Broadcast EncrypCon Amos Fiat & Moni Naor

Transcription

1 Broadcast EncrypCon Amos Fiat & Moni Naor Presented By Gayathri VS

2 Outline q The Problem q Zero Message Schemes à Basic Scheme à 1- resilient Scheme based on 1- way funccon à 1- resilient Scheme based on number- theory q Low- Memory k- resilient schemes 2

3 The Problem The System consists of broadcascng center set U of n users. key is distributed to users upon joining the system. securely transmit data to a randomly changing privileged subset of users out of the set S Any CoaliCon of k users from the universe, who are not part of the privileged set should not be able to decrypt the message. (Scheme is k- resilient). 3

4 NotaCons q U is the universe consiscng of n users q P is privileged subset q S is any subset trying to learn the secret (S P = NULL) q S is size of subset S q K s is key common to subset S 4

5 Security DefiniCons q Scheme is resilient if for all subset S ( S P = NULL, where P U is privileged set ) S cannot learn secret common to P. q Scheme is k- resilient if S <= k. q Scheme is (k,p) random resilient if any randomly selected Subset is k- resilient with probability (1- p) 5

6 Obvious SoluCon q SoluCon 1 : 6

7 Obvious SoluCon q SoluCon 2 : 7

8 Obvious SoluCons Performance q SoluCon 1 : Each user is assigned a unique key 1 key per user & O(n) messages q SoluCon 2 : Each subset gets a unique key 2 n- 1 keys per user & O(1) message q For any arbitrary subset, we have two choices for X 2.. X n. (they may or may not be present in that subset) Total number of subset which contains x = 2 n- 1 8

9 q The Goal is the opcmize Problem Statement.. Revisited a) number of transmissions sent by the center to create the common secret b) Number of keys each user stores c) ComputaConal effort in retrieving the common key by the members of the privileged class. 9

10 Outline q The Problem q Zero Message Schemes (Low resiliency) à Basic Scheme (AssumpCon Free) à 1- resilient Scheme based on 1- way funccon à 1- resilient Scheme based on number- theory q Low- Memory k- resilient schemes 10

11 Zero Message Schemes q Having the knowledge of Users in privileged set T, all users can compute the common key to decrypt the message sent by the center q The privileged set can be idencfied by sending a relacvely short transmission. This is set idencficacon transmission ( different from the broadcast encrypcon transmission ) 11

12 BASIC SCHEME q For every set S U where 0 S k, Assign key K s q Distribute K s to all users x U S U = { a, b, c }. Here n=3. Let k be 2 KEY DISTIBUTION : S = {a, b, c, {a,b}, {a,c}, {b,c}} K s = {K a, K b, K c, K ab,k ac,k bc } User a has K b, K c, K bc User b has K a, K c, K ac User c has K a, K b, K ab 12

13 q ENCRYPTION : The common key to the privileged set P is simply the exclusive or of all keys K S where S U P q If P = { a,b } then K = XOR K S where S U P Here S is c so K = K C q RESILENCY : Every possible set S U P 0 S k will miss the key K S and cannot decrypt the message sent by the center. q NUMBER OF MESSAGES,KEYS : Number of keys per each User : Σ I = 0 to k (n)_c_i q For the above scheme to be 1- resilient each user should store (n+1) keys q For the above scheme to be n- resilient each user should store 2 n- 1 keys 13

14 1- resilient scheme based on one- way funccon q O(n) keys in previous scheme can be reduced to!" log 2 n#$ keys if keys are pseudo- randomly generated q Let f: {0,1} l - > {0,1} 2l be a pseudo- random generator (the length of the output of is twice the length of the input). q Users are on the leaf of the balanced binary tree. q The root is labeled with the common seed from Set {0,1} l 14

15 q apply the pseudo- random generators to the root label.assign the lep half (first bits) to be the label of the lep subtree while the right half (last bits) is the label of the right subtree. q User x should get all leaf labels except his. To achieve this, we remove the path from x to the root,which is a forest on log n labels. q Every x U can use the log n values that he got and generate all leaf labels except his own. 15

