Book ChapterDOI

Efficient Methods for Integrating Traceability and Broadcast Encryption

TL;DR: A method for adding any desired level of broadcasting capability to any traceability scheme and a method for adding any desired level of traceability to any broadcast encryption scheme are presented.
Abstract: In many applications for content distribution, broadcast channels are used to transmit information from a distribution center to a large set of users. Broadcast encryption schemes enable the center to prevent certain users from recovering the information that is broadcast in encrypted form, while traceability schemes enable the center to trace users who collude to produce pirate decoders. In this paper, we study general methods for integrating traceability and broadcasting capability. In particular, we present a method for adding any desired level of broadcasting capability to any traceability scheme and a method for adding any desired level of traceability to any broadcast encryption scheme. To support our general methods, we also present new constructions of broadcast encryption schemes which are close to optimal in terms of the total number of keys required. Our new schemes are the first to be both maximally resilient and fully scalable.


Citations
Book ChapterDOI
19 Aug 2001
TL;DR: In this paper, the Subset-Cover framework is proposed for the stateless receiver case, where the users do not (necessarily) update their state from session to session, and sufficient conditions that guarantee the security of a revocation algorithm in this class are provided.
Abstract: We deal with the problem of a center sending a message to a group of users such that some subset of the users is considered revoked and should not be able to obtain the content of the message. We concentrate on the stateless receiver case, where the users do not (necessarily) update their state from session to session. We present a framework called the Subset-Cover framework, which abstracts a variety of revocation schemes including some previously known ones. We provide sufficient conditions that guarantee the security of a revocation algorithm in this class. We describe two explicit Subset-Cover revocation algorithms; these algorithms are very flexible and work for any number of revoked users. The schemes require storage at the receiver of log N and (1/2) log^2 N keys respectively (N is the total number of users), and in order to revoke r users the required message lengths are of r log N and 2r keys respectively. We also provide a general traitor tracing mechanism that can be integrated with any Subset-Cover revocation scheme that satisfies a "bifurcation property". This mechanism does not need an a priori bound on the number of traitors and does not expand the message length by much compared to the revocation of the same set of traitors. The main improvements of these methods over previously suggested methods, when adopted to the stateless scenario, are: (1) reducing the message length to O(r) regardless of the coalition size while maintaining a single decryption at the user's end; (2) providing a seamless integration between the revocation and tracing so that the tracing mechanism does not require any change to the revocation algorithm.

1,277 citations

Book ChapterDOI
14 Aug 2005
TL;DR: In this paper, the authors describe two new public key broadcast encryption systems for stateless receivers, which are fully secure against any number of colluders and provide a tradeoff between ciphertext size and public key size.
Abstract: We describe two new public key broadcast encryption systems for stateless receivers. Both systems are fully secure against any number of colluders. In our first construction both ciphertexts and private keys are of constant size (only two group elements), for any subset of receivers. The public key size in this system is linear in the total number of receivers. Our second system is a generalization of the first that provides a tradeoff between ciphertext size and public key size. For example, we achieve a collusion resistant broadcast system for n users where both ciphertexts and public keys are of size $O(\sqrt{N})$ for any subset of receivers. We discuss several applications of these systems.

1,214 citations

Book ChapterDOI
19 Aug 2001
TL;DR: In this article, it was shown that the Boneh-Franklin (BF) scheme and the Kurosawa-Desmedt (KDS) scheme have no black-box traceability in the self-protecting model when the number of traitors is super-logarithmic.
Abstract: We present a new generic black-box traitor tracing model in which the pirate-decoder employs a self-protection technique. This mechanism is simple, easy to implement in any (software or hardware) device and is a natural way by which a pirate (an adversary) which is black-box accessible, may try to evade detection. We present a necessary combinatorial condition for black-box traitor tracing of self-protecting devices. We constructively prove that any system that fails this condition, is incapable of tracing pirate-decoders that contain keys based on a superlogarithmic number of traitor keys. We then combine the above condition with specific properties of concrete systems. We show that the Boneh-Franklin (BF) scheme as well as the Kurosawa-Desmedt scheme have no black-box tracing capability in the self-protecting model when the number of traitors is superlogarithmic, unless the ciphertext size is as large as in a trivial system, namely linear in the number of users. This partially settles in the negative the open problem of Boneh and Franklin regarding the general black-box traceability of the BF scheme: at least for the case of superlogarithmic traitors. Our negative result does not apply to the Chor-Fiat-Naor (CFN) scheme (which, in fact, allows tracing in our self-protecting model); this separates CFN black-box traceability from that of BF. We also investigate a weaker form of black-box tracing called single-query "black-box confirmation." We show that, when suspicion is modeled as a confidence weight (which biases the uniform distribution of traitors), such single-query confirmation is essentially not possible against a self-protecting pirate-decoder that contains keys based on a superlogarithmic number of traitor keys.

