對數儲存量及常數計算量的公開金鑰廣播加密系統

國

立

交

通

大

學

資訊科學與工程研究所

碩

士

論

文

對 數 儲 存 量 及 常 數 計 算 量 的

公 開 金 鑰 廣 播 加 密 系 統

Efficient Public Key Broadcast Encryption with

Logarithmic Key Size and Constant Decryption Time

研 究 生：沈宣佐

指導教授：曾文貴 教授

對數儲存量及常數計算量的公開金鑰廣播加密系統

Efficient Public Key Broadcast Encryption with Logarithmic Key Size

and Constant Decryption Time

研 究 生：沈宣佐 Student：Shiuan-Tzuo Shen

指導教授：曾文貴 Advisor：Wen-Guey Tzeng

國 立 交 通 大 學

資 訊 科 學 與 工 程 研 究 所

碩 士 論 文

Submitted to Institute of Computer Science and Engineering College of Computer Science

National Chiao Tung University in partial Fulfillment of the Requirements

for the Degree of Master

in

Computer Science

June 2008

Hsinchu, Taiwan, Republic of China

i  摘要 我們提出一個完全抵禦共謀的公開金鑰廣播加密系統，達到 O(1)公開金鑰量、O(log

n

r

n

r

n

存 O(log2

_n

並且不須額外的成本負擔。

Abstract

We propose a fully collusion resistant public key broadcast encryption scheme that achieves O(1) public key size, O(log n) private key size, O(r) ciphertext size, and O(1) decryption time where n is the number of users in the system and r is the number of the revoked users. To the best of our knowledge, our scheme is the most efficient scheme in the existing broadcast encryption schemes. Our scheme also achieves the IND-CCA2 security in the random oracle model. It is based on the idea of [LT08] and the result of [Boy07]. We provide a key derivation method that reduces the private key size to O(log n) while [LT08] is O(log2n). We apply the method of [Boy07] to enhance the security to IND-CCA2 without redundancy.

Contents

List of Tables

List of Figures

1 Tree-based structure . . . 9

2 Subset difference . . . 10

3 Partition of receivers . . . 10

4 Key storage . . . 12

5 Hash chain method . . . 13

6 Naming system . . . 15 7 Polynomials of subtrees . . . 17 8 PK-SD-PI . . . 19 9 Key derivation . . . 21 10 Polynomial derivation . . . 21 11 Assignment of h and h . . . 23

12 Polynomial derivation depends on the relation . . . 24

1

Introduction

Broadcast encryption is an encryption scheme useful in the multi-receiver scenario. There are many applications of broadcast encryption, such as pay-TV programs, private commu-nication between a group of users, etc. Assume that there are totally n users in the system and we want to send a message to a group of m users in the system. If we use general public key encryption systems (not broadcast encryption), we need to encrypt the message m times (encrypted with each of the receiver’s public key) and send them to the receivers. It needs much network bandwidth. There is another way to send a message to the m receivers. For each subset of the n users, we assign a public key to the subset respectively. Each user holds the private keys for the public keys of the subsets where he is in. Then we can use the public key of the set of the m receivers to encrypt the message and send the encrypted message to the receivers. But for each user, there are 2n−1subsets where he is in. Thus each user needs to store O(2n) private keys. It is not efficient enough for practical usage, because network bandwidth is expensive and storing an exponential number of secret keys is quiet inconvenient.

Broadcast encryption is a solution of striking a balance between bandwidth and storage. In a public key broadcast encryption scheme, a trusted third party sets up the whole system. It generates the system public key and the secret keys for the users. To send a message to some users, we encrypt the message with the system public key and generate the necessary information for the receivers to derive the secret key for decryption. Then we just broadcast the ciphertext and the necessary information to all users. Only the valid receivers can derive the secret key for decryption from the necessary information and their own secret keys, then they can decrypt the message correctly with the derived secret key. But the other users can not since that the information is not sufficient enough for them to derive the secret key and decrypt the message.

