6 Our Scheme

In PK-SD-PI, an user needs to store O(log²n) secret keys. Use figure 7 as an example, the user u₃ needs to store the shares {f1¹(2), f₂¹(5), f₃¹(u₃)}, {f1²(5), f₂²(u₃)}, and f1⁵(u₃).

We observe that these shares usually use the same intput values but apply to different polynomials. For example,{f2¹(5), f₁²(5)} share the same input 5 and {f3¹(u₃), f₂²(u₃), f₁⁵(u₃)} share the same input u₃. It means that we can have an easy method of key derivation, because we only need to focus on the translation of coefficients between the polynomials. That’s why we can use O(log n) independent polynomials and O(log n) independent information to substitute the O(log²n) independent polynomials in PK-SD-PI.

Our key derivation method is in the horizontal form, not in the intuitional vertical form.

We let the polynomials of subtree T_i can be derivated from the polynomials of subtree T₁ respectively. Using the information kd_i, the polynomial f_jⁱ can be derivated from the poly-nomial f_{j+log i}¹ directly. In figure 9, {f1²(5), f₂²(u3)} can be derivated from {f2¹(5), f₃¹(u3)} respectively with the same information kd2, and f₁⁵(u3) can be derivated from f₃¹(u3) with the infromation kd₅.

The polynomials belong to subtree T₁ are all independent, and the information kd_i, 2 ≤ i ≤ n − 1, used for key derivation are all independent, too. Figure 10 is a sketch of the polynomial derivation. The polynomial f_jⁱ(x) can be derivated from the polynomial f_j¹(x) = A_jx²+ B_jx + C_j with kd_i = (D_i, E_i) by adding D_i to the coefficient of x-term and E_i to the coefficient of constant term, that is f_jⁱ(x) = f_j¹(x) + D_ix + E_i.

Let k be the security parameter, and p be a large prime such that |p| = k. We have a multiplicative group G = g such that |G| = p. Let H1 : {0, 1}^∗ → {0, 1}^k and H2 : {0, 1}^∗→ G be collision resistant hash functions. Furthermore, let ID be the identity name of the scheme, h and h^ ∈ G be the assigned values, and n be the total number of users in the scheme. Without loss of generality, we assume that n is a power of 2, and let log be the

Figure 9: Key derivation

ORJ

Figure 10: Polynomial derivation

logarithm with the base 2.

In our scheme, the users are the leaves of a complete binary tree, and the internal nodes cover the users in its descendant leaves. The polynomial f_jⁱ is used for the nodes that are descendants of node i and are in the j-th level from node i. These settings are almost the same as PK-SD-PI, except that we use the polynomials of degree of 2 while PK-SD-PI uses the polynomials of degree of 1. We denote f_jⁱ(X) = aⁱ_j,2X² + aⁱ_j,1X + aⁱ_j,0 (mod p) be a 2-degree polynomial function.

Each polynomial f_jⁱ is assigned a specific value either h or h^. Most of them are assigned h, and the remains are assigned h^. We claim that for each subtree T_i, there are at most one polynomial f_jⁱ_ that is assigned h^. We use the hash function H₁to pick up which polynomials are assigned h^:

i is assigned h^. The other polynomials belong to subtree T_i are assigned h.

Figure 11 is an example. Subtree T_u has 4 levels, and we have H₁(ID||u) ≡ 2 (mod 5).

Thus the polynomial f₂^u is assigned h^, and the remaining polynomials of T_u are assigned h.

Likewise, Subtree T_v has 3 levels, and we have H₁(ID||v) ≡ 0 (mod 4). Thus there is no polynomial of T_v assigned h^, and the polynomials belong to T_v are all assigned h.

Then there are three possible relation between the polynomial f_{j+log i}¹ and f_jⁱ:

1. The polynomial f_{j+log i}¹ is assigned h (h^), and the polynomial f_jⁱ is also assigned the same value h (h^). We denote it as h→ h (h^ → h^).

 __ PRG

 __ PRG

Figure 11: Assignment of h and h^

2. The polynomial f_{j+log i}¹ is assigned h, while the polynomial f_jⁱ is assigned h^. We denote it as h→ h^.

3. The polynomial f_{j+log i}¹ is assigned h^, while the polynomial f_jⁱ is assigned h. We denote it as h^ → h.

For different relation between f_{j+log i}¹ and f_jⁱ, we use different information to derivate the polynomial f_jⁱ. Thus kd_i is composed of three parts (D_i,1, E_i,1), (D_i,2, E_i,2), and (D_i,3, E_i,3).