1,132 citations

Journal Article
TL;DR: This work constructively proves that any system that fails this condition, is incapable of tracing pirate-decoders that contain keys based on a superlogarithmic number of traitor keys, and investigates a weaker form of black-box tracing called single-query "black-box confirmation."
Abstract: We present a new generic black-box traitor tracing model in which the pirate-decoder employs a self-protection technique. This mechanism is simple, easy to implement in any (software or hardware) device and is a natural way by which a pirate (an adversary) which is black-box accessible, may try to evade detection. We present a necessary combinatorial condition for black-box traitor tracing of self-protecting devices. We constructively prove that any system that fails this condition, is incapable of tracing pirate-decoders that contain keys based on a superlogarithmic number of traitor keys. We then combine the above condition with specific properties of concrete systems. We show that the Boneh-Franklin (BF) scheme as well as the Kurosawa-Desmedt scheme have no black-box tracing capability in the self-protecting model when the number of traitors is superlogarithmic, unless the ciphertext size is as large as in a trivial system, namely linear in the number of users. This partially settles in the negative the open problem of Boneh and Franklin regarding the general black-box traceability of the BF scheme: at least for the case of superlogarithmic traitors. Our negative result does not apply to the Chor-Fiat-Naor (CFN) scheme (which, in fact, allows tracing in our self-protecting model); this separates CFN black-box traceability from that of BF. We also investigate a weaker form of black-box tracing called single-query black-box confirmation. We show that, when suspicion is modeled as a confidence weight (which biases the uniform distribution of traitors), such single-query confirmation is essentially not possible against a self-protecting pirate-decoder that contains keys based on a superlogarithmic number of traitor keys.

1,098 citations

Book ChapterDOI
02 May 2002
TL;DR: The first public-key traitor tracing scheme with constant transmission rate was proposed by Naccache, Shamir, and Stern as mentioned in this paper, which achieves the same expansion efficiency as regular ElGamal encryption.
Abstract: An important open problem in the area of Traitor Tracing is designing a scheme with constant expansion of the size of keys (users' keys and the encryption key) and of the size of ciphertexts with respect to the size of the plaintext. This problem is known from the introduction of Traitor Tracing by Chor, Fiat and Naor. We refer to such schemes as traitor tracing with constant transmission rate. Here we present a general methodology and two protocol constructions that result in the first two public-key traitor tracing schemes with constant transmission rate in settings where plaintexts can be calibrated to be sufficiently large. Our starting point is the notion of "copyrighted function" which was presented by Naccache, Shamir and Stern. We first solve the open problem of discrete-log-based and public-key-based "copyrighted function." Then, we observe the simple yet crucial relation between (public-key) copyrighted encryption and (public-key) traitor tracing, which we exploit by introducing a generic design paradigm for designing constant transmission rate traitor tracing schemes based on copyrighted encryption functions. Our first scheme achieves the same expansion efficiency as regular ElGamal encryption. The second scheme introduces only a slightly larger (constant) overhead; however, it additionally achieves efficient black-box traitor tracing (against any pirate construction).

667 citations

References
Book
01 Jan 1995
TL;DR: The object of the book is to produce a general, comprehensive textbook that treats all the essential core areas of cryptography.
Abstract: From the Publisher: The object of the book is to produce a general, comprehensive textbook that treats all the essential core areas of cryptography.

3,545 citations


"Efficient Methods for Integrating T..." refers background in this paper

  • ...P, according to the access structure and the choice of secret sharing scheme (see [ 14 ] for more on access structures and secret sharing)....


