SECRYPT 2018 Presentation: 15th International Conference on Security and Cryptography

Cost-Eﬀective Private Linear Key Agreement
With Adaptive CCA Security from Prime Order
Multilinear Maps and Tracing Traitors
by
Mriganka Mandal
joint work with
Ratna Dutta
Department of Mathematics
Indian Institute of Technology Kharagpur
Kharagpur-721302, India
SECRYPT 2018
26 − 28th July, 2018

Outline
1 Introduction
2 Preliminaries
3 Our PLKA Tracing Scheme
4 Security
5 Eﬃciency
6 Conclusion
Mriganka Mandal (SECRYPT 2018) Cost-Eﬀective PLKA and Traitor Tracing 26 − 28th July, 2018 2 / 29

Introduction
Introduction

Introduction
Private Linear Key Agreement (PLKA)
A special variant of traditional broadcast encryption systems having
the following properties.
1. A common encrypted message is broadcasted for a speciﬁc type of user
sets [i] ∈ S where S = {[1], . . . , [N]} ⊂ 2[N]
and [i] = {1, . . . , i}.
2. Secure against collusion of fraud users.

Introduction
Private Linear Key Agreement (PLKA)
A special variant of traditional broadcast encryption systems having
the following properties.
1. A common encrypted message is broadcasted for a speciﬁc type of user
sets [i] ∈ S where S = {[1], . . . , [N]} ⊂ 2[N]
and [i] = {1, . . . , i}.
2. Secure against collusion of fraud users.
Each user is assigned with a private key so that a user u ∈ [i] can
decrypt the encrypted message using private key and users outside [i]
obtain nothing even if they collude.

Introduction
Traitor Tracing
Devised to aid content broadcasters to identify conspiracy of coalition
of traitor users who create a pirate decoder box.

Introduction
Traitor Tracing
Devised to aid content broadcasters to identify conspiracy of coalition
of traitor users who create a pirate decoder box.
The box contains an arbitrarily complex and even obfuscated
malicious program and is capable of decrypting the encrypted digital
content.
The tracer runs an eﬃcient tracing algorithm that interacts with the
pirate decoder and outputs at least one identity of the traitor users.

Introduction
Applications
Pirate cable TV. To broadcast TV, radio programs and trace traitor
subscribers.
Set-top decoder. Trace and revoke an unauthorized decoder box in
pay base access to e-book, internet movie, live sports.
Encrypted satellite radio. Identify the conspiracy of defrauders and
mitigate them from the radio broadcast systems.
Pirate decryption software posted on internet. Prevent naive
redistribution and illegal reprint or re-sell.

Introduction
Challenges
Converting a general private linear key agreement system into a
traitor tracing system is not always a possible task.

Introduction
Challenges
Converting a general private linear key agreement system into a
traitor tracing system is not always a possible task.
Reducing the communication bandwidth and the storage requirements
as much as possible are the essential requirements.

Introduction
Our goal
Design a private linear key agreement based traitor tracing system with
shorter size ciphertext, public parameter, and user secret key without any
security breach.

Preliminaries
Preliminaries

Preliminaries
Indistinguishability Obfuscator
A PPT machine iO for a circuit class {Cη} is called an indistinguishability
obfuscator if it amuses the following properties.
i For all η ∈ N, C ∈ {Cη} and inputs x:
Pr[C (x) = C(x) : C ← iO(η, C)] = 1.
ii For all pairs of PPT adversaries A = (D1, D2), ∃ ζ(η) such that, if
Pr[∀x, C0(x) = C1(x) : (C0, C1, σ) ← D1(η)] > 1 − ζ(η)
then
|Pr[D2(σ, iO(η, C0)) = 1] − Pr[D2(σ, iO(η, C1)) = 1]| < ζ(η).
Generally, we omit η as an input to iO.

Preliminaries
Asymmetric Multilinear Map
A (leveled) asymmetric multilinear map consists of the following two
algorithms.
i aMM.Setup (1η, ) → aPPM = (κ, ge0
, . . . , geκ
) where ei is the
i-th standard basis vector, gei
’s are canonical generator of the source
groups Gei
, G is the target group, and rest of Gϑ
’s are the
intermediate groups and all the groups have same large prime order
p > 2η. Here, ∈ Zκ+1 and ϑ ∈ (N ∪ {0})κ+1
with ϑ ≤ .
ii e(ga
ϑ1
, gb
ϑ2
) → gab
ϑ1+ϑ2
(for ϑ1, ϑ2 ∈R (N ∪ {0})κ+1
, ϑ1 + ϑ2 ≤ ) such
that
eϑ1,ϑ2
(ga
ϑ1
, gb
ϑ2
) = gab
ϑ1+ϑ2
for a, b ∈R Zp. We can also generalize e to multiple inputs as
e(h(1)
, h(2)
, . . . , h(ζ)
) = e(h(1)
, e(h(2)
, . . . , h(ζ)
)).