Figure 12 is a sketch for the polynomial derivation:

• The first part (D_i,1, E_i,1) is used for the case 1: h → h or h^ → h^.

• The second part (Di,2, E_i,2) is used for the case 2: h→ h^.

• The third part (Di,3, E_i,3) is used for the case 3: h^ → h.

The coefficients of the polynomial f_jⁱ(X) = aⁱ_j,2X² + aⁱ_j,1X + aⁱ_j,0 are secrets, but their masked values are public information. The masked values are the coefficients put in the exponents of g, that is g^aij,k for 0≤ k ≤ 2. The information kd_i for key derivation also needs to be masked, that is kd_i ={(g^bi1,0, g^bi1,1), (g^bi2,0, g^bi2,1), (g^bi3,0, g^bi3,1)}.

ORJ

Figure 12: Polynomial derivation depends on the relation

The masked values of the polynomials belong to subtree T₁and the information kd_iwhere 2≤ i ≤ n − 1 are computed as follows:

• g^a1j,s = H₂(ID||1||j||s), for 1 ≤ j ≤ log n and 0 ≤ s ≤ 2

• g^bil,s = H₂(ID||i||l||s), for 1 ≤ l ≤ 3 and 0 ≤ s ≤ 1

where a¹_j,sis the coefficient of the X^s-term of the polynomial f_j¹, and bⁱ_l,s is the key derivation information for the X^s-term of the polynomial belong to subtree T_i respect to the case l.

Thus the masked values of the polynomials belong to subtree T_i where 2≤ i ≤ n − 1 are computed as follows:

• g^aij,2 = g^a1j+log i,2, for 1 ≤ j ≤ log n − log i

• g^aij,s = g^a1j+log i,s× g^bil,s if it is case l, for 1≤ j ≤ log n − log i and 0 ≤ s ≤ 1

The masked coefficients of the polynomials can be computed easily. But these polynomi-als can not be accessed directly since their function values are the secrets to guarantee the security. The users can access these polynomials only in the masked way (in the exponent of g).

6.1 Construction

Let k be the security parameter, and p be a large prime such that |p| = k. We have two multiplicative groups G = g and G_t =g_t such that |G| = |G_t| = p, and a bilinear map ˆ

e : G× G → G_t such that ˆe(g, g) = g_t. Let H₁ : {0, 1}^∗ → {0, 1}^k, H₂ : {0, 1}^∗ → G, π : G_t → Zp, Ψ : G_t → Gt, and Φ : G× Gt → Gt be collision resistant hash functions.

Furthermore, let ID be the identity name of the scheme, h and h^ ∈ G be the assigned values, and n be the total number of users in the scheme. Without loss of generality, we assume that n is a power of 2, and let log be the logarithm with the base 2. We denote Δh = h^/h.

The scheme is composed of the following algorithms:

• Setup(1^k, ID, U ):

k is the security parameter, ID is the identity of this system, and U is the set of users in the system. The private key generator (PKG) chooses the master secret key ρ∈ Zp

randomly, thus M SK = ρ. PKG then publishes the public key P K and generates the secret key SK_v for each user u_v as follows:

– P K ={ID, G, G_t, ˆe, g, g^ρ, h, h^, H₁, H₂, π, Ψ, Φ} it depends on the assigned value of polynomial f_j¹, and

kd_i ={(g^rvbi1,1, g^rvbi1,0), (g^{rv(bi2,1Ii,jv +bi2,0)}, g^rvbi2,0Δh^ρ), (g^{rv(bi3,1Ii,jv +bi3,0)}, g^rvbi3,0 1 Δh^ρ)} Here sk¹_j is the share of polynomial f_j¹ held by the user u_v, and kd_i is the information used to derivate the polynomial f_jⁱ from the polynomial f_{j+log i}¹ . Moreover, r_v ∈ Zp is

chosen randomly, g^bil,s = H2(ID||i||l||s) is the key derivation information, and I_i,j^v is an identity of the node that is an ascendant of u_vand in the j-th level of the subtree T_i, see figure 13. We denote I_i,j^v _ as the identity of the node whose polynomials f_j¹_{+log i} and f_jⁱ are in the case 2: h → h^, and I_i,j^v  as the identity of the node whose polynomials f_j¹_{+log i} and f_jⁱ are in the case 3: h^ → h.

