\documentclass[11pt]{article}
\usepackage{amsfonts}
\usepackage{latexsym}
\usepackage{setspace}
\setlength{\oddsidemargin}{.25in}
\setlength{\evensidemargin}{.25in} \setlength{\textwidth}{6in}
\setlength{\topmargin}{-0.4in} \setlength{\textheight}{8.5in}
\setstretch{1.3}
\newtheorem{theorem}{Theorem}[section]
\newtheorem{fact}[theorem]{Fact}
\newtheorem{proposition}[theorem]{Proposition}
\newtheorem{lemma}[theorem]{Lemma}
\newtheorem{definition}[theorem]{Definition}
\newtheorem{corollary}[theorem]{Corollary}
\newtheorem{remark}[theorem]{Remark}
\newtheorem{claim}[theorem]{Claim}
\newtheorem{conjecture}[theorem]{Conjecture}
\newtheorem{assumption}[theorem]{Assumption}
\newcommand{\qed}{\hfill \ensuremath{\Box}}
\newenvironment{proof}{
\vspace*{-\parskip}\noindent\textit{Proof.}}{$\qed$
\medskip
}
\newcommand{\handout}[5]{
\renewcommand{\thepage}{#1-\arabic{page}}
\noindent
\begin{center}
\framebox{
\vbox{
\hbox to 5.78in { {\bf CS395T Advanced Cryptography} \hfill #2 }
\vspace{4mm}
\hbox to 5.78in { {\Large \hfill #5 \hfill} }
\vspace{2mm}
\hbox to 5.78in { {\it #3 \hfill #4} }
}
}
\end{center}
\vspace*{4mm}
}
\newcommand{\ho}[5]{\handout{#1}{#2}{Instructor:
#3}{Scribe: #4}{Lecture #1: #5}}
\newcommand{\al}{\alpha}
\newcommand{\Zp}{\mathbb{Z}_p}
\newcommand{\G}{\mathbb G}
\newcommand{\GT}{\mathbb{G}_T}
\newcommand{\A}{\mathcal A}
\newcommand{\B}{\mathcal B}
\newcommand{\C}{\mathcal C}
\begin{document}
\ho{13}{26 March, 2009}{Brent Waters} {Abhik K. Das} {Broadcast
Encryption (Contd.) and Traitor Tracing}
\section{Security of BGW ('05) Broadcast Encryption Scheme}
The security of BGW scheme with $n$ subscribers depends on the
hardness of the $n$-BDHE assumption which was described in the
previous scribe-note. We now give a proof of its security in form
of the theorem mentioned below.
\begin{theorem}
Let $\G$ be a bilinear group of prime order $p$. Then the BGW
scheme with $n$ subscribers is secure in `static' sense against
CPA if the $n$-BDHE assumption holds in $\G$.
\end{theorem}
\begin{proof}
We prove the contrapositive statement i.e. if the exists an attack
of non-negligible advantage, say $\epsilon$, on the BGW scheme
with $n$ subscribers, then it can be used to construct an attack
of non-negligible advantage on the $n$-BDHE assumption in $\G$.
Let $\A$ denote the $n$-BDHE assumption challenger, $\B$ denote
the the $n$-BDHE assumption attacker or BGW scheme challenger and
$\C$ denote the BGW scheme attacker. The following game is played
among $\A$, $\B$ and $\C$:
\begin{itemize}
\item $\A$ chooses a random $t\in\{0,1\}$ and passes
$g,h,g^a,\ldots,g^{a^n},g^{a^{n+2}},\ldots,g^{a^{2n}},T,\G,\GT$ to
$\B$, where $T=e(g,h)^{a^{n+1}}$ if $t=0$ and $T=$ some random
element in $\GT$ if $t=1$. $\B$ declares the set of subscribers
$S^*\subseteq\{1,2,\ldots,n\}$, it wishes to attack, to $\C$.
\item $\B$ uses group $\G$ and generator $g$ for constructing the
BGW scheme. $\alpha$ is set to $a^{n+1}$ indirectly by setting
$e(g,g)^{\alpha}=e(g^a,g^{a^n})$. $y_1,y_2,\ldots,y_n \in \Zp$ are
chosen randomly and $u_i$'s are set as $u_i=g^{y_i}$ if $i\in S^*$
and $u_i=g^{a^i}g^{y_i}$ if $i\notin S^*$.