Broadcast encryption schemes can be symmetric or asymmetric. It depends on the type of encryption function used to encrypt the message. For a symmetric broadcast encryption scheme, only the users in the system can broadcast messages since the senders must know the secret keys. While for an asymmetric broadcast encryption scheme, everyone (even not in the system) can broadcast messages to the users in the system with the system public key. Broadcast encryption also can be stateful or stateless. For a stateful broadcast encryption scheme, the secret key of each user will be updated periodly. Thus the structure of users can be dynamic, users can join to or quit from the system if needed. While for a stateless broadcast encryption scheme, the secret key of each user won’t be updated. Thus the structure of users must be fix after the setup of the whole system. Here we deal with the stateless public key broadcast encryption scheme in this paper.

1.1

Related Work

In 1993, Fiat and Naor [FN93] firstly gave a formal definition of broadcast encryption. They defined the ciphertext in the form of Hdr(S, K), E_K(M ), where Hdr(S, K) is the header about the set S of receivers, the session key K is used for encryption, and E_K(M ) is the symmetric encryption of the message M with K. Only the users in S can gain the session key K from Hdr(S, K) and then decrypt the message M from E_K(M ), while other users can not. We say that a broadcast encryption scheme is fully collusion resistant if the users not in S can not gain the session key K from Hdr(S, K) even they all collude together. The header size is usually dominated by the number of partitions of the receivers, and the efficiency of a broadcast encryption is usually measured by the size of secret key, the size of header, and the time of decryption.

In 2001, D. Naor, M. Naor, and Lotspiech [NNL01] proposed a Subset-Cover framework and two broadcast encryption schemes under the framework. Let n be the number of total users and r be the number of the revoked users. The first scheme is called Complete Subtree

(CS), and it achieves O(log n) secret key size, O(r logn_r) header size, and O(log log n) decryp-tion time. The second scheme is called Subset Difference (SD), it achieves O(log2n) secret key size, O(r) header size, and O(log n) decryption time. CS and SD are very important in the history of broadcast encryption, on which many broadcast encryption schemes are based. In 2003, Dodis and Fazio [DF03] used Identity Based Encryption (IBE) and Hierarchical Identity Based Encryption (HIBE) as building blocks to construct two public key broadcast encryption schemes based on the idea of CS and SD respectively. The two schemes are called PK-CS and PK-SD respectively. PK-CS achieves O(1) public key size, O(log n) secret key size, O(r logn_r) header size, and O(1) decryption time. PK-SD achieves O(1) public key size, O(log2n) secret key size, O(r) header size, and O(log n) decryption time.

In 2004, Yoo, Jho, Cheon, and Kim [YJCK04] proposed a symmetric broadcast encryption scheme based on the idea of Naor and Pinkas [NP01]. They used the idea of user set partition and multiple polynomials interpolation to construct a broadcast encryption scheme that is more efficient than SD. The scheme achieves O(logn_r) secret key size and O(αr + m) header size, where 1 < α < 2 is a predetermined system parameter.

In 2005, Boneh, Gentry, and Waters [BGW05] proposed a fully collusion resistant public key broadcast encryption scheme with short ciphertext and short private key. The scheme achieves O(1) secret key size and O(1) header size. But the public key size is O(n) and the decryption time is O(n− r). Boneh, Gentry, and Waters also proposed a trade-off between the public key size and the header size. For example, a fully collusion resistant public key broadcast encryption scheme with O(√n) public key size, O(1) secret key size, O(√n) header size, and O(√n) decryption time.

In the same year, Hwang and Lee [HL06] used one-way hash functions as the building block to construct a symmetric broadcast encryption with logarithm secret key size. The scheme achieves O(log n) secret key size and O(r) header size. But their decryption time is O(nβ_{), where 0 < β≤ 1 is a system parameter.}

In 2007, Liu and Tzeng [LT08] proposed three fully collusion resistant broadcast encryp-tion schemes based on the idea of polynomial interpolaencryp-tion. The first scheme is call BE-PI. Each user holds a share of the polynomial. When broadcasting the message, the shares of revoked users are broadcasted. Thus the valid receivers can obtain enough shares to recover the necessary information for decrypting the message, while the revoked users can not have enough shares from the broadcasted messages. BE-PI achieves O(1) public key size, O(log n) secret key size, O(r) header size, and O(r) decryption time. The second scheme is called PK-SD-PI, and it is based on the scheme PK-SD. PK-SD-PI achieves O(1) public key size, O(log2n) secret key size, O(r) header size, and O(1) decryption time. The third scheme is called PK-LSD-PI, and it is based on the scheme PK-LSD. PK-LSD-PI achieves O(1) public key size, O(log1+n) secret key size, O(r/) header size, and O(1) decryption time, where 0 <  < 1 is a system parameter.

