A Fully Collusion Resistant Broadcast, Trace and Revoke System

Brent Waters, SRI International

Dan Boneh, Stanford


Broadcast Systems

Distribute content to a large set of users

•Commercial Content Distribution

•File systems

•Military Grade GPS

•Multicast IP


Trace & Revoke: A Tale of Two Problems

Broadcast Encryption: Encrypt messages M to a subset S of receivers

Traitor Tracing: Trace origin of pirate boxes

Trace & Revoke: Trace pirate box, remove from set of receivers

This talk: Overview of both, show challenges

•Light on mathematical details


Broadcast Encryption [FN’93]

Encrypt to arbitrary subsets S.

Collusion resistance:

•secure even if all users in S^c collude.

[Figure: receivers holding keys d1, d2, d3; S ⊆ {1,…,n}; CT = E[M,S]]


A Trivial Solution

Small private key, large ciphertext.

•Every user j has unique private key d_j.

CT = { E_{d_j}[M] | j ∈ S }

|CT| = O(|S|), |priv| = O(1)

Challenge: Get small ciphertext size


App: Encrypted File Systems

Broadcast to small sets: |S| << n

Best construction: trivial. |CT|=O(|S|) , |priv|=O(1)

Examples: EFS.

[Figure: File F stored as E_KF[F], with a header (< 256K) holding E_PKA[KF], E_PKB[KF], E_PKC[KF]]

MS Knowledge Base: EFS has a limit of 256KB in the file header for the EFS metadata. This limits the number of individual entries for file sharing to a maximum of 800 users.


Previous Solutions

t-Collusion resistant schemes [FN’93…]

•Resistant to t-colluders

•|CT| = O(t^2 log n), |priv| = O(t log n)

•Attacker knows t

Broadcast to large sets [NNL,HS,GST…]

•|CT| = O(r), |priv| = O(log n)

•Useful if small number of revoked players


Previous Solutions

Fully-Collusion resistant schemes [BGW’06]

•Resistant to any # of colluders

•|CT| = O(1), |priv| = O(1), |pub| = O(n)

•Algebraically-based / Uses Bilinear Groups

Ciphertext sizes are multiplied by the security parameter

FCR


Apps: Sharing in Enc. File System

Store PK on file system. n = 2^16, |PK| = 1.2MB

File header: ( [S], E[S,PK,KF] )

Sharing among “800” users:

•800×2 + 40 = 1640 bytes << 256KB

[Figure: File F stored as E_KF[F], with header Hdr = ( [S], E[S,PK,KF] ); S ⊆ {1, …, n}; E[S,PK,KF] is 40 bytes]


Tracing Pirate Devices [CFN’94]

•Attacker creates “pirated device”

•Want to trace origin of device


FAQ-1 “The Content can be Copied?”

DRM- Impossibility Argument

Protecting the service

Goal: Stop attacker from creating devices that access the original broadcast


FAQ 2-Why black-box tracing? [BF’99]

D: may contain unrecognized keys, is obfuscated, or tamper resistant.

All we know:

Pr[ M ←R G, C ←R Encrypt(PK, M) : D(C) = M ] > 1-

[Figure: pirate decoder D holding keys K1, K2, K3 alongside unrecognizable (obfuscated) data]


Previous Solutions

t-Collusion resistant schemes [CFN’93…]

•Resistant to t-colluders

•Attacker knows t

Fully-Collusion resistant schemes [BSW’06]

•Resistant to any # of colluders

•|CT| = O(n), |priv| = O(1)

•Algebraically-based / Uses Bilinear Groups


Trace and Revoke (This Work)

What happens when we catch a traitor?

•Torture?

•Re-do system?

Want Broadcast and Tracing simultaneously


Trace and Revoke


T&R = A simple Combination?

[Figure: Encrypt splits M into R and M-R; R is sent through B.E. and M-R through T.T. Decrypt recovers R from BE and M-R from TT, then M.]


A simple Attack

[Figure: same split as before: M into R (B.E.) and M-R (T.T.); the decoder recovers R from BE and M-R from TT, then M.]

2 colluders split duties

Catch same one over and over (box still works)
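
Added example (not from the original slides): a toy Python model of the naive combination and the split-duties problem above, showing tracing accuse the same user every round while the box keeps decrypting. The XOR split for R / M-R, the hash-based pad and the per-user toy T.T. scheme are assumptions for illustration, not BGW05 or BSW06; the B.E. half is the trivial scheme from the earlier slide.

```python
import hashlib, secrets
def pad(key, nonce):                       # toy stream pad; stands in for a real cipher
    return hashlib.sha256(key + nonce).digest()
def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class NaiveTR:
    """Naive combination: M is split into R (sent via B.E.) and M xor R (sent via T.T.)."""
    def __init__(self, n):
        self.n = n
        self.be = [secrets.token_bytes(16) for _ in range(n)]  # per-user B.E. keys
        self.tt = [secrets.token_bytes(16) for _ in range(n)]  # per-user T.T. keys

    def encrypt(self, m, S, garble=None):
        nonce, r = secrets.token_bytes(16), secrets.token_bytes(32)
        # B.E. half: trivial scheme, one slot per receiver in S (revocation lives here).
        be_ct = {j: xor(r, pad(self.be[j], nonce)) for j in S}
        # T.T. half: one slot per user; it has no notion of a receiver set.
        tt_ct = {j: xor(xor(m, r), pad(self.tt[j], nonce)) for j in range(self.n)}
        if garble is not None:             # tracing probe: corrupt one user's T.T. slot
            tt_ct[garble] = secrets.token_bytes(32)
        return nonce, be_ct, tt_ct

def pirate_box(be_user, be_key, tt_user, tt_key):
    """Box built by two colluders: one donates a B.E. key, the other a T.T. key."""
    def D(ct):
        nonce, be_ct, tt_ct = ct
        if be_user not in be_ct:           # the B.E. key's owner is not a receiver
            return None
        r = xor(be_ct[be_user], pad(be_key, nonce))
        return xor(r, xor(tt_ct[tt_user], pad(tt_key, nonce)))
    return D

def trace(system, D, S):
    """Black-box tracing: the user whose garbled T.T. slot breaks D is accused."""
    m = secrets.token_bytes(32)
    for i in range(system.n):
        if D(system.encrypt(m, S, garble=i)) != m:
            return i

def trace_and_revoke_rounds(n=8, tt_traitor=2, be_traitor=5, rounds=3):
    system = NaiveTR(n)
    D = pirate_box(be_traitor, system.be[be_traitor], tt_traitor, system.tt[tt_traitor])
    S, caught = set(range(n)), []
    for _ in range(rounds):
        caught.append(trace(system, D, S))
        S.discard(caught[-1])              # revoke the accused user from the B.E. set
    m = secrets.token_bytes(32)
    return caught, D(system.encrypt(m, S)) == m, S   # accused list, box still works?, S
```

Tracing only ever sees the T.T. half, and revocation only ever touches the B.E. half, so the user who donated the B.E. key is never accused and never removed from S.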


Our Approach (Intuition)

Can’t allow attackers to “separate” systems

•In general hard to combine

BGW05 (Broadcast) and BSW06 (Traitor Tracing) both algebraic

Multiply private keys together so can’t separate

•Not so easy… needed different B.E. scheme


Summary

T.R.: O(n) CT, O(n) priv-keys.

Public Key Tracing

•Secure even if tracing key lost

“Adaptive Security”

Open: Better Parameters:

FCR


THE END