1. Collusion Resistant Broadcast Encryption With Short Ciphertexts and Private Keys
Dan Boneh, Craig Gentry, and Brent Waters

2. Broadcast Encryption [FN'93]
(Figure: a broadcaster sends CT = E[M,S] to a set S ⊆ {1, …, n} of users holding private keys d_1, d_2, d_3.)
Encrypt to arbitrary subsets S.
Collusion resistance:
• secure even if all users in S^c collude.

3. Broadcast Encryption
Public-key BE system:
• Setup(n): outputs private keys d_1, …, d_n and public key PK.
• Encrypt(S, PK, M): encrypt M for users S ⊆ {1, …, n}; output ciphertext CT.
• Decrypt(CT, S, j, d_j, PK): if j ∈ S, output M.
Note: the broadcast contains ( [S], CT ).

4. Trivial Solutions
Small private key, large ciphertext:
• Every user j has a unique private key d_j.
• CT = { E_{d_j}[M] | j ∈ S }
• |CT| = O(|S|), |priv| = O(1)
Large private keys, small ciphertexts:
• Unique key K_S for every subset S ⊆ {1, …, n}
• User j's priv-key: d_j = { K_S | j ∈ S }
• |CT| = O(1), |priv| = O(2^n)

5. Outline
Previous work
Security definitions
Overview of the scheme
Applications
Conclusions

6. Previous Solutions
t-collusion resistant schemes [FN'93]:
• Resistant to t colluders
• |CT| = O(t^2 log n), |priv| = O(t log n)
• Attacker knows t
Broadcast to large sets [NNL, HS, GST]:
• |CT| = O(r), |priv| = O(log n)
• Useful if a small number of players is revoked

7. Summary
(Figure: set size |S| on a scale from 0 to n; EFS and e-mail subscription services sit at the small-set end, DVDs at the large-set end.)
                              CT size      Priv-key size
Small sets: trivial           O(|S|)       O(1)
Large sets: NNL, HS, GST      O(n-|S|)     O(log n)
Any set (new): BGW '05        O(1)         O(1)        … but O(n) size public key
               BGW '05        O(√n)        O(1)        … O(√n) size public key

8. Broadcast Encryption Security
Semantic security when users collude (static adversary):
Attacker → Challenger: S ⊆ {1, …, n}
Challenger: run Setup(n); send PK, { d_j | j ∉ S }
Attacker → Challenger: m_0, m_1 ∈ G_T
Challenger: b ← {0,1}; send C* = Enc(S, PK, m_b)
Attacker: output b' ∈ {0,1}
Def: Alg. A ε-breaks BE sem. sec. if Pr[b = b'] > ½ + ε.
(t,ε)-security: no t-time alg. can ε-break BE sem. sec.

9. Bilinear Maps
G, G_T: finite cyclic groups of prime order p.
Def: An admissible bilinear map e: G × G → G_T is:
– Bilinear: e(g^a, g^b) = e(g,g)^{ab} for all a, b ∈ Z, g ∈ G.
– Non-degenerate: g generates G ⟹ e(g,g) generates G_T.
– Efficiently computable.
10. Broadcast System
Setup(n): g ∈ G, α, γ ∈ Z_p. Let g_k = g^{(α^k)} and v = g^γ.
PK = ( g, g_1, g_2, …, g_n, g_{n+2}, …, g_{2n}, v ) ∈ G^{2n+1}
For k = 1, …, n set: d_k = (g_k)^γ ∈ G
Encrypt(S, PK, M): t ∈ Z_p,
CT = ( g^t, (v · ∏_{j∈S} g_{n+1-j})^t, M · e(g_n, g_1)^t )
Decrypt(CT, S, k, d_k, PK): write CT = (C_0, C_1, C_2).
Fact: e(g_k, C_1) / e( d_k · ∏_{j∈S, j≠k} g_{n+1-j+k}, C_0 ) = e(g_n, g_1)^t

11. Security Theorem
Thm: a t-time alg. that ε-breaks BE sem. sec. in G gives a t-time alg. that ε-solves bilinear n-DDHE in G.

12. App: Encrypted File Systems
Broadcast to small sets: |S| << n
Best construction: trivial. |CT| = O(|S|), |priv| = O(1)
Examples: EFS. MS Knowledge Base: "EFS has a limit of 256KB in the file header for the EFS metadata. This limits the number of individual entries for file sharing to a maximum of 800 users."
(Figure: file header (< 256K) holding E_{PK_A}[K_F], E_{PK_B}[K_F], E_{PK_C}[K_F]; file F stored as E_{K_F}[F].)

13. Apps: Sharing in Enc. File System
Store PK on the file system: n = 2^16, |PK| = 1.2MB
File header: ( [S], E[S,PK,K_F] ), where E[S,PK,K_F] is 40 bytes
Sharing among "800" users:
• 800·2 + 40 = 1640 bytes; Hdr << 256KB
(Figure: header ( [S], E[S,PK,K_F] ) with S ⊆ {1, …, n}; file F stored as E_{K_F}[F].)
Each user obtains priv-key d_uid ∈ G from the admin.
• Admin only stores γ ∈ Z_q

14. Incremental File Sharing
File hdr: ( [S], g^t, (v · ∏_{j∈S} g_{n+1-j})^t ) = ( [S], C_0, C_1 )
(Figure: Hdr = ( [S], E[S,PK,K_F], Nonce_F ); file F stored as E_{K_F}[F].)
To grant user u access to file F, the owner does: C_1 ← C_1 · (g_{n+1-u})^t
File owner: instead of storing t for every file, do: t ← PRF_{K_O}(Nonce_F)

15. App: Secure Email Lists
Set n = 2^16. Let g_k = g^{(α^k)}.
Suppose (g, g_1, g_2, …, g_n, g_{n+2}, …, g_{2n}) are global (1.2MB).
Simple encrypted email lists:
• ListA: PK_A = ( v_A = g^{γ_A} ); ListB: PK_B = ( v_B = g^{γ_B} )
• When a new user joins ListA do:
  – Assign a new index 1 ≤ k ≤ 2^16, give key d_k = (g_k)^{γ_A}
• Encrypt msgs to ListA using B.E. for the current members.
Much simpler than existing techniques (e.g. LKH).

16. Summary and Open Problems
New public-key broadcast encryption systems:
• Full collusion resistance. Constant size priv key.
• System 1: |CT| = O(1), |PK| = O(n)
• System 2: |CT| = O(√n), |PK| = O(√n)
Open problems:
• Reduce public key size. Weaker assumption.
• Security against adaptive adversary.
• Tracing traitors with the same parameters.

17. Apps: Content Protection
DVD content protection: n = 2^32, r = number of revoked players.
• No room for PK in the player.
• Store ( [S], CT, PK ) on each DVD disk.
• Goal: minimize |CT| + |PK|
Using the √n system: |PK| = O(√n), |CT| = O(√n):
|DVD-hdr| = |PK| + |CT| + |[S]| = 5MB + (4r bytes)   (4·2^16 G.E.)
NNL-type: |DVD-hdr| = |CT| + |[S]| = (36r bytes)

18. App: Content Protection
DVD content protection, n = 2^32.
• DVD player i ships with private key d_i.
• DVD disks are encrypted to the unrevoked players.
Broadcast to large sets: |S| = n − r where r << n.
(Figure: DVD players holding keys d_1, d_2, d_3, d_4.)