Fully Collusion Resistant Traitor Tracing with Short Ciphertexts and Private Keys

1
Fully Collusion Resistant Traitor Tracing with
Short Ciphertexts and Private Keys
Dan Boneh, Amit Sahai, and Brent Waters
2
Broadcast Systems
Distribute content to a large set of users
  • Commercial Content Distribution
  • File systems
  • Military Grade GPS
  • Multicast IP

3
Tracing Pirate Devices [CFN94]
  • Attacker creates pirated device
  • Want to trace origin of device

4
FAQ 1: The Content can be Copied?
  • DRM: Impossibility Argument
  • Protecting the service
  • Goal: Stop attacker from creating devices that
    access the original broadcast

5
FAQ 2: Why black-box tracing? [BF99]
[Figure: pirate decoder D, labelled with keys K1, K2, K3]
  • D may contain unrecognized keys, is
    obfuscated, or tamper resistant.
  • All we know:
  • $\Pr[\, M \xleftarrow{R} G,\ C \xleftarrow{R} \mathrm{Encrypt}(PK, M) : D(C) = M \,] > 1 - \epsilon$

6
Formally Secure TT systems
  • (1) Semantically secure, and (2) Traceable

[Figure: tracing game between Challenger and Attacker]
Adversary wins if (1) $\Pr[D(C) = M] > 1 - \epsilon$,
and (2) $i \notin S$
7
Brute Force System
  • Setup(n): Generate n PKE pairs $(PK_i, K_i)$.
    Output private keys $K_1, \ldots, K_n$; $PK \leftarrow (PK_1, \ldots, PK_n)$, $TK \leftarrow PK$.
  • Encrypt(PK, M): $C \leftarrow (E_{PK_1}(M), \ldots, E_{PK_n}(M))$
  • Tracing: next slide.
  • This is the best known TT system secure under
    arbitrary collusion.
  • until now

8
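$\mathrm{Trace}^D(PK)$ [BF99, NNL00, KY02]
  • For $i = 1, \ldots, n+1$ define, for $M \xleftarrow{R} G$:
  • $p_i := \Pr[\, D(E_{PK_1}(\star), \ldots, E_{PK_{i-1}}(\star), E_{PK_i}(M), \ldots, E_{PK_n}(M)) = M \,]$
  • Then $p_1 > 1 - \epsilon$ and $p_{n+1} \approx 0$
  • $1 - \epsilon \lesssim |p_{n+1} - p_1| = \left| \sum_{i=1}^{n} (p_{i+1} - p_i) \right| \le \sum_{i=1}^{n} |p_{i+1} - p_i|$
  • $\Rightarrow$ Exists $i \in \{1, \ldots, n\}$ s.t. $|p_{i+1} - p_i| \gtrsim (1 - \epsilon)/n$
  • $\Rightarrow$ User $i$ must be one of the pirates.
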
9
Security Theorem
  • Tracing algorithm estimates each $p_i$ to within $(1-\epsilon)/4n$
  • Need $O(n^2)$ samples per $p_i$. (D stateless)
  • Cubic time tracing.
  • Can be improved to quadratic in $|S|$.
  • Thm: underlying PKE system is semantically secure
    $\Rightarrow$ no eff. adv wins tracing game with non-neg adv.

10
Abstracting the Idea [BSW06]
  • Properties needed:
  • For $i = 1, \ldots, n+1$ need to encrypt M so:
    [Figure: users $1, \ldots, i-1$ cannot decrypt; users $i, \ldots, n$ can decrypt]
  • Without $K_i$ adversary cannot distinguish
  • $\mathrm{Enc}(i, PK, M)$ from $\mathrm{Enc}(i+1, PK, M)$

11
Private Linear Broadcast Enc (PLBE)
  • Setup(n): outputs private keys $K_1, \ldots, K_n$
    and public-key PK.
  • Encrypt(u, PK, M):
  • Encrypt M for users $\{u, u+1, \ldots, n\}$
  • Output ciphertext CT.
  • Decrypt(CT, j, $K_j$, PK): If $j \ge u$, output
    M
  • Broadcast-Encrypt(PK, M) := Encrypt(1, PK, M)
  • Note: slightly more complicated defs in
    [BSW06]

12
Security definition
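  • Message hiding: given all private keys
  • $\mathrm{Encrypt}(n+1, M, PK) \approx_p \mathrm{Encrypt}(n+1, \star, PK)$
  • Index hiding: for $u = 1, \ldots, n$

[Figure: index-hiding game between Challenger and Attacker; Challenger runs Setup(n) and picks $b \leftarrow \{0,1\}$]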
13
Results
  • Thm: Secure PLBE $\Rightarrow$ Secure TT
  • Same size CT and priv-keys
  • (black-box and publicly traceable)
  • New PLBE system:
  • CT-size $O(\sqrt{n})$, priv-key size $O(1)$
  • enc-time $O(\sqrt{n})$, dec-time $O(1)$

14
$\sqrt{n}$ PLBE Construction: hints
  • Arrange users in matrix
  • Key for user (x,y):
  • $K_{x,y}$ ? $R_x$ ? $C_y$
  • CT: one tuple per row, one tuple per col.
  • size $O(\sqrt{n})$
  • CT to user (i,j):
  • User (x,y) can dec. if
  • $(x > i)\ \text{OR}\ [(x = i)\ \text{AND}\ (y \ge j)]$

n = 36 users
 1  2  3  4  5  6
 7  8  9 10 11 12
13 14 15 16 17 18
19 20 21 22 23 24
25 26 27 28 29 30
31 32 33 34 35 36
[Figure: the same matrix, Encrypt to user (4,3)]
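
The tracing argument of slides 8 and 9, run against the matrix decryption rule on this slide, as an added example in Python that is not part of the presentation. The PLBE is modelled only by who can decrypt; the pirate decoder, its traitor set {5, 21, 30} and its 2% failure rate are constructed for illustration.

```python
import random

M_SIDE = 6                       # sqrt(n); n = 36 users as on the slide
N_USERS = M_SIDE * M_SIDE

def coords(index, m=M_SIDE):
    """1-based (row, column) of a user or target index, row-major."""
    return (index - 1) // m + 1, (index - 1) % m + 1

def can_decrypt(user, u, m=M_SIDE):
    """Slide rule: (x,y) reads a ciphertext to (i,j) iff x>i or (x==i and y>=j)."""
    (x, y), (i, j) = coords(user, m), coords(u, m)
    return x > i or (x == i and y >= j)

def make_pirate(traitor_keys, fail=0.02, rng=random):
    """Constructed stateless decoder D holding the traitors' keys. It is given
    u only because this model has no real ciphertext; its answer depends on u
    solely through which of its keys decrypt, as index hiding requires."""
    def D(u):
        ok = any(can_decrypt(k, u) for k in traitor_keys)
        return ok and rng.random() >= fail    # imperfect: fails 2% of the time
    return D

def trace(D, n=N_USERS, eps=0.1, samples=8000):
    """Estimate p_1..p_{n+1} by probing D, then flag every i whose estimated
    gap |p_{i+1} - p_i| reaches (1-eps)/(2n): half the guaranteed (1-eps)/n,
    leaving room for sampling error."""
    p = [sum(D(u) for _ in range(samples)) / samples for u in range(1, n + 2)]
    threshold = (1 - eps) / (2 * n)
    return [i + 1 for i in range(n) if abs(p[i + 1] - p[i]) >= threshold]

if __name__ == "__main__":
    pirate = make_pirate({5, 21, 30}, rng=random.Random(1))
    print("accused:", trace(pirate))
```

Only user 30 is accused even though users 5 and 21 also contributed keys: the argument guarantees that the accused user is one of the pirates, not that every pirate is found.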
15
Bilinear groups of order N = pq [BGN05]
  • G: group of order $N = pq$. (p, q)
    secret.
  • bilinear map $e : G \times G \to G_T$
  • $G = G_p \times G_q$. $g_p = g^q \in G_p$;
    $g_q = g^p \in G_q$
  • Facts: $h \in G \Rightarrow h = (g_q)^a \cdot (g_p)^b$
  • $e(g_p, g_q) = e(g^q, g^p) = e(g,g)^N = 1$
  • $e(g_p, h) = e(g_p, g_p)^b$ !!
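
The facts on this slide can be checked in a toy model that represents every group element by its discrete logarithm to base g. This is an added example in Python, not part of the presentation; the primes are constructed, and the model has no security because the logarithms are in the clear.

```python
# Exponent-space model: an element g^t of G is stored as t mod N, and an
# element e(g,g)^t of GT is stored as t mod N.
p, q = 1009, 1013                # constructed small primes; real p, q are large and secret
N = p * q

def mul(a, b):
    return (a + b) % N           # group operation (in G or in GT)

def power(a, k):
    return (a * k) % N           # a^k

def e(a, b):
    return (a * b) % N           # e(g^a, g^b) = e(g,g)^(a*b)

g = 1                            # log of the generator g
g_p = power(g, q)                # g^q generates the order-p subgroup Gp
g_q = power(g, p)                # g^p generates the order-q subgroup Gq

def decompose(h):
    """Return (a, b) with h = (g_q)^a * (g_p)^b, found by CRT on the exponent."""
    a = h * pow(p, -1, q) % q
    b = h * pow(q, -1, p) % p
    return a, b

def check_facts(h):
    """True when all three identities from the slide hold for h."""
    a, b = decompose(h)
    return (mul(power(g_q, a), power(g_p, b)) == h   # h = gq^a * gp^b
            and e(g_p, g_q) == 0                      # identity of GT has log 0
            and e(g_p, h) == power(e(g_p, g_p), b))   # Gq component of h vanishes

if __name__ == "__main__":
    print(all(check_facts(h) for h in (1, 12345, 777777, N - 1)))
```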

16
A $\sqrt{n}$ size PLBE
  • Ciphertext: $(C_1, \ldots, C_{\sqrt{n}}, R_1, \ldots, R_{\sqrt{n}})$
  • User (x,y) must pair $R_x$ and $C_y$ to decrypt

[Table: type (well-formed, malformed/random, or zero) of each component in $G_q$ and $G_p$, for $R_x$ with $x < i$, $x = i$, $x > i$ and $C_y$ with $y < j$, $y \ge j$]

Case                      Result
$x < i$                   No: $R_x$ not well formed
$x = i$, $y < j$          No: $C_y$ malformed in $G_p$
$x = i$, $y \ge j$        Yes: both well formed
$x > i$                   Yes: indep. of column
17
Summary and Open Problems
  • New results [BGW05, BSW06, BW06]
  • Full collusion resistance:
  • B.E.: $O(1)$ CT, $O(1)$ priv-keys but $O(n)$ PK
  • T.T.: $O(\sqrt{n})$ CT, $O(1)$ priv-keys.
  • T.R.: $O(\sqrt{n})$ CT, $O(\sqrt{n})$ priv-keys.
  • Open questions:
  • Private linear B.E. with $O(\log n)$ CT.
  • Private B.E. with short ciphertexts.

? FCR
18
THE END
19
BGN encryption
  • Subgroup assumption: $G \approx_p G_p$
  • E(m): $r \leftarrow Z_N$, $C \leftarrow g^m (g_p)^r \in G$
  • Additive hom: $E(m_1 + m_2) = C_1 \cdot C_2 \cdot (g_p)^r$
  • One mult hom: $E(m_1 \cdot m_2) = e(C_1, C_2) \cdot e(g_p, g_p)^r$

20
Results
  • Thm: Secure PLBE $\Rightarrow$ Secure TT
  • Same size CT and priv-keys
  • (black-box and publicly traceable)
  • New PLBE system:
  • CT-size $O(\sqrt{n})$, priv-key size $O(1)$
  • enc-time $O(\sqrt{n})$, dec-time $O(1)$
  • Applications:
  • Tracing Traitors: $O(\sqrt{n})$ CTs and $O(1)$
    keys.
  • Adaptive BE. (need Augmented PLBE)
  • Comparison searches on encrypted data.

21
T.T a popular problem
32 papers from 49 authors
O. Berkman D. Boneh H. Chabanne B. Chor Y. Desmedt Y. Dodis N. Fazio A. Fiat M. Franklin E. Gafni M. Goodrich D. Halevy G. Hanaoka D. Hieu-Phan H. Imai M. Kasahara A. Kiayias K. Kurosawa J. Lotspiech S. Mitsunari M. Naor D. Naor M. Parnas B. Pfitzmann B. Pinkas D. Pointcheval R. Safavi-Naini A. Sahai R. Sakai J. Sgall A. Shamir J. Shaw A. Silverberg J. Staddon D. Stinson J. Sun R. Tamassia G. Tardos T. Tassa V. To M. Waidner J. Walker Y. Wang Y. Watanabe B. Waters R. Wei L. Yin M. Yung F. Zhang
22
A Simple System
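  • n users in system, each gets separate key
  • User i gets $K_i$
  • Encrypt message separately to each user and lump the ciphertexts together
  • (Use hybrid encryption and encrypt an AES key)

[Figure: broadcast ciphertext made of $E(K_1, M)$, $E(K_2, M)$, ..., $E(K_n, M)$, with component $E(K_i, M)$ for user i]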
23
Tracing
  • Let $E(i, M)$ $\Rightarrow$ Encrypt R to $1, \ldots, i-1$ and M to $i, \ldots, n$

[Figure: $E(K_1, R)$, $E(K_2, R)$, ..., $E(K_{i-1}, R)$, $E(K_i, M)$, ..., $E(K_n, M)$]
  • $P_i$: prob. pirate device decrypts $E(i, M)$
  • Can learn the $P_i$'s from probing the device

i        P_i
1        100
j
j+1
n+1      0