Fully Collusion Resistant Traitor
Tracing with Short Ciphertexts
and Private Keys
Dan Boneh, Amit Sahai, and Brent Waters
1
Broadcast Systems
Distribute content to a large set of users
•Commercial Content Distribution
•File systems
•Military Grade GPS
•Multicast IP
2
Tracing Pirate Devices[CFN’94]
•Attacker creates “pirated device”
•Want to trace origin of device
3
FAQ-1 “The Content can be Copied?”

DRM- Impossibility Argument

Protecting the service

Goal: Stop attacker from creating devices that
access the original broadcast
4
FAQ 2-Why black-box tracing?
K1
K3
D:
K2

D:

All we know:
[BF’99]
K$*JWN
FD&RIJ$
may contain unrecognized keys,
is obfuscated, or tamper resistant.
Pr[ M R G, C R Encrypt (PK, M) : D(C)=M] > 1-
5
Formally: Secure TT systems
(1) Semantically secure, and

TraceD( TK )
S  {1, …, n }
PK, TK, { Kj | j  S }
Pirate Decoder
Attacker
Challenger
Run
Setup(n)
(2) Traceable:
D
i  {1,…,n}
Adversary wins if:
(1) Pr[D(C)=M] > 1-,
(2)
and
iS
6
Brute Force System

Setup (n):
Generate n PKE pairs
(PKi, Ki)
Output private keys
K1 , …, Kn
PK  (PK1, …, PKn) ,
TK  PK .
C  ( EPK1(M), …, EPKn(M)
)

Encrypt (PK, M):

Tracing:

This is the best known TT system secure under
arbitrary collusion.
next slide.
… until now
7
D
Trace (PK):


[BF99, NNL00, KY02]
R G :
For i = 1, …, n+1 define for M 
pi := Pr[
D( EPK1(), …, EPKi-1(), EPKi(M), …, EPKn(M) ) = M ]
Then:
p1 > 1-  ;

pn+1  0
1- = |pn+1 – p1 | =
n
|
p
i=1
i+1
– pi
n
|  i=1
 |p

Exists i{1,…,n} s.t.

User i must be one of the pirates.
i+1
– pi
|
| pi+1 – pi |  (1- )/n
8
Security Theorem


Tracing algorithm estimates: | pi - pi | < (1-)/4n
 Need O(n2) samples per pi.
(D – stateless)
 Cubic time tracing.
•

Can be improved to quadratic in |S| .
Thm:
underlying PKE system is semantically secure

No eff. adv wins tracing game with non-neg adv.
9
Abstracting the Idea
[BSW’06]
Properties needed:
For i = 1 ,… , n+1 need to encrypt M so:

1
i-1
users cannot
decrypt

n
i
users can
decrypt
Without Ki adversary cannot distinguish:
Enc(i, PK, M)
from
Enc(i+1, PK, M)
Linear
Broadcast
Encryption
Private
B.E.
10
Private Linear Broadcast Enc (PLBE)
• Setup(n):
outputs private keys
and public-key PK.
K1 , …, Kn
• Encrypt( u, PK, M):
Encrypt M for users {u, u+1, …, n}
Output ciphertext CT.
• Decrypt(CT, j, Kj, PK):
If j  u, output M

Broadcast-Encrypt(PK,M) := Encrypt( 1, PK, M)

Note:
slightly more complicated defs in [BSW’06]
11
Security definition

Message hiding:
given all private keys:
P
Encrypt( n+1 , M, PK)

Index hiding:
Run
Setup(n)
Encrypt( n+1 , , PK)
for u = 1, … , n :
PK, { Kj | j  u }
b{0,1}
C*  Enc( u+b, PK, m)
Attacker
Challenger
m
b’  {0,1}
12
Results

Thm:
Secure PLBE  Secure TT
Same size CT and priv-keys
(black-box and publicly traceable)

New PLBE system:
CT-size = O(n)
enc-time = O(n)
;
;
priv-key size = O(1)
dec-time = O(1)
13
n PLBE Construction: hints

