Proposed Scheme

Let k be a security parameter and n be the number of subscribers. Choose k-bit primes p_i = 2q_i+ 1, where q_i are odd primes. For convenience, assume p₁ < p₂ < · · · < p_n. The primes will be such that q^1/2₁ is large enough. Let M = Qⁿ

i=1

pi. Assume the contents (plaintext) are elements of Zp1. Let g be a common primitive root modulo each of the p_i’s. By Lemma 4.3.1 such a g exists because any −a² is a valid candidate when 1 < a < p₁− 1. We now describe the four components of our scheme.

• Key generation: Each subscriber i chooses a private decryption key di ∈ Zpi

randomly and sends (β_i, p_i) to the distributor, where β_i = g^di mod p_i. Next, the distributor computes β = Pⁿ

i=1

β_iM_iy_i mod M, where M_i = M/p_i and M_iy_i ≡ 1 (mod p_i), for 1 ≤ i ≤ n. The triple (g, β, M ) is the public encryption key. Note that

β ≡ β_i (mod p_i).

• Encryption: Let the plaintext be x ∈ Zp1. The distributor picks a random element r from {0, 1, . . . , p₁− 1} and computes

z₁ = g^r mod M, z2 = xβ^rmod M.

The ciphertext is C = (z1, z2). Note that the digital content is encrypted only once not n times.

• Decryption: Given a ciphertext C = (z₁, z₂), the decryption algorithm com-putes z₂(z₁^di)⁻¹ mod p_i. This step correctly yields the plaintext x because

z₂(z₁^di)⁻¹ ≡ xβ^r(g^rdi)⁻¹

≡ xβ_i^r(g^rdi)⁻¹

≡ x(g^di)^r(g^rdi)⁻¹

≡ x (mod p_i).

• Tracing: The tracing algorithm is described in Section 4.5.

The encryption and decryption algorithms are similar to those in the ElGamal cryptosystem. The content is encrypted once, and each subscriber can decrypt using his or her own decryption key. There is no need of a key generation center to generate the decryption keys. Instead, subscribers generate their own keys at random. The distributor creates the encryption key without knowing any decryption key. The decryption keys are therefore private to their respective owners. This is identical to the standard point-to-point public-key cryptosystem setup. Our scheme is hence fully public-key.

Consider this straightforward approach to secure broadcasting in a full public-key setting [56]: Before broadcasting, the plaintext is encrypted n times with all sub-scribers’ public keys, and then the Chinese remainder algorithm is applied. If the straightforward approach uses the ElGamal probabilistic encryption, the number of modular multiplications and squarings in performing encryptions is n-times ours be-cause we encrypt the plaintext only once. The fast modular multiplication algorithm devised in [32] requires t + 7 clock pulses, where t is the length of the modulus. As-sume our encryption needs a total of ` modular multiplications and squarings. For each plaintext, our encryption needs time `(nk +7), but the straightforward approach needs time `n(k + 7) plus O_B(M(nk) log(n)) + O_B(nM (k) log(k)) for performing the Chinese remainder algorithm. Hence, our scheme is more efficient.

4.4.1 Security Analysis

We will show that our scheme is plaintext-secure against a passive generic adversary if q^1/2₁ is large enough. We now explain the terms. A passive generic adversary is a generic algorithm and can only eavesdrop the network. A generic algorithm does not exploit any special properties of the encodings of group elements except that each group element is encoded as a unique bit string [208]. An encryption system is plaintext-secure if the full plaintext about a content cannot be derived from its encryption form.

Let M⁰ be a product of t primes p_i, say,

M⁰ = pi1pi2· · · pit.

Let β⁰ = β mod M⁰. As before, g is a common primitive root modulo p_i, i =

1, 2, . . . , n. The Diffie-Hellman problem (DH) in a group with generator g is to com-pute g^r1r2 from g^r1 and g^r2. Shoup shows that any generic algorithm must perform Ω(q^1/2max) group operations for the problem, where qmax is the largest prime dividing the order of the group [208]. Because g is a common primitive root modulo each of the p_is, the largest possible order of g modulo M⁰ is λ(M⁰) = 2q_i1q_i2· · · q_it by equa-tion (2.1). So the subgroup H of Z_M^∗ 0 generated by g has order λ(M⁰). The order of H surely contains a prime factor which is not smaller than q₁. As we choose a large q^1/2₁ , the DH problem in H is intractable for a generic adversary. Based on this intractability, we next prove that our encryption scheme is plaintext-secure against a passive generic adversary. But first we need the following lemma.

Lemma 4.4.1. If the ElGamal cryptosystem in Z_M^∗ 0 can be broken, then the Diffie-Hellman problem in the subgroup H of Z_M^∗ 0 generated by g can be solved efficiently.

Proof. Suppose that there is an algorithm A that breaks the ElGamal cryptosystem in Z_M^∗ 0. Given g, M⁰, β⁰, z₁ and z₂, algorithm A computes the plaintext

x = z₂(β^0loggz1)⁻¹ mod M⁰.