/HYHO

/HYHO

/HYHO

Figure 13: The notation I_i,j^v

When f_{j+log i}¹ and f_jⁱ are assigned the same value h (h^), we use the first element (g^rvbi1,1, g^rvbi1,0) of kd_i to generate skⁱ_j from sk_{j+log i}¹ as follows:

skⁱ_j = sk_{j+log i}¹ × {1, (g^rvbi1,1)^Ii,jv g^rvbi1,0, g^rvbi1,0}

If f_j¹_{+log i}is assigned h and f_jⁱis assigned h^, we use the second element (g^{rv(bi2,1Ivi,j+bi2,0)}, g^rvbi2,0Δh^ρ) of kd_i to generate skⁱ_j from sk_j¹_{+log i} as follows:

sk_jⁱ = sk¹_j+log i× {1, g^{rv(bi2,1Ii,jv +bi2,0)}, g^rvbi2,0Δh^ρ}

If f_j¹_{+log i}is assigned h^and f_jⁱis assigned h, we use the third element (g^{rv(bi3,1Ii,jv +bi3,0)}, g^rvbi3,0_Δh¹_ρ)

of kd_i to generate skⁱ_j from sk_jⁱ+log i as follows:

sk_jⁱ = sk_j¹+log i× {1, g^{rv(bi3,1Ii,jv +bi3,0)}, g^rvbi3,0 1 Δh^ρ}

• Enc(P K, T , Msg):

P K is the public key, T ⊆ U is the set of valid receivers for this encryption, and Msg is the message to be encrypted. Let T = ^r

t=1

T_x^it_t be the union of disjoint subset differences of users, and r is the number of partitions for T .

The procedure of encryption is defined as follows:

1. Choose z∈ Zp randomly and compute:

⎧⎪

If the polynomials related to T are all assigned h, the part for h^ of Ctx can be omitted.

Likewise, If the polynomials related to T are all assigned h^, the part for h of Ctx can be omitted.

• Dec(P K, SKv, Ctx):

P K is the public key, SK_v is the secret key of the user u_v ∈ T , and Ctx is the ciphertext to T . Without loss of generality, we assume that the user u_v ∈ T_xⁱ where the node x is in the j-th level from the node i, and the polynomial f_jⁱ is assigned h. Thus we use the part for h of Ctx to decrypt. We denote P₁ and P₂ be the published shares that are related to the subset difference T_xⁱ. In practically, which pair (P_t,1, P_t,1) should be used for decryption is according to the first two elements (i_t, x_t) of the share P_t,1. The procedure of decryption is defined as follows:

1. If i = 1, generate the secret key skⁱ_j from sk_{j+log i}¹ and kd_i respect to the real

5. Compute C = ˆe(g^ρ, h)^z/π(B) from D, g^rvfji(0)h^ρ of skⁱ_j, and g^z/π(B)rvf

ji(0)

t :

C = e(D, gˆ ^rvfji(0)h^ρ) g_t^{z/π(B)rvfji(0)}

= ˆe(D, h^ρ)e(D, gˆ ^rvfji(0)) g^z/π(B)r_t ^vfji(0)

= ˆe(D, h^ρ) = ˆe(g^z/π(B), h^ρ)

6. Compute B from E = Φ(D, C)⊕ B and D, C:

B = E⊕ Φ(D, C)

7. Compute A = ˆe(g^ρ, h)^z from C = ˆe(g^ρ, h)^z/π(B) and B:

A = C^π(B)

8. Compute M sg from B = Ψ(A)⊕ Msg and A:

M sg = B⊕ Ψ(A)

7 Security

The scheme is IND-CCA2 secure with random oracle under the Gap-BDH assumption.

Theorem 1. If Gap-BDH problem is (t, )-hard, the scheme is (t−t^, +^)-IND-CCA2 secure in the random oracle model where t^ is polynomial k-bounded and ^ ≤ ^qd(qd_p^+qΨ) = ^O(k_2k²⁾ is negligible to k (q_d is the number of decryption query and qΨ is the number of hash-Ψ query).

