Public Key Broadcast Encryption

Transcription

1 Public Key Broadcast Encryption Leyou Zhang Centre for Computer and Information Security University of Wollongong Australia 1

2 Nature Science Foundation(NSF) of China: Public key Broadcast Encryption(BE)(Finished, ) Nature Science Foundation(NSF) of China: Provably Secure HIBE in the Standard model( ) Nature Science Foundation(NSF) of China: ABE for Fine-grained Access Control Policy in the Cloud.( ) Nature Science Foundation(NSF) of Shaanxi Province: Broadcast Encryption over New Hardness Assumptions. ( )

3 Outline Backgrounds Definition and Security Model Some Typical Schemes Some Special Case Key Research Points ( ) Conclusion

4 Backgrounds In computer networking, multicast (one-to-many or many-to-many distribution) is group communication where information is addressed to a group of destination computers simultaneously. 1 IP multicast 2 Application layer multicast 3 Multicast over wireless networks and cable-tv 4 Other multicast technologies

5 Cloud Characteristics Broadcasting is used

6 How to broadcast the messages

7 PK 1 PK n users pk 1 pk n users PK 2 pkn 1 pk 2 PKn 1

8 PK 1 PK n users pk 1 pk n users PK 2 pkn 1 pk 2 PKn 1

9 n users users It is called multi-receiver encryption[1]. Assume that there are n receivers, numbered 1 n, and that each of them keeps a private and public key pair denoted by (ski,pki). A sender then encrypts a message Mi directed to receiver i using pki for i = 1,, n and sends (C1,,Cn) as a ciphertext. Upon receiving the ciphertext, receiver i extracts Ci and decrypts it using its private key ski. [1] M. Bellare, A. Boldyreva, and D. Pointcheval, Multi-Recipient Encryption Schemes: Security Notions and Randomness Re-Use, In PKC 2003, LNCS 2567, pp , Springer-Verlag, 2003.

10 n users users It is called multi-receiver encryption. Assume that there are n receivers, numbered 1 n, and that each of them keeps a private and public key pair denoted by (ski,pki). A sender then encrypts a message Mi directed to receiver i using pki for i = 1,, n and sends (C1,,Cn) as a ciphertext. Upon receiving the ciphertext, receiver i extracts Ci and decrypts it using its private key ski. [BSS] Joonsang Baek, Reihaneh Safavi-naini, Willy Susilo. Efficient Multi-receiver Identity-Based Encryption and Its Application to Broadcast Encryption (2005),In Proc. of PKC 05.

11 What is the definition of BE?

12 Broadcast Encryption [FN 93] d 1 CT = E[M,S] S {1,,n} d 2 Encrypt to arbitrary subsets S. d 3 Collusion resistance: secure even if all users in S c collude [FN 93] A. Fiat and M. Naor. Broadcast encryption. In Proceedings of Crypto 93, volume 773 of LNCS, pages Springer-Verlag, 1993.

13 Typically, broadcast encryption schemes are classified as either stateful or stateless. Stateful schemes provide keys that may be updated after join or revocation events. It require receivers to be online in order to receive key update messages. Stateful schemes typically achieve lower communication cost than stateless schemes. Stateless schemes provide users with long-term keys that are never changed throughout the lifetime of the system. [2] D. Naor, M. Naor, and J.Lotspiech, Revocation and tracing schemes for stateless receivers, in Advances in Cryptology - Crypto 01, vol of LNCS, pp , Springer-Verlag, 2001.

14 Stateless Schemes Symmetric Encryption 1) High efficiency but no dynamic feature Asymmetric Encryption(PK) 1) Support dynamic feature We say that a broadcast system is dynamic[3] when i) the system setup as well as the ciphertext size are fully independent from the expected number of users or an upper bound thereof, ii) a new user can join anytime without implying a modification of preexisting user decryption keys, iii) the encryption key is unchanged in the private-key setting or incrementally updated in the public-key setting, meaning that this operation must be of complexity at most O(1). [3] Cecile Delerabl ee, Pascal Paillier, and David Pointcheval. Fully collusion secure dynamic broadcast encryption with constant-size ciphertexts or decryption keys. In Pairing 2007, LNCS 4575, pages Springer, 2007.

