\documentclass[11pt]{article} \usepackage{amsfonts} \usepackage{latexsym} \usepackage{setspace} \setlength{\oddsidemargin}{.25in} \setlength{\evensidemargin}{.25in} \setlength{\textwidth}{6in} \setlength{\topmargin}{-0.4in} \setlength{\textheight}{8.5in} \setstretch{1.3} \newtheorem{theorem}{Theorem}[section] \newtheorem{fact}[theorem]{Fact} \newtheorem{proposition}[theorem]{Proposition} \newtheorem{lemma}[theorem]{Lemma} \newtheorem{definition}[theorem]{Definition} \newtheorem{corollary}[theorem]{Corollary} \newtheorem{remark}[theorem]{Remark} \newtheorem{claim}[theorem]{Claim} \newtheorem{conjecture}[theorem]{Conjecture} \newtheorem{assumption}[theorem]{Assumption} \newcommand{\qed}{\hfill \ensuremath{\Box}} \newenvironment{proof}{ \vspace*{-\parskip}\noindent\textit{Proof.}}{$\qed$ \medskip } \newcommand{\handout}[5]{ \renewcommand{\thepage}{#1-\arabic{page}} \noindent \begin{center} \framebox{ \vbox{ \hbox to 5.78in { {\bf CS395T Advanced Cryptography} \hfill #2 } \vspace{4mm} \hbox to 5.78in { {\Large \hfill #5 \hfill} } \vspace{2mm} \hbox to 5.78in { {\it #3 \hfill #4} } } } \end{center} \vspace*{4mm} } \newcommand{\ho}[5]{\handout{#1}{#2}{Instructor: #3}{Scribe: #4}{Lecture #1: #5}} \newcommand{\al}{\alpha} \newcommand{\Zp}{\mathbb{Z}_p} \newcommand{\G}{\mathbb G} \newcommand{\GT}{\mathbb{G}_T} \newcommand{\A}{\mathcal A} \newcommand{\B}{\mathcal B} \begin{document} \ho{12}{24 March, 2009}{Brent Waters} {Abhik K. Das} {Broadcast Encryption} \section{Broadcast Systems} Broadcasting refers to simultaneous transmission of a message to many receivers/users. Examples of broadcast systems include FM radio, DirectTV, streaming audio/video, shared file system and GPS. Some of the concerns faced by broadcast systems are: \begin{itemize} \item \emph{Bandwidth}: The transmission of the broadcast signal should consume as less bandwidth as possible, which has become a scarce and costly resource nowadays. \item \emph{Denial-of-Service }: The broadcast system should take measures to minimize the possibility of Denial-of-Service or D.O.S. attacks i.e.~a group of non-subscribers should not be able to block or manipulate the broadcast signal for a subscriber. \item \emph{Confidentiality}: The broadcast system should ensure that only the subscribers can extract the message from the broadcast signal. The unsubscription of some users should not affect message security and the remaining subscribers. \end{itemize} Broadcast encryption takes care of the \emph{confidentiality} concern -- schemes have been given which ensure message security even when there are multiple data streams, each having a different set of subscribers. \section{Broadcast Encryption} \subsection{A Simple Broadcast Encryption Scheme} Suppose there are $n$ subscribers and $S$ be the set of subscribers to which a message needs to be broadcasted securely. A simple way to do this is to assign a $PK$-$SK$ pair to each of the $n$ subscribers. The transmitter then uses some \emph{public key encryption} technique to encrypt the message using the $PK$'s of the subscribers in $S$ to get $|S|$ different cipher-texts. These cipher-texts are broadcasted and only the subscribers in $S$ are able to retrieve the message from the broadcast signal. This scheme proves to be inefficient as significant amount of bandwidth is used up by the broadcast signal -- if $BW$ is the average bandwidth needed to broadcast a cipher-text, the bandwidth needed to transmit the broadcast signal for $S$ under this scheme is approximately $|S|\cdot BW$. So we desire a broadcast encryption scheme which gives only one cipher-text for a