16 16

17 A 1- resilient scheme based on ComputaConal Number TheoreCc AssumpCons q The center chooses a random hard to factor composite N= P.Q where P and Q are primes. q It also chooses a secret value g of high index. q Each user i U is assigned g i = g pi. gcd(pi,pj) = 1, for I j q The common key for P U is g T = g PT mod N where PT = Π i P pi q Each user i P can compute g T by g ix mod N where X = Π i (P- i) pi 17

18 SCHEME TRIVIAL SOLUTION- 1 TRIVIAL SOLUTION- 2 NO OF KEYS/ USER MESSAGE LENGTH RESILIENCY ASSUMPTION 1 O(n) any Nothing 2 n- 1 1 Any Nothing BASIC SCHEME Σ K (n)c k 1 K Nothing BASIC SCHEME (k=1) BASIC SCHEME (K=N- 1) 1- resilant using PRG 1- resilent using number theory O(n) 1 1 Nothing O(2 n ) 1 N nothing Ceil(log n) 1 1 One- way funccons and hence PRG exist Root extraccon is hard 18

19 Outline q The Problem q Zero Message Schemes (Low resiliency) à Basic Scheme (AssumpCon Free) à 1- resilient Scheme based on 1- way funccon à 1- resilient Scheme based on number- theory q Low- Memory k- resilient schemes à One Level Schemes à MulC Level Schemes 19

20 Low Memory- Resilient Schemes q The zero message 1- resilient schemes requires for k>1 memory which is exponencal in k q Low- memory k- resilient schemes can be built from 1- resilient q Let w denote the number of keys that a user is required to store in the 1- resilient scheme w = n+1 if no cryptographic assumpcons are made, w = ceil(log n) if we assume that one- way funccons exists and w =1 if we assume that it is hard to extract roots modulo a composite. q efficiency of the schemes is how many w s they require. 20

21 One Level Scheme 1. f 1, f 2. f l is a family of funccon denoted by f i : U {1,...,m}, 1 i l 2. For every group S U, S =k there exists some funccon f i that is 1-1 on S all x,y in S f i (x) f i (y) {f i } contains perfect hash funccon for all subsets of size k in U when mapped to range {1,2..m} 21

22 One Level Scheme Key DistribuCon 1. {R(i, j)}1 i l,1 j m are independent 1- resilient schemes 2. Each user x U gets the keys associated with the scheme R(i,fi(x)) 1 i l. 1 2 N user 1 R(1,f 1 (1)) R(1,f 1 (2)) R(1,f 1 (n)) 2 R(2,f 2 (1)) R(2,f 2 (2)) R(2,f 2 (n)) L R(L,f l (1)) R(L,f L (2)) R(L,f L (n)) 22

23 One Level Schemes EncrypCon and DecrypCon 1. To transmit M to T U, the center breaks M into l random shares such that M = M 1 XOR M 2 XOR M l 2. For 1 i l the center transmits M i in m discnct messages using R(i,j) j=1,2..m where j=f i (x) for all x in P. 3. Every x T may recover Mi, 1 i l, from R(I,j) where j = fi(x), and then add them up to get M. If x1 is part of P, M 1 R(1,f 1 (x1) ) M 2 R(2,f 2 (x1) ) M L - R(l, f l (x1) 23

24 One Level Scheme - Storage 1 2 N user 1 R(1,f 1 (1)) R(1,f 1 (2)) R(1,f 1 (n)) 2 R(2,f 2 (1)) R(2,f 2 (2)) R(2,f 2 (n)) L R(L,f l (1)) R(L,f L (2)) R(L,f L (n)) M R(1,f 1 (1)) R(1,f 1 (2)) M 2 R(2,f 2 (1)) R(2,f 2 (2)) M L R(L,f L (1)) R(L,f L (2)) Storage per user: l Omes that of the 1- resilient scheme. Length of transmission: l m messages 24

25 One Level Scheme - Resiliency Claim: The scheme is k- resilient. q Let S be a coalicon of size S k. q There exists f i that is 1-1 on S. q M i is the message transmiued using f i. M i is delivered in m independent transmissions. q There can be at most only one x S for which fi(x) = j who has the keys of that scheme. q However R(i, j) is 1- resilient and hence that single user cannot recover M i and hence M. 25

