On Symmetric Key Broadcast Encryption Sanjay Bhattacherjee and Palash Sarkar Indian Statistical Institute, Kolkata Elliptic Curve Cryptography (This is not) 2014 isilogo Bhattacherjee and Sarkar Symmetric Key BE 10th Oct, 2014 1 / 53
Conventional Symmetric Key Encryption Receiver Sender message M public channel ciphertext Encrypt Decrypt secret key K adversary secret key K isilogo Bhattacherjee and Sarkar Symmetric Key BE 10th Oct, 2014 2 / 53
Symmetric Key Broadcast Encryption Users Users Broadcast Users Centre isilogo Bhattacherjee and Sarkar Symmetric Key BE 10th Oct, 2014 3 / 53
Symmetric Key BE Functionality The centre pre-distributes secret information to the users. A broadcast takes place in a session. For each session: Some users are privileged and the rest are revoked. The actual message is encrypted once using a session key. The session key undergoes a number of separate encryptions. This determines the header. Only the privileged users are able to decrypt. A coalition of all the revoked users get no information about the message. isilogo Bhattacherjee and Sarkar Symmetric Key BE 10th Oct, 2014 4 / 53
Parameters of Interest Size of the header. Size of the secret information required to be stored by the users. Time required by the centre to encrypt. Time required by a user to decrypt. Hdr sz and enc time are proportional to # enc of the session key. Requirement: Reduce header size, user storage and decryption time. isilogo Bhattacherjee and Sarkar Symmetric Key BE 10th Oct, 2014 5 / 53
Applications of BE AACS standard: content protection in optical discs: Disney, Intel, Microsoft, Panasonic, Warner Bros., IBM, Toshiba and Sony. Pay-TV : BSkyB in UK and Ireland has a subscriber base of over 10 million; Cable Television Networks (Regulation) Amendment Act, 2011 (India). File Sharing in Encrypted File Systems. Encrypted Email to Mailing Lists. Military Broadcasts: Global Broadcast Service (US), Joint Broadcast System (Europe). . . . isilogo Bhattacherjee and Sarkar Symmetric Key BE 10th Oct, 2014 6 / 53
Subset Cover Schemes Identify a collection S consisting of subsets of users. Assign keys to each subset in S . To each user, assign secret information such that it is able to generate secret keys for each subset in S to which it belongs; and no more. During a broadcast, form a partition { S 1 , . . . , S h } of the set of privileged users with S i ∈ S . The session key is encrypted using the keys for S 1 , . . . , S h . Each privileged user can decrypt; no coalition of revoked users gains any information about the session key (or the message). isilogo Bhattacherjee and Sarkar Symmetric Key BE 10th Oct, 2014 7 / 53
Subset Difference Scheme Naor-Naor-Lotspiech (2001): patented, AACS standard. Assumes an underlying full binary tree Level Numbers 0 4 2 1 3 3 4 5 6 2 10 11 12 13 14 7 8 9 1 0 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 isilogo Bhattacherjee and Sarkar Symmetric Key BE 10th Oct, 2014 8 / 53
Subsets in the collection S S i , j = T i \ T j : has all users that are in T i but not in T j i j Collection S : has all subsets S i , j such that j ( � = i ) is in the subtree T i . isilogo Bhattacherjee and Sarkar Symmetric Key BE 10th Oct, 2014 9 / 53
Key Assignment Pseudo-random generator (PRG): G : { 0 , 1 } k → { 0 , 1 } 3 k G ( seed ) = G L ( seed ) || G M ( seed ) || G R ( seed ) Figure : Key of S i , j : L i , j = G M ( G R ( G L ( G L ( seed i )))) isilogo
Key Assignment Pseudo-random generator (PRG): G : { 0 , 1 } k → { 0 , 1 } 3 k G ( seed ) = G L ( seed ) || G M ( seed ) || G R ( seed ) seed i Figure : Key of S i , j : L i , j = G M ( G R ( G L ( G L ( seed i )))) isilogo
Key Assignment Pseudo-random generator (PRG): G : { 0 , 1 } k → { 0 , 1 } 3 k G ( seed ) = G L ( seed ) || G M ( seed ) || G R ( seed ) seed i j Figure : Key of S i , j : L i , j = G M ( G R ( G L ( G L ( seed i )))) isilogo
Key Assignment Pseudo-random generator (PRG): G : { 0 , 1 } k → { 0 , 1 } 3 k G ( seed ) = G L ( seed ) || G M ( seed ) || G R ( seed ) seed i G L ( seed i ) G R ( seed i ) j Figure : Key of S i , j : L i , j = G M ( G R ( G L ( G L ( seed i )))) isilogo
Key Assignment Pseudo-random generator (PRG): G : { 0 , 1 } k → { 0 , 1 } 3 k G ( seed ) = G L ( seed ) || G M ( seed ) || G R ( seed ) seed i G L ( seed i ) G R ( seed i ) G L ( G L ( seed i )) G R ( G L ( seed i )) j Figure : Key of S i , j : L i , j = G M ( G R ( G L ( G L ( seed i )))) isilogo