In 2008, Selvi, Vivek, Gopalakrishnan, Karuturi, and Rangan [SVG+08] found a vulnera-bility of the ID-based broadcast signcryption scheme that was proposed by Mu, Susilo, Lin, and Ruan [MSLR04] in 2004. They proposed a new scheme that is called IBBSC is provably secure and achieves the IND-CCA2 and EUF-CMA2 security. IBBSC achieves O(n) public key size, O(1) secret key size, O(n− r) header size, and O(n − r) decryption time.

Table 1: Comparison of some broadcast encryption schemes

Scheme Public Key Size Secret Key Size Header Size Decryption Time CS N/A O(log n) O(r logn_r) O(log log n) SD N/A O(log2n) O(r) O(log n) YJCK04 N/A O(logn

r) O(αr + n)

1 _O(d

w)2

HL05 N/A O(log n) O(r) O(nβ₎3

PK-CS O(1) O(log n) O(r logn_r) O(1) PK-SD O(1) O(log2n) O(r) O(log n) BGW05 (i) O(n) O(1) O(1) O(n− r) BGW05 (ii) O(√n) O(1) O(√n) O(√n)

BE-PI O(1) O(log n) O(r) O(r) PK-SD-PI O(1) O(log2n) O(r) O(1) PK-LSD-PI O(1) O(log1+n)4 O(r/)4 O(1) Our Scheme O(1) O(log n) O(r) O(1)

1 _{1 < α < 2 is a system parameter.} 2 _d

1= 1 and di=α(di−1+ 1). Let w be the minimal integer such that n ≤ (α + 1)(dw+ 1) + 1.

3 _{0 < β ≤ 1 is a system parameter.} 4 _{0 <  < 1 is a system parameter.}

1.2

Our Contribution

We proposed a fully collusion resistant public key broadcast encryption scheme based on the idea of key derivation, the scheme PK-SD-PI, and the result of Boyen [Boy07]. Our scheme is an improvement on PK-SD-PI. We used the idea of key derivation to reduce the number of secret keys to O(log n). In our scheme, the polynomials are not all independent. The share of a polynomial can be derived from the share of another polynomial. Thus users don’t need to store as many as O(log2n) shares, and the size of secret key is reduced. We also used the result of [Boy07] to achieve the IND-CCA2 security without the extra redundancy in the random oracle model. Thus the header size is still the same as the original scheme PK-SD-PI, and the communication cost doesn’t rise up. Our scheme achieves O(1) public key size, O(log n) secret key size, O(r) header size, and O(1) decryption time. To the best of our knowledge, our scheme is the most efficient scheme in the existing broadcast encryption schemes.

2

Preliminary

We use the bilinear map as a fundamental tool to build our public key broadcast encryption scheme. We prove that our scheme is IND-CCA2 secure by reducing from the Gap-BDH problem. Thus our scheme is secure if Gap-BDH assumption is held. We are going to introduce the background knowledge used in this paper.

2.1

Bilinear Map

It is also known as pairing on elliptic curve. Let p be a large prime, G = g and G_t=g_t be two multiplicative groups such that|G| = |G_t| = p, and ˆe : G × G → G_t be a computable pairing. Then ˆe should satisfy the following properties:

• Bilinear. ∀x, y ∈ Zp, we have ˆe(gx, gy) = ˆe(g, g)xy.

• Non-Degenerate. We have ˆe(g, g) = gt = 1.

• Computable. It can be computed in polynomial time with respect to |p|.

2.2

Gap-BDH Assumption

Let k be the security parameter, p be a large prime with|p| = k, G = g and G_t=g_t be two multiplicative groups such that|G| = |G_t| = p, and ˆe : G×G → G_tbe a computable pairing. For an instance (g, ga_{, g}b_{, g}c_{) of Bilinear Diffie-Hellman (BDH) problem where a, b, c∈}

R Zp,

the decisional oracle O about the instance is:

O(g, ga, gb, gc, W ) = 

1, if W = ˆe(g, g)abc 0, otherwise

The Gap-BDH problem is described as follows:

• Given (g, ga_{, g}b_{, g}c_{) as input and the access right of O, compute ˆe(g, g)}abc_.