Proof. We reduce Gap-BDH problem to the scheme. Let H1, H2, Φ, and Ψ be random oracles, while π just be a collision resistant hash function. We denote C as the challenger of Gap-BDH problem, A as the adversary of the scheme, and S as the simulator between C and A. Then S is described as follows:

• Initial. S receives the instance (g, g^a, g^b, g^c) of BDH problem as input and the access right of decisional oracle O about BDH problem from C. Then A chooses an system identity ID and a set T ⊆ U of users to attack.

• Setup. Let T = ^r

t=1

T_x^it

t be the union of disjoint subset differences, and S sets up the random oracles H₁ and H₂ depending on T . For each T_x^it_t where 1≤ t ≤ r, we assume that node x_t is in the j_t-th level from node i_t. Then H₁ and H₂ are defined as follows:

– H₁. For each subset difference T_x^it_t where 1≤ t ≤ r, we have the pair (i_t, j_t) and set

H₁(ID||i_t) = j_t+ m_it(log n− log i_t + 1)

where m_it is a random number. Then for the remaining subtree T_i in the system, set

H₁(ID||i) = m_i(log n− log i + 1) where m_i is a random number.

The setting assigns h^ to the polynomial f_jⁱ_t^t where 1 ≤ t ≤ r and assigns h to the other polynomials. If the input is not meaningful, H₁ just returns a random number under the consistence. Note that there doesn’t exist polynomials f_jⁱ and f_{j+log i}¹ that are both assign h^. 2. Set up the information that is used for key derivation.

If subset difference T_x¹ ⊆ T (assume that the node x^ is in the j^-th level from the node 1), then for 2≤ i ≤ 2^j− 1, set

H₂(ID||i||3||s) =

 g^b+mi, if s = 0

g^−b/x, if s = 1 (4)

where m^_i ∈R Z_p is chosen by S. Then for each of the remaining subset

If the input is not meaningful, H₂ just returns a random number under the con-sistence.

Then S sets the public key

P K ={ID, G, Gt, ˆe, g, g^ρ= g^a, h = g^s, h^ = g^b, H₁, H₂, π, Ψ, φ}

where s∈R Z_p is chosen by S, and the master secret key M SK = a is unknown. The secret key SK_v of the revoked user u_v ∈ U\T is computed as follows:

1. Set g^rv = g^a+nv where n_v ∈_RZ_p is chosen by S.

secret key sk¹_j, compute

sk¹_j = {g^rv, g^{rvfj1(I1,jv )}, g^rvfj1(0)h^ρ}

= {g^a+nv, g^(a+nv)Xj, g^(a+nv)Yjg^as}

where X_j = f_j¹(I_i,j^u ) and Y_j = f_j¹(0) can be easily computed by S, since the polynomial f_j¹ is decided by S.

3. Compute the information kd_i where i∈ Ancestor(u_v).

If subset difference T_x¹_ ⊆ T (assume that the node x^ is in the j^-th level from the node 1), compute

(g^{rv(bi3,1Ii,jv +bi3,0)}, g^rvbi3,0 1

Δh^ρ) = (g^{(a+nv)(−bxx+b+mi)}, g^{(a+nv)(b+mi)}g^(s−b)a) by (4)

= (g^(a+nv)mi, g^{bnv+ami+nvmi+as})

where I_i,j^v  = x^, otherwise the user u_v is not revoked. Then for each of the remaining subset difference T_x^it_t ⊆ T (assume that the node x_t is in the j_t-th level from the node i_t), compute

(g^{rv(bi2,1Iit,jtv +bi2,0)}, g^rvbi2,0Δh^ρ) = (g^{(a+nv)(xtbxt+mit−b)}, g^{(a+nv)(mit−b)}g^(b−s)a) by (5)

= (g^(a+nv)mit, g^{amit+nvmit−bnv−as})

where I_i^v_t,jt = x_t, otherwise the user u_v is not revoked. Moreover, compute

(g^rvbi1,1, g^rvbi1,0) = (g^(a+nv)mi,1, g^(a+nv)mi,0) by (6)

Then S sends the public key P K and the secret key SK_v of the revoked user u_v ∈ U\T to A.

