1 / 20

A Fully Collusion Resistant Broadcast, Trace and Revoke System

A Fully Collusion Resistant Broadcast, Trace and Revoke System. Dan Boneh Stanford. Brent Waters SRI International. Broadcast Systems. Distribute content to a large set of users. Commercial Content Distribution File systems Military Grade GPS Multicast IP.

josef
Download Presentation

A Fully Collusion Resistant Broadcast, Trace and Revoke System

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. A Fully Collusion Resistant Broadcast, Trace and Revoke System Dan Boneh Stanford Brent Waters SRI International

  2. Broadcast Systems Distribute content to a large set of users • Commercial Content Distribution • File systems • Military Grade GPS • Multicast IP

  3. Trace & Revoke: A Tale of Two Problems • Broadcast Encryption: Encrypt Messages M, to subset S of receivers • Traitor Tracing: Trace Orgin of Pirate boxes • Trace & Revoke: Trace pirate box, remove from set of receivers • This talk: Overview both, show challenges • Light on mathematical details

  4. Broadcast Encryption [FN’93] • Encrypt to arbitrary subsets S. • Collusion resistance: • secure even if all users in Sc collude. d1 CT = E[M,S] d2 S  {1,…,n} d3

  5. A Trivial Solution • Small private key, large ciphertext. • Every user j has unique private key dj . CT = { Edj[M] | jS } |CT| = O(|S|) |priv| = O(1) • Challenge: Get small ciphertext size

  6. EPKC[KF] Header< 256K App : Encrypted File Systems • Broadcast to small sets: |S| << n • Best construction: trivial. |CT|=O(|S|) , |priv|=O(1) • Examples: EFS. MS Knowledge Base:EFS has a limit of 256KB in the file header for the EFS metadata. This limits the number of individual entries for file sharing to a maximum of 800 users. EPKB[KF] EPKA[KF] File FEKF[F]

  7. Previous Solutions • t-Collusion resistant schemes [FN’93…] • Resistant to t-colluders • |CT| = O(t2log n) |priv| = O(tlog n) • Attacker knows t • Broadcast to large sets [NNL,HS,GST…] • |CT|= O(r) |priv|=O(log n) • Useful if small number of revoked players

  8. Previous Solutions • Fully-Collusion resistant schemes [BGW’06] • Resistant to any # of colluders • |CT| = O(1) |priv| = O(1) |pub| = O(n) • Algebraically-based / Uses Bilinear Groups • Ciphertexts are multiplied security parameter  FCR

  9. [S] E[S,PK,KF] Hdr File FEKF[F] Apps: Sharing in Enc. File System • Store PK on file system. n=216 |PK|=1.2MB • File header: ([S], E[S,PK,KF]) • Sharing among “800” users: • 8002 + 40 = 1640 bytes << 256KB S  {1, …, n } 40 bytes

  10. Tracing Pirate Devices[CFN’94] • Attacker creates “pirated device” • Want to trace origin of device

  11. FAQ-1 “The Content can be Copied?” • DRM- Impossibility Argument • Protecting the service • Goal: Stop attacker from creating devices that access the original broadcast

  12. FAQ 2-Why black-box tracing? [BF’99] • D: may contain unrecognized keys, is obfuscated, or tamper resistant. • All we know: Pr[ M  G, C  Encrypt (PK, M) : D(C)=M] > 1- K1 D: K3 K$*JWNFD&RIJ$ K2 R R

  13. Previous Solutions • t-Collusion resistant schemes [CFN’93…] • Resistant to t-colluders • Attacker knows t • Fully-Collusion resistant schemes [BSW’06] • Resistant to any # of colluders • |CT| = O(n) |priv| = O(1) • Algebraically-based / Uses Bilinear Groups

  14. Trace and Revoke (This Work) • What happens when catch traitor? • Torture? • Re-do system? • Want Broadcast and Tracing simultaneously

  15. Trace and Revoke

  16. BE TT M R M-R R M-R M T&R=A simple Combination? Encrypt B.E T.T. Decrypt

  17. BE TT M R M-R B.E T.T. R M-R M A simple Attack • 2 colluders split duties • Catch same one over and over (box still works)

  18. Our Approach (Intuition) • Can’t allow attackers to “separate” systems • In general hard to combine • BGW05 (Broadcast) and BSW06(Traitor Tracing) both algebraic • Multiply private keys together so can’t separate • Not so easy… needed different B.E. scheme

  19. Summary FCR • T.R.:O(n) CT, O(n) priv-keys. • Public Key Tracing • Secure even if tracing key lost • “Adaptive Security” • Open: Better Parameters:

  20. THE END

More Related