
Trace, Revoke and Self Enforcement Mechanisms for Protecting Information

Moni Naor

Weizmann Institute of Science

2

Digital Content

• Very easy to generate, transfer and reproduce
• However, also easy to violate ownership:
  – Copyright
  – Privacy

Safe prediction: this phenomenon will only increase in the future.

3

Ownership Protection

• A social issue
• Technological developments can impact the ground rules, by imposing technical as well as social barriers for the violators

Technology is neither a panacea nor irrelevant!

4

Techniques

• Protecting content: methods for discouraging/preventing redistribution of content after decryption
  – Watermarking
  – Fingerprinting
  – Tamper resistance (hardware, software)
• Protecting cryptographic keys
  – Broadcast Encryption/Revocation
  – Tracing Traitors
  – Trace and Revoke

A solution may apply a combination of techniques.

5

Methods for Key Protection

Goal of key protection mechanisms:
• Create a legitimate channel for distributing content and disallow its abuse.
• Illegitimate distribution should require the establishment of alternative channels; it should not be able to piggyback on the legitimate channel.

Alternative channels should be combated using other means.

6

Techniques for Key Protection

How to send information only to the intended recipients:
• Broadcast Encryption/Revocation
How to detect/prevent abuse:
• Traitor Tracing
• Self Enforcement

7

Talk Plan

• The stateless scenario for trace and revoke
• The Subset-Cover framework for T&R schemes
• Two subset-cover schemes
  – Complete Subtree
  – Subset Difference
• "Implementation" issues
• Tracing:
  – General: the bifurcation property
  – Subset Difference
• Security definition

8

The Broadcast Encryption Problem

• The center transmits a message M to a large group.
• A subset of users is revoked and should not be able to decrypt the message; the revoked subset changes dynamically.
• Receivers are stateless: independent of history, they depend only on their initial configuration. This is essential for "off-line" applications and useful otherwise.

[Figure: the center broadcasting message M to revoked and non-revoked receivers]

9

Tracing

The problem of Tracing Traitors: encryption that allows figuring out who leaked the keys.
• Black-box tracing: the traitors can gather information, e.g. build a clone.

Trace and Revoke: trace the leaked key(s) and revoke them, making the pirate box unusable. A powerful combination!

10

Key Protection in Media

• Content is distributed on CD, DVD, memory card, ...
  – the content is encrypted
• Players/recorders are the receivers
  – typically stateless
  – receivers are given their decryption keys at manufacturing
Goal:
  – Revoke non-compliant players: a revoked player cannot decode future content
  – Trace the identity of a "cloned"/"hacked" player: black-box tracing
• Example: CPRM (DVD Audio)

11

Desiderata

• Low bandwidth: small message expansion, i.e. E(content) not much longer than the original message.
• Small amount of storage I_u at the users, and also at the center.
• Attentiveness: users need not be online (stateless).
• Resiliency to large coalitions of users who collude and share their resources.

12

Summary of Results

Define the Subset-Cover framework
• A family of algorithms, encapsulating previous methods
• Rigorous security analysis: a sufficient condition for an algorithm in the framework to be secure
Provide the Subset-Difference revocation algorithm
• r-flexible
• concise message length
Tracing algorithm
• Works for any algorithm in the framework satisfying the bifurcation property
• Seamless integration with the revocation algorithm
• Withstands any coalition size

13

Preliminaries

Notation: N is the set of n users; R is the set of r users whose privileges are to be revoked.
Assumption: stateless devices.
Goal: encrypt so that a non-revoked user can decrypt correctly, while no coalition of revoked users (of arbitrary size) can decrypt.

14

Subset-Cover Revocation and Tracing Algorithms

n: total no. of users; r: no. of revocations; t: no. of traitors (illegal users)

Scheme             Message length      # keys per device   Processing time                 # decryptions   Message length for traitors
Complete Subtree   r log(n/r)          log n               log log n                       1               t log n
Subset Difference  2r-1 (1.25r avg.)   0.5 log^2 n         log n applications of a PRSG    1               5t

15

Components of a Stateless System

• Scheme initiation: a method to assign secret information I_u to each device u.
• The broadcast algorithm: for a message M and a set R of users to be revoked, produce a ciphertext C to broadcast to all.
• A decryption algorithm (at the device):
  – a non-revoked device should produce M from the ciphertext C;
  – decryption should be based on the current message and the secret information I_u only (i.e. stateless);
  – it should be impossible to produce M from the ciphertext even when provided with the secret information of all revoked users.

16

Definition of Security for a Stateless Broadcast System

• Can be defined rigorously
• The moral equivalent of an adaptive chosen ciphertext attack
• Separation between the long-term and the short-term security requirements

17

Subset-Cover Framework

The framework encapsulates many previous schemes.
• Idea: to revoke a set R, partition the remaining users into subsets from some predetermined collection.
• Encrypt for each subset separately.
This suggests schemes with low bandwidth and low storage that allow tracing.

18

An algorithm in the framework:

Underlying collection of subsets (of devices) S_1, S_2, ..., S_w, with each S_j ⊆ N.
• Each subset S_j is associated with a long-lived key L_j.
  – A device u ∈ S_j should be able to deduce L_j from its secret information I_u.
• Given a revoked set R, the non-revoked users N \ R are partitioned into m disjoint subsets S_i1, S_i2, ..., S_im (N \ R = ∪ S_ij).
  – A session key K is encrypted m times, with L_i1, L_i2, ..., L_im.

19

Framework: Encryption Primitives
Separating Short-Term from Long-Lived Keys

F_K: encrypts the message
• K is a session key, fresh for each message
• fast, not expanding the plaintext (e.g. a stream cipher)
E_L: encrypts the session key
• the L are long-lived keys
• generally stronger than F
One can give a precise definition of the required strength of E_L and F_K.

20

The Broadcast Algorithm

• Choose a session key K
• Given R, find a partition of N \ R into disjoint sets S_i1, S_i2, ..., S_im (N \ R = ∪ S_ij) with associated keys L_i1, L_i2, ..., L_im
• Encrypt the message M:

  [i1, i2, ..., im, E_Li1(K), E_Li2(K), ..., E_Lim(K)]   F_K(M)
  <-------------------- HEADER ---------------------->   <-Body->

21

The Decryption Step at u

  [i1, i2, ..., im, C_1 = E_Li1(K), ..., C_m = E_Lim(K)]   F_K(M)
  <------------------------- HEADER -------------------->   <-Body->

• Find the subset i_j such that u ∈ S_ij, or null if u ∈ R (then u is revoked!)
• Obtain L_ij from the private information I_u
• Compute D_Lij(C_j) to obtain K
• Decrypt F_K(M) with K to obtain the message

22

A Subset-Cover Algorithm

Specifies:
• the collection of underlying subsets
• the key assignment to each subset
• the "Subset-Cover" method to cover the non-revoked devices
• for a device: how to find its subset S and its key L_S from its private information

Evaluated based on:
• header length
• storage (# keys) at the device
• processing at the device: time, # decryptions
• flexibility with respect to r

23

Two Extreme Examples

• Collection of subsets: all S_j ⊆ N, w = 2^n - 1
  – Low bandwidth: for any R we have m = 1, use S_1 = N \ R
  – No good key assignment: each user should store 2^(n-1) keys
• Collection of subsets: all S_j = {j}, w = n
  – High bandwidth: for any R we have m = |N \ R|, use all {S_j | j ∈ N \ R}
  – Good key assignment: each user stores only 1 key

Challenge: find a scheme with a small cover size m and succinct secret information I_u.

24

Important Observation: Key Indistinguishability

Users outside S_j should not know the long-lived key L_j. Possible solution:
– Choose the L_j independently.
– Let I_u = {L_j | u ∈ S_j}; this can result in a long I_u.
Alternative: a sufficient condition for security is that, given {I_u | u ∉ S_j}, the key L_j is computationally indistinguishable from random.
This yields (provably) large savings in storage at the receivers.

25

Security Theorem (format)

Any subset-cover scheme where
• F_K is sufficiently strong,
• E_L is sufficiently strong, and
• the keys L_j satisfy the Key Indistinguishability property
is secure.

26

The Complete Subtree Method

Imagine a full binary tree with n leaves corresponding to N. E.g. if n = 2^32, a 32-level complete binary tree.
Underlying subsets S_1, S_2, ..., S_w: for a node v_i in the full tree, S_i is the set of all leaves in the subtree of v_i; w = 2n - 1.
Key assignment: assign a key L_i to every node v_i in the tree.
Device keys: store all log n + 1 keys along the path to the root. E.g. if n = 2^32, 33 keys are needed.

[Figure: a node v_i with key L_i and its subtree S_i]

27

Complete Subtree: Key Assignment

[Figure: device u at a leaf; the keys on its path to the root form I_u = {L_1, L_2, L_3, L_4, L_5, L_6}]

28

Subset Cover of Non-Revoked Devices: Complete Subtree Method

[Figure: a tree with revoked and non-revoked leaves and the complete subtrees that cover the non-revoked ones]

29

Subset cover of non-revoked devices

Cover = all maximal sets S_i (complete subtrees) containing only non-revoked devices.
• Worst/average case: r log(n/r) such sets
• Example: for n = 2^32, r = 2^16 and a 7-byte session key: a total of 16*7 + 4 = 116 bytes per revocation (4 + 7*log(2^16)); 33 keys per device
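The framework of slides 18 to 22 and the Complete Subtree cover of slides 26 to 29 are small enough to run end to end. The following is an added example, not code from the talk or the NNL paper: it numbers the tree nodes heap-style (an assumption; the talk fixes no numbering), computes the cover as the children of the Steiner tree of the revoked leaves, builds the header [i1..im, E_Li1(K), ..., E_Lim(K)] F_K(M) and decrypts at a device from I_u alone. The function names and the toy E_L / F_K (XOR with an HMAC-SHA256 pad, with a per-message nonce) are this example's own choices.

```python
# Added example (not from the talk): the Complete Subtree method inside the
# Subset-Cover framework. n = 2^d devices are the leaves of a full binary tree
# with heap-style node numbers: root = 1, children of v are 2v and 2v+1, and
# device u (0 <= u < n) is leaf node n+u. S_v is the set of leaves under v.
# E_L and F_K are toy XOR-with-PRF primitives built from HMAC-SHA256 (an
# assumption of this example, not the talk's choice of ciphers).
import hashlib
import hmac
import os

def path_to_root(n, u):
    """The log n + 1 nodes whose keys device u stores (leaf first)."""
    v, path = n + u, []
    while v >= 1:
        path.append(v)
        v //= 2
    return path

def leaves_under(n, v):
    """Device ids in S_v: the leaves of the subtree rooted at node v."""
    lo = hi = v
    while lo < n:                       # descend until the range is all leaves
        lo, hi = 2 * lo, 2 * hi + 1
    return set(range(lo - n, hi - n + 1))

def complete_subtree_cover(n, revoked):
    """Maximal complete subtrees containing no revoked leaf.
    The nodes on the paths from the revoked leaves to the root form a Steiner
    tree ST; the cover is every child of an ST node that is not itself in ST."""
    if not revoked:
        return [1]                      # a single subset: the whole tree
    steiner = set()
    for u in revoked:
        steiner.update(path_to_root(n, u))
    cover = []
    for v in sorted(steiner):
        if v >= n:
            continue                    # leaves have no children
        for c in (2 * v, 2 * v + 1):
            if c not in steiner:
                cover.append(c)
    return cover

def prf(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()[:16]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def keystream(K, nonce, length):
    """F_K as a stream cipher: SHA-256 in counter mode (toy, for the example)."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hashlib.sha256(K + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:length]

def center_setup(n):
    """Scheme initiation: one independent long-lived key L_v per tree node."""
    return {v: os.urandom(16) for v in range(1, 2 * n)}

def device_secret(n, u, keys):
    """I_u = the keys of the nodes on u's path to the root."""
    return {v: keys[v] for v in path_to_root(n, u)}

def broadcast(n, keys, revoked, message):
    """[i1..im, E_Li1(K), ..., E_Lim(K)] F_K(M); the nonce keeps E_L fresh per message."""
    K, nonce = os.urandom(16), os.urandom(16)
    cover = complete_subtree_cover(n, revoked)
    header = [(v, xor(K, prf(keys[v], b"E" + nonce))) for v in cover]
    body = xor(message, keystream(K, nonce, len(message)))
    return nonce, header, body

def device_decrypt(Iu, nonce, header, body):
    """Stateless decryption from I_u only: u is in S_v iff v lies on its path, i.e. v in I_u."""
    for v, c in header:
        if v in Iu:
            K = xor(c, prf(Iu[v], b"E" + nonce))
            return xor(body, keystream(K, nonce, len(body)))
    return None                         # no subset contains u: u is revoked

if __name__ == "__main__":
    n, revoked = 8, {2, 5}
    keys = center_setup(n)
    nonce, header, body = broadcast(n, keys, revoked, b"content block")
    print("cover nodes:", [v for v, _ in header])
    for u in range(n):
        print(u, device_decrypt(device_secret(n, u, keys), nonce, header, body))
```

With n = 8 and R = {2, 5} the Steiner tree is {1, 2, 3, 5, 6, 10, 13} and the cover is the four subtrees rooted at 4, 7, 11 and 12, which matches the r log(n/r) = 4 bound; a revoked device finds no header entry it can open, which is the "null if u ∈ R" branch of slide 21.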

30

The Subset-Difference Method: Subset Definition

Imagine a full binary tree with n leaves corresponding to N. E.g. if n = 2^32, a 32-level complete binary tree.
Subsets S_1, S_2, ..., S_w, w = n log n: for a pair of nodes [v_i, v_j] in the full tree such that v_i is an ancestor of v_j, S_{i,j} is the set of all leaves in the subtree of v_i but not in the subtree of v_j.

[Figure: v_i above v_j; the leaves under v_i outside the subtree of v_j form S_{i,j}]

31

Subset Difference Definition

S_{i,j} = the set of all leaves in the subtree of v_i but not in the subtree of v_j.

[Figure: v_i, v_j and S_{i,j}]

32

Subset Cover of Non-Revoked Devices: Subset-Difference Method

[Figure: revoked and non-revoked leaves; the cover by sets S_{i,j}, each a subtree of v_i with the subtree of v_j removed]

33

The Cover is Very Small!

Fundamental property: the size of the subset cover in the Subset-Difference method is at most 2r - 1 in the worst case, and 1.25r on average.

34

Key Assignment

GGM is practical! (GGM = Goldreich, Goldwasser & Micali)

35

Key Assignment: Subset-Difference Method

Naive approach to the key assignment: assign a key L_{i,j} to every pair [v_i, v_j] in the tree. Impractical: each device must store O(n) keys.
Instead use G, a pseudo-random sequence generator that triples the input length (k → 3k), à la GGM:
  G(S) = G_L(S) || G_M(S) || G_R(S)
Use G to derive a labeling process: S is the label at a node, G_L(S) the label at its left child, G_R(S) the label at its right child, and G_M(S) the key at the node.

36

Key Assignment (cont.)

Assign to each node v_i a label LABEL_i. The key L_{i,j} = G_M of the label LABEL_{i,j} at node v_j, which is derived from LABEL_i by walking down from v_i towards v_j.

Example with S = LABEL_i, where v_j is reached from v_i by the steps left, left, right:
  labels along the way: G_L(S), G_L(G_L(S))
  LABEL_{i,j} = G_R(G_L(G_L(S)))
  L_{i,j} = G_M(LABEL_{i,j})
(the figure also shows the labels G_R(S) and G_L(G_L(G_L(S))) at nodes off that path)

37

Key Assignment: Subset-Difference Method

[Figure: the same derivation drawn on the tree: from S = LABEL_i at v_i down through G_L(S) and G_L(G_L(S)) to LABEL_{i,j} = G_R(G_L(G_L(S))) at v_j, and L_{i,j} = G_M(LABEL_{i,j})]

38

Providing Keys to Devices

A device corresponds to a leaf u in the tree. For every ancestor v_i of u whose label is S, u receives all labels at the nodes hanging off the path from v_i to u. These labels are all derived from S. u can compute all keys of the sets rooted at v_i that it belongs to, and only them.

[Figure: leaf u, an ancestor v_i with label S, and the nodes hanging off the path from v_i to u]

39

Providing Keys to Devices

The total number of labels u has to store is 0.5 log^2 n + 0.5 log n + 1: k labels for each ancestor v_i that is k levels above u, for k = 1, ..., log n, plus one additional label. For n = 2^32, about 530 labels.
Deriving a key requires log n on-the-fly applications of G.

40

Only 13 Bytes per Single Revocation

For n = 2^32 and a 7-byte session key: a total of 1.25 * 7 + 4 < 13 bytes per revocation; 530 labels per device.

  [i1, i2, ..., im]   E_Li1(K), E_Li2(K), ..., E_Lim(K)   F_K(M)
     4r bytes                    9r bytes
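The Subset-Difference cover of slides 30 to 33 and the GGM label assignment of slides 35 to 39 fit in one runnable piece. This is an added example, not code from the talk or the paper: the tree is heap-numbered as in the Complete Subtree example above (an assumption), the length-tripling generator G is replaced by three SHA-256 derivations as a stand-in for the GGM construction, and the names sd_cover, device_secret and device_key are this example's own. The cover routine follows the construction the talk describes, working on the Steiner tree of the revoked leaves and collapsing one branch node per round; the empty revoked set is left out, since it needs the one extra whole-tree key mentioned on slide 39.

```python
# Added example (not from the talk): the Subset-Difference method with the
# GGM-style label derivation. Tree convention as in the Complete Subtree
# example: n = 2^d leaves, heap-numbered nodes (root = 1, children of v are
# 2v = left and 2v+1 = right, device u is leaf n+u). The length-tripling PRG G
# is built from SHA-256 here as an assumed stand-in for the GGM generator;
# labels and keys are 16 bytes.
import hashlib
import os

def G_L(s): return hashlib.sha256(b"L" + s).digest()[:16]   # label of the left child
def G_M(s): return hashlib.sha256(b"M" + s).digest()[:16]   # key at the node
def G_R(s): return hashlib.sha256(b"R" + s).digest()[:16]   # label of the right child

def is_anc_or_self(a, v):
    while v >= a:                      # ancestors have smaller heap indices
        if v == a:
            return True
        v //= 2
    return False

def leaves_under(n, v):
    """Device ids in the subtree of node v."""
    lo = hi = v
    while lo < n:
        lo, hi = 2 * lo, 2 * hi + 1
    return set(range(lo - n, hi - n + 1))

def derive_label(label, frm, to):
    """LABEL_{frm,to}: walk from node frm down to its descendant to, applying
    G_L for each left step and G_R for each right step."""
    steps = []
    while to != frm:
        steps.append(to % 2)           # 0 = left child, 1 = right child
        to //= 2
    for bit in reversed(steps):
        label = G_R(label) if bit else G_L(label)
    return label

def branch_node(T, leaves_T):
    """A node v of T whose two child subtrees each contain exactly one leaf of T."""
    for v in sorted(T, reverse=True):
        l, r = 2 * v, 2 * v + 1
        if l in T and r in T:
            li = [w for w in leaves_T if is_anc_or_self(l, w)]
            ri = [w for w in leaves_T if is_anc_or_self(r, w)]
            if len(li) == 1 and len(ri) == 1:
                return v, l, r, li[0], ri[0]
    raise AssertionError("a tree T with two or more leaves always has one")

def sd_cover(n, revoked):
    """Cover of N \\ R by subsets S_{i,j}, returned as (i, j) pairs. T starts as
    the Steiner tree of the revoked leaves; each round takes a branch node v with
    children l, r holding the T-leaves v_i, v_j, emits S_{l,i} and S_{r,j}
    (skipping empty ones) and collapses the subtree of v into the leaf v."""
    if not revoked:
        raise ValueError("empty R: the whole tree is one special subset")
    T = set()
    for u in revoked:
        v = n + u
        while v >= 1:
            T.add(v)
            v //= 2
    cover = []
    while True:
        leaves_T = [w for w in T if 2 * w not in T and 2 * w + 1 not in T]
        if leaves_T == [1]:
            break
        if len(leaves_T) == 1:         # a single chain left: hang it off the root
            cover.append((1, leaves_T[0]))
            break
        v, l, r, vi, vj = branch_node(T, leaves_T)
        if l != vi:
            cover.append((l, vi))
        if r != vj:
            cover.append((r, vj))
        T = {w for w in T if w == v or not is_anc_or_self(v, w)}
    return cover

def center_setup(n):
    """LABEL_i chosen at random for every internal node v_i."""
    return {v: os.urandom(16) for v in range(1, n)}

def center_key(labels, i, j):
    return G_M(derive_label(labels[i], i, j))

def device_secret(n, u, labels):
    """I_u: for each proper ancestor a of leaf n+u, the labels LABEL_{a,w} of the
    nodes w hanging off the path from a down to the leaf: k labels for the
    ancestor k levels up, 0.5 log^2 n + 0.5 log n labels in total."""
    path, v = [], n + u
    while v >= 1:
        path.append(v)
        v //= 2
    Iu = {}
    for k in range(1, len(path)):
        a = path[k]
        for p in path[:k]:
            Iu[(a, p ^ 1)] = derive_label(labels[a], a, p ^ 1)   # p ^ 1: sibling of p
    return Iu

def device_key(Iu, i, j):
    """L_{i,j} from I_u alone, or None when u is not in S_{i,j}: u holds LABEL_{i,w}
    for the node w where the path to v_j leaves u's own path, then walks w -> v_j."""
    for (a, w), lab in Iu.items():
        if a == i and is_anc_or_self(w, j):
            return G_M(derive_label(lab, w, j))
    return None
```

For n = 8 and R = {2, 5} the cover is the two sets S_{2,10} = {0, 1, 3} and S_{3,13} = {4, 6, 7}, within the 2r - 1 bound; device 3 stores 6 labels (0.5 log^2 n + 0.5 log n for log n = 3), derives L_{2,10} identically to the center, and gets None for S_{3,13}, while the revoked devices 2 and 5 get None for every cover set. Key indistinguishability (slide 24) rests on G being a PRG: a revoked device never holds a label from which LABEL_{i,j} of a set it is outside of can be reached by walking downwards.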

41

Tracing Traitors

• Some users leak their keys to pirates
• Pirates construct unauthorized decryption devices and sell them at a discount
• Trace and revoke for all subset-cover algorithms satisfying the bifurcation property
• A more efficient procedure for Subset Difference

[Figure: a pirate box holding the keys K1, K3, K8 turns E(Content) into Content]

42

Tracing Algorithm

Assumptions on the illegal device:
• one can examine the box's reaction to encrypted messages
• reset button, no "locking" strategy
• it decodes with probability > q (say 0.5)
Goal: output one of the two:
• a user u contained in the box (one of U1, U2, ..., Ut)
• a partition S = S_i1, S_i2, ..., S_im that disables the box
Evaluation: the performance requirements of the revocation scheme, and the number of queries (encrypted messages).

43

Subset Tracing

Given an illegal decoder and a subset-cover partition S = S_i1, S_i2, ..., S_im, output either:
• "the decoder is no longer decoding", or
• a subset S_ij containing a traitor

44

Why is Subset Tracing Possible?

Consider a partition S = S_i1, S_i2, ..., S_im:
• If the header contains the correct key for every subset, the box decodes.
• If the header contains only random keys, it does not decode.
Using a hybrid technique, find a subset j that has a gap of at least 1/m. Let p_j be the probability that the box decodes when the first j entries carry a random value R instead of K:

  p_0 = 1:   E_Li1(K), ..., E_Lij-1(K), E_Lij(K), E_Lij+1(K), ..., E_Lim(K)   F_K(M)
  p_{j-1}:   E_Li1(R), ..., E_Lij-1(R), E_Lij(K), E_Lij+1(K), ..., E_Lim(K)   F_K(M)
  p_j:       E_Li1(R), ..., E_Lij-1(R), E_Lij(R), E_Lij+1(K), ..., E_Lim(K)   F_K(M)
  p_m = 0:   E_Li1(R), ..., E_Lij-1(R), E_Lij(R), E_Lij+1(R), ..., E_Lim(R)   F_K(M)

If p_{j-1} - p_j ≥ 1/m, then S_ij contains a traitor!

45

Definition: Bifurcation Property

Any subset S_i can be partitioned into two (roughly) equal sets S_i1 and S_i2: S_i = S_i1 ∪ S_i2.
Bifurcation value: max{ |S_i1| / |S_i|, |S_i2| / |S_i| }.

[Figure: a subset-difference set with root v_i and excluded node v_j, split at the children L and R of v_i; bifurcation value = 2/3]

46

The Tracing Algorithm

Start with an initial partition S = S_i1, S_i2, ..., S_im.
Repeat:
  Apply "Subset Tracing" to S.
  If "not decrypting": done.
  Otherwise S_j contains a traitor: split S_j into S_j1 and S_j2, and replace S_j in S by S_j1 and S_j2.

[Figure: S_1, S_2, ..., S_m → Subset Tracing → S_j → S_1, S_2, ..., S_j1, S_j2, ..., S_m]

47

The Tracing Algorithm (cont.)

[Figure: the loop repeated: Subset Tracing on S_1, S_2, ..., S_j1, S_j2, ..., S_m picks S_k, which is split into S_k1 and S_k2; eventually Subset Tracing reports "not decrypting" and the algorithm is done]

48

Efficiency: Tracing t Traitors

A subset is partitioned only if it has a traitor and contains more than one element. Therefore there are at most t log n iterations; actually t log(n/t). This results in a partition of size at most t log(n/t).
Subset Difference: only t subsets actually contain a traitor; can the others be merged? Yes, one can get down to O(t) subsets!
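The subset tracing of slides 43 and 44 and the trace-and-revoke loop of slides 46 to 48 can be exercised against a simulated pirate box. This is an added example, not code from the talk: it uses Complete Subtree subsets, so that S_v bifurcates into S_{2v} and S_{2v+1} (bifurcation value 1/2) on the heap-numbered tree of the earlier examples (an assumption), and it models the box as holding the traitors' path keys and picking a random usable one per query, so that the hybrid probabilities p_j are estimated from repeated queries rather than read off as 0 or 1. The PirateBox class, the toy E_L / F_K and the function names are this example's own; the 64 queries per hybrid are a sample size chosen for the demo, not a bound from the talk.

```python
# Added example (not from the talk): black-box tracing against a simulated pirate
# box, using Complete Subtree subsets so that a subset S_v bifurcates into
# S_{2v} and S_{2v+1} (heap-numbered tree as in the earlier examples; device u
# is leaf n+u). The box holds the path keys of the traitors and, on each query,
# decrypts with a random one of its keys that appears in the header, so that the
# hybrid probabilities p_j are fractional rather than 0/1. E_L and F_K are toy
# XOR-with-PRF primitives (an assumption of this example).
import hashlib
import hmac
import os
import random

def prf(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()[:16]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def path_keys(n, u, keys):
    """I_u for the Complete Subtree method: the keys on u's path to the root."""
    v, out = n + u, {}
    while v >= 1:
        out[v] = keys[v]
        v //= 2
    return out

def hybrid_header(keys, partition, K, nonce, j):
    """Header for hybrid j: the first j subsets carry E_L(R) for a random R,
    the remaining ones carry E_L(K)."""
    header = []
    for idx, v in enumerate(partition):
        payload = os.urandom(16) if idx < j else K
        header.append((v, xor(payload, prf(keys[v], b"E" + nonce))))
    return header

class PirateBox:
    """Illegal decoder built from the traitors' keys. It has a reset button:
    every query is answered independently of the previous ones."""
    def __init__(self, known_keys, seed=0):
        self.keys = known_keys
        self.rng = random.Random(seed)
    def decode(self, nonce, header, body):
        usable = [(v, c) for v, c in header if v in self.keys]
        if not usable:
            return None                     # the box does not decrypt
        v, c = self.rng.choice(usable)
        K = xor(c, prf(self.keys[v], b"E" + nonce))
        return xor(body, prf(K, b"F" + nonce))

def subset_tracing(box, keys, partition, trials=64, q=0.5):
    """Estimate p_0, ..., p_m with `trials` queries each. Return the index of the
    subset with the largest gap p_{j-1} - p_j (some gap is at least p_0 / m), or
    None when the box decodes with probability below q."""
    m, p = len(partition), []
    for j in range(m + 1):
        ok = 0
        for _ in range(trials):
            K, nonce, M = os.urandom(16), os.urandom(16), os.urandom(16)
            body = xor(M, prf(K, b"F" + nonce))
            if box.decode(nonce, hybrid_header(keys, partition, K, nonce, j), body) == M:
                ok += 1
        p.append(ok / trials)
    if p[0] < q:
        return None
    return max(range(m), key=lambda j: p[j] - p[j + 1])

def trace(box, n, keys, partition):
    """Trace-and-revoke loop: split the accused subset until a single leaf (a
    traitor) is isolated or the partition disables the box."""
    rounds = 0
    while True:
        rounds += 1
        j = subset_tracing(box, keys, partition)
        if j is None:
            return "disabled", partition, rounds
        v = partition[j]
        if v >= n:
            return "traitor", v - n, rounds
        partition = partition[:j] + [2 * v, 2 * v + 1] + partition[j + 1:]

def demo(n=16, traitors=(3, 12), seed=1):
    """Two traitors among 16 devices; tracing starts from the partition {N}."""
    keys = {v: os.urandom(16) for v in range(1, 2 * n)}
    known = {}
    for t in traitors:
        known.update(path_keys(n, t, keys))
    return keys, trace(PirateBox(known, seed), n, keys, [1])

if __name__ == "__main__":
    print(demo()[1])
```

Starting from the partition {N} with traitors 3 and 12, the first round accuses the root subset, the second sees p_0 = 1, p_1 ≈ 0.5, p_2 = 0 (the box uses either traitor's key with equal probability), and the loop keeps splitting only subsets that contain a traitor, so a traitor leaf is isolated within the t log n bound of slide 48. Querying the same box with a partition that excludes every traitor (the "disables the box" outcome of slide 42) returns immediately, since p_0 falls below q.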

49

Frontier Subsets

Idea: merge those subsets that were not shown to have a traitor.
Frontier subsets (see figure): after A is split, B and C are in the frontier; after B is split, B1 and B2 are in the frontier and C is not.
Problem: can the non-frontier sets be merged to yield few subset-difference sets? Merge C with the non-frontier subsets.

[Figure: A split into B and C; B split into B1 and B2]

50

This Can Be Done for Subset-Difference

Lemma: given k sets of the subset-difference form, it is possible to cover the rest with at most 3k sets of the subset-difference form.
At every step there are 2t frontier sets; the merge results in 3t more sets; so a partition contains at most 5t sets.

51

"Implementation" Issues

• Specifying the subsets for quick determination
• Implementing E_L and F_K
• Prefix truncation (reducing the header length)
• Public keys

52

Prefix Truncation

If E_L is a block cipher and K is shorter than its block size, replace
  E_L(K)   by   [Prefix_|K| E_L(U)] ⊕ K
where U is a random string of the same length as the key for E_L, shared by all header entries.

Before:  [i1, i2, ..., im, E_Li1(K), E_Li2(K), ..., E_Lim(K)]   F_K(M)
After:   [i1, i2, ..., im, U, [Prefix_|K| E_Li1(U)] ⊕ K, ..., [Prefix_|K| E_Lim(U)] ⊕ K]   F_K(M)

Reduction in length; security is preserved.

53

Working with Public Keys

• Any PKC can "work" with any subset-cover algorithm.
Problems:
• The key assignment yields private keys; an efficient way to generate public keys from private ones is needed. Good method: Diffie-Hellman, g^{L_i}.
• Low overhead: want to use prefix truncation. Idea: choose a random x and a hash function h and broadcast:
  [(g^x, h), h((g^{L1})^x) ⊕ K, h((g^{L2})^x) ⊕ K, ..., h((g^{Lm})^x) ⊕ K], F_K(M)

54

Public Keys: Unresolved Issues

• Size of the public-key file: the public key of every subset must be published, i.e. w keys. Could be large.
  – Possible solution: identity-based encryption; works only for the information-theoretic case.
• Immunity to chosen ciphertext attacks with prefix truncation
  – Cramer-Shoup and Fujisaki-Okamoto require "per key" treatment.
  – Possible to use Schnorr-like proofs of knowledge with random oracles.

55

Comparison to Other Methods (stateless version)

• Broadcast Encryption [Fiat Naor]: message length O(t log^2 t), where t is the coalition size
• Logical Key Hierarchy (LKH): tree-based methods for member revocation
  – [Wallner et al.], [Wong et al.]: message length 2r log n
  – [Canetti et al.]: improved to O(r log n)
• Trace & Revoke [Naor Pinkas], ([Anzai et al.]): transmit O(r) long DH keys, O(t) keys per device and O(r) decryptions

56

Tracing: Comparison

• Combinatorial schemes, black-box testing [CFN, NP]
• Public-key tracing: Boneh and Franklin, black-box confirmation
• Integration with revocation [GSY]

57

Other Models

• Content tracing: detects users redistributing content after decoding
  – Watermarking: [Boneh, Shaw]
  – Dynamic traitor tracing: [Fiat, Tassa]; improvements: [Berkman et al.], [Safavi-Naini]
• Preventing leakage of keys
  – Legally: yield a proof of the traitor's liability [Pfitzmann]
  – Self enforcement: deter users from revealing personal information [DLN: Signets]

58

Further Work

• Reduce the size of the public-key file
  – GGM in public-key mode
• Public key: immunity to chosen ciphertext attacks
• Broadcast encryption with "medium"-sized sets and no hierarchy
• Better lower bounds
  – Information-theoretic case
  – Computational case
• Better constructions
  – LSD, Halevy-Shamir
  – Generalizations?
• Tracing traitors
• Social/economic implications? Restricted formats

59

Multicast Security

Group membership:
• Re-keying event: all users update their group key and labels; this requires all users to be connected.
  Instead, add a header addressed to the legitimate users only.
Backward secrecy:
• The scheme lacks backward secrecy: it needs re-keying when a new user is added to the group.
  Instead, assign users consecutively, "revoke" the unused ones, and use hierarchical revocation.