• Query Phase 1. A issues decryption query, hash-Φ query, and hash-Ψ query adaptively.

Then S responds to these queries as follows:

– Decryption query. According to the above setting, the ciphertext to T only con-sists of the part for h^. Otherwise, S can use the part for h of ciphertext to decrypt the message trivially, since h = g^s is chosen by S and he knows the exponent s.

S receives the query Q_d = {E^, D^, P_1,1^ , P_1,2^ , . . . , P_r,1^ , P_r,2^ } and checks the query

∗ If record Ψ(AΨ) = ψ exists, returns ψ.

∗ Otherwise, returns Ψ(AΨ) = ψ^ ∈RG_t.

• Challenge. A chooses two messages M0 and M₁. Then C returns the ciphertext

Ctx ={E^, D^ = g^c, P_1,1^ , P_1,2^ , . . . , P_r,1^ , P_r,2^ }

where E^ is a random element in G_t, and the shares (P_1,1^ , P_1,2^ , . . . , P_r,1^ , P_r,2^ ) can be computed by S under the above setting (Like the computation for the second element g^{rvfji(Ii,jv )} of secret key skⁱ_j in the simulation).

• Query Phase 2. It is almost same as query phase 1, except that A can not issue the decryption query about Ctx.

• Guess. S checks the query list of hash-Φ and sees whether there is a record Φ(D^, C^) = φ^ such that O(g, g^ρ= g^a, h^ = g^b, D^ = g^c, C^) = 1. If there is, S returns C^ = ˆe(g, g)^abc as the answer of Gap-BDH problem. Otherwise, we claim that A can not have non-negligible advantage to crack our system, since that the simulation is almost perfect and the challenge ciphertext Ctx is independent to M₀ and M₁.

Finally, we are going to analyze the efficacy of the simulation. It is almost perfect, except that hash-Ψ may not be consistent. Inconsistency is caused by the artificial settings to hash-Ψ in the manipulation of the watch list of Hash-Φ. The artifical setting to hash-Ψ may contradict another artificial setting or the query list of hash-Ψ. For example, we may face the situation that we have set Ψ(A) = W before, but now we have to set Ψ(A) = W^ to complete the manipulation of watch list. The number of the artificial settings is bounded by the number of decryption query, that is q_d. Thus the probability of this situation occurring is at most C₂^qd1_p. Moreover, the adversary can issue at most q_Ψ hash-Ψ queries. After issuing a hash-Ψ query, the adversary will leave a query record in the query list. Our settings may

contradict the existing records in the query list. The probability of this situation occurring is at most C₁^qdqΨ

p .

The probability of inconsistency is negligible respect to k:

P r[Inconsistent]≤ C2^qd

1

p + C₁^qdq_Ψ

p ≤ q_d(q_d+ q_Ψ)

p = O(k²) 2^k

8 Remark

In our construction, the assignment of the specific value h and h^ is not intuitive. Someone may ask that why do not use one specific value h only, or just like PK-SD-PI that assigns each polynomial f_jⁱ an unique value h_i,j respectively. The reasons are as follows:

• Like PK-SD-PI. If we assign each polynomial f_jⁱ an unique value h_i,j that is generated by the hash function, then the assigning values are all independent to each other. Thus for each subtree T_i, we need O(log n) information for changing the assigning value h_i,j in the element g^rvfji(0)h^ρ_i,j of the secret key during the key derivation from the secret keys belong to the subtree T₁ to the secret keys belong to the subtree T_i. Then we have to put O(log²n) information in the secret keys of each user. In order to reduce secret key size to O(log n), the information needed for changing the assigning value during the key derivation for each subtree T_i must be bounded by O(1).

• Use one value only. If we only use one specific value h, then we must set h = g^b in the simulation to feed the challenge input g^b to the adversary. Thus we have to set all the polynomials f_jⁱ with f_jⁱ(0) = b + m_i,j where m_i,j ∈R Z_p is chosen by us, because we can only compute the element g^rvfji(0)h^ρ of the secret key in this way that g^rvfji(0)h^ρ = (g^−a)^(b+mi,j)(g^b)^a = (g^a)^−mi,j. But this setting makes all polynomials be secret to us, and we only know two function values of each polynomial. If the number of revoked users is greater than 2, we can not compute all the elements g^{rvflog n1 (x)} of the secret keys of the revoked users. We can only compute two secret keys for revoked users, but the number of revoked users is more than two.

