
Trace, Revoke and Self Enforcement Mechanisms for Protecting Information

Moni Naor

Weizmann Institute of Science


Digital Content

• Very easy to generate, transfer and reproduce

• However, also easy to violate ownership:
– Copyright
– Privacy

Safe prediction: this phenomenon will only increase in the future.


Ownership Protection

• Social Issue

• Technological developments can impact the ground rules: by imposing technical as well as social barriers for the violators

Technology is neither a panacea nor irrelevant!


Techniques

• Protecting content
– methods for discouraging/preventing redistribution of content after decryption
   • Watermarking
   • Fingerprinting
• Tamper Resistance
   • Hardware
   • Software
• Protecting cryptographic keys
– Broadcast Encryption/Revocation
– Tracing Traitors
– Trace and Revoke

A solution may apply a combination of techniques


Methods for Key Protection

Goal of key protection mechanisms:
• Create a legitimate channel of distribution of content and disallow its abuse.
• Illegitimate distribution should require the establishment of alternative channels
– should not be able to piggyback on the legitimate channel

Alternative channels should be combated using other means


Techniques for Key Protection

How to send information only to intended recipients
• Broadcast Encryption/Revocation
How to detect/prevent abuse
• Traitor Tracing
• Self Enforcement


Talk Plan

• The stateless scenario for trace and revoke
• The Subset Cover Framework for T&R schemes
• Two subset cover schemes
– Complete Subset
– Subset Difference
• “Implementation” Issues
• Tracing:
– General - bifurcation property
– Subset difference
• Security definition


The Broadcast Encryption Problem

Center transmits a message to a large group

A subset of users is revoked and should not be able to decrypt the message
– subset changes dynamically

Receivers are Stateless
– independent of history
– depend only on initial configuration
– essential for “off-line” applications, useful otherwise

[Figure: the Center broadcasts message M to revoked and non-revoked receivers]


Tracing

The problem of Tracing Traitors:
– Encryption that allows one to figure out who leaked the keys
– black-box tracing
– traitors can gather information, e.g. a clone

Trace and Revoke
– trace leaked key(s)
– revoke it/them - make box unusable

Powerful Combination!


Key protection in Media

• Content is distributed on CD, DVD, memory-card...
– content is encrypted
• Players/Recorders are the receivers
– typically are Stateless
– Receivers are given decryption keys at manufacturing

Goal:
– Revoke non-compliant players
   • revoked player cannot decode future content
– Trace the identity of a "cloned"/"hacked" player
   • black-box tracing

• Example: CPRM (DVD Audio)


Desiderata

• Low bandwidth: Small message expansion - E(content) not much longer than original message.
• Amount of storage at the users - I_u - small
– Also at the center
• Attentiveness - users need not be online - stateless
• Resiliency to large coalitions of users who collude and share their resources


Summary of Results

Define the Subset-Cover framework
– Family of algorithms, encapsulating previous methods

Rigorous security analysis
– Sufficient condition for an algorithm in framework to be secure

Provide the Subset-Difference revocation algorithms
– r-flexible
– concise message length

Tracing algorithm
– Works for any algorithm in framework satisfying the bifurcation property
– Seamless integration with the revocation algorithm
– Withstands any coalition size


Preliminaries

Notation:
– N - set of n users
– R - set of r users whose privileges are to be revoked

Assumption: Stateless devices

Goal: encrypt so that
– a non-revoked user can decrypt correctly
– no coalition of revoked users (of an arbitrary size) can decrypt


Subset-Cover Revocation and Tracing Algorithms

n - total no. of users
r - no. revocations
t - no. of traitors (illegal users)

Scheme              Message Length        # Keys per device   Processing Time                # decrypt   Message Length for traitors
Complete Subtree    r log (n/r)           log n               log log n                      1           t log n
Subset Difference   2r-1, 1.25r (avg.)    0.5 log^2 n         log n applications of a PRSG   1           5t


Components of a stateless system

• Scheme Initiation
– a method to assign secret information to devices, I_u to u.
• The broadcast algorithm
– For message M and a set R of users to be revoked, produce a ciphertext C to broadcast to all.
• A decryption algorithm (at device)
– a non-revoked device should produce M from ciphertext C.
– Decryption should be based on the current message and the secret information I_u only (i.e. stateless).
– Impossible to produce M from ciphertext even when provided with the secret information of all revoked users.


Definition of Security for a Stateless Broadcast System

• Can define it rigorously
• Moral equivalent of an adaptive chosen ciphertext attack

Separation between long and short term security requirement


Subset Cover Framework

Framework encapsulates many previous schemes

• Idea: to revoke a set R, partition the remaining users into subsets from some predetermined collection.

• Encrypt for each subset separately

Suggest schemes with low bandwidth, low storage that allow tracing


An algorithm in the framework:

Underlying collection of subsets (of devices) S_1, S_2, ..., S_W, with S_j ⊆ N.

• Each subset S_j is associated with a long-lived key L_j
– A device u ∈ S_j should be able to deduce L_j from its secret information I_u
• Given a revoked set R, the non-revoked users N \ R are partitioned into m disjoint subsets S_i1, S_i2, ..., S_im (N \ R = ∪ S_ij)
– a session key K is encrypted m times with L_i1, L_i2, ..., L_im.


Framework: Encryption Primitives
Separating Short Term from Long Lived Keys

F_K: encrypts the message
– K is a session key, fresh for each message
– fast, not expanding plaintext (e.g. stream cipher)

E_L: encrypts the session key
– L are long lived keys
– generally stronger than F

Can give precise definition for the required strength of E_L and F_K


The Broadcast Algorithm

• Choose a session key K
• Given R, find a partition of N \ R into disjoint sets S_i1, S_i2, ..., S_im (N \ R = ∪ S_ij) with associated keys L_i1, L_i2, ..., L_im
• Encrypt message M

Header: [i1, i2, …, im], E_{L_i1}(K), E_{L_i2}(K), …, E_{L_im}(K)
Body: F_K(M)


The Decryption Step at u

Header: [i1, i2, …, im], C_1 = E_{L_i1}(K), …, C_m = E_{L_im}(K)
Body: F_K(M)

• Either find the subset i_j such that u ∈ S_ij, or null if u ∈ R (u is revoked!)
• Obtain L_ij from the private information I_u
• Compute D_{L_ij}(C_j) to obtain K
• Decrypt F_K(M) with K to obtain the message.


A Subset-Cover Algorithm

Specifies:
• Collection of underlying subsets
• Key assignment to each subset
• “Subset-Cover” method to cover the non-revoked devices
• For a device: how to find its subset S and its key L_S from its private information.

Evaluated based on:
• Header length
• Storage (# keys) at the device
• Processing at the device: time, # decryptions
• Flexibility with respect to r


Two extreme examples

• Collection of subsets: all S_j ⊆ N, W = 2^n - 1
– Low bandwidth: for any R we have m = 1 - use S_1 = N \ R
– No good key assignment - each user should store 2^(n-1) keys
• Collection of subsets: all S_j = {j}, W = n
– High bandwidth: for any R we have m = |N \ R| - use all {S_j | j ∈ N \ R}
– Good key assignment - each user stores only 1 key

Challenge: find a scheme with small coverage m and succinct secret information I_u


Important Observation: Key Indistinguishability

Users ∉ S_j should not know long-lived key L_j

Possible solution:
– Choose L_j independently.
– Let I_u = {L_j | u ∈ S_j} - can result in long I_u

Alternative: sufficient condition for security:
Given {I_u | u ∉ S_j}, key L_j is computationally indistinguishable from random

Yields (provably) large savings in storage at the receivers


Security Theorem (format)

Any subset cover scheme where
• F_K is sufficiently strong
• E_L is sufficiently strong
• The keys L_j satisfy the Key Indistinguishability property
is secure…


The Complete Subtree Method

Imagine a full binary tree with n leaves corresponding to N
– E.g. if n = 2^32, a 32-level complete binary tree

Underlying subsets S_1, S_2, …, S_W
– for node v_i in the full tree, S_i is the set of all leaves in the subtree of v_i.
– W = 2n-1

Key assignment:
– assign a key L_i to every node v_i in the tree

Device keys:
– store all log n + 1 keys along the path to the root
– E.g. if n = 2^32, need 33 keys

[Figure: node v_i with key L_i and the set S_i of leaves below it]


Complete Subtree: Key Assignment

[Figure: device u in the tree of devices, with keys L_1, ..., L_6; I_u = { L_1, L_2, L_3, L_4, L_5, L_6 }]


Subset Cover of non-revoked devices: Complete Subtree Method

[Figure: tree with revoked and non-revoked leaves and the cover]


Subset cover of non-revoked devices

Cover = all maximal sets S_i (complete subtrees) containing only non-revoked devices

• Worst/Average case – r log (n/r) such sets
• Example: for n = 2^32, r = 2^16 and 7-byte session key:
– total of 16*7 + 4 = 116 bytes/revocation (4 + 7*log 2^16)
– 33 keys/device
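The Complete Subtree method end to end, from key assignment to the decryption step at u, as an added example (not code from the talk). The toy tree size, the derivation of node keys from a center-side master secret, and the HMAC-SHA-256 keystreams standing in for E_L and F_K are assumptions of this sketch.

```python
import hashlib
import hmac
import os

N_USERS = 8  # constructed toy size (power of two); root = 1, leaves = N_USERS..2*N_USERS-1


def node_key(master: bytes, v: int) -> bytes:
    """L_v for tree node v. Deriving it from a master secret is an assumption."""
    return hmac.new(master, b"node-%d" % v, hashlib.sha256).digest()


def device_keys(master: bytes, u: int) -> dict:
    """I_u: the log n + 1 keys on the path from leaf u up to the root."""
    keys, v = {}, N_USERS + u
    while v >= 1:
        keys[v] = node_key(master, v)
        v //= 2
    return keys


def cover(revoked: set) -> list:
    """Roots of the maximal complete subtrees that contain no revoked leaf."""
    if not revoked:
        return [1]
    steiner = set()  # every node on a path from a revoked leaf to the root
    for u in revoked:
        v = N_USERS + u
        while v >= 1 and v not in steiner:
            steiner.add(v)
            v //= 2
    # The cover is exactly the set of nodes hanging off that Steiner tree.
    return sorted(c for v in steiner if v < N_USERS
                  for c in (2 * v, 2 * v + 1) if c not in steiner)


def keystream(key: bytes, label: bytes, n: int) -> bytes:
    """HMAC in counter mode; stand-in primitive for both E_L and F_K."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, label + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def broadcast(master: bytes, revoked: set, message: bytes):
    """Header = [(i_j, E_{L_ij}(K))], body = F_K(M)."""
    K = os.urandom(16)      # fresh session key for this message
    nonce = os.urandom(8)   # keeps the XOR stand-ins from reusing a pad
    header = [(v, xor(K, keystream(node_key(master, v), nonce, len(K))))
              for v in cover(revoked)]
    body = xor(message, keystream(K, b"body" + nonce, len(message)))
    return nonce, header, body


def decrypt(keys: dict, ciphertext):
    """Stateless decryption at u: uses only I_u and the current ciphertext."""
    nonce, header, body = ciphertext
    for v, c in header:
        if v in keys:       # u is in S_v and holds L_v
            K = xor(c, keystream(keys[v], nonce, len(c)))
            return xor(body, keystream(K, b"body" + nonce, len(body)))
    return None             # no subset in the header contains u: u is revoked
```

With one revoked device out of eight the header carries three wrapped keys, matching r log (n/r) for r = 1.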


The Subset-difference Method: Subset Definition

Imagine a full binary tree with n leaves corresponding to N
– E.g. if n = 2^32, a 32-level complete binary tree

Subsets S_1, S_2, …, S_W, W = n log n
– for a pair of nodes [V_i, V_j] in the full tree such that V_i is an ancestor of V_j, S_i,j is the set of all leaves in the subtree of V_i but not in V_j.

[Figure: node v_i, its descendant v_j, and the set S_i,j]


Subset Difference Definition

S_i,j = set of all leaves in the subtree of V_i but not in V_j

[Figure: v_i, v_j and S_i,j]


Subset Cover of non-Revoked Devices: Subset-Difference Method

[Figure: tree with revoked and non-revoked leaves and the cover, showing a set S_i,j with nodes V_i and V_j]


Cover is Very Small!!

Fundamental property:

Size of the subset cover in the difference-subset method is
– at most 2r-1 in the worst case
– 1.25r in the average case!


Key Assignment

GGM is practical!

GGM= Goldreich, Goldwasser & Micali


Key Assignment: Subset-Difference Method

Naive approach to the key assignment:
– assign a key L_i,j to every pair [v_i, v_j] in the tree
– impractical: each device must store O(n) keys…

Use G, a pseudo-random sequence generator that triples the input length (k → 3k), à la GGM

Use G to derive a labeling process
– S – label @ node
– G_L(S) – label @ left child, G_R(S) – label @ right child
– G_M(S) – key @ node

G(S) = G_L(S) G_M(S) G_R(S)

[Figure: node labeled S with children labeled G_L(S) and G_R(S)]


Key Assignment - cont.

Assign to each node V_i a label LABEL_i

The key L_i,j = G_M of the label LABEL_i,j at node V_j derived from LABEL_i down towards V_j

[Figure: tree below v_i with S = LABEL_i, node labels G_L(S), G_L(G_L(S)), G_L(G_L(G_L(S))), G_R(S), G_R(G_L(G_L(S))), and v_j]

LABEL_i,j = G_R(G_L(G_L(S)))
L_i,j = G_M(LABEL_i,j)


Key Assignment: Subset-Difference Method

[Figure: tree below V_i with S = LABEL_i, node labels G_L(S), G_L(G_L(S)), G_L(G_L(G_L(S))), G_R(S), G_R(G_L(G_L(S))), and V_j]

LABEL_i,j = G_R(G_L(G_L(LABEL_i)))
L_i,j = G_M(LABEL_i,j)


Providing Keys to Devices

A device corresponds to a leaf u in the tree

For every V_i ancestor of u whose label is S
– u receives all labels @ nodes that are hanging off the path from V_i to u.
– These labels are all derived from S.
– u can compute all keys of the sets it belongs to rooted at V_i, and only them.

[Figure: leaf u below V_i, whose label is S]


Providing Keys to Devices

[Figure: leaf u below V_i, whose label is S]

Total # of labels u has to store is 0.5 log^2 n + 0.5 log n + 1:
– k labels for each ancestor V_i which is k levels above u, k = 1, …, log n + 1
– For n = 2^32, about 530 labels

Requires log n on-the-fly applications of G to derive a key
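The GGM-style labeling and the labels handed to a device, as an added example (not code from the talk). Tagged SHA-256 stands in for the length-tripling generator G, the per-node labels LABEL_i are derived from a master secret, and the tree has 16 leaves; all three are assumptions of this sketch.

```python
import hashlib

LOG_N = 4  # constructed toy tree: n = 16 leaves, heap numbering (root = 1, leaves 16..31)


def G(s: bytes, part: str) -> bytes:
    """One third of G(S) = G_L(S) G_M(S) G_R(S); part is "L", "M" or "R"."""
    return hashlib.sha256(part.encode() + s).digest()[:16]


def center_label(master: bytes, i: int) -> bytes:
    """LABEL_i of node V_i (derived from a master secret here, an assumption)."""
    return hashlib.sha256(master + b"LABEL" + i.to_bytes(4, "big")).digest()[:16]


def walk(label: bytes, src: int, dst: int) -> bytes:
    """Label at descendant dst, derived from the label at src via G_L / G_R."""
    depth = dst.bit_length() - src.bit_length()
    assert depth >= 0 and dst >> depth == src, "dst must lie in the subtree of src"
    for d in range(depth - 1, -1, -1):
        label = G(label, "R" if (dst >> d) & 1 else "L")
    return label


def key(master: bytes, i: int, j: int) -> bytes:
    """Center side: L_i,j = G_M(LABEL_i,j), LABEL_i,j derived from LABEL_i down to V_j."""
    return G(walk(center_label(master, i), i, j), "M")


def device_labels(master: bytes, u: int) -> dict:
    """For each ancestor V_i of leaf u: labels at the nodes hanging off the path V_i -> u."""
    leaf = (1 << LOG_N) + u
    labels = {}
    for k in range(1, LOG_N + 1):        # V_i is k levels above u
        i = leaf >> k
        for d in range(k):               # path nodes strictly below V_i
            s = (leaf >> d) ^ 1          # sibling of the path node
            labels[(i, s)] = walk(center_label(master, i), i, s)
    return labels


def device_key(labels: dict, i: int, j: int):
    """Device side: L_i,j if the device is in S_i,j, else None.

    The device can derive the key exactly when V_j sits at or below one of the
    hanging-off nodes it holds a label for; if V_j is on its own path (so the
    device is excluded from S_i,j) no stored label leads to V_j.
    """
    for (a, s), lab in labels.items():
        depth = j.bit_length() - s.bit_length()
        if a == i and depth >= 0 and j >> depth == s:
            return G(walk(lab, s, j), "M")
    return None


def label_count(log_n: int) -> int:
    """k labels for the ancestor k levels up; the slide's total adds 1 to this sum."""
    return log_n * (log_n + 1) // 2
```

For log n = 32 the sum is 528, which with the extra 1 gives the "about 530" figure above.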


Only 13 bytes per Single Revocation

For N = 2^32 and 7-byte session key
– total of 1.25 * 7 + 4 < 13 bytes/revocation
– 530 labels/device

Header: [i1, i2, …, im] (4r bytes), E_{L_i1}(K), E_{L_i2}(K), …, E_{L_im}(K) (9r bytes)
Body: F_K(M)


Tracing Traitors

• Some users leak their keys to pirates
• Pirates construct unauthorized decryption devices and sell them at discount
• Trace and Revoke for all subset cover algorithms satisfying bifurcation property
• More efficient procedure for subset difference

[Figure: Pirate Box holding keys K1, K3, K8 takes E(Content) and outputs Content]


Tracing Algorithm

Assumptions on illegal device:
– can examine box reaction on encrypted messages
– reset button, no “locking” strategy
– decodes with probability > q (say 0.5)

Goal: output one of the two
– a user u contained in the box
– a partition S = S_i1, S_i2, …, S_im that disables the box

Evaluation:
– performance requirement from revocation scheme
– number of queries

[Figure: encrypted messages are sent to a box containing U1, U2, …, Ut; output is u or S = S_i1, S_i2, …, S_im]


Subset Tracing

Given an illegal decoder and a subset-cover partition S = S_i1, S_i2, …, S_im, output:
– decoder is no longer decoding, or
– a subset S_ij containing a traitor

[Figure: SubsetTracing takes S = S_i1, S_i2, …, S_im and the illegal decoder and outputs “not decrypting” or “S_ij contains a traitor”]


Why is Subset-Tracing Possible?

Consider a partition S = S_i1, S_i2, …, S_im:
– Header contains the correct key – decodes
– Header contains all random keys – does not decode

Using a hybrid technique, find a subset j that has gap at least 1/m.

p_0 = 1:   E_{L_i1}(K), …, E_{L_i(j-1)}(K), E_{L_ij}(K), E_{L_i(j+1)}(K), …, E_{L_im}(K)   F_K(M)
p_(j-1):   E_{L_i1}(R), …, E_{L_i(j-1)}(R), E_{L_ij}(K), E_{L_i(j+1)}(K), …, E_{L_im}(K)   F_K(M)
p_j:       E_{L_i1}(R), …, E_{L_i(j-1)}(R), E_{L_ij}(R), E_{L_i(j+1)}(K), …, E_{L_im}(K)   F_K(M)
p_m = 0:   E_{L_i1}(R), …, E_{L_i(j-1)}(R), E_{L_ij}(R), E_{L_i(j+1)}(R), …, E_{L_im}(R)   F_K(M)

S_ij contains a traitor!


Definition: Bifurcation Property

Any subset S_i can be partitioned into (roughly) two equal sets S_i1 and S_i2.

S_i = S_i1 ∪ S_i2

Bifurcation value: max { |S_i1| / |S_i|, |S_i2| / |S_i| }

[Figure: a subset-difference set with nodes V_i and V_j split into parts L and R]

Bifurcation value = 2/3


The Tracing Algorithm

Start with an initial partition S = S_i1, S_i2, …, S_im.
Repeat
– Apply “Subset-Tracing” to S
– If “not decrypting”, done.
– Otherwise, S_j contains a traitor
   • Split S_j into S_j1 and S_j2
   • Add S_j1 and S_j2 to S

[Figure: Subset Tracing on S_1, S_2, …, S_m returns S_j; the next partition is S_1, S_2, …, S_m with S_j1, S_j2]


The Tracing Algorithm

[Figure: successive rounds. Subset Tracing on S_1, S_2, …, S_m returns S_j, giving S_1, S_2, …, S_m, S_j1, S_j2; Subset Tracing returns S_k, giving S_1, S_2, …, S_k1, S_k2; Subset Tracing reports “not decrypting” - done]
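The tracing loop and the hybrid-based Subset Tracing step run against a simulated decoder, as an added example (not code from the talk). It uses Complete Subtree subsets, where bifurcation splits a subtree into its two children. The assumptions of this sketch are a deterministic box (it always decodes when it can), a binary search over the hybrids p_0 … p_m, and dropping a single-device subset from the partition once it is shown to contain a traitor.

```python
N = 16  # constructed toy size; heap numbering: root = 1, leaves = N..2N-1


def leaves(v: int) -> range:
    """Leaf nodes of the complete subtree rooted at v."""
    lo = hi = v
    while lo < N:
        lo, hi = 2 * lo, 2 * hi + 1
    return range(lo, hi + 1)


class PirateBox:
    """Simulated stateless decoder holding the keys of a set of traitors."""

    def __init__(self, traitors):
        self.traitors = {N + u for u in traitors}
        self.queries = 0

    def decodes(self, header) -> bool:
        # header: list of (subset root, True if that slot carries the real K,
        # False if it carries a random string R instead).
        self.queries += 1
        return any(real and self.traitors.intersection(leaves(v))
                   for v, real in header)


def subset_tracing(box: PirateBox, partition: list):
    """Index of a subset containing a traitor, or None if the box is disabled.

    Hybrid p_j replaces K by R in the first j slots. p_0 decodes and p_m does
    not, so some adjacent pair (p_j-1, p_j) differs, and the slot switched
    between them belongs to a subset the box holds a key for.
    """
    def p(j: int) -> bool:
        return box.decodes([(v, idx >= j) for idx, v in enumerate(partition)])

    if not p(0):
        return None
    lo, hi = 0, len(partition)   # invariant: p(lo) decodes, p(hi) does not
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if p(mid):
            lo = mid
        else:
            hi = mid
    return lo                    # p(lo) and p(lo + 1) differ only in slot lo


def trace(box: PirateBox, partition: list):
    """Repeat Subset Tracing and splitting until the box no longer decodes."""
    partition, found = list(partition), []
    while True:
        j = subset_tracing(box, partition)
        if j is None:
            return sorted(found), partition   # this partition disables the box
        v = partition.pop(j)
        if v >= N:
            found.append(v - N)               # single device: traitor identified
        else:
            partition += [2 * v, 2 * v + 1]   # split S_j into S_j1 and S_j2
```

Starting from the single subset of all users, the returned partition is the Complete Subtree cover with exactly the identified traitors revoked.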


Efficiency: tracing t traitors

A subset is partitioned only if it
– has a traitor
– contains more than 1 element

Therefore – at most t log n iterations
– actually, t log (n/t)

Results in a partition of size at most t log (n/t)

Subset Difference: Only t subsets actually contain a traitor; can the others be merged?

Yes, can get down to O(t) subsets!


Frontier subsets

Idea: merge those that were not shown to have a traitor

Frontier Subsets:
– B and C are in the Frontier
– B1, B2 are in the frontier, C is not
– Merge C with the non-frontier subsets

Problem: can the non-frontier sets be merged to yield few subset-difference sets?

[Figure: partition steps A; B, C; C, B1, B2]


This can be done for Subset-Difference

Lemma: given k sets of the subset-difference form, it is possible to cover the rest with at most 3k sets of the subset-difference form.

– At every step, 2t frontier sets
– The merge results in 3t more sets
– A partition contains at most 5t sets.


“Implementation” Issues

• Specifying the subsets for quick determination
• Implementing E_L and F_K
• Prefix Truncation (reducing header length)
• Public Keys


Prefix Truncation

If E_L is a block cipher and K is shorter than its block size, replace

E_L(K) by [Prefix_|K| E_L(U)] ⊕ K

where U is a random string of the same length as the key for E_L

Before: [i1, i2, …, im, E_{L_i1}(K), E_{L_i2}(K), …, E_{L_im}(K)] F_K(M)
After:  [i1, i2, …, im, U, [Prefix_|K| E_{L_i1}(U)] ⊕ K, …, [Prefix_|K| E_{L_im}(U)] ⊕ K] F_K(M)

– reduction in length
– security is preserved


Working with public keys

• Any PKC can “work” with any subset cover algorithm

Problems:
• The key assignment yields private keys
– Need an efficient way to generate public keys from private. Good method: Diffie-Hellman - g^L_i
• Low overhead: want to use prefix truncation. Idea: choose random x and h and broadcast:
[(g^x, h), h((g^L_1)^x) ⊕ K, g^x, h((g^L_2)^x) ⊕ K, ..., g^x, h((g^L_m)^x) ⊕ K], F_K(M)


Public keys - unresolved issues

• Size of public-key file
– Need to publish the public-key of every subset - size W. Could be large
– Possible solution: identity based encryption - works only for the information theoretic case
• Immunity to chosen ciphertext attacks with prefix truncation
– Cramer-Shoup, Fujisaki-Okamoto require “per key” treatment
– Possible to use Schnorr like proofs of knowledge with random oracles.


Comparison to Other Methods

Stateless version

• Broadcast Encryption [Fiat Naor]
– message length O(t log2 t), t is the coalition size
• Logical Key Hierarchy (LKH)
– tree based methods for member-revocation
– [Wallner et al.], [Wong et al.]: message length (2r log n)
– [Canetti et al.]: improved to O(r log n)
• Trace & Revoke
– [Naor Pinkas], ([Anzai et al.]): transmit O(r) long DH keys, O(t) keys/device and O(r) decryptions


Tracing - Comparison

• Combinatorial Schemes - black-box testing [CFN, NP]
• Public-key Tracing - Boneh and Franklin black-box confirmation
• Integration with revocation [GSY]


Other Models

• Content Tracing: detects users redistributing content after decoding
– Watermarking: [Boneh, Shaw]
– Dynamic tracing traitors: [Fiat, Tassa]
   • improvements: [Berkman et al.], [Safavi-Naini]
• Preventing leakage of keys
– Legally: yield a proof for traitor's liability [Pfitzmann]
– Self enforcement: deter users from revealing personal information [DLN: Signets]


Further Work

• Reduce size of public-key file
– GGM in public key mode
• Public key - Immunity to chosen ciphertext attacks
• Broadcast encryption with “medium” sized sets and no hierarchy
• Better lower bounds
– Information theoretic case
– Computational case
• Better constructions
– LSD, Halevy-Shamir
– Generalizations?
• Tracing Traitors
• Social/economical Implications? Restricted formats


Multicast Security

Group Membership:
• re-keying event: all users update their group key and labels
– requires all users to be connected
Instead, add a header with legitimate users only.

Backward secrecy
– lacks backward secrecy
– needs re-keying when a new user is added to the group
Instead, assign users consecutively
– “revoke” the unused ones
– use hierarchical revocation