Slide 1: Collusion Resistant Broadcast Encryption With Short Ciphertexts and Private Keys

Dan Boneh, Craig Gentry, and Brent Waters
Slide 2: Broadcast Encryption [FN'93]

(Diagram: a broadcaster sends CT = E[M,S] to users holding d1, d2, d3, …; the target set is S ⊆ {1,…,n}.)

Encrypt to arbitrary subsets S.

Collusion resistance:
• secure even if all users in S^c (the complement of S) collude.
Slide 3: Broadcast Encryption

Public-key BE system:
• Setup(n): outputs private keys d1, …, dn and public key PK.
• Encrypt(S, PK, M): encrypt M for users S ⊆ {1, …, n}; output ciphertext CT.
• Decrypt(CT, S, j, dj, PK): if j ∈ S, output M.

Note: the broadcast contains ( [S], CT ), i.e. the description of S travels with the ciphertext.
Slide 4: Trivial Solutions

Small private key, large ciphertext:
• Every user j has a unique private key dj.
• CT = { E_dj[M] | j ∈ S }
• |CT| = O(|S|), |priv| = O(1)

Large private keys, small ciphertexts:
• Unique key K_S for every subset S ⊆ {1, …, n}.
• User j's private key: dj = { K_S | j ∈ S }
• |CT| = O(1), |priv| = O(2^n)
Slide 5: Outline

• Previous work
• Security definitions
• Overview of the scheme
• Applications
• Conclusions
Slide 6: Previous Solutions

t-Collusion resistant schemes [FN'93]:
• Resistant to t colluders.
• |CT| = O(t² log n), |priv| = O(t log n)
• Attacker knows t.

Broadcast to large sets [NNL, HS, GST]:
• |CT| = O(r), |priv| = O(log n), where r is the number of revoked users.
• Useful if only a small number of players are revoked.
Slide 7: Summary

(Axis of target-set size |S| from 0 to n: EFS, Email (small sets) … Subscription service … DVD's (large sets).)

Scheme                      CT size      Priv-key size
Small sets: trivial         O(|S|)       O(1)
Large sets: NNL, HS, GST    O(n−|S|)     O(log n)
Any set (new): BGW '05      O(1)         O(1)      … but, O(n) size public key.
BGW '05 (second system)     O(√n)        O(1)      … O(√n) size public key.
Slide 8: Broadcast Encryption Security

Semantic security when users collude (static adversary):

Attacker                                   Challenger
  S ⊆ {1, …, n}               ─────→        runs Setup(n)
                              ←─────        PK, { dj | j ∉ S }
  m0, m1 ∈ G                  ─────→        b ← {0,1}
                              ←─────        C* = Enc(S, PK, mb)
  b' ∈ {0,1}                  ─────→

Def: Alg. A ε-breaks BE sem. sec. if Pr[b = b'] > ½ + ε.

(t,ε)-security: no t-time alg. can ε-break BE sem. sec.
Slide 9: Bilinear Maps

• G, GT: finite cyclic groups of prime order p.
• Def: An admissible bilinear map e: G × G → GT is:
  – Bilinear: e(g^a, g^b) = e(g,g)^(ab) for all a, b ∈ Z, g ∈ G.
  – Non-degenerate: g generates G ⟹ e(g,g) generates GT.
  – Efficiently computable.
Slide 10: Broadcast System

Setup(n):
• g ∈ G, α, γ ∈ Zp.
• For k = 1, …, n set: gk = g^(α^k) ∈ G.
• PK = ( g, g1, g2, …, gn, gn+2, …, g2n, v = g^γ ) ∈ G^(2n+1)   (note that gn+1 is omitted)
• dk = (gk)^γ ∈ G

Encrypt(S, PK, M):
• t ∈ Zp
• CT = ( g^t , (v · ∏_{j∈S} gn+1-j)^t , M · e(gn, g1)^t )

Decrypt(CT, S, k, dk, PK):
• CT = (C0, C1, C2)
• Fact: e( gk, C1 ) / e( dk · ∏_{j∈S, j≠k} gn+1-j+k , C0 ) = e(gn, g1)^t
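The Fact on the previous slide is what makes decryption work; the derivation below is added here (not part of the original slides) and uses only the slide's own symbols, writing C0 = g^t and C1 = (v · ∏_{j∈S} gn+1-j)^t in exponent form and applying bilinearity:

$$
\frac{e(g_k,\,C_1)}{e\!\left(d_k \prod_{j\in S,\, j\neq k} g_{n+1-j+k},\; C_0\right)}
= \frac{e\!\left(g^{\alpha^k},\; g^{\,t\left(\gamma+\sum_{j\in S}\alpha^{n+1-j}\right)}\right)}
       {e\!\left(g^{\,\gamma\alpha^k+\sum_{j\in S,\, j\neq k}\alpha^{n+1-j+k}},\; g^{t}\right)}
= e(g,g)^{\,t\left(\gamma\alpha^k+\sum_{j\in S}\alpha^{n+1-j+k}\;-\;\gamma\alpha^k-\sum_{j\in S,\, j\neq k}\alpha^{n+1-j+k}\right)}
$$

Every term cancels except the j = k term of the first sum, so the quotient equals

$$
e(g,g)^{\,t\,\alpha^{n+1}} = e\!\left(g^{\alpha^n},\, g^{\alpha}\right)^{t} = e(g_n, g_1)^{t},
$$

which is exactly the mask applied to M in C2. A user k ∉ S has no j = k term, so the same computation yields e(g,g)^0 = 1 and tells them nothing about M; the omitted gn+1 is the element a coalition would need to produce e(gn, g1)^t directly from C0.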
Slide 11: Security Theorem

Thm: ∃ t-time alg. that ε-breaks BE sem. sec. in G
  ⟹ ∃ t̃-time alg. (t̃ ≈ t) that ε-solves bilinear n-DDHE in G.
Slide 12: App: Encrypted File Systems

Broadcast to small sets: |S| << n.

Best construction: trivial, |CT| = O(|S|), |priv| = O(1).

Example: EFS. MS Knowledge Base: "EFS has a limit of 256KB in the file header for the EFS metadata. This limits the number of individual entries for file sharing to a maximum of 800 users."

(Diagram of file F: header (< 256K) holding E_PKA[KF], E_PKB[KF], E_PKC[KF], one entry per sharer; body E_KF[F].)
Slide 13: Apps: Sharing in Enc. File System

Store PK on the file system: n = 2^16 ⟹ |PK| = 1.2MB.

File header: ( [S], E[S,PK,KF] ), with S ⊆ {1, …, n} and E[S,PK,KF] only 40 bytes.

Sharing among "800" users:
• 800·2 + 40 = 1640 bytes, << 256KB.

(Diagram of file F: header [S], E[S,PK,KF]; body E_KF[F].)

Each user obtains private key d_uid ∈ G from the admin.
• Admin only stores γ ∈ Zq.
Slide 14: Incremental file sharing

File hdr: ( [S], g^t, (v · ∏_{j∈S} gn+1-j)^t ) = ( [S], C0, C1 ), i.e. E[S,PK,KF], plus Nonce_F.

(Diagram of file F: header [S], E[S,PK,KF], Nonce_F; body E_KF[F].)

To grant user u access to file F, the owner does:
• C1 ← C1 · (gn+1-u)^t

File owner: instead of storing t for every file do: t ← PRF_K(Nonce_F).
Slide 15: App: secure email lists

Set n = 2^16. Let gk = g^(α^k).
Suppose (g, g1, g2, …, gn, gn+2, …, g2n) are global (1.2MB).

Simple encrypted email lists:
• ListA: PK_A = (v_A = g^(γ_A)); ListB: PK_B = (v_B = g^(γ_B)).
• When a new user joins ListA do:
  – Assign new index 1 ≤ k ≤ 2^16, give key dk = (gk)^(γ_A).
• Encrypt msgs to ListA using B.E. for current members.

Much simpler than existing techniques (e.g. LKH).
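The following Python program is an added example, not code from the slides or from the authors, that exercises the construction of slide 10, the incremental grant and PRF-derived t of slide 14, and the shared-parameters/per-list setup of slide 15 in one place. It deliberately replaces the pairing group with a toy model in which every group element is stored as its exponent mod p, so that e(g^a, g^b) = e(g,g)^(ab) becomes ordinary multiplication; this lets the decryption Fact be checked end to end, but it exposes every discrete log and therefore says nothing about security. The prime P, the HMAC-SHA256 choice for PRF_K, and all sample sets and messages are constructed assumptions.

```python
import hashlib
import hmac
import secrets

# Toy model of G and G_T, constructed for checking the algebra only: an element
# g^x of G (or e(g,g)^y of G_T) is stored as its exponent mod P, so the pairing
# e(g^a, g^b) = e(g,g)^(a*b) is plain multiplication. All discrete logs are in
# the clear, so this can never stand in for a real pairing-friendly group.
P = 2**61 - 1  # prime group order (an arbitrary Mersenne prime)


def rand_zp():
    """Uniform element of Z_p^* (exponent form)."""
    return secrets.randbelow(P - 1) + 1


def pairing(x, y):
    """e(g^x, g^y) = e(g,g)^(x*y), returned as the G_T exponent."""
    return x * y % P


def global_params(n):
    """Shared part of Setup(n): alpha and g_k = g^(alpha^k) for k = 1..2n, k != n+1.
    g_{n+1} is never materialised, matching the public key on slide 10; slide 15
    treats this tuple as global to all lists."""
    alpha = rand_zp()
    g_k = {k: pow(alpha, k, P) for k in range(1, 2 * n + 1) if k != n + 1}
    return {"n": n, "g_k": g_k}


def list_setup(params):
    """Per-list part of Setup: gamma, v = g^gamma and d_k = (g_k)^gamma, k = 1..n.
    Only gamma needs to be kept by the admin (slide 13)."""
    gamma = rand_zp()
    priv = {k: gamma * params["g_k"][k] % P for k in range(1, params["n"] + 1)}
    pk = {"n": params["n"], "g_k": params["g_k"], "v": gamma}
    return pk, priv, gamma


def encrypt(S, pk, m, t=None):
    """Encrypt(S, PK, M) -> (C0, C1, C2)
       = (g^t, (v * prod_{j in S} g_{n+1-j})^t, M * e(g_n, g_1)^t).
    M is a G_T element in exponent form. Passing t lets a file owner derive it
    from PRF_K(Nonce_F) instead of storing it (slide 14)."""
    n, g_k = pk["n"], pk["g_k"]
    if t is None:
        t = rand_zp()
    c0 = t
    c1 = t * (pk["v"] + sum(g_k[n + 1 - j] for j in S)) % P
    c2 = (m + pairing(g_k[n], g_k[1]) * t) % P
    return (c0, c1, c2)


def decrypt(ct, S, k, d_k, pk):
    """Decrypt(CT, S, k, d_k, PK) via the slide-10 Fact:
    e(g_k, C1) / e(d_k * prod_{j in S, j != k} g_{n+1-j+k}, C0) = e(g_n, g_1)^t.
    Every index n+1-j+k touched here avoids n+1 because j != k."""
    n, g_k = pk["n"], pk["g_k"]
    c0, c1, c2 = ct
    num = pairing(g_k[k], c1)
    den = pairing((d_k + sum(g_k[n + 1 - j + k] for j in S if j != k)) % P, c0)
    session_key = (num - den) % P        # e(g_n, g_1)^t for k in S, 1 (i.e. 0) otherwise
    return (c2 - session_key) % P


def file_t(owner_key, nonce):
    """t <- PRF_K(Nonce_F). HMAC-SHA256 reduced into Z_p^* is this example's
    choice of PRF; the slides only say 'PRF'."""
    digest = hmac.new(owner_key, nonce, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") % (P - 1) + 1


def grant(ct, pk, u, t):
    """Incremental sharing (slide 14): C1 <- C1 * (g_{n+1-u})^t, so the header
    now decrypts for S ∪ {u} without touching C0 or C2."""
    c0, c1, c2 = ct
    return (c0, (c1 + t * pk["g_k"][pk["n"] + 1 - u]) % P, c2)


if __name__ == "__main__":
    params = global_params(16)                  # shared (g, g_1, ..., g_2n)
    pk_a, priv_a, _ = list_setup(params)        # ListA: its own gamma_A
    pk_b, priv_b, _ = list_setup(params)        # ListB: same g_k, own gamma_B
    members = {1, 4, 9}
    msg = 424242                                # constructed sample message
    ct = encrypt(members, pk_a, msg)
    print(decrypt(ct, members, 4, priv_a[4], pk_a) == msg)   # ListA member: True
    print(decrypt(ct, members, 4, priv_b[4], pk_a) == msg)   # ListB key, same index: False
```

Because the toy pairing is multiplication of exponents, the session key a non-member recovers is literally 0 (the group identity), which shows concretely why the j = k term in the Fact is the whole secret; with ListB's key the leftover term t·α^k·(γ_A − γ_B) likewise never cancels.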
Slide 16: Summary and Open Problems

New public-key broadcast encryption systems:
• Full collusion resistance.
• Constant size private key.
• System 1: |CT| = O(1), |PK| = O(n)
• System 2: |CT| = O(√n), |PK| = O(√n)

Open problems:
• Reduce public key size.
• Weaker assumption.
• Security against adaptive adversary.
• Tracing traitors with same parameters.
Slide 17: Apps: Content Protection

DVD content protection: n = 2^32, r revoked players.
• No room for PK in the player.
• Store ( [S], CT, PK ) on each DVD disk.
• Goal: minimize |CT| + |PK| ⟹ √n system.

Using the √n system: |PK| = O(√n), |CT| = O(√n):
• |DVD-hdr| = |PK| + |CT| + |[S]| = 5MB + (4r bytes)   (about 4·2^16 group elements)

NNL-type:
• |DVD-hdr| = |CT| + |[S]| = (36r bytes)
Slide 18: App: Content Protection

DVD content protection, n = 2^32:
• DVD player i ships with private key di.
• DVD disks are encrypted to the unrevoked players.

Broadcast to large sets: |S| = n − r where r << n.

(Diagram: players holding d1, d2, d3, d4, … receiving the disk's broadcast.)