• It is hard to solve the BDH problem for any polynomial-time adversary A, even with the help of the decisional oracle O. It means that the Gap-BDH problem is hard for any polynomial-time adversary. Therefore, we have

P r[AO(g, ga, gb, gc) = ˆe(g, g)abc]≤ neg(k) where neg(k) is some negligible function respect to k.

Gap-BDH assumption is a variant of BDH assumption, and the former is stronger than the latter. Gap-BDH assumption is not as widely used as BDH assumption. However, it is getting popular. For example, see [Boy07], [AFG+06], [BSNS05], [TNJ+05], [HSaFZ06], and [HSaFZ08].

2.3

Broadcast Encryption

Usually, there is a trusted third party, also known as the private key generator (PKG), to setup a public key broadcast encryption system. A scheme consists of the three algorithms: • Setup(1k_{, ID, U ). k is the security parameter, ID is the identity of system, and}

U = {u1, u2, . . . , un} is the set of users in this system where n is the total number

of users. Setup takes these parameters as input and outputs the public key P K, the master secret key M SK for PKG, and the set SK = {SK1, SK2, . . . , SKn} of secret

keys where SK_i is the secret key of user u_i ∈ U.

• Enc(P K, T , Msg). P K is the public key, T ⊆ U is the set of valid receivers for this encryption, and M sg is the message to be encrypted. Enc takes these parameters as input and outputs the ciphertext Ctx of M sg. Only the user u_i in T can decrypt Ctx with his secret key SK_i, while other users can not.

• Dec(P K, SKi, Ctx). P K is the public key, SKi is the secret key of user ui in T ,

message M sg of Ctx if SK_i is valid.

We say that a public key broadcast encryption scheme is IND-CCA2 secure if there is no polynomial-time adversary A that can win the following game with non-negligible advantage:

• Initial. A chooses a system identity ID and a set T ⊆ U of users to attack.

• Setup. Challenger C runs algorithm Setup(1k_{, ID, U ), and obtains the public key}

P K and secret keys SK ={SK1, SK2, . . . , SKn} of all users in U. Then C sends the

public key P K and the secret keys SK_u to A for each user u∈ U\T .

• Query Phase 1. A issues decryption queries Q = {Q1, Q2, . . . , Qq} to C adaptively

where q is polynomial to k. Then C responds to A’s queries with the answers R = {R1, R2, . . . , Rq} such that Qi =Enc(P K, T , Ri).

• Challenge. A chooses two messages M0 and M1 to C. Then C chooses a random bit

b, and runs the algorithm Enc(P K, T , M_b). C returns the ciphertext Ctx to A. • Query Phase 2. It is almost the same as the Query Phase 1, except that A can not

issue the decryption query about Ctx.

3

Idea of SD

D. Naor, M. Naor, and Lotspiech [NNL01] firstly proposed the tree-based broadcast encryp-tion system. They saw the users as the leaves of a complete binary tree, and the internal nodes of the binary tree present the subsets of users that are descendants of them. We use T_i to denote the set of users that are leaves of the subtree which is rooted in node i. In figure 1, we assume that there are totally 8 users here. These users are presented by the leaf nodes u1, u2, . . . , u8 respectively. The users u1, u2, u3, and u4 is covered by the node that is

labeled 2, and we use T2 to present this set.















Figure 1: Tree-based structure

D. Naor, M. Naor, and Lotspiech viewed designing a broadcast encryption scheme as solving the subset-cover problem in the tree-based system. They proposed a Subset-Cover framework and two broadcast encryption schemes based on the framework. Let n be the number of total users and r be the number of the revoked users. The first scheme is called CS. In CS, each user only needs to store O(log n) secret keys. But it partitions the receivers into O(r logn_r) disjoint subsets, then the header size is too large. The second scheme is called SD, it reduces the header size from O(r logn_r) to O(r). But the number of secret keys a user holds is increasing to O(log2n). We let the subset difference T_xi denotes the set of users that

are in the subtree T_i but not in the subtree T_x, see figure 2.

Figure 2: Subset difference

In SD, we partition the receivers into disjoint subset differences. Use figure 3 as an example, we want to send a message to the users u1, u2, u6, u7, and u8. Then we can partition

these receivers into the subset differences T₅2 and T_u3₅ respectively, users {u1, u2} ∈ T52 and

users {u6, u7, u8} ∈ T_u35.