Key Assignment Pseudo-random generator (PRG): G : { 0 , 1 } k → { 0 , 1 } 3 k G ( seed ) = G L ( seed ) || G M ( seed ) || G R ( seed ) seed i G L ( seed i ) G R ( seed i ) G L ( G L ( seed i )) G R ( G L ( seed i )) j G R ( G L ( G L ( seed i ))) Figure : Key of S i , j : L i , j = G M ( G R ( G L ( G L ( seed i )))) isilogo
Key Assignment Pseudo-random generator (PRG): G : { 0 , 1 } k → { 0 , 1 } 3 k G ( seed ) = G L ( seed ) || G M ( seed ) || G R ( seed ) seed i G L ( seed i ) G R ( seed i ) G L ( G L ( seed i )) G R ( G L ( seed i )) j G R ( G L ( G L ( seed i ))) Figure : Key of S i , j : L i , j = G M ( G R ( G L ( G L ( seed i )))) isilogo
Key Assignment Pseudo-random generator (PRG): G : { 0 , 1 } k → { 0 , 1 } 3 k G ( seed ) = G L ( seed ) || G M ( seed ) || G R ( seed ) seed i G L ( seed i ) G R ( seed i ) G L ( G L ( seed i )) G R ( G L ( seed i )) j G R ( G L ( G L ( seed i ))) L i , j = G M ( G R ( G L ( G L ( seed i )))) Figure : Key of S i , j : L i , j = G M ( G R ( G L ( G L ( seed i )))) isilogo Bhattacherjee and Sarkar Symmetric Key BE 10th Oct, 2014 10 / 53
Assigning seeds to users isilogo Figure : From one derived seed, keys of many subsets can be generated
Assigning seeds to users T i u T i u isilogo Figure : From one derived seed, keys of many subsets can be generated
Assigning seeds to users T i T j u T i u isilogo Figure : From one derived seed, keys of many subsets can be generated
Assigning seeds to users T i T j u T i u isilogo Figure : From one derived seed, keys of many subsets can be generated
Assigning seeds to users T i T j u T i T j u isilogo Figure : From one derived seed, keys of many subsets can be generated
Assigning seeds to users T i T j u T i T j u isilogo Figure : From one derived seed, keys of many subsets can be generated Bhattacherjee and Sarkar Symmetric Key BE 10th Oct, 2014 11 / 53
Assigning seeds to users T i u T i u isilogo Figure : From one derived seed, keys of many subsets can be generated
Assigning seeds to users T i T j u T i u isilogo Figure : From one derived seed, keys of many subsets can be generated
Assigning seeds to users T i T j u T i u isilogo Figure : From one derived seed, keys of many subsets can be generated
Assigning seeds to users T i T j u T i u T j isilogo Figure : From one derived seed, keys of many subsets can be generated
Assigning seeds to users T i T j u T i u T j isilogo Figure : From one derived seed, keys of many subsets can be generated Bhattacherjee and Sarkar Symmetric Key BE 10th Oct, 2014 12 / 53
User Storage Figure : Secrets stored by u User u stores: for every T i to which it belongs, the derived labels of nodes “falling-off” from the path between i and u , derived from seed i . isilogo
User Storage u Figure : Secrets stored by u User u stores: for every T i to which it belongs, the derived labels of nodes “falling-off” from the path between i and u , derived from seed i . isilogo
User Storage seed i u Figure : Secrets stored by u User u stores: for every T i to which it belongs, the derived labels of nodes “falling-off” from the path between i and u , derived from seed i . isilogo
User Storage seed i u Figure : Secrets stored by u User u stores: for every T i to which it belongs, the derived labels of nodes “falling-off” from the path between i and u , derived from seed i . isilogo
User Storage seed i G R ( seed i ) u Figure : Secrets stored by u User u stores: for every T i to which it belongs, the derived labels of nodes “falling-off” from the path between i and u , derived from seed i . isilogo
User Storage seed i G L ( seed i ) G R ( seed i ) u Figure : Secrets stored by u User u stores: for every T i to which it belongs, the derived labels of nodes “falling-off” from the path between i and u , derived from seed i . isilogo
User Storage seed i G L ( seed i ) G R ( seed i ) u Figure : Secrets stored by u User u stores: for every T i to which it belongs, the derived labels of nodes “falling-off” from the path between i and u , derived from seed i . isilogo
User Storage seed i G L ( seed i ) G R ( seed i ) G R ( G L ( seed i )) u Figure : Secrets stored by u User u stores: for every T i to which it belongs, the derived labels of nodes “falling-off” from the path between i and u , derived from seed i . isilogo Bhattacherjee and Sarkar Symmetric Key BE 10th Oct, 2014 13 / 53
User Storage seed i G R ( seed i ) G R ( G L ( seed i )) u Figure : Secrets stored by u User u stores: for every T i to which it belongs, the derived labels of nodes “falling-off” from the path between i and u , derived from seed i . isilogo
Recommend
More recommend