Algorithmica, Volume 79, Issue 4, pp. 1233–1285

Multiparty Key Exchange, Efficient Traitor Tracing, and More from Indistinguishability Obfuscation

  • Dan Boneh
  • Mark Zhandry

Abstract

In this work, we show how to use indistinguishability obfuscation to build multiparty key exchange, efficient broadcast encryption, and efficient traitor tracing. Our schemes enjoy several interesting properties that have not been achievable before:
  • Our multiparty non-interactive key exchange protocol does not require a trusted setup. Moreover, the size of the published value from each user is independent of the total number of users.

  • Our broadcast encryption schemes support distributed setup, where users choose their own secret keys rather than being given secret keys by a trusted entity. The broadcast ciphertext size is independent of the number of users.

  • Our traitor tracing system is fully collusion resistant with short ciphertexts, secret keys, and public key. Ciphertext size is logarithmic in the number of users and secret key size is independent of the number of users. Our public key size is polylogarithmic in the number of users. The recent functional encryption system of Garg, Gentry, Halevi, Raykova, Sahai, and Waters also leads to a traitor tracing scheme with similar ciphertext and secret key size, but the construction in this paper is simpler and more direct. These constructions resolve an open problem relating to differential privacy.

  • Generalizing our traitor tracing system gives a private broadcast encryption scheme (where broadcast ciphertexts reveal minimal information about the recipient set) with optimal size ciphertext.

Several of our proofs of security introduce new tools for proving security using indistinguishability obfuscation.

Keywords

Obfuscation, Key exchange, Traitor tracing, Broadcast encryption

Acknowledgements

We thank Jonathan Ullman for his comments on the connection to differential privacy. We thank Brent Waters for suggesting adding capabilities to existing systems such as RSA, and for comments on the definitions of security for key exchange protocols. This work was supported by NSF, the DARPA PROCEED program, an AFOSR MURI award, a grant from ONR, an IARPA project provided via DoI/NBC, and by a Google faculty scholarship. Opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of DARPA or IARPA.

