Title of the presentation: Cost-Effective Private Linear Key Agreement With Adaptive CCA Security from Prime Order Multilinear Maps and Tracing Traitors
Authors: Mriganka Mandal and Ratna Dutta
Accepted: SECRYPT 2018
Date and Venue: July 26 - 28, 2018 Porto, Portugal
Cot curve, melting temperature, unique and repetitive DNA
SECRYPT 2018 Presentation: 15th International Conference on Security and Cryptography
1. Cost-Effective Private Linear Key Agreement
With Adaptive CCA Security from Prime Order
Multilinear Maps and Tracing Traitors
by
Mriganka Mandal
joint work with
Ratna Dutta
Department of Mathematics
Indian Institute of Technology Kharagpur
Kharagpur-721302, India
SECRYPT 2018
26 − 28th July, 2018
4. Introduction
Private Linear Key Agreement (PLKA)
A special variant of traditional broadcast encryption systems having
the following properties.
1. A common encrypted message is broadcasted for a specific type of user
sets [i] ∈ S where S = {[1], . . . , [N]} ⊂ 2[N]
and [i] = {1, . . . , i}.
2. Secure against collusion of fraud users.
Mriganka Mandal (SECRYPT 2018) Cost-Effective PLKA and Traitor Tracing 26 − 28th July, 2018 4 / 29
5. Introduction
Private Linear Key Agreement (PLKA)
A special variant of traditional broadcast encryption systems having
the following properties.
1. A common encrypted message is broadcasted for a specific type of user
sets [i] ∈ S where S = {[1], . . . , [N]} ⊂ 2[N]
and [i] = {1, . . . , i}.
2. Secure against collusion of fraud users.
Each user is assigned with a private key so that a user u ∈ [i] can
decrypt the encrypted message using private key and users outside [i]
obtain nothing even if they collude.
Mriganka Mandal (SECRYPT 2018) Cost-Effective PLKA and Traitor Tracing 26 − 28th July, 2018 4 / 29
6. Introduction
Traitor Tracing
Devised to aid content broadcasters to identify conspiracy of coalition
of traitor users who create a pirate decoder box.
Mriganka Mandal (SECRYPT 2018) Cost-Effective PLKA and Traitor Tracing 26 − 28th July, 2018 5 / 29
7. Introduction
Traitor Tracing
Devised to aid content broadcasters to identify conspiracy of coalition
of traitor users who create a pirate decoder box.
The box contains an arbitrarily complex and even obfuscated
malicious program and is capable of decrypting the encrypted digital
content.
The tracer runs an efficient tracing algorithm that interacts with the
pirate decoder and outputs at least one identity of the traitor users.
Mriganka Mandal (SECRYPT 2018) Cost-Effective PLKA and Traitor Tracing 26 − 28th July, 2018 5 / 29
8. Introduction
Applications
Pirate cable TV. To broadcast TV, radio programs and trace traitor
subscribers.
Set-top decoder. Trace and revoke an unauthorized decoder box in
pay base access to e-book, internet movie, live sports.
Encrypted satellite radio. Identify the conspiracy of defrauders and
mitigate them from the radio broadcast systems.
Pirate decryption software posted on internet. Prevent naive
redistribution and illegal reprint or re-sell.
Mriganka Mandal (SECRYPT 2018) Cost-Effective PLKA and Traitor Tracing 26 − 28th July, 2018 6 / 29
9. Introduction
Challenges
Converting a general private linear key agreement system into a
traitor tracing system is not always a possible task.
Mriganka Mandal (SECRYPT 2018) Cost-Effective PLKA and Traitor Tracing 26 − 28th July, 2018 7 / 29
10. Introduction
Challenges
Converting a general private linear key agreement system into a
traitor tracing system is not always a possible task.
Reducing the communication bandwidth and the storage requirements
as much as possible are the essential requirements.
Mriganka Mandal (SECRYPT 2018) Cost-Effective PLKA and Traitor Tracing 26 − 28th July, 2018 7 / 29
11. Introduction
Our goal
Design a private linear key agreement based traitor tracing system with
shorter size ciphertext, public parameter, and user secret key without any
security breach.
Mriganka Mandal (SECRYPT 2018) Cost-Effective PLKA and Traitor Tracing 26 − 28th July, 2018 8 / 29
13. Preliminaries
Indistinguishability Obfuscator
A PPT machine iO for a circuit class {Cη} is called an indistinguishability
obfuscator if it amuses the following properties.
i For all η ∈ N, C ∈ {Cη} and inputs x:
Pr[C (x) = C(x) : C ← iO(η, C)] = 1.
ii For all pairs of PPT adversaries A = (D1, D2), ∃ ζ(η) such that, if
Pr[∀x, C0(x) = C1(x) : (C0, C1, σ) ← D1(η)] > 1 − ζ(η)
then
|Pr[D2(σ, iO(η, C0)) = 1] − Pr[D2(σ, iO(η, C1)) = 1]| < ζ(η).
Generally, we omit η as an input to iO.