26 One Level Scheme Idea q use a perfect family of hash funccons q send a share of the secret M corresponding to each hash funccon. q Each share is broadcasted with different encrypcons. q The privileged users can decrypt these messages and any colluding set of at most k users cannot obtain at least one of the shares q no informacon about M is revealed if we miss even one of the shares. 26

27 Se}ng Parameters q Set m = 2k 2, l = k log n q Theorem: There exists a k- resilient scheme that requires the users to store O(k log n w) keys and the center to broadcast O(k 3 log n) messages. The scheme may be constructed at random with arbitrarily high probability. q Probability that a random f i is not 1-1 on S is ((kc 2 ).2 m- 1 )/ 2 m = (kc 2 ).(1/m) = k(k- 1)/2m = ¼ - 1/4k ¼ q Given the family of funccon f 1, f 2.. f l Prob(No f i is 1-1 on S ) = 1/4 L =1/2 2L = 1/n 2k (l = klogn ; 2l = 2klogn ; 2l = log n 2k ;n 2k = 2 2l ) q Prob ( Some f i is 1-1 on S ) = ( 1 n - 2k ) q Prob ( there exists f i is 1-1 on all S of size k) >= (1- n - 2k ) t, where t = n_c_k >= 1 n - k 27

28 Se}ng Parameters Scheme is (k,p) random resilient if any randomly selected Subset is k- resilient with probability (1- p) P(that for all subset of size k, there exists f i is 1-1 on S ) 1 p For (k,p) random resiliency subsctute l = log(1/p) Theorem : (k,p)- resilient scheme requires the users to store O(log(1/p) w) keys and the center should broadcast O(k 2 log(1/p)) messages. 28

29 MulC Level Schemes q MulC- level schemes, like the one- level ones, convert 1- resilient schemes to k- resilient ones. q The mulc- levelness comes through the R(i, j)s that are sets of 1- resilient schemes. q It decrease the length of transmission at the expense of more storage at the user. 29

30 MulC- Level Scheme Key DistribuCon Every user x in U, for every 1 i l and for every 1 r w, receives keys associated with the scheme R(i,f i (x),r) User 1 R(1,f 1 (1),1) R(1,f 1 (1),2) R(1,f 1 (1),w) R(2,f 2 (1),1) R(2,f 2 (1),2) R(2,f 2 (1),w) R(l,f l (1),1) R(l,f l (1),2) R(l,f l (1),w) For every Subset of size k, there exists for some 1 i l such that for all j there exist some w such that R(i,j,w)is resilient to set {x in S, f i (x) = j ) 30

31 MulC Level Scheme EncrypCon and DecrypCon. 1. To transmit M to T U, the center breaks M randomly into l shares, such that M = M 1 XOR M 2 XOR.. M l 2. Each M i is broken into w shares for each j. M 1 (i,j) M 2 (i,j). M w (i,j) 3. For 1 i l and 1 r w M r (i,j) is broadcasted to Privileged subset {x T :f i (x)=j} 4. For any subset of size k, by assumpcon there is an i and for all j in that I scheme w is resilient to x in S with f i (x) = j Storage per user: l w Cmes that of the 1- resilient scheme. Length of transmission: l m w Cmes that of the 1- resilient scheme. 31

32 q Set L = 2k.log n, m = k/log k, w = log k + 1,t = 2elog k q There exists a k- resilient scheme that requires each user to store O(k.log k. log n.w) keys and the center to broadcast O(k 2 log 2 klogn) messages. Moreover, the scheme can be constructed effeccvely with high probability q there exists a (k,p) random- resilient scheme with the property that the number of keys each user should store is O(log k.log(1/p).w) and the center should broadcast O(klog 2 klog(1/p)) messages. Moreover, the scheme can be constructed effeccvely with high probability 32

33 SCHEME NO OF KEYS/ USER MESSAGE LENGTH RESILIENCY ASSUMPTION BASIC SCHEME Σ K (n)c k 1 K Nothing 1- resilant using PRG 1- resilent using number theory One Level Scheme Ceil(log n) 1 1 One- way funccons and hence PRG exist Root extraccon is hard O(k log n w) O(k 3 log n) k 1- Level (k,p) O(log(1/p) w) O(k 2 log(1/p)) k MulC- Level O(k log k log n w) O(k2 log2 k log n) k 33

34 Thank You! 34