A Traceable Block Cipher, by Olivier Billet and Henri Gilbert - PowerPoint PPT Presentation



SLIDE 1

A Traceable Block Cipher

Olivier Billet, Henri Gilbert

SLIDE 2

Content Distribution

Context

[Figure: the plaintext M is encrypted with $E_K$ into the ciphertext C, which each of three receivers decrypts with $D_K$ to recover M.]

Issues:
• Key Redistribution (by traitors to pirate users)
• Content Redistribution (not addressed here)

SLIDE 3

Traitor Tracing

Definitions

• Benny Chor, Amos Fiat, Moni Naor, 1994
• Each of the $N$ users receives a personal key $K_j$
  - $K_j$ enables user $j$ to decrypt content
  - $K_j$ uniquely identifies user $j$
• No coalition of $k$ traitors will produce an untraceable key
  - allows a pirate to decrypt content
  - conceals all traitors' identities

SLIDE 4

Traitor Tracing

• Four Procedures
  - Key Generation
  - Encrypt
  - Decrypt
  - Tracing
• Previous Constructions
  - Combinatorial Scheme [CFN 94, NP 98]: headers $O(k \ln N)$
  - Asymmetric Algorithm [BF 99]: expansion $O(k)$

SLIDE 5

Traceable Blockcipher

• $F_K$ satisfies usual symmetric block cipher requirements
• generation from the meta-key $K$ of keys $K_j$ such that

  $F_K \equiv F_{K_1} \equiv \cdots \equiv F_{K_j} \equiv \cdots \equiv F_{K_N}$

• k-traceability requirement: an equivalent description produced from the knowledge of up to $k$ equivalent descriptions $F_{K_{j_1}}, \ldots, F_{K_{j_k}}$ must reveal at least one of the identities $j_1, \ldots, j_k$

SLIDE 6

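Operation Modes

• Mode with control words: $F_K \equiv F_{K_j}$

[Figure: block diagram of the control-word mode, with blocks $F_K$ and $E_{S_i}$ on the sender side, blocks $F_{K_j}$ and $D_{S_i}$ inside decoder $j$, and signals $M_i$, $H_i$, $C_i$, $S_i$.]

• Simple mode: $F_K^{-1} \equiv F_{K_j}$

[Figure: block diagram of the simple mode, with blocks $F_K^{-1}$ and $F_{K_j}$ and signals $M$, $C$, $M$.]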

SLIDE 7

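C∗ Scheme

Matsumoto-Imai

[Figure: $x = (x_1, x_2, \ldots, x_n) \in K^n$ is mapped by $S$ to $a = (a_1, a_2, \ldots, a_n) \in L$; then $a \mapsto b = a^{1+q^{\theta}}$ gives $b = (b_1, b_2, \ldots, b_n) \in L$; $T$ maps $b$ to $y = (y_1, y_2, \ldots, y_n) \in K^n$. The composition $G$ is public.]

• parameters
  - $K = GF(q)$, $q = 2^m$
  - $L \simeq K^n$, $L = K[X]/\pi_n(X)$
  - $(1 + q^{\theta}) \perp (q^n - 1)$ (coprime)
• public key is a set of $n$ quadratic equations in the variables $x_i$
• private key is $(S, T)$, two invertible linear maps
• encrypt with $G$
• decrypt with $S^{-1} \circ g^{-1} \circ T^{-1}$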

SLIDE 8

Underlying Problems

• Solving systems of multivariate equations
  - find one solution $(x_1, \ldots, x_n)$ over a finite field $K$ of

    $\{y_i = P_i(x_1, \ldots, x_n)\}_{i \in [1,n]}$

  - Decision problem is NP-complete, even over GF(2)
  - Patarin 1995 used structure of C∗ to invert it
• IP: isomorphism of polynomials
  - given two sets of polynomials $\{P\}$ and $\{Q\}$, find bijective linear maps $A$ and $B$ such that

    $B \circ (P_1, \ldots, P_n) \circ A = (Q_1, \ldots, Q_m)$

  - IP is harder than IG
  - no polynomial algorithm is known [PGC, 1998]
  - relinearization attack for C∗ degree 2 from [SK, 1999]

SLIDE 9

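Commuting Blocks

Conducting Idea

$g_1 \circ g_2 = g_2 \circ g_1$

[Figure: the chain $t \circ g_2 \circ u \circ u^{-1} \circ g_1 \circ s$ is equivalent to the chain $t \circ g_1 \circ v \circ v^{-1} \circ g_2 \circ s$; both map $x$ to $y$.]

• use a version of C∗ with higher degree $d > 2$

  $g_i : a \mapsto b = a^{1 + q^{\theta_1} + \cdots + q^{\theta_{d-1}}}$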

SLIDE 10

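Commuting Blocks

Key Generation

[Figure: the meta-key description $F_K$ is built from $S$, the blocks $g_1, g_2, \ldots, g_i, \ldots, g_r$ and $T$. Through $\sigma$, user $j$ receives $F_{K_j}$ as the rounds $G_{1,j} = U_{1,j}^{-1} \circ g_{\sigma(1)} \circ S$, ..., $G_{i,j} = U_{i,j}^{-1} \circ g_{\sigma(i)} \circ U_{i-1,j}$, ..., $G_{r,j} = T \circ g_{\sigma(r)} \circ U_{r-1,j}$.]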
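
Added example, not code from the presentation: a toy Python model of the key generation on this slide, showing that two users with different round orders σ and different hidden maps U_i get different round tables that still compute the same F_K. The field GF(2^8) over K = GF(2), r = 4 rounds, the exponents and all function names are assumptions chosen for illustration (the deck's own example uses q = 2^16, n = 5, r = 32).

```python
import random

EXPONENTS = [23, 71, 43, 29]  # each 1 + 2^a + 2^b + 2^c (d = 4), coprime to 255

def gf_mul(a, b):
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)  # toy L = GF(2^8), K = GF(2)
        b >>= 1
    return r

def monomial(e):
    """Table of g: a -> a^e on L; all such monomials commute."""
    tab = [1] * 256
    for _ in range(e):
        tab = [gf_mul(tab[x], x) for x in range(256)]
    return tab

def linear_bijection(rng):
    """Random invertible K-linear map on L, as (table, inverse table)."""
    while True:
        cols = [rng.randrange(1, 256) for _ in range(8)]
        tab = [0] * 256
        for x in range(1, 256):                # image of x = XOR of its columns
            tab[x] = tab[x & (x - 1)] ^ cols[(x & -x).bit_length() - 1]
        if len(set(tab)) == 256:               # bijective iff columns independent
            return tab, [tab.index(y) for y in range(256)]

def meta_key(S, T):
    """F_K as a table chain: S first, then g_1 .. g_r, then T."""
    return [S[0]] + [monomial(e) for e in EXPONENTS] + [T[0]]

def user_key(S, T, rng):
    """Rounds G_1..G_r for one user: private order sigma, hidden maps U_i."""
    sigma = rng.sample(EXPONENTS, len(EXPONENTS))
    rounds, prev = [], S[0]
    for i, e in enumerate(sigma):
        U, g = linear_bijection(rng), monomial(e)
        out = T[0] if i == len(sigma) - 1 else U[1]   # last round ends with T
        rounds.append([out[g[prev[x]]] for x in range(256)])
        prev = U[0]                                   # cancels U^{-1} next round
    return sigma, rounds

def evaluate(tables, x):  # apply a chain of tables (F_K or a user's F_Kj)
    for t in tables:
        x = t[x]
    return x
```

Each user only ever sees the merged tables G_i, never S, T, the U_i or the bare monomials.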

SLIDE 11

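Parameters

Example

[Figure: user $j$'s description $F_{K_j}$ as the rounds $G_{1,j} = U_{1,j}^{-1} \circ g_{\sigma(1)} \circ S$, ..., $G_{i,j} = U_{i,j}^{-1} \circ g_{\sigma(i)} \circ U_{i-1,j}$, ..., $G_{r,j} = T \circ g_{\sigma(r)} \circ U_{r-1,j}$.]

• $q = 2^{16}$: $K = GF(q)$
• $n = 5$: block size is 80 bits
• $d = 4$: equations for $G_{i,j}$ have degree 4
  - about 70 monomials per equation
  - computing $G_{i,j}$ is at most 435 multiplications in $K$
• $r = 32$: 32 rounds
  - $F_{K_j}$ is about 14000 mult. in $K$
• size for $F_{K_j}$ is 22 KB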

SLIDE 12

Security

as a Symmetric Cipher

[Figure: $F_K$, built from $S$, $g_1, \ldots, g_i, \ldots, g_r$ and $T$, maps $x$ to $y$.]

Input/Output observation must not allow
• to recover $F_K$
• to interpolate $F_K$
• to distinguish from a random permutation

SLIDE 13

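Tracing One Traitor

Potential Strategy

[Figure: the pirate rounds $G'_1, G'_2, \ldots, G'_k, G'_{k+1}$ shown against the blocks $U_1^{-1} \circ g_{\sigma(1)} \circ S$ and $U_2^{-1} \circ g_{\sigma(2)} \circ U_1$, and against a user's rounds $G_1 = U_1^{-1} \circ g_{\sigma(1)} \circ S$, ..., $G_i = U_i^{-1} \circ g_{\sigma(i)} \circ U_{i-1}$, ..., $G_r = T \circ g_{\sigma(r)} \circ U_{r-1}$.]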

SLIDE 14

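Tracing One Traitor

[Figure: tracing diagram with the pirate rounds $G'_1$, $G'_k$, $G'_{k+k'}$, $G'_{k+k'+1}$, the blocks $u_1^{-1} \circ g_{\sigma(1)} \circ S$ and $u_k^{-1} \circ g_{\sigma(k)} \circ u_{k-1}$, and the labels $g_i$, $u_{k-1}^{-1}$, $S$ and $\pi_1$.]

• step 1: guess $g_{\sigma(1)}$
• step i: guess $g_{\sigma(i)}$
• $\sigma$ is known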

SLIDE 15

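Tracing several Traitors

[Figure: two round sequences, $g_{\sigma_j(1)}, \ldots, g_{\sigma_j(i)}, g_{\sigma_j(i+1)}, \ldots, g_{\sigma_j(r)}$ and $g_{\sigma_l(1)}, \ldots, g_{\sigma_l(i)}, g_{\sigma_l(i+1)}, \ldots, g_{\sigma_l(r)}$.]

• t-collision: $\{\sigma_j(i)\}_{i \in [1,t]} = \{\sigma_l(i)\}_{i \in [1,t]}$

[Figure: a combined round sequence $g_{\sigma_j(1)}, \ldots, g_{\sigma_j(i)}, g_{\sigma_k(i+1)}, \ldots, g_{\sigma_k(r)}$.]

• inner values reveal one identity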

SLIDE 16

Conclusion

• Properties
  - very low control word overhead: save bandwidth
  - good behavior with high number of traitors
  - good behavior with huge number of users: scalable
  - speed of symmetric block cipher
  - no black box yet
• Security
  - IP for extended C∗ with degree higher than 2
• Applications
  - White Box Cryptography
  - Other instantiations