Arrange users in matrix

Key for user (x,y):
Kx,y  Rx  Cy


CT:
one tuple per row,
one tuple per col.
size = O(n)
CT to user (i,j):
User (x,y) can dec. if
(x > i) OR
[ (x=i) AND (y  j) ]
n=36 users
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
Encrypt to user (4,3)
14
Bilinear groups of order N=pq

G: group of order N=pq.
bilinear map:


G = Gp  G q .
Facts:
hG
(p,q) – secret.
e: G  G  GT
gp = gq  Gp

[BGN’05]
;
gq = gp  Gq
h = (gq)  (gp)
a
p
b
q
N
e( gp , gq ) = e(g , g ) = e(g,g) = 1
e( gp , h ) = e( gp , gp)
b
!!
15
A n size PLBE

Ciphertext:
( C1, …, Cn, R1, …, Rn )

User (x,y) must pair Rx and Cy to decrypt
Well-formed
Malformed/Random
Zero
Type
Rx : x < i
Rx: x = i
Rx : x > i
C y: y < j
C y: y  j
Gq Gp
Case
Result
x<i
No: Rx not well formed
x=i & y < j
No: Cy malformed in Gp
x=i & y  j
Yes: both well formed
x>i
Yes: indep. of column
16
Summary and Open Problems

New results:
[BGW’05, BSW’06, BW’06]
• Full collusion resistance:
• B.E: O(1) CT,
• T.T:
O(n) CT,
• T.R.: O(n) CT,

O(1) priv-keys
… but O(n) PK
O(1) priv-keys.
O(n) priv-keys.
Open questions:
• Private linear B.E. with O(log n) CT.
• Private B.E. with short ciphertexts.
17
THE END
18
BGN encryption

Subgroup assumption:

E(m) :
G p G p
r
r  ZN , C  gm (gp)  G
• Additive hom:
E(m1+m2) = C1  C2  (gp)r
• One mult hom:
E(m1m2) = e(C1,C2)  e(gp,gp)r
19
Results

Thm:

New PLBE system:
CT-size = O(n)
enc-time = O(n)

Secure PLBE  Secure TT
Same size CT and priv-keys
(black-box and publicly traceable)
;
;
priv-key size = O(1)
dec-time = O(1)
Applications:
• Tracing Traitors :
• Adaptive BE.
O(n) CTs and O(1) keys.
(need Augmented PLBE)
• Comparison searches on encrypted data.
20
T.T:
a popular problem
32 papers from 49 authors
O.
D.
H.
B.
Y.
Y.
N.
A.
M.
E.
M.
D.
Berkman
Boneh
Chabanne
Chor
Desmedt
Dodis
Fazio
Fiat
Franklin
Gafni
Goodrich
Halevy
G.
D.
H.
M.
A.
K.
J.
S.
M.
D.
M.
B.
B.
Hanaoka
Hieu-Phan
Imai
Kasahara
Kiayias
Kurosawa
Lotspiech
Mitsunari
Naor
Naor
Parnas
Pfitzmann
Pinkas
D.
R.
A.
R.
J.
A.
J.
A.
J.
D.
J.
R.
Pointcheval
Safavi-Naini
Sahai
Sakai
Sgall
Shamir
Shaw
Silverberg
Staddon
Stinson
Sun
Tamassia
G. Tardos
T. Tassa
V. To
M. Waidner
J. Walker
Y. Wang
Y. Watanabe
B. Waters
R. Wei
L. Yin
M. Yung
F. Zhang
21
A Simple System



n users in system, each gets separate key
User i gets Ki
Encrypt message to separately to user –lump it
• (Use “hybrid encryption” and encrypt an AES key)
i
E(K1 , M)
E(K2 , M)
… E(Ki , M)
… E(Kn , M)
M
22
Tracing

Let E’(i, M) => Encrypt R to
1,…,i-1 and M to i,…n
E(K1 , R)

E(K2 , R)
… E(Ki-1 , R) E(Ki , M)
… E(Kn , M)
Pi = prob. pirate device decrypts E’(i,M)
• Can learn Pi’s from probing the device
i
Pi
1
100
j
100
j+1
35
n+1
0
Device works
User j is an attacker
Everything Random
23