15 Stateless Schemes Certificate Authority pk i C=E(PK,M)

16 PK Broadcast Encryption Public-key BE system: Setup(n): output private keys d 1,, d n and public-key PK. Encrypt(S, PK, M): Encrypt M for users S {1,, n} Output ciphertext CT. Decrypt(CT, S, j, d j, PK): If j S, output M. Note: broadcast contains ( [S], CT )

17 PK Broadcast Encryption Public-key BE system: Setup(n): output private keys d 1,, d n and public-key PK. Encrypt(S, PK, M): Encrypt M for users S {1,, n} Output ciphertext CT. Decrypt(CT, S, j, d j, PK): If j S, output M. Note: broadcast contains ( [S], CT )

18 PK Broadcast Encryption Public-key BE system: Setup(n): output private keys d 1,, d n and public-key PK. Encrypt(S, PK, M): Encrypt M for users S {1,, n} Output ciphertext CT. Decrypt(CT, S, j, d j, PK): If j S, output M. Note: broadcast contains ( [S], CT )

19 In a word, PK broadcast encryption is the following manner: Single Public key, Multi-private-key. pk1 PK pkn

20 Broadcast Encryption Security Semantic security when users collude.(selective security) Challenger Run Setup(n) b {0,1} S {1,, n }, j S PK, { d j j S } m 0, m 1 G C * = Enc( S, PK, m b ) Extract queries { d j j S } b {0,1} Attacker Def: Alg. A -breaks BE sem. sec. if Pr[b=b ] > ½ + (t, )-security: no t-time alg. can -break BE sem. sec. If no S is outputted, adaptive security is achieved. 20

21 Some Known schemes The following section will give some typical BE schemes

22 1) BGW scheme(dan Boneh, Craig Gentry, and Brent Waters) Setup(n): g G,, Z p, g k = g ( k ), PK = ( g, g 1, g 2,, g n, g n+2,, g 2n, v=g ) G 2n+1 For k=1,,n set: d k = (g k ) G Encrypt(S, PK, M): t Z p CT = ( g t, (v j S g n+1-j ) t, M e(g n,g 1 ) t ) Decrypt(CT, S, k,d k, PK): CT = (C 0, C 1, C 2 ) Fact: K=e( g k, C 1 ) / e( d k g n+1-j+k, C 0 ) = e(g n,g 1 ) t M= C 2 /K. 22

23 2 -Identity-based BE

24 * This is the first identity-based broadcast encryption scheme (IBBE) with constant size ciphertexts and private keys. Compared with BGW scheme, it has comparable properties, but with a better efficiency: the public key is shorter than in BGW. Moreover, the total number of possible users in the system does not have to be fixed in the setup. 24

25 Shortcomings: 1) Hardness Assumption Given 2) Random Oracles We better it in 2011, Leyou Zhang, Yupu Hu and Qing Wu. New Constructions of Identity-based Broadcast Encryption without Random Oracles. TIIS Trans. on internet and information systems, Vol.5 No.2, pp , Leyou Zhang, Yupu Hu and Qing Wu. Adaptively Secure Identity-based Broadcast Encryption with constant size private keys and ciphertexts from the Subgroups. Mathematical and computer Modelling, 2012, 55,pp ,2012.

26 3 Our work based on Dual System Encryption Setup To generate the system parameters, the PKG picks randomly g h u u G, ZN v. The public parameters are defined as PK={ g h u1 e( g, g) } and the master key is.,, 1,, l p1,,,, u, Extract Given the identity ID i S( S s l ), PKG selects randomly ri ZNand also chooses random elements Ri 0, R i0, Ri 1,, Ri ( i 1), Ri ( i 1),, Ris G p3. Then it computes private keys as follows: d d d d d d d ( ( ),,,,,,, ). ID ( 0, ', 1,, 1, 1,, ) i i i s g hu IDi ri r 0 i r 0 1 i r 1 i r 1 ( 1) i r i Ri g Ri u Ri ui Ri i ui 1 Ri ( i 1) us i Ris Encrypt Without loss of generality, let S = ( ID 1, ID 2,, ID s ) denote the set of users with s l. A broadcaster selects a random k * Z N, computes C = ( C 0, Hdr) ( C 0, C 1, C 2 ) =( vm, k s IDi k k ( h u ) i 1 i, g ). Decrypt Given the ciphertexts C ( C0, C1, C2 ), any user ID i S uses his private keys to compute did i e( C, d ') 1 M C0 s ID e d j 0 j 1, j i d j C 2 (, ). l

27 4 scheme

28

29

30

31

32 Some Special Case 1) Threshold Broadcast Encryption In a threshold public key encryption scheme a message is encrypted and sent to a group of receivers, in such a way that the cooperation of at least t of them (where t is the threshold) is necessary in order to recover the original message.

