ ∪_{j=1}^{m} U_j), the keys of the privileged users not held by u_1, …, u_m. This S_P can be used to broadcast to P with OR protocols.
• Combining the last Lemma and this Theorem, we can establish a relationship between K and r.