Our PLKA Tracing Scheme

Construction
PLKA.Setup(η, κ)
1 Run aMM.Setup (1η, 2 ) → aPPM = (κ, ge0
, . . . , geκ
) where =
(1, . . . , 1) is a (κ + 1)-length vector.
2 Select rand, auth ∈R K = {0, 1}η and set pseudorandom functions
PRFrand : {0, 1}2η → {0, . . . , N}, PRFauth : {0, 1}2η × [N] →
{0, 1}η, and a pseudorandom generator PRG : {0, 1}η → {0, 1}2η.
3 Choose ξ, τ ∈R Zp, set the encryption program PTEnc and the
decryption program PTDec as shown in the next couple of slides.

Construction
PLKA.Setup(η, κ)
The encryption program PTEnc
Inputs: j ∈ [N], t ∈ Zp, s ∈ {0, 1}η
Outputs: (Hdr = (r, C1, C2, C3, C4), KPLKA)
Constants: PRFrand, PRFauth, (ξ, τ), κ, g , g2
1 Compute:
a r = PRG(s)
b C1 = (PRFrand(r) + j) mod (N + 1)
c C2 = PRFauth(r, C1)
d C3 = (g )t
and C4 = (g )
t τ+
j
i=1
ξ2κ−i
2 Set: KPLKA = (g2 )tξ2κ

Construction
PLKA.Setup(η, κ)
The Decryption program PTDec
Inputs: Hdr =(r ∈ {0, 1}2η, C1 ∈ [N], C2 ∈ {0, 1}η, C3 ∈ G , C4 ∈ G ), u ∈ [N], plsku ∈ G
Output: KPLKA
Constants: PRFrand, PRFauth, (ξ, τ), κ, g , g2
1 Compute:
a j = (C1 − PRFrand(r)) mod (N + 1)
b x = PRG(PRFauth(r, C1))
c y = (g )τξu
2 Check that (u ≤ j) ∧ (x = PRG(C2)) ∧ (y = plsku)
a If check fails, output ⊥ and stop
b Otherwise, compute:
i Λ2κ−i+u = (g )ξ2κ−i+u
for all i ∈ [j], i = u and Λu = (g )ξu
ii KPLKA = e(Λu, C4) e((plsku ·
j
i=1
i=u
Λ2κ−i+u), C3)

Construction
PLKA.Setup(η, κ)
4 Obfuscate the programs PTEnc and PTDec to generate obfuscated
programs PTEnc = iO (PTEnc) and PTDec = iO (PTDec).
5 For each user u ∈ [N], compute plsku = (g )τξu
and send to u.
6 Publish plparams = (PRFrand, PRFauth, PRG, PTEnc, PTDec).

Construction
PLKA.Enc(plparams, j ∈ [N])
1 Choose t ∈R Zp and s ∈R {0, 1}η.
2 Extract PTEnc from plparams and run
PTEnc(j ∈ [N], t ∈ Zp, s ∈ {0, 1}η
) → (Hdr = (r, C1, C2, C3, C4), KPLKA)
3 Publish Hdr = (r, C1, C2, C3, C4) and keep KPLKA secret.

Construction
PLKA.Dec(plparams, u ∈ [N], plsku, Hdr = (r, C1, C2, C3, C4))
1 Extract PTDec from plparams and run PTDec (Hdr = (r, C1, C2, C3,
C4), u, plsku).
2 If u passes step 2 of the decryption program PTDec, then retrieve
correct KPLKA by the following computation; otherwise, gets ⊥.
e(Λu, C4) e(plsku ·
j
i=1
i=u
Λ2κ−i+u, C3)
= e


(g )ξu
, (g )
t τ+
j
i=1
ξ2κ−i


 e


(g )τξu
·
j
i=1
i=u
(g )ξ2κ−i+u
, (g )t



= KPLKA

Construction
PLKA.TraceD
(plparams, )
1 Take as inputs the public parameter plparams with the parameter
which is polynomially related to η, and run TraceD
as shown in the
next slide.
2 Output TTTS ⊆ {1, . . . , N} as the set of all traitors.