References

  1. Ananth, P., Boneh, D., Garg, S., Sahai, A., Zhandry, M.: Differing-inputs obfuscation and applications. Cryptology ePrint Archive, Report 2013/689 (2013). http://eprint.iacr.org/
  2. Barth, A., Boneh, D., Waters, B.: Privacy in encrypted content distribution using private broadcast encryption. In: Financial Cryptography, pp. 52–64 (2006)
  3. Barak, B., Goldreich, O., Impagliazzo, R., Rudich, S., Sahai, A., Vadhan, S., Yang, K.: On the (im)possibility of obfuscating programs. In: Advances in Cryptology—CRYPTO 2001 (2001)
  4. Boyle, E., Goldwasser, S., Ivan, I.: Functional signatures and pseudorandom functions. In: Krawczyk, H. (ed.) Public-Key Cryptography—PKC 2014, pp. 501–519. Springer, Berlin, Heidelberg (2014)
  5. Barak, B., Garg, S., Kalai, Y.T., Paneth, O., Sahai, A.: Protecting obfuscation against algebraic attacks. In: Nguyen, P.Q., Oswald, E. (eds.) Advances in Cryptology—EUROCRYPT 2014, pp. 221–238. Springer, Berlin, Heidelberg (2014)
  6. Boneh, D., Gentry, C., Waters, B.: Collusion resistant broadcast encryption with short ciphertexts and private keys. In: Advances in Cryptology—CRYPTO 2005, pp. 1–19 (2005)
  7. Boneh, D., Naor, M.: Traitor tracing with constant size ciphertext. In: ACM Conference on Computer and Communications Security, pp. 501–510 (2008)
  8. Barak, B., Ong, S.J., Vadhan, S.P.: Derandomization in cryptography. In: Proc. of CRYPTO (2003)
  9. Brakerski, Z., Rothblum, G.N.: Black-box obfuscation for d-CNFs. In: Proceedings of the 5th Conference on Innovations in Theoretical Computer Science, ITCS '14, pp. 235–250. ACM (2014)
  10. Brakerski, Z., Rothblum, G.N.: Virtual black-box obfuscation for all circuits via generic graded encoding. In: Lindell, Y. (ed.) Theory of Cryptography—TCC 2014, pp. 1–25. Springer, Berlin, Heidelberg (2014)
  11. Boneh, D., Silverberg, A.: Applications of multilinear forms to cryptography. Contemp. Math. 324, 71–90 (2003)
  12. Boneh, D., Sahai, A., Waters, B.: Fully collusion resistant traitor tracing with short ciphertexts and private keys. In: Advances in Cryptology—EUROCRYPT 2006, pp. 573–592 (2006)
  13. Boneh, D., Waters, B.: A fully collusion resistant broadcast trace and revoke system with public traceability. In: ACM Conference on Computer and Communications Security (CCS) (2006)
  14. Boneh, D., Waters, B.: Constrained pseudorandom functions and their applications. In: Advances in Cryptology—ASIACRYPT 2013, pp. 1–23 (2013)
  15. Boneh, D., Waters, B., Zhandry, M.: Low overhead broadcast encryption from multilinear maps. In: Proceedings of CRYPTO (2014)
  16. Boneh, D., Zhandry, M.: Multiparty key exchange, efficient traitor tracing, and more from indistinguishability obfuscation. In: Garay, J.A., Gennaro, R. (eds.) Advances in Cryptology—CRYPTO 2014, Part I, pp. 480–499. Springer, Berlin, Heidelberg (2014)
  17. Canetti, R.: Towards realizing random oracles: hash functions that hide all partial information. In: Advances in Cryptology—CRYPTO 1997, pp. 455–469 (1997)
  18. Chor, B., Fiat, A., Naor, M.: Tracing traitors. In: CRYPTO, pp. 257–270 (1994)
  19. Cheon, J.H., Han, K., Lee, C., Ryu, H., Stehlé, D.: Cryptanalysis of the multilinear map over the integers. In: Oswald, E., Fischlin, M. (eds.) Advances in Cryptology—EUROCRYPT 2015, Part I, pp. 3–12. Springer, Berlin, Heidelberg (2015)
  20. Coron, J.-S., Lee, M.S., Lepoint, T., Tibouchi, M.: Cryptanalysis of GGH15 multilinear maps. In: Robshaw, M., Katz, J. (eds.) Advances in Cryptology—CRYPTO 2016, Part II, pp. 607–628. Springer, Berlin, Heidelberg (2016)
  21. Coron, J.-S., Lepoint, T., Tibouchi, M.: Practical multilinear maps over the integers. In: Advances in Cryptology—CRYPTO 2013, pp. 1–22 (2013)
  22. Canetti, R., Micciancio, D., Reingold, O.: Perfectly one-way probabilistic hash functions. In: Proc. of STOC 1998, pp. 131–140 (1998)
  23. Chabanne, H., Phan, D.H., Pointcheval, D.: Public traceability in traitor tracing schemes. In: EUROCRYPT 2005, pp. 542–558 (2005)
  24. Canetti, R., Rothblum, G.N., Varia, M.: Obfuscation of hyperplane membership. In: Theory of Cryptography Conference 2010, LNCS vol. 5978, pp. 72–89 (2010)
  25. Delerablée, C.: Identity-based broadcast encryption with constant size ciphertexts and private keys, vol. 2, pp. 200–215 (2007)