Assume that β⁰, γ ∈ H. When given inputs g, M⁰, β⁰ and γ for the Diffie-Hellman problem, A can be invoked to solve this DH problem by

A(g, M⁰, β⁰, γ, 1)⁻¹ = ((β^0loggγ)⁻¹)⁻¹ mod M⁰

= g^{loggβ0loggγ} mod M⁰.

Theorem 4.4.1. Our encryption scheme is plaintext-secure against a passive generic adversary.

Proof. A passive adversary can only eavesdrop to get C = (z₁, z₂). For such an ad-versary, to derive plaintext is equivalent to breaking the ElGamal encryption scheme in Z_M^∗ 0. Nevertheless, by Lemma 4.4.1, breaking the ElGamal scheme in Z_M^∗ 0 implies solving the DH problem in the subgroup H of Z_M^∗ 0 generated by g. For a generic algorithm, solving the DH problem for the subgroup H needs at least Ω(q^1/2₁ ) time.

Because q₁^1/2 is chosen to be large, the theorem is proved.

4.4.2 Semantic Security

The security of our scheme is based on the ElGamal encryption scheme in Z_M^∗ 0. To enhance the security, we show how to choose the generator of subgroups and limit the message so that our scheme is semantically secure.

Because g is the common generator of the Z_p^∗_i’s, g² has order qi and generates all the q_i quadratic residues in Z_p^∗_i for each i = 1, 2, . . . , n. Similarly, g² has order λ(M⁰)/2 = q_i1q_i2· · · q_ik and generates all the quadratic residues in Z_M^∗ 0. So the cyclic subgroup of Z_M^∗ 0 generated by g² has order q_i1q_i2· · · q_ik, each of whose prime factors is at least q₁. The decision Diffie-Hellman problem (DDH) in group G generated by h with a large order is to efficiently distinguish the two distributions: (h^r1, h^r2, h^z) where r1, r2, z are random and (h^r1, h^r2, h^r1r2) where r1, r2 are random. Any generic algorithm must perform Ω(q^1/2_min) group operations for the DDH problem, where q_min is the smallest prime dividing the order of the group [208]. Modify the parameters in our scheme: Let the common generator be g² and assume the plaintext (contents) in Z_p1 must be a common quadratic residue of all the p_i’s. Because q₁^1/2 is chosen to be large, the DDH problem for the subgroup generated by g² is intractable for a generic adversary. Based on this intractability, our scheme can be shown to be semantically secure by using a similar result in [216] after replacing the modulus p there with our M⁰.

The parameters were modified so that each plaintext x ∈ Z_p1 is a common quadratic residue of all the p_i’s. That is very inconvenient. Here is an alterna-tive. Encrypt x² instead of x. After decryption, subscriber i obtains x⁰ = x² mod p_i. As pi ≡ 3 (mod 4), the solutions to x² ≡ x⁰ (mod pi) are x ≡ ±x^0(pi+1)/4 (mod pi).

Note that one of the solutions is odd and the other even. If we always pad one bit in the least significant bit of x to make it, say, odd, the plaintext can be uniquely decided. So we have the following theorem.

Theorem 4.4.2. Our scheme modified as described above is semantically secure against a passive generic adversity.

4.4.3 Forgery of Decryption Keys

Recall that β, M, β_i, p_i, g, and d_i, for i = 1, 2, . . . , n, are all the keys in the system, among which only d_i are not public. The ciphertext (z₁, z₂) is also public. Because our encryption scheme is plaintext-secure, it is impossible to fake subscribers’ keys or create new decryption keys from the public information. This implies that combining d_i’s is the only way to create decryption keys. Suppose t of the d_i’s are used to create a new decryption key d_H, say d₁, d₂, . . . , d_t. Because d₁, d₂, . . . , d_t are involved in creating d_H, we solve d_H from

g^dH ≡ g^di (mod p_i) (4.1)

for i = 1, . . . , t. Let M_H⁰ = p₁p₂· · · p_t. The following lemma proves that this d_H works.

Lemma 4.4.2. Suppose that d1, d2, . . . , dt are used to create a new decryption key d_H. Then d_H exists and equals P^t

i=1

d_iM_Hiy_i mod M_H if and only if gcd(p_i− 1, p_j− 1) divides d_i− d_j, where M_H = lcm(p₁− 1, p₂− 1, . . . , p_t− 1), M_Hi = M_H/(p_i− 1), and M_Hiy_i ≡ 1 (mod p_i− 1) for i = 1, 2, . . . , t.

Proof. By equation (4.1), d_H satisfies g^dH ≡ β (mod M_H⁰ ). Hence d_H and M_H⁰ can be used to decrypt the ciphertext. By Fact 2.2.16, g^dH ≡ g^di (mod p_i) implies d_H ≡ d_i (mod p_i− 1). The rest of the lemma follows from Fact 2.2.12.

The next theorem is immediate.

Theorem 4.4.3. For a passive generic adversary, the only way to create a new decryption key d_H in our scheme is to combine the d_i’s in the way mentioned in Lemma 4.4.2.