Figure 3: Partition of receivers

Let U be the set of users in the system and R be the set of revoked users for this time of message sending. We are going to partition the receivers U\R into the disjoint subset differences Ti1

x1, Ti 2

Steiner Tree induced by R and the root. We generate the collection of the disjoint subsets iteratively. We maintain a subtree T of the tree ST (R) with the property that any leaf node u ∈ U\R of T has been covered. In the beginning, we let T be equal to ST (R). Then we remove the nodes from T and add the subset difference to the collection iteratively, until T consists of only one single node:

1. Find two leaves v_i and v_j in the tree T such that their least common ancestor v does not contain any other leaf of T in the subtree T_v. Let v_k and v_l be the two children of v such that v_k is an ascendant of v_i and v_l is an ascendant of v_j. If there is only one leaf in T, let v_i = v_j be the leaf and v = v_k = v_l be the root of T.

2. If v_k = v_i, add the subset difference Tk

i to the collection. Likewise, if vl = vj, add the

subset difference Tl

j to the collection.

3. Remove the subtree T_v from T, and make the node v a leaf in T. Let T = Ti1

x1∪Ti 2

x2∪· · ·∪Txirr be the union of the disjoint subset differences of valid receivers

and r be the number of partition of T in SD. While broadcasting a message M , we encrypt M with the session key K and encrypt K for r times with the secret keys SK1, SK2, . . . , SKr

respectively where SK_k, 1≤ k ≤ r, is the secret key of the subset difference Tik

xk of receivers.

Thus the ciphertext isE_K(M ), E_SK ₁(K), E_SK ₁(K), . . . , E_SK _r(K) where E and E are some symmetric encryptions, e.g. AES.

In SD, each user needs to store all the secret keys of the subset differences that he belongs to. Use figure 4 as an example, user u3 needs to store the secret keys of the subset differences

T₁₁5, {T₄2, T₈2, T₉2, T₁₁2}, and {T₃1, T₄1, T₆1, T₇1, T₈1, T₉1, T₁₁1, T₁₂1, T₁₃1, T₁₄1, T₁₅1}. The storage amount of each user is too high, it is O(n).

To reduce the storage amount, D. Naor, M. Naor, and Lotspiech proposed the hash chain solution. For each subtree T_i, the node x of T_i is assigned an unique label Li



























Figure 4: Key storage

the labels of the children nodes can be generated from the label of the parent node by using the two one-way hash functions H_L and H_R. Moreover, the hash function H_L is for the left child node and the hash function H_R is for the right child node, thus we have Li

2x = HL(Lix)

and Li

2x+1 = HR(Lix). The secret key SKxi of the subset difference Txi is generated by the

one-way hash function H_K such that SK_xi = H_K(Li_x). Thus each user doesn’t need to store all the secret keys anymore, he just stores the labels of the sibling nodes along the path from himself to the root node i for each subtree T_i. The storage amount for each user is reduced from O(n) to O(log2n) by the hash chain solution.

In figure 5, we use the subtree T1 as an example and let Lx denotes the label L1x for

simplicity. The user u3 needs to store the labels L11, L4, and L3 in the subtree T1. Then

he can use the hash functions H_L and H_R to generate the other labels that he should own, like {L8, L9} from L4, {L6, L7} from L3, {L12, L13} from L6, and {L14, L15} from L7. User

u3 can use the hash function HK to generate the secret keys of subtree T1 he needs.

An user needs to store O(log n) secret keys for a subtree, and there are totally O(log n) subtrees for an user. Thus the number of secret keys a user needs to store is bounded by O(log2n).

4

Idea of PK-SD

Dodis and Fazio [DF03] proposed two public key broadcast encryption schemes that are called PK-CS and PK-SD by applying Identity Based Encryption (IBE) and Hierarchical Identity Based Encryption (HIBE) to the schemes CS and SD respectively.

The distinctive difference between the general public key encryption and IBE system is that the public key of user can be any arbitrary or meaningful string in IBE while it usually is a random or meaningless string in the general public key encryption system. In IBE system, we usually use the receiver’s identity, e-mail address, or telephone number as receiver’s public key to encrypt the message. There is a trusted third party that is called Private Key Generator (PKG). PKG holds the master secret key, and he can generate any private keys of any identity if he wants to. Each user needs to register himself to the PKG, thus he can obtain his own private key.