33 The fact that the set of receivers and the threshold are set from the beginning can limit the applications of these schemes in real life. One can imagine that the sender of the message, who wants to protect some information, may want to decide who will be the designated receivers in an ad-hoc way, just before encrypting the message, and also decide the threshold of receivers which will be necessary to recover the information.

34 Motivations

35

36 Shortcomings in the existing works: 1) Strong Assumptions; 2) High computation cost; 3) Selective security( with constant size ciphertexts); 4) Adaptive security but ciphertexts size relies on threshold value and users depth. Our works: -Leyou Zhang, Yupu Hu and Qing Wu. Identity-based threshold broadcast encryption in the standard model. TIIS Trans. on internet and information systems, Vol. 4, No. 3, pp , 2010

37 2) HIBE broadcaster (Id1,,Idn) If we convert (Id1,,Idn) to (Id1 Id2 Idn), we can obtain an HIBE scheme. An Identity Based Encryption (IBE) system is a public key system where the public key can be an arbitrary string such as an address. A central authority uses a master key to issue private keys to identities that request them. Hierarchical IBE (HIBE) is a generalization of IBE that mirrors an organizational hierarchy. An identity at level k of the hierarchy tree can issue private keys to its descendant identities, but cannot decrypt messages intended for other identities.

38

39 Dan Boneh, Xavier Boyen,Eu-Jin Goh--- HIBE Scheme* *Boneh, D., Boyen, X., Goh, E.: Hierarchical identity based encryption with constant size ciphertext. In: Cramer, R.J.F. (ed.) EUROCRYPT LNCS, vol. 3494, pp Springer, Heidelberg, 2005.

40

41 Transformed to a IBBE by Jong Hwan Park and Dong Hoon Lee

42 -Jong Hwan Park and Dong Hoon Lee. A New Public Key Broadcast Encryption Using Boneh-Boyen-Goh s HIBE Scheme.L. Chen, Y. Mu, and W. Susilo (Eds.): ISPEC 2008, LNCS 4991, pp , Leyou Zhang, Yupu Hu and Qing Wu. New Constructions of Identity-based Broadcast Encryption without Random Oracles. TIIS Trans. on internet and information systems, Vol.5 No.2, pp , Leyou Zhang, Yupu Hu and Qing Wu. Adaptively Secure Identity-based Broadcast Encryption with constant size private keys and ciphertexts from the Subgroups. Mathematical and computer Modelling, 2012, 55,pp ,2012

43 3) Traitor Tracing Scheme Consider the distribution of digital content to subscribers over a broadcast channel. Typically, the distributor gives each authorized subscriber a hardware or software decoder ( box ) containing a secret decryption key. The distributor then broadcasts an encrypted version of the digital content. Authorized subscribers are able to decrypt and make use of the content. This scenario comes up in the context of pay-per-view television, and more commonly in web based electronic commerce (e.g. broadcast of online stock quotes or broadcast of proprietary market analysis).

44 However, nothing prevents a legitimate subscriber from giving a copy of her decryption software to someone else. Worse, she might try to expose the secret key buried in her decryption box and make copies of the key freely available. The traitor would thus make all of the distributor s broadcasts freely available to non-subscribers. Chor, Fiat and Naor introduced the concept of a traitor tracing scheme to discourage subscribers from giving away their keys. Their approach is to give each subscriber a distinct set of keys that both identify the subscriber and enable her to decrypt. In a sense, each set of keys is a watermark that traces back to the owner of a particular decryption box.

45 App : Content Protection DVD Content Protection.. d 1 d 2 d 3 d 4 45

46 Key Research Points my opinion 1) The trade-off between the security and efficiency; 2) The trade-off between private keys/public keys size and ciphertexts; 3) Applications in real life; 4) Public Key Traitor tracing schemes; 5) Relationship between BE and others PKE; 6) New mathematical hardness assumptions(e.g. LWE--lattice). 7) New version: functional BE(Attribute-based BE).

47 Conclusions PKBE is a useful PK in the real life. The existing works have many shortcomings and limit the application, which is also a motivation to make this research continually. In a word, the bottleneck is over there but the challenge is also over there.

48 Thanks to All