Fully Collusion-Resistant Broadcast Encryption and Traitor Tracing Systems
------------------------------------------------
A Broadcast Encryption cryptosystem allows a sender to encrypt a message to
some target set of users. In a secure system users in the target set
can decrypt the ciphertext and no collusion of users outside of the target
set can learn anything about the message. Broadcast encryption systems have
a variety of applications. For example, we could build a shared encrypted
filesystem from broadcast encryption where a user broadcast encrypts a file
to the set of users he wants to share it with. Broadcast encryption is also
useful for large-scale content distribution; a content distributor such as
DirecTV or XM Radio will encrypt its digital media content to the devices
of all paying subscribers.
The primary challenge with broadcast encryption is to design secure systems
with small ciphertext size. For example, we could achieve a broadcast encryption
scheme with ciphertexts linear in the number of receivers by simply encrypting
a message (or symmetric encryption key) separately to each user in the target set.
However, this approach is inefficient and becomes infeasible in large systems
where there could be many users in a target set.
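
The trivial baseline described above, as an added example that is not from the talk or the linked papers: a session key is wrapped once per targeted user, so the header grows linearly with the target set. It assumes each user shares a 32-byte symmetric key with the sender; `seal`, `unseal` and the other names are hypothetical, and the HMAC-based encrypt-then-MAC is a standard-library stand-in for a real AEAD.

```python
import hashlib, hmac, secrets

def _stream(key, nonce, n):
    # HMAC-SHA256 in counter mode as a keystream (stdlib stand-in for a real AEAD).
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, b"enc" + nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(key, plaintext):
    # Encrypt-then-MAC: 16-byte nonce || ciphertext || 32-byte tag.
    nonce = secrets.token_bytes(16)
    body = bytes(a ^ b for a, b in zip(plaintext, _stream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"mac" + nonce + body, hashlib.sha256).digest()
    return nonce + body + tag

def unseal(key, blob):
    # Returns None when the tag does not verify (wrong key or tampering).
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(key, b"mac" + nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        return None
    return bytes(a ^ b for a, b in zip(body, _stream(key, nonce, len(body))))

def broadcast_encrypt(user_keys, target, message):
    # One fresh session key, wrapped once per targeted user: header is O(|target|).
    session = secrets.token_bytes(32)
    header = {uid: seal(user_keys[uid], session) for uid in target}
    return header, seal(session, message)

def broadcast_decrypt(uid, key, header, body):
    # A user outside the target set has no header entry and learns nothing.
    wrapped = header.get(uid)
    session = unseal(key, wrapped) if wrapped is not None else None
    return unseal(session, body) if session is not None else None

def header_bytes(header):
    return sum(len(w) for w in header.values())

# Constructed sample data: ten users, each sharing a 32-byte key with the sender.
USER_KEYS = {uid: secrets.token_bytes(32) for uid in range(10)}

if __name__ == "__main__":
    for size in (1, 3, 6):
        hdr, _ = broadcast_encrypt(USER_KEYS, range(size), b"file contents")
        print(size, "receivers ->", header_bytes(hdr), "header bytes")
```

Each wrapped session key costs 80 bytes here, so the header is 80 bytes times the number of receivers; this is the linear growth that constant-size ciphertexts avoid.
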
In this talk I will present two recent developments in broadcast encryption.
First, I will discuss my work with Dan Boneh and Craig Gentry on a broadcast
encryption scheme that has constant ciphertext size and constant size private keys.
Our scheme can be used to encrypt to arbitrary sets of users and is secure against
an arbitrary number of colluding attackers. Somewhat surprisingly, the only previous
fully collusion-resistant scheme is the trivial one where we encrypt to each user
separately.
Additionally, I will present some very recent work with Dan Boneh and Amit Sahai on
a related problem known as "Tracing Traitors". Our tracing traitors construction allows
us to trace a creator of a "pirate box". Our solution achieves O(\sqrt{n}) size
ciphertexts and is secure against an arbitrary number of colluders.
Links:
http://eprint.iacr.org/2006/045.pdf
http://eprint.iacr.org/2005/018.pdf