HIBE system enjoys more features than IBE system. The users in HIBE are in the tree-based structure, and we can see them as the nodes of a binary tree. The maximum level of the binary tree is a system parameter that is decided before the implementation of the system. The important feature of HIBE is that the ascendant user can derivate the private keys of his descendant users from his private key. Thus the message for the descendant user can also be decrypted by his ascendant users, while the message for the ascendant user can not be decrypted by his descendant users. It means that the users in the higher level have more authority that the users in the lower level.

Dodis and Fazio proposed a naming system to generate the public key of each subset difference. For each subtree T_i, they give the root node i an unique identity independently. Then the identity of the left child is generated by concatenating 0 to his parent’s identity, while the identity of the right child is generated by concatenating 1. In figure 6, we use the subtree T1 as an example. We give the root node 1 of the subtree T1 an unique identity R.

Then the identities of his children are R0 and R1 respectively.

We can use these identities as public keys to encrypt the messages. The users in PK-CS or PK-SD store their private keys as if they are in CS or SD respectively. But in PK-SD, the user needs to be able to derivate the other private keys that he should hold from his private keys. So we have to use the HIBE system in PK-SD, while we just use IBE system in PK-CS.              

5

Idea of PK-SD-PI

Liu and Tzeng [LT08] proposed three fully collusion resistant broadcast encryption schemes based on the idea of polynomial interpolation. The schemes are called BE-PI, PK-SD-PI, and PK-LSD-PI respectively. In PK-SD-PI, the users are the leaves of a complete binary tree, and the internal nodes of the binary tree present the sets of users that are covered. We use T_i to denote the set of users that are leaves of the subtree which is rooted in node i, and we let the subset difference T_xi denotes the set of users that are in the subtree T_i but not in the subtree T_x. These settings are the same as SD, and the distinctive difference between PK-SD-Pi and SD is about the secret keys. In PK-SD-PI, an user stores the secret keys that are related to his ascendant nodes. While in SD, an user stores the secret keys that are related to his sibling nodes.

For each subtree T_i, we denote the maximum number of its levels as l_i. Then there are l_i independent polynomials belonging to T_i, one polynomial to one level of the subtree. These polynomials are named as f₁i, f₂i, . . . , f_li_i respectively, and the polynomial f_ji, 1 ≤ j ≤ l_i, is used for the nodes that are in the j-th level of T_i. Use figure 7 as an example, we assume that there are totally 8 users here. The polynomial f₁1 is used for node 2 and node 3 in the subtree T1, and the polynomial f22 is used for the leaf nodes u1, u2, u3, and u4 in the subtree

T2. These polynomials are all degree of one, and we let f_ji(X) = ai_j,1X + ai_j,0 for 1≤ j ≤ li.

The secret of the polynomial fi

j is fji(0), the coefficient aij,0 of the constant term. Thus the

coefficients of these polynomials are made private, but their masked values, hidden in the exponent, are public information.

For each subtree T_i, the covered user needs to store the shares of the polynomials f_ji that are at the path from himself to the root node i. Use figure 7 as an example, the user u3

needs to store the shares {f₁1(2), f₂1(5), f₃1(u3)} for subtree T1,{f12(5), f22(u3)} for subtree T2,









































Let T = Ti1

x1 ∪ Ti 2

x2 ∪ · · · ∪ Txirr be the union of the disjoint subset differences of valid

receivers and r be the number of subset differences of receivers. To broadcast a message M , we encrypt M with the system public key, and the master secret key is masked by the secrets of the polynomials that are related to the subset differences respectively. The idea is secret sharing. The valid receivers can obtain enough shares to recover the secret of the polynomial for decrypting the message, while the revoked users can not have enough shares from the broadcasted messages. Thus we broadcast the ciphertext and the shares held by the revoked users. The ciphertext isEnc(M), P1, P2, . . . , Pr where Enc(M) is the ciphertext of M and

P_k is the shares.