$PP=(e(g^a,g^{a^n}),u_1,u_2,\ldots,u_n)$ is given to $\C$.
\item $\C$ queries about the secret keys of the subscribers not in
$S^*$ during the query phases. Then the secret key of
subscriber $i$ ($i\notin S^*$) is generated as follows:\\
$r_i$ is set to $-a^{n+1-i}$ indirectly by setting
$K_{i,2}=(g^{a^{n+1-i}})^{-1}$. This gives
$K_{i,1}=g^{a^{n+1}}u_i^{r_i}=[(g^{a^{n+1-i}})^{-1}]^{y_i}$ and
$u_j^{r_i}=(g^{a^{n+1-i+j}})^{-1}[(g^{a^{n+1-i}})^{-1}]^{y_i}$.
Since $j\neq i$, no information about $g^{a^{n+1}}$ is divulged
due to $u_j^{r_i}$'s. The query is answered by $\B$ returning
$K_i=(K_{i,1},K_{i,2},\{u_j^{r_i}\}_{j\neq i})$ to $\C$.
\item $\C$ selects a pair of distinct messages $(M_0,M_1)$ and
sends it to $\B$. $\B$ chooses a random $b\in\{0,1\}$ and encrypts
$M_b$ by setting $g^s=h$. The cipher-text
$C^*=(C_1^*,C_2^*,C_3^*)$, where
$C_1^*=M_bT,C_2^*=h,C_3^*=F(S^*)^s=\prod_{i\in S^*}h^{y_i}$, is
sent back to $\C$.
\item $\C$ guesses $b'\in\{0,1\}$ for $b$ using its attack
algorithm and sends it to $\B$. If $b=b'$, $\B$ sets $t'=0$ and
sends it to $\A$, else $t'=1$ is sent. The attack succeeds if
$t=t'$.
\end{itemize}
The probability of a successful attack is given by:
\begin{eqnarray*}
Pr(t=t')&=&Pr(t'=0|t=0)Pr(t=0)+Pr(t'=1|t=1)Pr(t=1)\\
&=&Pr(b=b')Pr(t=0)+\frac{1}{2}Pr(t=1)\\
&=&\frac{1}{2}\left(\frac{1}{2}+\epsilon\right)+\frac{1}{2}\cdot
\frac{1}{2}\\
&=&\frac{1}{2}+\frac{\epsilon}{2}
\end{eqnarray*}
We have an attack with non-negligible advantage $\epsilon/2$ on
the $n$-BDHE assumption in $\G$, which was to be shown. This
completes our proof.
\end{proof}
\section{Traitor Tracing}
In broadcast encryption, it is quite possible that a group of
subscribers is acts as a pirate and is involved in data piracy.
The pirate uses the secret keys, available to it, to build a
pirate decoder which extracts data from the broadcast signal and
distributes its copies illegally. In such a scenario, it becomes
necessary to have an algorithm capable of interacting with the
pirate decoder and getting back the identities of the subscribers
whose secret keys are being used in the pirate decoder. The guilty
subscribers can then be penalized. This is referred to as
\emph{traitor tracing}.
Traitor tracing is a hard problem in general, as the tracing
algorithm must do its job by treating the pirate decoder as a
black-box. The pirate is free to build the decoder the way it
wants -- the pirate could obfuscate the code, use tamper resistant
hardware, and try to randomize the secret keys. Hence, it is
safest to treat the pirate decoder as a black box and the tracing
algorithm cannot look into the inner-workings of the decoder. The
only thing the tracer knows is that the decoder can correctly
decrypt the messages from the broadcast signal with high
probability.
\subsection{Algorithms for Traitor Tracing}
A traitor tracing system consists of the following algorithms:
\begin{itemize}
\item \emph{Setup}($\lambda,n$): Takes as input the number of
subscribers $n$ and security parameter $\lambda$ to output the
broadcast key $PK$, tracing key $TK$, and secret keys
$K_1,K_2,\ldots,K_n$. \item \emph{Encrypt}($M,PK$): Takes as input
the message $M$ and $PK$ to output cipher-text $C$. \item
\emph{Decrypt}($i,K_i,C,PK$): Takes as input $K_i$ and $PK$ to
retrieve message $M$ from $C$. \item \emph{Trace}($TK,D$): Takes
as input $TK$ and interacts with a pirate decoder $D$ to output
the index $i\in\{1,2,\ldots,n\}$ of a key $K_i$ that was used to
create $D$.
