1
A Fully Collusion Resistant Broadcast, Trace and Revoke
System
Brent Waters SRI International
Dan Boneh Stanford
2
Broadcast Systems
Distribute content to a large set of users
•Commercial Content Distribution
•File systems
•Military Grade GPS
•Multicast IP
3
Trace & Revoke: A Tale of Two Problems
Broadcast Encryption: Encrypt Messages M, to subset S of receivers
Traitor Tracing: Trace Origin of Pirate boxes
Trace & Revoke: Trace pirate box, remove from set of receivers
This talk: Overview both, show challenges
•Light on mathematical details
4
Broadcast Encryption [FN’93]
Encrypt to arbitrary subsets S.
Collusion resistance:
•secure even if all users in S^c collude.
[Figure: users holding private keys d1, d2, d3; S ⊆ {1,…,n}; CT = E[M,S]]
5
A Trivial Solution
Small private key, large ciphertext.
•Every user j has unique private key d_j.
CT = { E_dj[M] | j ∈ S }
|CT| = O(|S|) |priv| = O(1)
Challenge: Get small ciphertext size
6
App : Encrypted File Systems
Broadcast to small sets: |S| << n
Best construction: trivial. |CT|=O(|S|) , |priv|=O(1)
Examples: EFS.
MS Knowledge Base: EFS has a limit of 256KB in the file header for the EFS metadata. This limits the number of individual entries for file sharing to a maximum of 800 users.
[Figure: File F stored as E_KF[F], with a header (< 256K) holding E_PKA[K_F], E_PKB[K_F], E_PKC[K_F]]
7
Previous Solutions
t-Collusion resistant schemes [FN’93…]
•Resistant to t-colluders
•|CT| = O(t² log n) |priv| = O(t log n)
•Attacker knows t
Broadcast to large sets [NNL,HS,GST…]
•|CT| = O(r) |priv| = O(log n)
•Useful if small number of revoked players
8
Previous Solutions
Fully-Collusion resistant schemes [BGW’06]
•Resistant to any # of colluders
•|CT| = O(1) |priv| = O(1) |pub| = O(n)
•Algebraically-based / Uses Bilinear Groups
Ciphertexts are multiplied by security parameter
FCR
9
Apps: Sharing in Enc. File System
Store PK on file system. n = 2^16, |PK| = 1.2MB
File header: ( [S], E[S,PK,KF] )
Sharing among “800” users:
•800 × 2 + 40 = 1640 bytes << 256KB
[Figure: File F stored as E_KF[F], with header Hdr = ( [S], E[S,PK,KF] ); S ⊆ {1, …, n}; E[S,PK,KF] is 40 bytes]
10
Tracing Pirate Devices [CFN’94]
•Attacker creates “pirated device”
•Want to trace origin of device
11
FAQ-1 “The Content can be Copied?”
DRM- Impossibility Argument
Protecting the service
Goal: Stop attacker from creating devices that access the original broadcast
12
FAQ 2-Why black-box tracing? [BF’99]
D: may contain unrecognized keys, is obfuscated, or tamper resistant.
All we know:
Pr[ M ←R G, C ←R Encrypt(PK, M) : D(C) = M ] > 1-
[Figure: device D holding keys K1, K2, K3 among obfuscated data]
13
Previous Solutions
t-Collusion resistant schemes [CFN’93…]
•Resistant to t-colluders
•Attacker knows t
Fully-Collusion resistant schemes [BSW’06]
•Resistant to any # of colluders
•|CT| = O(n) |priv| = O(1)
•Algebraically-based / Uses Bilinear Groups
14
Trace and Revoke (This Work)
What happens when we catch a traitor?
•Torture?
•Re-do system?
Want Broadcast and Tracing simultaneously
15
Trace and Revoke
16
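T&R = A simple Combination?
[Figure: Encrypt splits M into R and M-R; R is encrypted with B.E., M-R with T.T. Decrypt recovers R from BE and M-R from TT, then recombines them into M]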
17
A simple Attack
[Figure: same diagram; M is split into R (B.E.) and M-R (T.T.) and recombined from BE and TT on decryption]
2 colluders split duties
Catch same one over and over (box still works)
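The failure on slides 16 and 17, as an added simulation that is not code from the talk or from the authors' scheme. Assumptions: both halves are modelled as the trivial per-user-key scheme with a toy hash-based cipher, the split uses XOR in place of R / M-R, and tracing is a linear black-box probe; all names are hypothetical.

```python
import hashlib, os

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def toy_enc(key, nonce, block):  # toy XOR-pad cipher for 32-byte blocks, not secure
    return xor(block, hashlib.sha256(key + nonce).digest())

class NaiveTraceRevoke:
    """Assumed model: independent per-user BE and TT keys, message split in two."""
    def __init__(self, n):
        self.be_keys = [os.urandom(16) for _ in range(n)]  # broadcast encryption
        self.tt_keys = [os.urandom(16) for _ in range(n)]  # traitor tracing
        self.revoked = set()
    def encrypt(self, m, tt_from=0):
        # R goes via BE (revoked users excluded), M xor R via TT; probes garble TT slots < tt_from.
        r, nonce = os.urandom(32), os.urandom(16)
        be_ct = {j: toy_enc(k, nonce, r)
                 for j, k in enumerate(self.be_keys) if j not in self.revoked}
        tt_ct = [toy_enc(k, nonce, xor(m, r) if j >= tt_from else os.urandom(32))
                 for j, k in enumerate(self.tt_keys)]
        return nonce, be_ct, tt_ct

def pirate_box(system, be_user, tt_user):  # the two keys may come from different users
    def box(ct):
        nonce, be_ct, tt_ct = ct
        if be_user not in be_ct:           # BE key revoked: box is dead
            return None
        r = toy_enc(system.be_keys[be_user], nonce, be_ct[be_user])
        return xor(r, toy_enc(system.tt_keys[tt_user], nonce, tt_ct[tt_user]))
    return box

def trace(system, box):
    # Black-box linear tracing on the TT half: first index whose garbling breaks the box.
    m = os.urandom(32)
    for i in range(len(system.tt_keys)):
        if box(system.encrypt(m, tt_from=i + 1)) != m:
            return i
    return None

def trace_and_revoke(system, box, rounds):
    caught = []
    for _ in range(rounds):
        m = os.urandom(32)
        if box(system.encrypt(m)) != m:    # box no longer decrypts: done
            break
        caught.append(trace(system, box))
        system.revoked.add(caught[-1])     # revocation only affects the BE half
    return caught
```

With a box built from user 2's BE key and user 5's TT key, every round traces user 5 and the box keeps decrypting; a box built from a single user's keys is disabled after one round.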
18
Our Approach (Intuition)
Can’t allow attackers to “separate” systems
•In general hard to combine
BGW05 (Broadcast) and BSW06 (Traitor Tracing) both algebraic
Multiply private keys together so can’t separate
•Not so easy… needed different B.E. scheme
19
Summary
T.R.: O(n) CT, O(n) priv-keys.
Public Key Tracing
•Secure even if tracing key lost
“Adaptive Security”
Open: Better Parameters:
FCR
20
THE END