Use figure 8 as an example, we want to send a message to the users u1, u2, u6, u7,

and u8. These users are partitioned into the subset differences T52 and Tu35, and the related

polynomials are f₁2 and f₂3respectively. We use the system public key to encrypt the message, and the master secret key is masked by f₁2(0) and F₂3(u5) respectively. Then we broadcast

the share f₁2(5) held by the revoked users {u3, u4} and the share f23(u5) held by the revoked

user u5. The users u1 and u2 can have enough shares{f12(4), f12(5)} to recover the secret for

decryption. But the revoked users u3 and u4 only have their own share f12(5), and it is not















6

Our Scheme

In PK-SD-PI, an user needs to store O(log2n) secret keys. Use figure 7 as an example, the user u3 needs to store the shares {f11(2), f21(5), f31(u3)}, {f12(5), f22(u3)}, and f15(u3).

We observe that these shares usually use the same intput values but apply to different polynomials. For example,{f₂1(5), f₁2(5)} share the same input 5 and {f₃1(u3), f22(u3), f15(u3)}

share the same input u3. It means that we can have an easy method of key derivation, because

we only need to focus on the translation of coefficients between the polynomials. That’s why we can use O(log n) independent polynomials and O(log n) independent information to substitute the O(log2n) independent polynomials in PK-SD-PI.

Our key derivation method is in the horizontal form, not in the intuitional vertical form. We let the polynomials of subtree T_i can be derivated from the polynomials of subtree T1

respectively. Using the information kd_i, the polynomial f_ji can be derivated from the poly-nomial f_{j+log i}1 directly. In figure 9, {f₁2(5), f₂2(u3)} can be derivated from {f21(5), f31(u3)}

respectively with the same information kd2, and f15(u3) can be derivated from f31(u3) with

the infromation kd5.

The polynomials belong to subtree T1 are all independent, and the information kdi,

2 ≤ i ≤ n − 1, used for key derivation are all independent, too. Figure 10 is a sketch of the polynomial derivation. The polynomial fi

j(x) can be derivated from the polynomial

f_j1(x) = A_jx2+ B_jx + C_j with kd_i = (D_i, E_i) by adding D_i to the coefficient of x-term and

E_i to the coefficient of constant term, that is f_ji(x) = f_j1(x) + D_ix + E_i.

Let k be the security parameter, and p be a large prime such that |p| = k. We have a multiplicative group G = g such that |G| = p. Let H1 : {0, 1}∗ → {0, 1}k and H2 :

{0, 1}∗_{→ G be collision resistant hash functions. Furthermore, let ID be the identity name}

of the scheme, h and h ∈ G be the assigned values, and n be the total number of users in the scheme. Without loss of generality, we assume that n is a power of 2, and let log be the

Figure 9: Key derivation

ORJ

logarithm with the base 2.

In our scheme, the users are the leaves of a complete binary tree, and the internal nodes cover the users in its descendant leaves. The polynomial fi

j is used for the nodes that are

descendants of node i and are in the j-th level from node i. These settings are almost the same as PK-SD-PI, except that we use the polynomials of degree of 2 while PK-SD-PI uses the polynomials of degree of 1. We denote fi

j(X) = aij,2X2 + aij,1X + aij,0 (mod p) be a

2-degree polynomial function.

Each polynomial f_ji is assigned a specific value either h or h. Most of them are assigned h, and the remains are assigned h. We claim that for each subtree T_i, there are at most one polynomial fi

j that is assigned h. We use the hash function H1to pick up which polynomials

are assigned h:

For each subtree T_i, we let

j_i ≡ H1(ID||i) (mod log n − log i + 1)

where log n− log i + 1 equals to the number of levels of T_i plus one. • If j

i = 0, the polynomials belong to subtree Ti are all assigned h.

• If j

i = 0, the polynomial fjii is assigned h

_{. The other polynomials belong to subtree}

T_i are assigned h.

Figure 11 is an example. Subtree T_u has 4 levels, and we have H1(ID||u) ≡ 2 (mod 5).

Thus the polynomial fu

2 is assigned h, and the remaining polynomials of Tu are assigned h.

Likewise, Subtree T_v has 3 levels, and we have H1(ID||v) ≡ 0 (mod 4). Thus there is no

polynomial of T_v assigned h, and the polynomials belong to T_v are all assigned h. Then there are three possible relation between the polynomial f_{j+log i}1 and f_ji:

1. The polynomial f_{j+log i}1 is assigned h (h), and the polynomial f_ji is also assigned the same value h (h). We denote it as h→ h (h → h).

 __ PRG

 __ PRG

Figure 11: Assignment of h and h

2. The polynomial f_{j+log i}1 is assigned h, while the polynomial fi

j is assigned h. We

denote it as h→ h.

