1 / 25

Multimedia Security

Broadcast Encryption Amos Fiat & Moni Naor Advances in Cryptography - CRYPTO ’93 Proceeding, LNCS, Vol. 773, 1994, pp. 480-491. Multimedia Security. Outline. Introduction Zero Message Schemes The basic scheme 1-resilient scheme based on one-way function

yestin
Download Presentation

Multimedia Security

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Broadcast EncryptionAmos Fiat & Moni NaorAdvances in Cryptography - CRYPTO ’93 Proceeding, LNCS, Vol. 773, 1994, pp. 480-491 Multimedia Security

  2. Outline • Introduction • Zero Message Schemes • The basic scheme • 1-resilient scheme based on one-way function • 1-resilient scheme based on computational number theoretic assumptions • Low-Memory k-Resilient Schemes • One-level schemes • Multi-level schemes • An Example and Implementation Considerations

  3. … User 1 User 2 User 3 User N Keys Keys Keys Collusion Keys … Problem Formulation • Participants • A center • A set of users • Rules • The center provides the users with prearranged keys when they join the system • At some time, the center wish to broadcast a message (e.g. a key to decipher a video clip) to a dynamic changing privileged subsetof the users only Broadcast center

  4. User 1 User 2 User 3 User N Key1 Key2 Key3 KeyN … … User 1 User 2 User 3 User N Keys for all subsets User 1 belongs to Keys for all subsets User 2 belongs to Keys for all subsets User 3 belongs to Keys for all subsets User N belongs to … Obvious but Stupid Solutions Broadcast center Total processing/transmission time is long! Broadcast center Every user must store a large number of keys!!

  5. Goal of This Paper • To provide solutions which are efficient in both • Transmission length • Storage at the user’s end • The scheme is considered broken if a user that does not belong to the privileged class can read the transmission

  6. Definitions • Broadcast Scheme • One allocate keys to users so that given a subset of T of all users U, the center can broadcast messages to all users following which all members ofThave a common key • Resiliency • A broadcast scheme is called resilient to a set S if for every subset T that does not intersect with S, no eavesdroppers, that has all secrets associated with members of S, can obtain knowledge of the secret common to T

  7. Definitions (cont.) • k-resiliency • A scheme is called k-resilient if it is resilient to any set of S of size k • (k, p)-random-resiliency • With probability at least 1-p, the scheme is resilient to a set S of size k, chosen at random from U

  8. Zero Message Schemes vs. More General Schemes • Zero Message Schemes • Knowing the privileged subset T suffices for all users x belong to T to compute a common key with the center without any transmission • To transmit information implies using this common key to encrypt the data transmitted • More General Schemes • The center must transmit many messages

  9. Approach for Constructing Schemes Low resiliency zero-message schemes Assumption free constructions Constructions based on existence of one-way functions Constructions based on number theoretic assumptions Higher resiliency, but not zero-message type schemes One-level Schemes Multi-level Schemes

  10. Zero Message Schemes

  11. The Basic Scheme • Users can determine a common key for every subset, resilient to any set S of size k • For every set B U, 0 |B| k, define a key KB to every user x U-B. The common key to the privileged set T is simply the exclusive-or all keys KB, B U-T. • Each coalition of S k users will all be missing KS, and will be unable to compute the common key for T since S T is empty

  12. A Very Simple Example • U={a, b, c}, n=3, k=2 • B={a, b, c, {a,b}, {a,c}, {b,c}} • Keys={Ka, Kb, Kc, Kab, Kac, Kbc} • Prearranged keys • User a: Kb, Kc, Kbc • User b: Ka, Kc, Kac • User c: Ka, Kb, Kab • If T={b, c}, KT= KM, M U-T=Ka • If T={b}, KT=Ka Kc Kac

  13. Unacceptable memory requirement!! Analysis of the Basic Scheme • The memory requirements for this scheme are every user is assigned keys. Theorem 1: There exist a k-resilient scheme that requires each user to store keys and the center need not broadcast any message in order to generate a common key to the privileged class 1-resilient version: n-1 keys

  14. 1-Resilient Scheme Based on One-way Function • Reduced from n-1 keys to keys • The keys are pseudo-randomly generated from a common seed • Assume that one-way function exist and hence pseudo-random generators exist. Let f:{0,1}l  {0,1}2lbe a pseudo-random number generator • The length of the output f is twice the length of the input

  15. 1-Resilient Scheme Based on One-way Function (cont.) • Associate the n users with the leaves of a balanced binary tree on n nodes • The root is labeled with the common seed s {0,1}l • Other vertices are labeled recursively • Apply the pseudo-random generator f to the root label and taking the left half of of f(s) to the label of the left subtree while the right half to the label of the right subtree

  16. 1-Resilient Scheme Based on One-way Function (cont.) • Every user x should get all the keys except the one associated with the singleton set B={x} • Remove the path from the leaf associated with the user x to the root, thus resulting in a forest of forests • Provide user x with the labels associated with the leaves of that subtree

  17. S={0,1}l f f f f f f f f f f f A B C D A C D Another Simple Example Theorem 2. If one-way function exist, then there exist a 1-resilient scheme that requires each user to store log n keys and the center need not to broadcast any message in order to generate a common key to the privileged class

  18. 1-Resilient Scheme Based on Number Theoretic Assumption • The center chooses a random hard to factor composite N=PQ where P and Q are primes • The center also chooses a secret value g • User i is assigned key gi=gpi, where pi, pj are relative prime for all i, j belongs to U. • All users know what user index refers to what pi

  19. 1-Resilient Scheme Based on Number Theoretic Assumption • A common key for users T is taken as the value gT=gpTmod N, where pT= • Every user i T can compute gT by evaluating • For user jnot belonging to T, if he can compute the common key, it implies that he can compute g (by Euclidean GCD algorithm…) mod N

  20. 1-Resilient Scheme Based on Number Theoretic Assumption Theorem 3. If extracting root modulo composite is hard, then there exists a 1-resilient scheme that requires each user to store one key and the center need not broadcast any message in order to generate a common key to the privileged class

  21. Low Memory k-Resilient Schemes

  22. Perfect Hash Function in a Family of Functions • A family of functions f1,…,fl: U{1,…m} with the following property is required • For any subset S belongs to U and |S|=k, there exists some I such that for all x, y S, fi(x) fi(y) • This family of functions contains a perfect hash function for all size k subsets of U when mapped to the range {1,…,m}

  23. Constructing k-resilient scheme from a 1-resilient Scheme j 1 … m 1 : : l 1-resilient scheme R(i,j) i Keys for each user x associated with scheme R(i, fi(x)) M= Mi Broadcast Messages using R(i, fi(x)) for • Number of keys stored by each user: l* number of keys in 1-resilient scheme • Number of transmissions: l*m*number of transmission in 1-resilient scheme

  24. Mathematical Exploitations • The probability that random fi is 1-1 on S • set m=2k2 • The probability that no fi is 1-1 on s • set l=k logn • The probability that for all subset S of size k, the probability that there is a 1-1 fi

  25. Existence of k-resilient Schemes • There exist a k-resilience scheme that requires each user to store O(k logn w) keys and the center to broadcast O(k3logn) messages. The scheme can be constructed effectively with arbitrarily high probability by increasing the parameters • Explicit constructions of fi • Error-correcting codes of large relative distance over am alphabet of O(k2)

More Related