Proceedings Article
22 Aug 1993
TL;DR: Several schemes are presented that allow a center to broadcast a secret to any subset of privileged users out of a universe of size n so that coalitions of k users not in the privileged set cannot learn the secret.
Abstract: We introduce new theoretical measures for the qualitative and quantitative assessment of encryption schemes designed for broadcast transmissions. The goal is to allow a central broadcast site to broadcast secure transmissions to an arbitrary set of recipients while minimizing key management related transmissions. We present several schemes that allow a center to broadcast a secret to any subset of privileged users out of a universe of size n so that coalitions of k users not in the privileged set cannot learn the secret. The most interesting scheme requires every user to store O(k log k log n) keys and the center to broadcast O(k^2 log^2 k log n) messages regardless of the size of the privileged set. This scheme is resilient to any coalition of k users. We also present a scheme that is resilient with probability p against a random subset of k users. This scheme requires every user to store O(log k log(1/p)) keys and the center to broadcast O(k log^2 k log(1/p)) messages.

1,449 citations

01 Jun 1999
TL;DR: This report identifies a technique which allows for secure compromise recovery, while also being robust against collusion of excluded users, and minimizes the number of transmissions required to rekey the multicast group and it imposes minimal storage requirements on the multicasts group.
Abstract: This report contains a discussion of the difficult problem of key management for multicast communication sessions. It focuses on two main areas of concern with respect to key management, which are, initializing the multicast group with a common net key and rekeying the multicast group. A rekey may be necessary upon the compromise of a user or for other reasons (e.g., periodic rekey). In particular, this report identifies a technique which allows for secure compromise recovery, while also being robust against collusion of excluded users. This is one important feature of multicast key management which has not been addressed in detail by most other multicast key management proposals [1,2,4]. The benefits of this proposed technique are that it minimizes the number of transmissions required to rekey the multicast group and it imposes minimal storage requirements on the multicast group.

1,195 citations


"Efficient Methods for Integrating T..." refers background or methods in this paper

  • ...We note that in this paper we do not consider other models such as one-time schemes [3], zero-message schemes [4], and schemes that allow rekeying [20,6]....


  • ...In the Internet draft [20], a hierarchical tree-based scheme is recommended for use in a broadcast encryption system....


  • ...Many solutions to this problem have been proposed using broadcast encryption schemes [3,9,10,4,5,15,13,20,11,19,16,6,1]....


Proceedings Article
21 Aug 1994
TL;DR: In this article, the authors give cryptographic schemes that help trace the source of leaks when sensitive or proprietary data is made available to a large set of parties, particularly for broadcast and database access systems.
Abstract: We give cryptographic schemes that help trace the source of leaks when sensitive or proprietary data is made available to a large set of parties. This is particularly important for broadcast and database access systems, where the data should be accessible only to authorized users. Such schemes are very relevant in the context of pay television, and easily combine, with and complement the Broadcast Encryption schemes of [6].

711 citations

Journal ArticleDOI
TL;DR: In this paper, it was shown that the maximum number of k-subsets of an n-set satisfying the condition in the title is bounded by a binomial ratio, with equality exactly when a Steiner system S(t, r(t−1)+1, n−d) exists.
Abstract: Let $f_r(n, k)$ denote the maximum number of $k$-subsets of an $n$-set satisfying the condition in the title. It is proved that $$f_r(n, r(t-1)+1+d) \leqq \binom{n-d}{t} \Big/ \binom{k-d}{t}$$ whenever $d = 0, 1$ or $d \leqq r/2t^2$, with equality holding iff there exists a Steiner system $S(t, r(t-1)+1, n-d)$. The determination of $f_r(n, 2r)$ led us to a new generalization of BIBD (Definition 2.4). Exponential lower and upper bounds are obtained for the case if we do not put size restrictions on the members of the family.

491 citations


"Efficient Methods for Integrating T..." refers background in this paper

  • ...Theorem 4 ([8])....


  • ...The following result by Erdős, Frankl, Füredi [8] is very useful in determining the relationship between the parameters of a set system satisfying the condition in the previous lemma....