Construction
PLKA.TraceD
(plparams, )
Traitor tracing program TraceD
Input: plparams,
Output: TTTS
for i = 0 to N do
success ← 0;
for j = 1 to 2 log N 2
do
i (Hdr(i)
, K
(i)
PLKA
) ← PLKA.Enc (plparams, i);
ii K
(i )
PLKA
← D (Hdr(i)
);
iii if K
(i)
PLKA
= K
(i )
PLKA
, success ← success + 1;
end do
Yobsrv
i ← success;
end do
return TTTS = i : Yobsrv
i − Yobsrv
i−1 ≥
4(log N)2
;

Security
Security

Security
κ-Hybrid Diﬃe-Hellman Exponent Assumption
(κ-HDHE)
It is hard to guess µ ∈ {0, 1} given χµ ← Gκ−HDHE
µ (1η).
Gκ−HDHE
µ (1η):
1 Run aMM.Setup (1η
, 2 ) → aPPM = (e, ge0
, . . . , geκ
) where is a
(κ + 1)-length vector with all 1’s.
2 Choose t, ξ ∈R Zp, compute V = gt
, Γi = (gei
)ξ2i
for i = 0, . . . , κ − 1
and Γκ = (geκ
)ξ2κ+1
.
3 Set T0 = (g2 )tξ2κ
and T1 = some random element in G2 .
4 Return χµ = (e, aPPM, Γ0, . . . , Γκ−1, Γκ, V , Tµ).

Security
Security Statements
Theorem 1 (Security of Indistinguishability)
Assuming secure iO, our PLKA scheme achieves adaptive CCA-security
under the κ-HDHE assumption.
Theorem 2 (Security of Traceability)
Suppose that our PLKA scheme is adaptive CCA-secure. Then, the
publicly traceable PLKA.TraceD
algorithm outputs identity of all the
traitors.

Eﬃciency
Eﬃciency

Eﬃciency
Complexity Analysis
Communication, storage and other functionality
(Boneh and Waters, 2006): Boneh, D. and Waters, B. In ACM-CCS, 2006.
(Boneh et al., 2006): Boneh, D., Sahai, A., and Waters, B. In Advances in Cryptology- EUROCRYPT, 2006.
(Garg et al., 2010): Garg, S., Kumarasubramanian, A., Sahai, A., and Waters, B. In TCC, 2010.
(Boneh and Zhandry, 2014): Boneh, D. and Zhandry, M. In Advances in Cryptology- CRYPTO, 2014.
(Nishimaki et al., 2016): Nishimaki, R., Wichs, D., and Zhandry, M. In AICTACT, 2016.
(Garg et al., 2016): Garg, S., Gentry, C., Halevi, S., and Zhandry, M. In TCC, 2016.

Eﬃciency
Complexity Analysis
Computation and tracing time
(Boneh and Waters, 2006): Boneh, D. and Waters, B. In ACM-CCS, 2006.
(Boneh et al., 2006): Boneh, D., Sahai, A., and Waters, B. In Advances in Cryptology- EUROCRYPT, 2006.
(Garg et al., 2010): Garg, S., Kumarasubramanian, A., Sahai, A., and Waters, B. In TCC, 2010.

Conclusion
Conclusion

Conclusion
Summary
Coupling iO with the PRF under the prime order multilinear group
setting, we have presented an adaptively CCA-secure PLKA tracing
scheme whose security relied on the hardness of standard multilinear
HDHE-assumption.
Our fully collusion resistance and publicly traceable construction
signiﬁcantly reduces the parameter sizes and tracing time which are
so far a conceivable improvement in the literature.

Conclusion
Thanking Note
For any query mail at:
mriganka_mandal@maths.iitkgp.ernet.in

SECRYPT 2018 Presentation: 15th International Conference on Security and Cryptography

Recommended

Recommended

More Related Content

What's hot

What's hot (20)

Similar to SECRYPT 2018 Presentation: 15th International Conference on Security and Cryptography

Similar to SECRYPT 2018 Presentation: 15th International Conference on Security and Cryptography (20)

Recently uploaded

Recently uploaded (20)

SECRYPT 2018 Presentation: 15th International Conference on Security and Cryptography