
Privacy in Encrypted Content Distribution Using Private Broadcast Encryption

Adam Barth, Dan Boneh, Brent Waters


Private Broadcast Encryption

• Make data available to select principals
  – Encrypt the data to those principals
• Often important to hide the set of principals
  – BCC recipients in encrypted email
  – Customer list (hide from competitors)
  – Promotion committee can read evaluations
• Private broadcast encryption
  – Recipient privacy against active attackers


Related Work

• Key privacy in public-key setting [BBDP01]
  – IK-CCA: Ciphertext does not leak public key
    • Attacker viewing ciphertext encrypted under one of two public keys cannot guess which key was used
  – Cramer-Shoup is IK-CCA (with common prime)
  – Important building block for recipient privacy
• Previous broadcast encryption systems
  – Increasing collusion resistance
  – Reducing ciphertext overhead
  – We focus on hiding recipient set


Our Results

• Generic construction (standard model)
  – Achieves CCA recipient privacy
  – Uses generic IK-CCA public-key system
  – Decryption time is linear in number of recipients
• Efficient construction (random oracle)
  – Achieves CCA recipient privacy
  – Assumes CDH is hard
  – Decryption in O(1) cryptographic operations


Broadcast Systems in Practice

• Microsoft Outlook
  – Encrypted email as a broadcast system
  – Outlook completely reveals BCC recipients
    • issuerAndSerialNumber
  – BCC recipients’ names can appear in the clear
  – Could send separate message for email
• Windows Encrypted File System
• Pretty Good Privacy (PGP)
  – GnuPG as an example implementation


Pretty Good Privacy?

• Message encrypted with symmetric key, K
• K encrypted for each recipient
• To speed decryption, components labeled with KeyIDs
  – Hash of public key
• User identities completely revealed

[Diagram: ciphertext layout]
A: {K}pk(A)
B: {K}pk(B)
C: {K}pk(C)
{ }K


Recipient Privacy in PGP

• PGP labels encryptions using a KeyID

    C:\gpg>gpg --verbose -d message.txt
    gpg: armor header: Version: GnuPG v1.2.2 (MingW32)
    gpg: public key is 3CF61C7B
    gpg: public key is 028EAE1C

• KeyIDs easily translated into names and email addresses using a public key server
• GPG includes option to withhold KeyIDs
  – Vulnerable to passive recipient privacy attack


Security Model


Private Broadcast Encryption

• I Setup()
  – Generates global parameters I
• (pk, sk) Keygen(I)
  – Generates public-private key pairs
• C Encrypt(S, M)
  – Encrypts plaintext M for recipient set S
• M Decrypt(sk, C)
  – Decrypts ciphertext C with private key sk


CPA Recipient Privacy Defined

[Diagram: game between Adversary and Challenger]
Global Parameter
S0 and S1 (subsets of {1, …, n} such that |S0| = |S1|)
All public keys
Secret keys for S0 S1
b R {0,1}
M encrypted for Sb as C*
Guess b’
Adversary wins if b’ = b

Some schemes vulnerable with large overlap, whereas others are vulnerable with small overlap


Simple CPA Recipient Privacy

• Remove labels
• Use key-private scheme
• Reorder components

• O(n) decrypt time
• CPA recipient privacy
• But, active attack…
  – Even with IK-CCA

[Diagram: the labeled components A: {K}pk(A), B: {K}pk(B), C: {K}pk(C) are reordered and their labels crossed out, giving {K}pk(B), {K}pk(A), {K}pk(C), followed by { }K]


Active Attack on Simple Scheme

• Attacker a recipient
  – Learns K
• Replaces message with something alluring
• Forwards malicious message to Alice
• Waits for response
• Receives response only if Alice was a recipient

[Diagram: unlabeled components {K}pk(B), {K}pk(A), {K}pk(C), followed by { }K]


CCA Recipient Privacy Defined

[Diagram: game between Adversary and Challenger]
Global Parameter
S0 and S1 (subsets of {1, …, n} such that |S0| = |S1|)
All public keys
Secret keys for S0 S1
b R {0,1}
M encrypted for Sb as C*
Guess b’
Adversary wins if b’ = b
Decrypt query on (u, C)
Decrypt query on (u, C) (C C*)


Constructions


Primitives Used in Constructions

• Strong correctness
  – Decrypting with wrong key results in
• Strong signatures
  – Attacker cannot create a new signature
  – Even on a previously signed message
  – Example: RSA full-domain hash
• CCA key private (IK-CCA) cryptosystem
  – Ciphertext does not leak public key


Generic CCA Construction

• Start with CPA scheme
• Generate a fresh signing key pair (vk, sk)
• Include verification key, vk, in each component
• Sign the ciphertext

• Thm: CCA recipient private
• O(n) decryption time

[Diagram: ciphertext layout]
{vk, K}pk(B)
{vk, K}pk(A)
{vk, K}pk(C)
{ }K


Added Primitives for Efficiency

• A group G where CDH is hard
  – Extend public keys with g^a, private keys with a
• Model hash function as a random oracle
  – Use extraction property to break CDH
  – Use DH self-corrector [Shoup97]


Ciphertext Component Labels

• Speed decryption with private labels
• To make labels for every component:
  – Pick a single fresh exponent r
  – Include g^r in the ciphertext
  – Label component for (pk, g^a) with H(g^{ar})
• Each recipient computes own label with g^r and a
  – Attacker can not associate H(g^{ar}) with g^a
• Still need to tie labels to verification key…
  – Include g^{ar} in ciphertext components
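The labeling step above, sketched in Python as an added example; it is not code from the slides or from the authors. The toy modulus, SHA-256 standing in for H, the opaque component byte strings and all function names are assumptions, and the public-key encryption and signature layers are left out.

```python
import hashlib
import secrets

# Assumption: toy group so the demo runs offline. 2**127 - 1 is prime, but the
# group order is smooth, so this modulus is NOT secure; the slides only require
# "a group G where CDH is hard".
P = 2**127 - 1
G = 3


def H(x: int) -> bytes:
    """SHA-256 standing in for the random oracle H on group elements."""
    return hashlib.sha256(x.to_bytes(16, "big")).digest()


def keygen():
    """Return (a, g^a): the exponent added to a private/public key pair."""
    a = secrets.randbelow(P - 3) + 2
    return a, pow(G, a, P)


def static_keyid(ga: int) -> bytes:
    """PGP-style label: a hash of the public key, identical in every message."""
    return H(ga)[:4]


def make_labels(recipient_gas, components):
    """Sender: one fresh r per ciphertext; label each component H(g^{ar}).

    `components` are opaque placeholders for the encrypted {vk, g^{ar}, K}.
    Entries are sorted by label so their order says nothing about the sender's
    recipient list.
    """
    r = secrets.randbelow(P - 3) + 2
    gr = pow(G, r, P)
    labeled = {H(pow(ga, r, P)): c for ga, c in zip(recipient_gas, components)}
    return gr, dict(sorted(labeled.items()))


def find_component(a: int, gr: int, labeled):
    """Recipient: one exponentiation, one hash, one table lookup."""
    return labeled.get(H(pow(gr, a, P)))


if __name__ == "__main__":
    (a, ga), (b, gb), (e, ge) = keygen(), keygen(), keygen()
    gr, labeled = make_labels([ga, gb], [b"component-A", b"component-B"])
    print(find_component(a, gr, labeled))   # Alice's own component
    print(find_component(e, gr, labeled))   # non-recipient: no label matches
```

Unlike the static KeyID, the label set changes with every ciphertext because r is fresh, so two messages to the same recipients share no label.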


Efficient CCA Construction

• Thm: CCA recipient private (in RO model)
• O(1) cryptographic operations for decryption

[Diagram: ciphertext layout]
H(g^{br}): {vk, g^{br}, K}pk(B)
H(g^{ar}): {vk, g^{ar}, K}pk(A)
H(g^{cr}): {vk, g^{cr}, K}pk(C)
{M}K, g^r


Conclusions

• Many widely-deployed content distribution systems lack recipient privacy
  – Email and encrypted file systems
• Introduced private broadcast encryption
  – Recipient privacy against an active attacker
  – Performance similar to non-private schemes
• Open problem: private broadcast encryption with shorter ciphertext


Questions?


Broadcast Semantics of Email

[Diagram: a Mail User Agent (MUA), a Mail Transfer Agent (MTA), two Recipient MTAs and three Recipients]


BCC privacy in S/MIME

• S/MIME label is the RecipientInfo field.
• Label consists of the issuer and serial number of the recipient’s certificate
• Self-signed certificate:
  – Full name and email address in the clear

    444:d=9 hl=2 l= 3 prim: OBJECT :commonName
    449:d=9 hl=2 l= 11 prim: PRINTABLESTRING :Henry Kyser
    462:d=7 hl=2 l= 32 cons: SET
    464:d=8 hl=2 l= 30 cons: SEQUENCE
    466:d=9 hl=2 l= 9 prim: OBJECT :emailAddress
    477:d=9 hl=2 l= 17 prim: IA5STRING :[email protected]

• VeriSign certificate: identity at verisign.com


BCC Privacy by User Agent

[Table: user agents by row (S/MIME-based, PGP-based) and column (Completely Exposes, Partially Reveals, Protects Identity); per-cell placement not recoverable]
User agents listed: Apple Mail.app 2.622, Outlook 2003, Outlook Express 6, Thunderbird 1.02, Outlook Web Access, EudoraGPG 2.0, GPGshell 3.42, Hushmail, KMail 1.8, PGP Desktop 9.0, Turnpike 6.04


Sending Separate Encryptions

• Sending separate encryptions provides BCC privacy
• Advantages of separate encryptions
  – Can be deployed immediately and unilaterally
  – Conceals the number (and existence of) BCC recipients
• Disadvantages of separate encryptions
  – Difficult to implement for MUA plug-ins such as EudoraGPG
  – Increases MTA workload and network traffic