given message and $S$ thereby conserving bandwidth. \subsection{Algorithms for Broadcast Encryption} A typical broadcast encryption scheme consists of the following algorithms: \begin{itemize} \item \emph{Setup}($\lambda,n$): Takes as input the number of subscribers $n$ to output the public parameters $PP$ and secret keys $K_1,K_2,\ldots,K_n$ for the subscribers. \item \emph{Encrypt}($S,PP,M$): Takes as input a message $M$, the set of subscribers $S$ to which $M$ needs to be broadcasted and $PP$ to output the cipher-text $C$. \item \emph{Decrypt}($S,i,K_i,C$): Takes as input the set of subscribers $S$, the subscriber id $i$, $K_i$ and $C$ to output message $M$ if $i\in S$ and nothing ($\bot$) if $i\notin S$. \end{itemize} The \emph{Decrypt} algorithm is run by all the subscribers. The correctness of the scheme lies in the fact that retrieval of $M$ from $C$ should be possible only when the subscriber is in $S$. \subsection{Security Model for Broadcast Encryption} A broadcast encryption scheme is said to be secure if given any $S$, the subscribers not in $S$ as well as the non-subscribers are not able to extract the message from its cipher-text, meant for the subscribers in $S$, even through collusion. Formally, the security can be defined using the following game between a challenger $\A$ and an attacker $\B$: \begin{itemize} \item \emph{Setup}: $\mathcal{A}$ runs \emph{Setup}($\lambda,n$) to generate the public parameters which it passes onto $\B$. \item \emph{Query Phase 1}: $\B$ adaptively queries about the secret keys of subscribers $i_1,i_2,\ldots,i_l$ and $\A$ responds with the keys $K_{i_1},K_{i_2},\ldots,K_{i_l}$. \item \emph{Challenge}: $\B$ decides on a set $S^* \subseteq \{1,2,\ldots, n\}\backslash\{i_1,i_2,\ldots,i_l\}$ of subscribers it wants to attack. It chooses a pair of distinct messages ($M_0,M_1$) and gives it to $\A$ along with $S^*$. $\A$ chooses a random $b\in\{0,1\}$ and runs \emph{Encrypt}($S^*,PP,M_b$) to obtain the cipher-text $C^*$ which it gives to $\B$. \item \emph{Query Phase 2}: $\B$ continues to adaptively query about the secret keys of other subscribers $i_{l+1},i_{l+2},\ldots,i_{l+m}$, who are not in $S^*$, and gets the keys $K_{i_{l+1}},K_{i_{l+2}},\ldots,K_{i_{l+m}}$. \item \emph{Guess}: $\B$ guesses $b'\in\{0,1\}$ for $b$ and wins the game if $b = b'$. \end{itemize} The broadcast encryption scheme is secure against CPA if for all attacks $$Pr(b=b')=\frac{1}{2}+\epsilon(\lambda)$$ where $\epsilon(\lambda)$ is a negligible function in $\lambda$. A weaker notion of security called `static security against CPA', can be defined where the set $S^*$ to be attacked is known to the challenger before \emph{Query Phase 1} starts. Then the following game is played between the attacker $\A$ and challenger $\B$: \begin{itemize} \item \emph{Init}: $\B$ declares the set $S^* \subseteq \{1,2,\ldots, n\}$ of subscribers it wants to attack. \item \emph{Setup}: $\mathcal{A}$ runs \emph{Setup}($\lambda,n$) to generate the public parameters which it passes onto $\B$. \item \emph{Query Phase 1}: $\B$ adaptively queries about the secret keys of subscribers $i_1,i_2,\ldots,i_l$, who are not in $S^*$, and $\A$ responds with the keys $K_{i_1},K_{i_2},\ldots,K_{i_l}$. \item \emph{Challenge}: $\B$ chooses a pair of distinct messages ($M_0,M_1$) and gives it to $\A$. $\A$ chooses a random $b\in\{0,1\}$ and runs \emph{Encrypt}($S^*,PP,M_b$) to obtain the cipher-text $C^*$ which it gives to $\B$. \item \emph{Query Phase 2}: $\B$ continues to adaptively query about the secret keys of other subscribers $i_{l+1},i_{l+2},\ldots,i_{l+m}$, who are not