9 Conclusion

We have proposed a fully collusion resistant public key broadcast encryption scheme that achieves O(1) public key size, O(log n) secret key size, O(r) ciphertext size, and O(1) de-cryption time. Our scheme is the most efficient scheme in the existing broadcast ende-cryption schemes.

We propose some open questions about broadcast encryption:

1. Is it possible to construct a more efficient scheme?

2. Is it possible to construct a scheme with the same efficiency but in normal model?

References

[AFG⁺06] Nuttapong Attrapadung, Jun Furukawa, Takeshi Gomi, Goichiro Hanaoka, Hideki Imai, and Rui Zhang 0002. Efficient identity-based encryption with tight security reduction. In CANS, pages 19–36, 2006.

[BGW05] Dan Boneh, Craig Gentry, and Brent Waters. Collusion resistant broadcast encryption with short ciphertexts and private keys. In CRYPTO, pages 258–

275, 2005.

[Boy07] Xavier Boyen. Miniature cca2 pk encryption: Tight security without redundancy.

In ASIACRYPT, pages 485–501, 2007.

[BSNS05] Joonsang Baek, Reihaneh Safavi-Naini, and Willy Susilo. Efficient multi-receiver identity-based encryption and its application to broadcast encryption. In Public Key Cryptography, pages 380–397, 2005.

[DF03] Yevgeniy Dodis and Nelly Fazio. Public key trace and revoke scheme secure against adaptive chosen ciphertext attack. In Public Key Cryptography, pages 100–115, 2003.

[FN93] Amos Fiat and Moni Naor. Broadcast encryption. In CRYPTO, pages 480–491, 1993.

[HL06] Yong Ho Hwang and Pil Joong Lee. Efficient broadcast encryption scheme with log-key storage. In Financial Cryptography, pages 281–295, 2006.

[HSaFZ06] Xinyi Huang, Willy Susilo, and Yi Mu amd Futai Zhang. Short (identity-based) strong designated verifier signature schemes. ISPEC, 2006. LNCS 3903.

[HSaFZ08] Xinyi Huang, Willy Susilo, and Yi Mu amd Futai Zhang. Short designated verifier signature scheme and its identity-based variant. International Journal of Network Security, 2008. Vol.6, No.1.

[LT08] Yi-Ru Liu and Wen-Guey Tzeng. Public key broadcast encryption with low number of keys and constant decryption time. In Public Key Cryptography, pages 380–396, 2008.

[MSLR04] Yi Mu, Willy Susilo, Yan-Xia Lin, and Chun Ruan. Identity-based authenticated broadcast encryption and distributed authenticated encryption. In ASIAN, pages 169–181, 2004.

[NNL01] Dalit Naor, Moni Naor, and Jeffery Lotspiech. Revocation and tracing schemes for stateless receivers. In CRYPTO, pages 41–62, 2001.

[NP01] Moni Naor and Benny Pinkas. Efficient trace and revoke schemes. In FC ’00: Pro-ceedings of the 4th International Conference on Financial Cryptography, pages 1–20, London, UK, 2001. Springer-Verlag.

[SVG⁺08] S. Sharmila Deva Selvi, S. Sree Vivek, Ragavendran Gopalakrishnan, Naga Naresh Karuturi, and C. Pandu Rangan. Provably secure id-based broad-cast signcryption (ibbsc) scheme. Cryptology ePrint Archive, Report 2008/225, 2008. http://eprint.iacr.org/.

[TNJ⁺05] GOMI TAKESHI, ATTRAPADUNG NUTTAPONG, FURUKAWA JUN, ZHANG RUI, HANAOKA GOICHIRO, and IMAI HIDEKI. Cca-secure ibe scheme with tight security reduction based on the gap bdh assumption. Pro-ceedings of the Symposium on Information Theory and Its Applications, 2005.

VOL.28th;NO.Vol.1.

[YJCK04] Eun Sun Yoo, Nam-Su Jho, Jung Hee Cheon, and Myung-Hwan Kim. Efficient broadcast encryption using multiple interpolation methods. In ICISC, pages 87–103, 2004.

在文檔中 對數儲存量及常數計算量的公開金鑰廣播加密系統 (頁 32-53)