Upload
claribel-pope
View
213
Download
0
Embed Size (px)
Citation preview
Broadcast Encryption andBroadcast Encryption andTraitor TracingTraitor Tracing
2001. 12.
2001507
Jin Kim
2
ContentsContents
Introduction Broadcast Encryption Traitor Tracing Traitor Tracing Models Conclusion & Further Work Reference
3
Broadcast EncryptionBroadcast Encryption
Provider transmits encrypted content to a privileged subset of users Pay TV, Online DB.
Consider a center and a set of users . The center wishes to broadcast a message to a
privileged set of users.
Goal: Efficiency of
transmission length storage at the user’s end the computation in retrieving the common key.
4
Broadcast EncryptionBroadcast Encryption
CenterE(content)
I1 I2 I3 In
U1 U2 3U Un
Ui Decrypts E(content) using Ii
5
The DangerThe Danger
Some Users leak their keys to pirates Pirates construct unauthorized decryption devices
and sell them at a discount
K1 K3 K8
E(Content) ContentPirate Box
6
Stopping LeakageStopping Leakage
Two non-exclusive approaches: Traitor Tracing
Trace and Revoke Trace users who leak their keys Revoke those keys - rendering pirated boxes dysfunctional.
Powerful combination! Self Enforcement
Goal: discourage users from leaking keys Idea: key should contain sensitive information that user doesn’t
want to spread. Should be impossible to use without revealing explicitly
Example: Credit Card Number Challenge: how to embed the sensitive information in the keys
7
RevocationRevocation
E’(M)
LegalDecoder
LegalDecoder
PirateDecoderPirate
Decoder
M
M’(decode
incorrectly)
8
TraitorsTraitors
Traitors are legitimate users who aid a pirate by: Plaintext re-transmission compromised keys
9
Traitor TracingTraitor Tracing
Goal of Traitor Tracing Schemes: Find source of keys of illegal decryption devices If at most t traitors - should identify (one of) them No honest user should be implicated
K1 K3 K8
K3
Tracer
Pirate Box
10
Traitor TracingTraitor Tracing
Fighting Piracy Identify piracy Prevent transmitting information to pirate users Identify the source of such piracy
Finding Traitors
Consideration Memory and Computation requirements
Per authorized user For the data supplier
Data redundancy overhead
11
Tracing SchemesTracing Schemes
Some Models of previous schemes: Static Asymmetric Dynamic Sequential Alternative
If group members can share exactly the same data, the problem of determining guilt or innocent is unsolvable To find a traitor, Give a slightly different secret to the shares
12
Chor-Fiat-Naor SchemeChor-Fiat-Naor Scheme
Traitor tracing message : (enabling block, cipher block) Cipher block : symmetric encryption of the actual data Enabling block : user’s key set and enabling block can generate
decryption key
decrypt
decrypt
decrypt
Originalblock
User 1
broadcast
Personalkey
User n
Cipherblock
Enablingblock
Personalkey
13
Some SchemesSome Schemes
Boneh and Franklin Fixed key-length of private key Length of enabling block depends on the # of revocation
capability
W. Tzeng and Z. Tzeng Enlarged the # of revocation capability to the degree of Shamir
polynomail
Kim, Lee, and Lim Enlarged the # of revocation capability to the infinity
14
Comparison : Comparison : Some schemesSome schemes
m : # of users, k : revocation capability, H : hash ftn., p, q : prime number, |p|>1024, |q|>160, q|(p-1), z : Shamir degree of polynomial, modulus of n-RSA |n|>1024, p’, q’ : prime, |p’|>|n|, q’|(p’-1)
CFNPOpen 1-level
BonehFranklin
Lee, KimLim
TzengTzeng
Private Key O(k2logm)*|H| |q| 2|n|+|Φ(n)|+q’ |q|
Length ofEncryption Block
O(k4logm)*|H| (2k+1)*|p|3|n|+|Φ(n)|
{O(z) + |p’|}O(z)*|p|
Compute amount of
EncryptionO(k4logm)XORs
≈(2k+1) Exps.
(mod p)
1 Exp. + 2Mls. (mod n) + {O(z) Exps. (mod
p)}
O(z) Exps. (mod p)
Compute amount of
EncryptionO(k4logm)XORs
≈(2k+1) Exps.
+(2k+1)Mls.(mod p)
2 Exps. + 2Mls. (mod n) + {O(z) Exps. + O(z)
Mls. (mod p)}
O(z) Exps. + O(z) Mls (mod p)
# of Revocation - - ∞ ≤ z
15
Comparison : Comparison : Threshold schemesThreshold schemes
PROPERTY SECTIONPersonal
KEYData
RedundancyDecryptionOperations
Secret 2-level Best fully-resilient 3 496 21270000 496
ThresholdOne-level, min.
Data redundancy4.1 53000 4000 1
ThresholdTwo-level, min.
Data redundancy4.2
W=1/21660 185000 9
ThresholdTwo-levelMin. key
4.2Α -> infinity
380 1290000 13
Threshold tradeoff4.2
W=1/810000 54500 3
Complexity of different Tracing Traitor schemes
Using n=106 , k=1000, q=3/4
16
Proposed SchemsProposed Schems
Based on Lee, Kim and Lim’s Scheme
Difference :
Enabling Block : by reducing random number r
change from <shdxM, A1trxM, A2trxM, t-rxMd, tr, d> to <shdxM, A1txM, A2 txM, t-xMd, d>
17
Advances in the proposed schemeAdvances in the proposed scheme
Proposed scheme is more useful.
Because of Provider can more short enabling block. Efficiency of storage at the user’s end With no change of semantic security
18
ConclusionConclusion
Introducing broadcast encryption and their issue – traitor tracing.
Dividing enabling block & retrieving block is more efficient than all in one scheme.
Proposed method is decreasing the number of each user’s enabling block.
Further Works Research about
Efficiency of proposed scheme New (Updated) Traitor Tracing Schemes Key Management New (Updated) Broadcast Encryption Scheme And Provably Secure Broadcast Encryption Scheme Study on other problems of Broadcast Scheme
19
ReferencesReferences
1. S. Berkovits. How to Broadcast a Secret. Advances in Cryptology - Eurocrypt ’91, Lecture Notes in Computer Science 547 (1992), pp. 536-541.
2. A. Fiat and M. Naor. Broadcast Encryption. Advances in Cryptology - Crypto ’93, Lecture Notes in Computer Science 773, (1994), pp. 480–491.
3. M. Just, E. Kranakis, D. Krizanc ans P. van Oorschot. On Key Distribution via True Broadcasting. In Proceedings of 2nd ACM Conference on Computer and Communications Security, November 1994, pp. 81–88.
4. B. Chor, A. Fiat and M.Naor. Tracing traitors. Advances in Cryptology - Crypto ’94, Lecture Notes in Computer Science 839, (1994), pp. 257–270.
5. D. Boneh and M Franklin. An Efficient Public Key Traitor Tracing Scheme. Advances in Cryptology - Crypto ’99, Lecture Notes in Computer Science , (1994), pp. 338–353.
6. D.H. Lee, H.J. Kim and J.I. Lim. Efficient Public-Key Traitor Tracing in Provably Secure Broadcast Encryption with Unlimited Revocation Capability, WISC 2001, WISC 2001 Proceeding, (2001), pp. 31–42
Thank you for listening.Thank you for listening.Any Questions?Any Questions?