Mriganka Mandal (SECRYPT 2018) Cost-Effective PLKA and Traitor Tracing 26 − 28th July, 2018 10 / 29
14. Preliminaries
Asymmetric Multilinear Map
A (leveled) asymmetric multilinear map consists of the following two
algorithms.
i aMM.Setup (1η, ) → aPPM = (κ, ge0
, . . . , geκ
) where ei is the
i-th standard basis vector, gei
’s are canonical generator of the source
groups Gei
, G is the target group, and rest of Gϑ
’s are the
intermediate groups and all the groups have same large prime order
p > 2η. Here, ∈ Zκ+1 and ϑ ∈ (N ∪ {0})κ+1
with ϑ ≤ .
ii e(ga
ϑ1
, gb
ϑ2
) → gab
ϑ1+ϑ2
(for ϑ1, ϑ2 ∈R (N ∪ {0})κ+1
, ϑ1 + ϑ2 ≤ ) such
that
eϑ1,ϑ2
(ga
ϑ1
, gb
ϑ2
) = gab
ϑ1+ϑ2
for a, b ∈R Zp. We can also generalize e to multiple inputs as
e(h(1)
, h(2)
, . . . , h(ζ)
) = e(h(1)
, e(h(2)
, . . . , h(ζ)
)).
Mriganka Mandal (SECRYPT 2018) Cost-Effective PLKA and Traitor Tracing 26 − 28th July, 2018 11 / 29
16. Our PLKA Tracing Scheme
Construction
PLKA.Setup(η, κ)
1 Run aMM.Setup (1η, 2 ) → aPPM = (κ, ge0
, . . . , geκ
) where =
(1, . . . , 1) is a (κ + 1)-length vector.
2 Select rand, auth ∈R K = {0, 1}η and set pseudorandom functions
PRFrand : {0, 1}2η → {0, . . . , N}, PRFauth : {0, 1}2η × [N] →
{0, 1}η, and a pseudorandom generator PRG : {0, 1}η → {0, 1}2η.
3 Choose ξ, τ ∈R Zp, set the encryption program PTEnc and the
decryption program PTDec as shown in the next couple of slides.
Mriganka Mandal (SECRYPT 2018) Cost-Effective PLKA and Traitor Tracing 26 − 28th July, 2018 13 / 29
17. Our PLKA Tracing Scheme
Construction
PLKA.Setup(η, κ)
The encryption program PTEnc
Inputs: j ∈ [N], t ∈ Zp, s ∈ {0, 1}η
Outputs: (Hdr = (r, C1, C2, C3, C4), KPLKA)
Constants: PRFrand, PRFauth, (ξ, τ), κ, g , g2
1 Compute:
a r = PRG(s)
b C1 = (PRFrand(r) + j) mod (N + 1)
c C2 = PRFauth(r, C1)
d C3 = (g )t
and C4 = (g )
t τ+
j
i=1
ξ2κ−i
2 Set: KPLKA = (g2 )tξ2κ
Mriganka Mandal (SECRYPT 2018) Cost-Effective PLKA and Traitor Tracing 26 − 28th July, 2018 14 / 29
18. Our PLKA Tracing Scheme
Construction
PLKA.Setup(η, κ)
The Decryption program PTDec
Inputs: Hdr =(r ∈ {0, 1}2η, C1 ∈ [N], C2 ∈ {0, 1}η, C3 ∈ G , C4 ∈ G ), u ∈ [N], plsku ∈ G
Output: KPLKA
Constants: PRFrand, PRFauth, (ξ, τ), κ, g , g2
1 Compute:
a j = (C1 − PRFrand(r)) mod (N + 1)
b x = PRG(PRFauth(r, C1))
c y = (g )τξu
2 Check that (u ≤ j) ∧ (x = PRG(C2)) ∧ (y = plsku)
a If check fails, output ⊥ and stop
b Otherwise, compute:
i Λ2κ−i+u = (g )ξ2κ−i+u
for all i ∈ [j], i = u and Λu = (g )ξu
ii KPLKA = e(Λu, C4) e((plsku ·
j
i=1
i=u
Λ2κ−i+u), C3)
Mriganka Mandal (SECRYPT 2018) Cost-Effective PLKA and Traitor Tracing 26 − 28th July, 2018 15 / 29
19. Our PLKA Tracing Scheme
Construction
PLKA.Setup(η, κ)
4 Obfuscate the programs PTEnc and PTDec to generate obfuscated
programs PTEnc = iO (PTEnc) and PTDec = iO (PTDec).
5 For each user u ∈ [N], compute plsku = (g )τξu
and send to u.