  26. Dodis, Y., Fazio, N.: Public key broadcast encryption for stateless receivers. In: Proceedings of the Digital Rights Management Workshop 2002, LNCS vol. 2696, pp. 61–80. Springer (2002)
  27. Dodis, Y., Fazio, N.: Public key broadcast encryption secure against adaptive chosen ciphertext attack. In: Workshop on Public Key Cryptography (PKC) (2003)
  28. Dwork, C., Naor, M.: Zaps and their applications. In: FOCS, pp. 283–293 (2000)
  29. Dwork, C., Naor, M., Reingold, O., Rothblum, G.N., Vadhan, S.: On the complexity of differentially private data release: efficient algorithms and hardness results. In: Proceedings of STOC 2009 (2009)
  30. Delerablée, C., Paillier, P., Pointcheval, D.: Fully collusion secure dynamic broadcast encryption with constant-size ciphertexts or decryption keys. In: Pairing 2007 (2007)
  31. Freire, E.S.V., Hofheinz, D., Kiltz, E., Paterson, K.: Non-interactive key exchange. In: Public-Key Cryptography, pp. 1–28 (2013)
  32. Freire, E.S.V., Hofheinz, D., Paterson, K.G., Striecks, C.: Programmable hash functions in the multilinear setting. In: CRYPTO 2013, pp. 513–530 (2013)
  33. Fiat, A., Naor, M.: Broadcast encryption. In: Advances in Cryptology—CRYPTO 1993, LNCS vol. 773, pp. 480–491 (1994)
  34. Fazio, N., Perera, I.: Outsider-anonymous broadcast encryption with sublinear ciphertexts. In: Public Key Cryptography—PKC 2012, LNCS vol. 7293, pp. 225–242 (2012)
  35. Freeman, D.M.: Converting pairing-based cryptosystems from composite-order groups to prime-order groups. In: EUROCRYPT, pp. 44–61 (2010)
  36. Garg, S., Gentry, C., Halevi, S.: Candidate multilinear maps from ideal lattices. In: Advances in Cryptology—EUROCRYPT 2013 (2013)
  37. Garg, S., Gentry, C., Halevi, S., Raykova, M., Sahai, A., Waters, B.: Candidate indistinguishability obfuscation and functional encryption for all circuits. In: Proc. of FOCS 2013 (2013)
  38. Gentry, C., Gorbunov, S., Halevi, S.: Graph-induced multilinear maps from lattices. In: Dodis, Y., Nielsen, J.B. (eds.) Theory of Cryptography—TCC 2015, Part II, pp. 498–527. Springer, Berlin, Heidelberg (2015)
  39. Goldreich, O., Goldwasser, S., Micali, S.: How to construct random functions. J. ACM 33(4), 792–807 (1986)
  40. Garg, S., Gentry, C., Sahai, A., Waters, B.: Witness encryption and its applications. In: Proceedings of the 45th Annual ACM Symposium on Theory of Computing, STOC '13, pp. 467–476. ACM (2013)
  41. Garg, S., Kumarasubramanian, A., Sahai, A., Waters, B.: Building efficient fully collusion-resilient traitor tracing and revocation schemes. In: ACM Conference on Computer and Communications Security, pp. 121–130 (2010)
  42. Garg, S., Miles, E., Mukherjee, P., Sahai, A., Srinivasan, A., Zhandry, M.: Secure obfuscation in a weak multilinear map model. In: Proceedings of TCC 2016-B (2016)
  43. Groth, J., Ostrovsky, R., Sahai, A.: Perfect non-interactive zero knowledge for NP. In: Proc. of EUROCRYPT (2006)
  44. Garg, S., Pandey, O., Srinivasan, A., Zhandry, M.: Breaking the sub-exponential barrier in obfustopia (2016)
  45. Goldwasser, S., Rothblum, G.N.: On best-possible obfuscation. In: TCC, pp. 194–213 (2007)
  46. Goodrich, M.T., Sun, J.Z., Tamassia, R.: Efficient tree-based revocation in groups of low-state devices. In: Proceedings of CRYPTO '04, LNCS vol. 2204 (2004)
  47. Gentry, C., Waters, B.: Adaptive security in broadcast encryption systems (with short ciphertexts). In: Advances in Cryptology—EUROCRYPT 2009, pp. 1–18 (2009)
  48. Hu, Y., Jia, H.: Cryptanalysis of GGH map. In: Fischlin, M., Coron, J.-S. (eds.) Advances in Cryptology—EUROCRYPT 2016, Part I, pp. 537–565. Springer, Berlin, Heidelberg (2016)
  49. Hofheinz, D., Jager, T., Khurana, D., Sahai, A., Waters, B., Zhandry, M.: How to generate and use universal samplers. In: Proceedings of ASIACRYPT (2016)
  50. Halevy, D., Shamir, A.: The LSD broadcast encryption scheme (2002)
  51. Hohenberger, S., Sahai, A., Waters, B.: Replacing a random oracle: full domain hash from indistinguishability obfuscation. In: Nguyen, P.Q., Oswald, E. (eds.) Advances in Cryptology—EUROCRYPT 2014, pp. 201–220. Springer, Berlin, Heidelberg (2014)