\end{itemize}
\subsection{Security for Traitor Tracing}
The security and traceability of a traitor tracing system can be
defined by the following game between a challenger $\A$ and
attacker $\B$:
\begin{itemize}
\item $\B$ gives $\A$ a set $S\subseteq \{1,2,\ldots,n\}$ of
subscribers whose secret keys it needs to construct a pirate
decoder. $\A$ runs \emph{Setup}($\lambda,n$) returns back the
secret keys $\{K_i|i\in S\}$ along with the broadcast key $PK$ and
tracing key $TK$ to $\B$. \item $\B$ constructs the pirate decoder
$D$ using the secret keys $\{K_i|i\in S\}$ and gives $D$ to $\A$.
Then $\A$ runs the \emph{Trace}($TK,D$) and obtains the indices of
subscribers who are supposed to be pirates.
\end{itemize}
Attacker $\B$ is said to be successful if $Pr(D(C)=M)\approx 1$
($M$ is a message and $C$ is its encryption) and the indices
returned by \emph{Trace} do not belong to $S$.
\subsection{A Simple Traitor Tracing Scheme}
A simple and brute force traitor tracing scheme can be described
as follows:
\begin{itemize}
\item \emph{Setup}($\lambda,n$): $n$ public key-secret key pairs
$\{(PK_i,K_i)\}_{i=1}^{n}$ are generated. $K_1,K_2,\ldots,K_n$ are
made the secret keys of the subscribers,
$PK=(PK_1,PK_2,\ldots,PK_n)$ is made the broadcast key as well as
the tracing key. \item \emph{Encrypt}($M,PK$): The cipher-text $C$
is obtained by concatenating the cipher-texts obtained using the
different public keys i.e.
$C=(E_{PK_1}(M),E_{PK_2}(M),\ldots,E_{PK_n}(M))$. \item
\emph{Trace}($PK,D$): For $i=1,2,\ldots,n+1$, a cipher-text is
constructed from a message $M$ as
$C_i=(E_{PK_1}(\perp),\ldots,E_{PK_{i-1}}(\perp),E_{PK_i}(M),\ldots,E_{PK_n}(M))$,
where $\perp$ is any random sample from the message space. A
polynomial number of such $C_i$'s are generated for each $i$ and
they are given as input to the pirate decoder $D$. The decryptions
given by $D$ are then used to estimate $p_i=Pr[D(C_i)=M]$ for
$i=1,2,\ldots,n+1$. We have $p_1\approx 1$ and $p_{n+1}\approx 0$
since $D$ decodes correctly with high probability and all messages
are random in $C_{n+1}$. This gives
$$
1\approx
|p_{n+1}-p_1|=\left|\sum_{i=1}^{n}(p_{i+1}-p_i)\right|\leq
\sum_{i=1}^{n}|p_{i+1}-p_i|
$$
$|p_{i+1}-p_i|\approx 0$ if $K_i$ is not used by $D$ else it is
non-negligible if $K_i$ is used by $D$. In the worst-case
scenario, $D$ uses all the keys $K_1,K_2,\ldots,K_n$ and then each
$|p_{i+1}-p_i|$ is of the order of $\frac{1}{n}$. Hence, to
identify the pirates we observe the successive differences between
the $p_i$'s i.e. $|p_{i+1}-p_i|\,\,\forall i$. $K_i$ is one of the
pirates only if $|p_{i+1}-p_i|=O(\frac{1}{n})$.
\end{itemize}
The problem with this brute-force scheme is that the size of the
cipher-texts is large which consumes a lot of bandwidth for the
broadcast signal. A fully collusion resistant traitor tracing
system has been proposed in \cite{BSW06} with the advantage of
shorter cipher-text size and constant size secret keys.
\begin{thebibliography}{99}
\bibitem[BSW06]{BSW06}
D. Boneh, A. Sahai and B. Waters. Fully Collusion Resistant
Traitor Tracing With Short Ciphertexts and Private Keys.
\emph{EUROCRYPT '06}.
\end{thebibliography}
\end{document}