A Traceable Block Cipher
Olivier Billet, Henri Gilbert

Content Distribution
[Figure: plaintext $M$ is encrypted with $E_K$ into ciphertext $C$; decoders holding $D_K$ recover $M$.]
Issues:
- Key Redistribution (by traitors to pirate users)
- Content Redistribution (not addressed here)

Traitor Tracing: Definitions
- Benny Chor, Amos Fiat, Moni Naor, 1994
- Each of the $N$ users receives a personal key $K_j$
  - $K_j$ enables user $j$ to decrypt content
  - $K_j$ uniquely identifies user $j$
- No coalition of $k$ traitors will produce an untraceable key
  - allows a pirate to decrypt content
  - conceals all traitors' identities

Traitor Tracing
- Four Procedures
  - Key Generation
  - Encrypt
  - Decrypt
  - Tracing
- Previous Constructions
  - Combinatorial Scheme [CFN 94, NP 98]: headers $O(k \ln N)$
  - Asymmetric Algorithm [BF 99]: expansion $O(k)$

Traceable Blockcipher
- $F_K$ satisfies usual symmetric block cipher requirements
- generation from the meta-key $K$ of keys $K_j$ such that
  $F_K \equiv F_{K_1} \equiv \cdots \equiv F_{K_j} \equiv \cdots \equiv F_{K_N}$
- $k$-traceability requirement: an equivalent description produced from the knowledge of up to $k$ equivalent descriptions $F_{K_{j_1}}, \ldots, F_{K_{j_k}}$ must reveal at least one of the identities $j_1, \ldots, j_k$

Operation Modes
- Mode with control words: $F_K \equiv F_{K_j}$
  [Figure: labels $H_i$, $S_i$, $F_K$, $F_{K_j}$, $M_i$, $E_{S_i}$, $C_i$, $D_{S_i}$, decoder $j$.]
- Simple mode: $F_K^{-1} \equiv F_{K_j}$
  [Figure: labels $M$, $F_K^{-1}$, $C$, $F_{K_j}$, $M$.]

$C^*$ Scheme (Matsumoto-Imai)
- parameters
  - $K = GF(q)$, $q = 2^m$
  - $L \simeq K^n$, $L = K[X]/\pi_n(X)$
  - $(1 + q^\theta) \perp (q^n - 1)$
- public key is a set of $n$ quadratic equations in the variables $x_i$
- private key is $(S, T)$, two invertible linear maps
- encrypt with $G$
- decrypt with $S^{-1} \circ g^{-1} \circ T^{-1}$
[Figure: $x = (x_1, x_2, \ldots, x_n) \in K^n$ goes through $S$ to $a = (a_1, a_2, \ldots, a_n) \in L$, then through $C^*$: $a \mapsto b = a^{1+q^\theta}$ to $b = (b_1, b_2, \ldots, b_n) \in L$, then through $T$ to $y = (y_1, y_2, \ldots, y_n) \in K^n$; the composition $G$ is public.]

Underlying Problems
- Solving systems of multivariate equations
  - find one solution $(x_1, \ldots, x_n)$ over a finite field $K$ of $\{ y_i = P_i(x_1, \ldots, x_n) \}_{i \in [1,n]}$
  - Decision problem is NP-complete, even over $GF(2)$
  - Patarin 1995 used structure of $C^*$ to invert it
- IP: isomorphism of polynomials
  - given two sets of polynomials $\{P\}$ and $\{Q\}$, find bijective linear maps $A$ and $B$ such that $B \circ (P_1, \ldots, P_n) \circ A = (Q_1, \ldots, Q_m)$
  - IP is harder than IG
  - no polynomial algorithm is known [PGC, 1998]
  - relinearization attack for $C^*$ degree 2 from [SK, 1999]

Commuting Blocks: Conducting Idea
- $g_1 \circ g_2 = g_2 \circ g_1$
  [Figure: two equivalent chains from $x$ to $y$; labels $s$, $g_1$, $g_2$, $u^{-1}$, $v^{-1}$, $u$, $v$, $t$.]
- use a version of $C^*$ with higher degree $d > 2$:
  $g_i : a \mapsto b = a^{1 + q^{\theta_1} + \cdots + q^{\theta_{d-1}}}$

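Commuting Blocks: Key Generation
[Figure: the metakey description $F_K$ is the chain $S$, $g_1$, $g_2$, ..., $g_i$, ..., $g_r$, $T$; the user $j$ description $F_{K_j}$ is the chain $S$, $G_{1,j}$, ..., $G_{i,j}$, ..., $G_{r,j}$, $T$, drawn with the blocks $g_{\sigma(1)}$, ..., $g_{\sigma(i)}$, ..., $g_{\sigma(r)}$ and the maps $U_{1,j}^{-1}$, $U_{i-1,j}$, $U_{i,j}^{-1}$, $U_{r-1,j}$; label $\sigma$.]
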
Parameters: Example
- $q = 2^{16}$, $K = GF(q)$
- $n = 5$
  - block size is 80 bits
- $d = 4$
  - equations for $G_{i,j}$ have degree 4
  - about 70 monomials per equation
  - computing $G_{i,j}$ is at most 435 multiplications in $K$
- $r = 32$
  - 32 rounds
  - $F_{K_j}$ is about 14000 mult. in $K$
- size for $F_{K_j}$ is 22 KB
[Figure: user $j$ description $F_{K_j}$: $S$, $G_{1,j}$, ..., $G_{i,j}$, ..., $G_{r,j}$, $T$.]

Security as a Symmetric Cipher
[Figure: $F_K$ as the chain $x$, $S$, $g_1$, ..., $g_i$, ..., $g_r$, $T$, $y$.]
Input/Output observation must not allow
- to recover $F_K$
- to interpolate $F_K$
- to distinguish from a random permutation

Tracing One Traitor: Potential Strategy
[Figure: two chains from $S$ to $T$; labels $g_{\sigma(1)}$, $g_{\sigma(2)}$, $g_{\sigma(i)}$, $g_{\sigma(r)}$, $G_1$, $G_i$, $G_r$, $G'_1$, $G'_2$, $G'_k$, $G'_{k+1}$, $U_1$, $U_1^{-1}$, $U_2^{-1}$, $U_{i-1}$, $U_i^{-1}$, $U_{r-1}$.]

Tracing One Traitor
[Figure: labels $S$, $g_{\sigma(1)}$, $g_{\sigma(k)}$, $g_i$, $G'_1$, $G'_k$, $G'_{k+k'}$, $G'_{k+k'+1}$, $u_1^{-1}$, $u_k^{-1}$, $u_{k-1}$, $\pi$.]
- step 1: guess $g_{\sigma(1)}$
- step $i$: guess $g_{\sigma(i)}$
- $\sigma$ is known

Tracing several Traitors
[Figure: three rows of blocks: $g_{\sigma_j(1)}$, $g_{\sigma_j(i)}$, $g_{\sigma_j(i+1)}$, $g_{\sigma_j(r)}$; $g_{\sigma_l(1)}$, $g_{\sigma_l(i)}$, $g_{\sigma_l(i+1)}$, $g_{\sigma_l(r)}$; and $g_{\sigma_j(1)}$, $g_{\sigma_j(i)}$, $g_{\sigma_k(i+1)}$, $g_{\sigma_k(r)}$.]
- $t$-collision: $\{ \sigma_j(i) \}_{i \in [1,t]} = \{ \sigma_l(i) \}_{i \in [1,t]}$
- inner values reveal one identity

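Added example (not from the slides or the authors' code): the commuting-blocks idea and the t-collision definition, worked over a toy field. It uses constructed parameters q = 2, n = 6, r = 4, d = 4 in place of the slides' q = 2^16, n = 5, r = 32, and leaves out the linear maps S, T and U_{i,j}; all function names are hypothetical.

```python
from math import gcd

N, MOD = 6, 0b1000011          # toy field L = GF(2^6) = GF(2)[X]/(X^6 + X + 1)
ORDER = (1 << N) - 1           # q^n - 1 = 63 with q = 2, n = 6

def mul(a, b):
    """Multiply in L: carry-less product reduced modulo MOD."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = a << 1, b >> 1
        if a >> N:
            a ^= MOD
    return r

def power(a, e):
    """a**e in L by square-and-multiply."""
    r = 1
    while e:
        if e & 1:
            r = mul(r, a)
        a, e = mul(a, a), e >> 1
    return r

def exponent(thetas, q=2):
    """1 + q^theta_1 + ... + q^theta_(d-1); the block a -> a^e is a
    bijection of L only if e is coprime to q^n - 1."""
    e = 1 + sum(q ** t for t in thetas)
    if gcd(e, ORDER) != 1:
        raise ValueError(f"exponent {e} shares a factor with {ORDER}")
    return e

# Four constructed degree-4 blocks g_1..g_4 (three thetas each, so d = 4).
EXPONENTS = [exponent(t) for t in [(1, 2, 4), (1, 3, 5), (2, 3, 4), (2, 4, 5)]]

def inner_values(sigma, x):
    """Values after each block when the blocks are applied in order sigma."""
    out = []
    for i in sigma:
        x = power(x, EXPONENTS[i])
        out.append(x)
    return out

def collisions(sigma_j, sigma_l):
    """All t < r with {sigma_j(1..t)} == {sigma_l(1..t)}, i.e. t-collisions."""
    return [t for t in range(1, len(sigma_j))
            if set(sigma_j[:t]) == set(sigma_l[:t])]

def invert(y):
    """Undo the whole cascade with the inverse exponent modulo q^n - 1."""
    e = 1
    for k in EXPONENTS:
        e = e * k % ORDER
    return power(y, pow(e, -1, ORDER))
```

For the orders (0, 1, 2, 3) and (1, 0, 3, 2), every input yields the same final output, the inner values differ after the first block, and they coincide again at the 2-collision.
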
Conclusion
- Properties
  - very low control word overhead: save bandwidth
  - good behavior with high number of traitors
  - good behavior with huge number of users: scalable
  - speed of symmetric block cipher
  - no black box yet
- Security
  - IP for extended $C^*$ with degree higher than 2
- Applications
  - White Box Cryptography
  - Other instantiations