6 Publish plparams = (PRFrand, PRFauth, PRG, PTEnc, PTDec).
Mriganka Mandal (SECRYPT 2018) Cost-Effective PLKA and Traitor Tracing 26 − 28th July, 2018 16 / 29
20. Our PLKA Tracing Scheme
Construction
PLKA.Enc(plparams, j ∈ [N])
1 Choose t ∈R Zp and s ∈R {0, 1}η.
2 Extract PTEnc from plparams and run
PTEnc(j ∈ [N], t ∈ Zp, s ∈ {0, 1}η
) → (Hdr = (r, C1, C2, C3, C4), KPLKA)
3 Publish Hdr = (r, C1, C2, C3, C4) and keep KPLKA secret.
Mriganka Mandal (SECRYPT 2018) Cost-Effective PLKA and Traitor Tracing 26 − 28th July, 2018 17 / 29
21. Our PLKA Tracing Scheme
Construction
PLKA.Dec(plparams, u ∈ [N], plsku, Hdr = (r, C1, C2, C3, C4))
1 Extract PTDec from plparams and run PTDec (Hdr = (r, C1, C2, C3,
C4), u, plsku).
2 If u passes step 2 of the decryption program PTDec, then retrieve
correct KPLKA by the following computation; otherwise, gets ⊥.
e(Λu, C4) e(plsku ·
j
i=1
i=u
Λ2κ−i+u, C3)
= e
(g )ξu
, (g )
t τ+
j
i=1
ξ2κ−i
e
(g )τξu
·
j
i=1
i=u
(g )ξ2κ−i+u
, (g )t
= KPLKA
Mriganka Mandal (SECRYPT 2018) Cost-Effective PLKA and Traitor Tracing 26 − 28th July, 2018 18 / 29
22. Our PLKA Tracing Scheme
Construction
PLKA.TraceD
(plparams, )
1 Take as inputs the public parameter plparams with the parameter
which is polynomially related to η, and run TraceD
as shown in the
next slide.
2 Output TTTS ⊆ {1, . . . , N} as the set of all traitors.
Mriganka Mandal (SECRYPT 2018) Cost-Effective PLKA and Traitor Tracing 26 − 28th July, 2018 19 / 29
23. Our PLKA Tracing Scheme
Construction
PLKA.TraceD
(plparams, )
Traitor tracing program TraceD
Input: plparams,
Output: TTTS
for i = 0 to N do
success ← 0;
for j = 1 to 2 log N 2
do
i (Hdr(i)
, K
(i)
PLKA
) ← PLKA.Enc (plparams, i);
ii K
(i )
PLKA
← D (Hdr(i)
);
iii if K
(i)
PLKA
= K
(i )
PLKA
, success ← success + 1;
end do
Yobsrv
i ← success;
end do
return TTTS = i : Yobsrv
i − Yobsrv
i−1 ≥
4(log N)2
;
Mriganka Mandal (SECRYPT 2018) Cost-Effective PLKA and Traitor Tracing 26 − 28th July, 2018 20 / 29
28. Efficiency
Complexity Analysis
Communication, storage and other functionality
(Boneh and Waters, 2006): Boneh, D. and Waters, B. In ACM-CCS, 2006.
(Boneh et al., 2006): Boneh, D., Sahai, A., and Waters, B. In Advances in Cryptology- EUROCRYPT, 2006.
(Garg et al., 2010): Garg, S., Kumarasubramanian, A., Sahai, A., and Waters, B. In TCC, 2010.
(Boneh and Zhandry, 2014): Boneh, D. and Zhandry, M. In Advances in Cryptology- CRYPTO, 2014.
(Nishimaki et al., 2016): Nishimaki, R., Wichs, D., and Zhandry, M. In AICTACT, 2016.
(Garg et al., 2016): Garg, S., Gentry, C., Halevi, S., and Zhandry, M. In TCC, 2016.
Mriganka Mandal (SECRYPT 2018) Cost-Effective PLKA and Traitor Tracing 26 − 28th July, 2018 25 / 29
29. Efficiency
Complexity Analysis
Computation and tracing time
(Boneh and Waters, 2006): Boneh, D. and Waters, B. In ACM-CCS, 2006.
(Boneh et al., 2006): Boneh, D., Sahai, A., and Waters, B. In Advances in Cryptology- EUROCRYPT, 2006.
(Garg et al., 2010): Garg, S., Kumarasubramanian, A., Sahai, A., and Waters, B. In TCC, 2010.
Mriganka Mandal (SECRYPT 2018) Cost-Effective PLKA and Traitor Tracing 26 − 28th July, 2018 26 / 29
31. Conclusion
Summary
Coupling iO with the PRF under the prime order multilinear group
setting, we have presented an adaptively CCA-secure PLKA tracing
scheme whose security relied on the hardness of standard multilinear
HDHE-assumption.
Our fully collusion resistance and publicly traceable construction
significantly reduces the parameter sizes and tracing time which are
so far a conceivable improvement in the literature.
Mriganka Mandal (SECRYPT 2018) Cost-Effective PLKA and Traitor Tracing 26 − 28th July, 2018 28 / 29
32. Conclusion
Thanking Note
For any query mail at:
mriganka_mandal@maths.iitkgp.ernet.in
Mriganka Mandal (SECRYPT 2018) Cost-Effective PLKA and Traitor Tracing 26 − 28th July, 2018 29 / 29