A Fully Collusion Resistant Broadcast, Trace and Revoke System Brent Waters SRI International

A Fully Collusion Resistant Broadcast,
Trace and Revoke System
Dan Boneh
Stanford
Brent Waters
SRI International
1
Broadcast Systems
Distribute content to a large set of users
• Commercial Content Distribution
• File systems
• Military Grade GPS
• Multicast IP
2
Trace & Revoke: A Tale of Two Problems

Broadcast Encryption: Encrypt messages M to a subset S of receivers

Traitor Tracing: Trace origin of pirate boxes

Trace & Revoke: Trace pirate box, remove from set of receivers

This talk: Overview of both, show challenges
• Light on mathematical details
3
Broadcast Encryption
[FN’93]
CT = E[M,S]
S ⊆ {1,…,n}
[Diagram: CT broadcast to receivers holding private keys d1, d2, d3]

Encrypt to arbitrary subsets S.

Collusion resistance:
• secure even if all users in Sᶜ (the complement of S) collude.
4
A Trivial Solution

Small private key, large ciphertext.
• Every user j has unique private key dj .
CT = { E_dj[M] | j ∈ S }
|CT| = O(|S|)

|priv| = O(1)
Challenge: Get small ciphertext size
5
App: Encrypted File Systems

Broadcast to small sets:
|S| << n

Best construction: trivial.

Examples: EFS.
MS Knowledge Base: "EFS has a limit of 256KB in the file header for the EFS metadata. This limits the number of individual entries for file sharing to a maximum of 800 users."
|CT| = O(|S|), |priv| = O(1)
[Diagram: file header (< 256K) holding E_PKA[KF], E_PKB[KF], E_PKC[KF], followed by File F stored as E_KF[F]]
6
Previous Solutions

t-Collusion resistant schemes [FN’93…]
• Resistant to t-colluders
• |CT| = O(t2log n)
|priv| = O(tlog n)
• Attacker knows t

Broadcast to large sets [NNL,HS,GST…]
• |CT|= O(r)
|priv|=O(log n)
• Useful if small number of revoked players
7
Previous Solutions

Fully-Collusion resistant schemes [BGW’06]
• Resistant to any # of colluders
• |CT| = O(1) |priv| = O(1) |pub| = O(n)
• Algebraically-based / Uses Bilinear Groups

Ciphertext sizes are multiplied by the security parameter κ
8
Apps: Sharing in Enc. File System

Store PK on file system.

File header: ( [S], E[S,PK,KF] )
n = 2¹⁶ ⇒ |PK| = 1.2MB
E[S,PK,KF]: 40 bytes

Sharing among “800” users:
• 800 × 2 + 40 = 1640 bytes << 256KB
[Diagram: Hdr holding [S], with S ⊆ {1, …, n}, and E[S,PK,KF], followed by File F stored as E_KF[F]]
9
Tracing Pirate Devices [CFN’94]
• Attacker creates “pirated device”
• Want to trace origin of device
10
FAQ-1 “The Content can be Copied?”

DRM- Impossibility Argument

Protecting the service

Goal: Stop attacker from creating devices that
access the original broadcast
11
FAQ-2 Why black-box tracing?
[Diagram: pirate decoder D assembled from keys K1, K2, K3; its contents appear only as scrambled data (K$*JWN FD&RIJ$)]

D may contain unrecognized keys, is obfuscated, or tamper resistant.

All we know [BF’99]:
Pr[ M ←R G, C ←R Encrypt(PK, M) : D(C) = M ] > 1 − ε
12
Previous Solutions

t-Collusion resistant schemes [CFN’93…]
• Resistant to t-colluders
• Attacker knows t

Fully-Collusion resistant schemes [BSW’06]
• Resistant to any # of colluders
• |CT| = O(n) |priv| = O(1)
• Algebraically-based / Uses Bilinear Groups
13
Trace and Revoke
(This Work)

What happens when we catch a traitor?
• Torture?
• Re-do system?

Want Broadcast and Tracing simultaneously
14
Trace and Revoke
15
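T&R = A Simple Combination?
[Diagram: Encrypt splits M into R and M−R; R is encrypted with B.E. and M−R with T.T. Decrypt uses BE to recover R and TT to recover M−R, then recombines them into M.]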
16
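A Simple Attack
2 colluders split duties
Catch same one over and over (box still works)
[Diagram: the same split of M into R and M−R under B.E. and T.T.; the BE and TT decryption parts of the pirate box come from different colluders]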
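Added example (not from the original slides): a toy simulation of the naive combination and the two-colluder attack above, showing why tracing plus revocation never disables the box. It assumes the trivial per-user scheme for both B.E. and T.T., a SHA-256 pad as a stand-in cipher, and XOR in place of M−R; all function names and the population N = 8 are constructed.

```python
import hashlib, secrets

# Added example: toy stand-ins, not the pairing-based schemes the talk is about.
N = 8  # constructed toy population of users 0..7

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def enc(key, nonce, x):
    """Toy E_dj[x]: XOR with a SHA-256 pad (also decrypts); x must be 32 bytes."""
    return xor(hashlib.sha256(key + nonce).digest(), x)

def encrypt_slots(keys, x, S):
    """Trivial scheme from the slides: CT = { E_dj[x] | j in S }."""
    nonce = secrets.token_bytes(16)
    return nonce, {j: enc(keys[j], nonce, x) for j in S}

def open_slot(key, j, ct):
    nonce, slots = ct
    return enc(key, nonce, slots[j]) if j in slots else None

def broadcast(be_keys, tt_keys, M, S):
    """Naive T&R: share R goes through B.E. (set S), share M xor R through T.T. (all)."""
    R = secrets.token_bytes(32)
    return encrypt_slots(be_keys, R, S), encrypt_slots(tt_keys, xor(M, R), range(N))

def make_box(a, be_key, b, tt_key):
    """Pirate decoder: colluder a supplies only a B.E. key, colluder b only a T.T. key."""
    def box(ct_be, ct_tt):
        R, T = open_slot(be_key, a, ct_be), open_slot(tt_key, b, ct_tt)
        return xor(R, T) if R is not None and T is not None else None
    return box

def trace(box, be_keys, tt_keys, S):
    """Black-box tracing: corrupt one T.T. slot at a time, see which one breaks the box."""
    for i in range(N):
        M = secrets.token_bytes(32)
        ct_be, (nonce, slots) = broadcast(be_keys, tt_keys, M, S)
        slots[i] = secrets.token_bytes(32)
        if box(ct_be, (nonce, slots)) != M:
            return i

def run(a=2, b=5, rounds=3):
    be_keys, tt_keys = ([secrets.token_bytes(16) for _ in range(N)] for _ in range(2))
    box, S, caught = make_box(a, be_keys[a], b, tt_keys[b]), set(range(N)), []
    for _ in range(rounds):
        caught.append(trace(box, be_keys, tt_keys, S))
        S.discard(caught[-1])  # revoke the traced user from the B.E. set
    M = secrets.token_bytes(32)
    return caught, box(*broadcast(be_keys, tt_keys, M, S)) == M, a in S
```

Every round traces colluder b, whose B.E. key the box never used, so revoking b changes nothing and colluder a stays in S.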
17
Our Approach (Intuition)

Can’t allow attackers to “separate” systems
• In general hard to combine

BGW05 (Broadcast) and BSW06 (Traitor Tracing) both algebraic

Multiply private keys together so can’t separate
• Not so easy… needed different B.E. scheme
18
Summary
O(n) CT,

T.R.:

Public Key Tracing
O(n) priv-keys.
• Secure even if tracing key lost

“Adaptive Security”

Open: Better Parameters:
19
THE END
20