Security Notions for Broadcast Encryption

D. Hieu Phan, David Pointcheval, Mario Strefler (ENS)

2011 June 09

1 / 28

Outline
1. Motivation
2. Our security model
3. Fully adaptive security
4. Choice of the target set
5. A fully secure scheme
6. Conclusion

Motivation

Broadcast Encryption
- N users {u_1, ..., u_N} = U
- Here: key encapsulation mechanism
- Goal: encrypt K to any S ⊂ U
- Security definition? (Different in most papers)

Our security model

Security of BE
- (MSK, EK) ← Setup(1^k); EK is given to the adversary A
- A outputs a target set S
- (H, K) ← Enc(EK, S); b ←$ {0,1}; K_b := K, K_{1-b} ←$ 𝒦 (a random key)
- A receives (H, K_0, K_1) and outputs a guess b'
- A wins if b' = b
- Oracles available to A: Join(), Corrupt(), Decaps()
- Restrictions: no corrupted users in S; don't query Decaps on H
[Diagram: the game drawn as a message flow between the challenger and A, with the Join(), Corrupt() and Decaps() oracles available before and after the challenge]

Security Notions
Four dimensions (on each slide the game diagram marks in which phase of the game the corresponding oracle or input is available):
- Dynamic (join oracle): static (user set fixed at setup); dynamic1 (Join() queries before the challenge); dynamic2 (Join() queries before and after the challenge)
- Adaptive corruption: no corruption; selective corruption (corrupted set C chosen before setup); adaptive1 (Corrupt() queries before the challenge); adaptive2 (Corrupt() queries before and after the challenge)
- Decryption oracle: CPA (no Decaps() oracle); CCA1 (Decaps() queries before the challenge); CCA2 (Decaps() queries before and after the challenge)
- Choice of the target set: chosen before setup; fixed to include all non-corrupted users; chosen by the adversary
- Consider these independently, with two caveats:
  - cannot corrupt users that don't exist
  - interactions between corruption and choice of target set
[Diagram: the security game of the previous slide, redrawn for each notion above]

Fully adaptive security

Adaptive Corruption
The security model of [GW09]:
- Setup: (ek, dk) ← KeyGen(1^k)
- Give ek to A^{O_Corrupt(·)}
- Encrypt to adversarially chosen S
- No second phase
Is there a difference? (as for CCA1 vs. CCA2)

Separating Adaptive1 from Adaptive2
- Only for t-collusion-resilient schemes, with t and (N − t) non-constant
- Reason: (N choose t) is exponential
- Approach: take an Ad1-secure BE scheme Π; modify Π so it is clearly Ad2-insecure, but remains Ad1-secure

Separating Example
Π'.Encaps(EK, S):
- (H', K) ← Π.Encaps(EK, S)
- Choose a random subset I ⊂ U with |I| = t
- ∀i ∈ I: (H_i, K_i) ← Π.Encaps(EK, {i})
- Set K_0 = K ⊕ ⨁_{i∈I} K_i
- return ((H', K_0, {H_i}_{i∈I}), K)
Only for CPA and CCA1; the example for CCA2 is more complicated.

Choice of the target set

Choice of the Target Set
Model in [DF03]: the target set is automatically the set of uncorrupted users
- Setup: (ek, dk) ← KeyGen(1^k)
- Give ek to A^{O_Corrupt(·)}
- Encrypt to anybody but R
Is there a difference? (Restricts the adversary)

Separating modes of choosing S
Theorem. All the following implications are strict.
- In a model with no corruption or selective corruption: choice of the target set ⇒ fixed target set.
- In a model with adaptive1 or adaptive2 corruption:
  - For fully collusion-resilient BE schemes, choice of the target set ⇔ fixed target set.
  - If the adversary must leave two users uncorrupted, choice of the target set ⇒ fixed target set.

Equivalence (choice ⇔ fixed)
Assume a fully collusion-secure scheme.
- ⇒: If the adversary can choose S, it can set S = U \ C.
- ⇐: Let A_choice be a successful adversary who can choose S. We construct A_fixed as follows: A_fixed faithfully forwards all queries. When A_choice outputs his challenge target set S, A_fixed corrupts users so that U \ C = S, then asks for the challenge and forwards it to A_choice. He forwards the guess bit b' and wins with the same probability as A_choice.
A_fixed corrupts more users, which could reduce the tightness of a security proof.

Separation (choice ⇒ fixed)
If the adversary must leave two users uncorrupted:
- If not all users can be corrupted, the proof fails
- In this case, A_choice can choose S with |S| = 1
- Separating example: a scheme with pathological behaviour if |S| = 1 (e.g. K = 0)

A fully secure scheme

Fully secure naive scheme
Let PKE be an IND-CCA2 secure PKE scheme with key length κ, and MAC a SUF-CMA MAC.
- Setup(1^k): MSK := ∅; EK := ∅; Reg := ∅
- Join(MSK, i): (pk_i, sk_i) ← PKE.KeyGen(1^k)
- Encaps(EK, S): K, K_m ←$ {0,1}^k; ∀i ∈ S: c_i ← PKE.Enc(pk_i, K||K_m); σ ← MAC_{K_m}(c_1||...||c_{|S|}); H := c_1||...||c_{|S|}||σ
- Decaps(sk_i, S, H): K||K_m = PKE.Dec(sk_i, c_i); if MAC.Verify(K_m, σ, c_1||...||c_{|S|}) return K, else return ⊥
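The naive scheme above, written out as an added example (my code, not the authors' or the paper's): Setup/Join/Encaps/Decaps over any PKE exposing keygen/enc/dec, with HMAC-SHA256 as the SUF-CMA MAC. Everything named here (StandInPKE, NaiveBE, run_demo, the 32-byte key and tag lengths) is my assumption. StandInPKE is not a public-key scheme (pk = sk); it only stands in for the IND-CCA2 PKE so the block runs on the standard library alone. The demo shows what the MAC under K_m buys: a header in which some other recipient's c_j has been altered is rejected by every recipient, even though their own c_i still decrypts.

```python
# Added example, not from the slides: the naive PKE + MAC broadcast KEM.
import hashlib
import hmac
import secrets

K_LEN = 32                                   # |K| = |K_m| = k bits, here 32 bytes
NONCE_LEN = 16
TAG_LEN = 32
PKE_CT_LEN = NONCE_LEN + 2 * K_LEN + TAG_LEN  # every c_i has this fixed length


class StandInPKE:
    """Stand-in for the IND-CCA2 PKE the slide assumes (ASSUMPTION: not a real PKE).

    pk and sk are the same secret so that the example runs offline on the standard
    library; it models only the keygen/enc/dec interface and the ciphertext
    integrity check (dec returns None on a tampered c_i, the slide's ⊥).
    """

    @staticmethod
    def keygen():
        key = secrets.token_bytes(32)
        return key, key                      # (pk_i, sk_i)

    @staticmethod
    def enc(pk, m):
        nonce = secrets.token_bytes(NONCE_LEN)
        stream = hashlib.shake_256(pk + nonce).digest(len(m))
        ct = bytes(a ^ b for a, b in zip(m, stream))
        tag = hmac.new(pk, nonce + ct, hashlib.sha256).digest()
        return nonce + ct + tag

    @staticmethod
    def dec(sk, c):
        if len(c) < NONCE_LEN + TAG_LEN:
            return None
        nonce, ct, tag = c[:NONCE_LEN], c[NONCE_LEN:-TAG_LEN], c[-TAG_LEN:]
        if not hmac.compare_digest(tag, hmac.new(sk, nonce + ct, hashlib.sha256).digest()):
            return None
        stream = hashlib.shake_256(sk + nonce).digest(len(ct))
        return bytes(a ^ b for a, b in zip(ct, stream))


class NaiveBE:
    """Setup/Join/Encaps/Decaps of the slide; EK is the registry i -> pk_i."""

    def __init__(self, pke=StandInPKE):
        self.pke = pke
        self.ek = {}                         # EK (the slide's Reg)

    def join(self, i):
        pk, sk = self.pke.keygen()
        self.ek[i] = pk
        return sk                            # decryption key handed to user i

    def encaps(self, S):
        S = sorted(S)                        # fixes the order c_1 || ... || c_|S|
        K, Km = secrets.token_bytes(K_LEN), secrets.token_bytes(K_LEN)
        body = b"".join(self.pke.enc(self.ek[i], K + Km) for i in S)
        sigma = hmac.new(Km, body, hashlib.sha256).digest()   # MAC_{K_m}(c_1||...||c_|S|)
        return body + sigma, K               # (H, K)

    def decaps(self, sk_i, i, S, H):
        S = sorted(S)
        if i not in S or len(H) != len(S) * PKE_CT_LEN + TAG_LEN:
            return None
        body, sigma = H[:-TAG_LEN], H[-TAG_LEN:]
        j = S.index(i)
        m = self.pke.dec(sk_i, body[j * PKE_CT_LEN:(j + 1) * PKE_CT_LEN])
        if m is None:
            return None                      # own c_i was altered
        K, Km = m[:K_LEN], m[K_LEN:]
        if not hmac.compare_digest(sigma, hmac.new(Km, body, hashlib.sha256).digest()):
            return None                      # ⊥: some c_j in the header was altered
        return K


def run_demo():
    """Returns (honest_ok, tampered_rejected, outsider_rejected) on constructed users."""
    be = NaiveBE()
    sks = {i: be.join(i) for i in ("alice", "bob", "carol")}
    S = ["alice", "bob"]
    H, K = be.encaps(S)
    honest_ok = (be.decaps(sks["alice"], "alice", S, H) == K
                 and be.decaps(sks["bob"], "bob", S, H) == K)
    # Flip one byte inside bob's ciphertext (c_2, since S is sorted). Alice's own
    # c_1 still decrypts, but the MAC over the whole header fails, so she gets ⊥.
    pos = PKE_CT_LEN + 5
    tampered = H[:pos] + bytes([H[pos] ^ 0x01]) + H[pos + 1:]
    tampered_rejected = be.decaps(sks["alice"], "alice", S, tampered) is None
    outsider_rejected = be.decaps(sks["carol"], "carol", S, H) is None
    return honest_ok, tampered_rejected, outsider_rejected


if __name__ == "__main__":
    print(run_demo())
```

Because Decaps verifies σ over all of c_1||...||c_|S| under the K_m recovered from its own c_i, a header can only pass if every component was produced by the same Encaps call; that is the property the IND-CCA2 PKE alone would not give across recipients.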

Conclusion

Summary
We
- defined a clean hierarchy of security notions
- showed separations / equivalences between all notions
- showed that schemes exist that fulfill the strongest notion