in $S^*$, and gets the keys $K_{i_{l+1}},K_{i_{l+2}},\ldots,K_{i_{l+m}}$. \item \emph{Guess}: $\B$ guesses $b'\in\{0,1\}$ for $b$ and wins the game if $b = b'$. \end{itemize} The broadcast encryption scheme has `static' security against CPA if for all attacks $$Pr(b=b')=\frac{1}{2}+\epsilon(\lambda)$$ where $\epsilon(\lambda)$ is a negligible function in $\lambda$. \section{Boneh-Gentry-Waters (BGW) Scheme ('05)} Broadcast encryption was first formally discussed in \cite{FN93} and a $t$-user collusion resistant scheme was proposed in the same. The scheme suffers from one main drawback -- the cipher-text size is of the order $O(t(\log{t})^2\log{n})$, which increases with increasing $t$ and $n$. The BGW scheme proposed in \cite{BGW05} offers reduced cipher-text size, depending only on security parameter $\lambda$. Moreover it proves to be fully collusion resistant, which is definitely securer than any $t$-user collusion resistant scheme. \subsection{Algorithms for BGW Scheme} We present a simplified version of the BGW scheme consisting of the following algorithms: \begin{itemize} \item \emph{Setup}($\lambda,n$): Fix a prime number $p$ of order $\lambda$. Choose a bilinear group $\G$ with generator $g$ and target group $\GT$, both of order $p$. Pick $\alpha \in \Zp$, random $r_1,r_2,\ldots,r_n \in \Zp$ and $u_1,u_2,\ldots,u_n \in \G$. Consider a function $F(S)=\prod_{i\in S}u_i$ where $S \subseteq\{1,2,\ldots,n\}$. Define public parameters as $PP=(e(g,g)^{\alpha},u_1,u_2,\ldots,u_n)$ and the secret key for subscriber $i$ as $K_i=(K_{i,1},K_{i,2},u_1^{r_i},\ldots,u_{i-1}^{r_i}, u_{i+1}^{r_i},\ldots,u_n^{r_i})$ with $K_{i,1}=g^{\alpha}u_i^{r_i},K_{i,2}=g^{r_i}$. \item \emph{Encrypt}($S,PP,M$): Pick a random $s\in\Zp$. Define the cipher-text for message $M\in\G$ as $C=(C_1,C_2,C_3)$ where $C_1=Me(g,g)^{\alpha s},C_2=g^s,C_3=F(S)^s$, $S$ being the set of subscribers to which $M$ is communicated. \item \emph{Decrypt}($S,i,K_i,C$): If $i\in S$, $M$ can be retrieved from $C$ as follows: Dividing $e(K_{i,2},C_3)=e(g,\prod_{j\in S}u_j)^{r_i s}$ by $e(\prod_{j\in S\backslash\{i\}}u_j^{r_i},C_2)=e(g,\prod_{j\in S\backslash\{i\}}u_j)^{r_i s}$ gives $e(g,u_i)^{r_i s}$, which can be divided from $e(K_{i,1},C_2)=e(g,g)^{\alpha s}e(g,u_i)^{r_i s}$ to get the blinding factor for the message, $e(g,g)^{\alpha s}$. The blinding factor can now be eliminated from $C_1=Me(g,g)^{\alpha s}$ to get $M$. \end{itemize} One may note that $r_i$'s cannot be a part of $PP$ as then $e(g,g)^{r_i s} = e(C_2,u_i^{r_i})$ can be computed for all $i$ and the blinding factor $e(g,g)^{\alpha s}$ can be determined by all subscribers. \subsection{Security of BGW Scheme} We describe a new hard problem called the $q$-BDHE assumption:\\ Consider a prime-order bilinear group $\G$ with generator $g$ and target group $\GT$. Let $h\in \G$ and $a,q\in \Zp$. Choose $b\in\{0,1\}$ randomly and define $T=e(g,h)^{a^{q+1}}$ if $b=0$, else make $T$ equal to some random element in $\GT$. Then given the groups $\G,\G_T$ and the values $g,h,g^a,\ldots,g^{a^q},g^{a^{q+2}},\ldots,g^{a^{2q}},T$, it is hard to determine $b$. It can be shown that the BGW scheme with $n$ subscribers possesses `static' security if the $n$-BDH problem is hard. The proof of security will be given in the next scribe-note. \begin{thebibliography}{99} \bibitem[FN93]{FN93} A. Fiat and M. Naor. Broadcast encryption. \emph{Proceedings of Crypto '93}. \bibitem[BGW05]{BGW05} D. Boneh, C. Gentry and B. Waters. Collusion Resistant Broadcast Encryption with Short Ciphertexts and Private Keys. \emph{CRYPTO '05}. \end{thebibliography} \end{document}