  52. Joux, A.: A one round protocol for tripartite Diffie–Hellman. J. Cryptol. 17(4), 263–276 (2004)
  53. Komargodski, I., Moran, T., Naor, M., Pass, R., Rosen, A., Yogev, E.: One-way functions and (im)perfect obfuscation. In: Proceedings of the 55th Annual IEEE Symposium on Foundations of Computer Science, FOCS '14, pp. 374–383. IEEE Computer Society (2014)
  54. Kiayias, A., Papadopoulos, S., Triandopoulos, N., Zacharias, T.: Delegatable pseudorandom functions and applications. In: Proceedings of the 2013 ACM SIGSAC Conference on Computer and Communications Security, CCS '13, pp. 669–684. ACM (2013)
  55. Khurana, D., Rao, V., Sahai, A.: Multi-party key exchange for unbounded parties from indistinguishability obfuscation. In: Iwata, T., Cheon, J.H. (eds.) Advances in Cryptology—ASIACRYPT 2015, Part I, pp. 52–75. Springer, Berlin, Heidelberg (2015)
  56. Koppula, V., Ramchen, K., Waters, B.: Separations in circular security for arbitrary length key cycles. In: Dodis, Y., Nielsen, J.B. (eds.) Theory of Cryptography—TCC 2015, Part II, pp. 378–400. Springer, Berlin, Heidelberg (2015)
  57. Kiayias, A., Samari, K.: Lower bounds for private broadcast encryption. In: Information Hiding, pp. 176–190. Springer (2013)
  58. Kiayias, A., Yung, M.: Breaking and repairing asymmetric public-key traitor tracing. In: Feigenbaum, J. (ed.) ACM Workshop on Digital Rights Management—DRM 2002, LNCS vol. 2696, pp. 32–50. Springer (2002)
  59. Libert, B., Paterson, K.G., Quaglia, E.A.: Anonymous broadcast encryption: adaptive security and efficient constructions in the standard model. In: Public Key Cryptography, pp. 206–224 (2012)
  60. Lynn, B., Prabhakaran, M., Sahai, A.: Positive results and techniques for obfuscation. In: Advances in Cryptology—EUROCRYPT 2004, pp. 1–18 (2004)
  61. Lewko, A.B., Sahai, A., Waters, B.: Revocation systems with very small private keys. In: IEEE Symposium on Security and Privacy, pp. 273–285 (2010)
  62. Naor, D., Naor, M., Lotspiech, J.: Revocation and tracing schemes for stateless receivers. In: Proceedings of CRYPTO '01, LNCS vol. 2139, pp. 41–62 (2001)
  63. Naor, M., Pinkas, B.: Efficient trace and revoke schemes. In: Financial Cryptography 2000, LNCS vol. 1962, pp. 1–20. Springer (2000)
  64. Pfitzmann, B.: Trials of traced traitors. In: Proceedings of Information Hiding Workshop, pp. 49–64 (1996)
  65. Pfitzmann, B., Waidner, M.: Asymmetric fingerprinting for larger collusions. In: Proceedings of the ACM Conference on Computer and Communications Security, pp. 151–160 (1997)
  66. Rao, V.: Adaptive multiparty non-interactive key exchange without setup in the standard model. Cryptology ePrint Archive, Report 2014/910 (2014). http://eprint.iacr.org/
  67. Sakai, R., Furukawa, J.: Identity-based broadcast encryption. IACR Cryptology ePrint Archive (2007)
  68. Sirvent, T.: Traitor tracing scheme with constant ciphertext rate against powerful pirates. In: Workshop on Coding and Cryptography (2007)
  69. Sahai, A., Waters, B.: How to use indistinguishability obfuscation: deniable encryption, and more. In: Proceedings of the 46th Annual ACM Symposium on Theory of Computing, STOC '14, pp. 475–484. ACM (2014)
  70. Ullman, J.: Answering \(n^{2+o(1)}\) counting queries with differential privacy is hard. In: Proceedings of the 45th Annual ACM Symposium on Theory of Computing, STOC '13, pp. 361–370. ACM (2013)
  71. Wee, H.: On obfuscating point functions. In: Proceedings of the 37th Annual ACM Symposium on Theory of Computing, STOC '05, pp. 523–532. ACM (2005)
  72. Watanabe, Y., Hanaoka, G., Imai, H.: Efficient asymmetric public-key traitor tracing without trusted agents. In: Proceedings of CT-RSA '01, LNCS vol. 2020, pp. 392–407 (2001)
  73. Zhandry, M.: Adaptively secure broadcast encryption with small system parameters. Cryptology ePrint Archive, Report 2014/757 (2014). http://eprint.iacr.org/
  74. Zhandry, M.: How to avoid obfuscation using witness PRFs. In: Kushilevitz, E., Malkin, T. (eds.) Theory of Cryptography—TCC 2016-A, Part II, pp. 421–448. Springer, Berlin, Heidelberg (2016)

Copyright information

© Springer Science+Business Media New York 2016

Authors and Affiliations

  1. Stanford University, Stanford, USA
  2. Princeton University, Princeton, USA