3. The polynomial f_{j+log i}1 is assigned h, while the polynomial f_ji is assigned h. We denote it as h → h.

For different relation between f_{j+log i}1 and fi

j, we use different information to derivate the

polynomial fi

j. Thus kdi is composed of three parts (Di,1, Ei,1), (Di,2, Ei,2), and (Di,3, Ei,3).

Figure 12 is a sketch for the polynomial derivation:

• The first part (Di,1, Ei,1) is used for the case 1: h → h or h → h.

• The second part (Di,2, Ei,2) is used for the case 2: h→ h.

• The third part (Di,3, Ei,3) is used for the case 3: h → h.

The coefficients of the polynomial fi

j(X) = aij,2X2 + aij,1X + aij,0 are secrets, but their

masked values are public information. The masked values are the coefficients put in the exponents of g, that is gaij,k for 0≤ k ≤ 2. The information kd

i for key derivation also needs

ORJ

Figure 12: Polynomial derivation depends on the relation

The masked values of the polynomials belong to subtree T1and the information kdiwhere

2≤ i ≤ n − 1 are computed as follows:

• ga1j,s = H₂(ID||1||j||s), for 1 ≤ j ≤ log n and 0 ≤ s ≤ 2

• gbil,s = H₂(ID||i||l||s), for 1 ≤ l ≤ 3 and 0 ≤ s ≤ 1

where a1_j,sis the coefficient of the Xs_{-term of the polynomial f}1

j, and bil,s is the key derivation

information for the Xs_{-term of the polynomial belong to subtree T}

i respect to the case l.

Thus the masked values of the polynomials belong to subtree T_i where 2≤ i ≤ n − 1 are computed as follows:

• gai j,2 _{= g}a

1

j+log i,2_{, for 1} ≤ j ≤ log n − log i

• gai j,s = ga

1

j+log i,s× gbil,s if it is case l, for 1≤ j ≤ log n − log i and 0 ≤ s ≤ 1

The masked coefficients of the polynomials can be computed easily. But these polynomi-als can not be accessed directly since their function values are the secrets to guarantee the security. The users can access these polynomials only in the masked way (in the exponent of g).

6.1

Construction

Let k be the security parameter, and p be a large prime such that |p| = k. We have two multiplicative groups G = g and G_t =g_t such that |G| = |G_t| = p, and a bilinear map ˆ

e : G× G → G_t such that ˆe(g, g) = g_t. Let H1 : {0, 1}∗ → {0, 1}k, H2 : {0, 1}∗ → G,

π : G_t → Z_p, Ψ : G_t → G_t, and Φ : G× G_t → G_t be collision resistant hash functions. Furthermore, let ID be the identity name of the scheme, h and h ∈ G be the assigned values, and n be the total number of users in the scheme. Without loss of generality, we assume that n is a power of 2, and let log be the logarithm with the base 2. We denote Δh = h/h.

The scheme is composed of the following algorithms: • Setup(1k_{, ID, U ):}

k is the security parameter, ID is the identity of this system, and U is the set of users in the system. The private key generator (PKG) chooses the master secret key ρ∈ Z_p randomly, thus M SK = ρ. PKG then publishes the public key P K and generates the secret key SK_v for each user u_v as follows:

– P K ={ID, G, G_t, ˆe, g, gρ_{, h, h}_{, H1, H2, π, Ψ, Φ}} – SK_v =  sk1_j, for 1 ≤ j ≤ log n kd_i, for i ∈ Ancestor(u_v)  where sk_j1 ={grv_{, g}rvfj1(I1,jv )_{, g}rvfj1(0)_hρ} or sk1 j ={grv, grvf 1 j(I1,jv )_{, g}rvfj1(0)_hρ}

it depends on the assigned value of polynomial f_j1, and kd_i ={(grvbi_{1,1, g}rvb_1,0i _{), (g}rv(bi_2,1I_i,jv +bi_2,0)

, grvbi_2,0Δhρ_{), (g}rv(bi_3,1I_i,jv +bi_3,0)

, grvbi_3,0 1

Δhρ)}

Here sk1_j is the share of polynomial f_j1 held by the user u_v, and kd_i is the information used to derivate the polynomial f_ji from the polynomial f_{j+log i}1 . Moreover, r_v ∈ Z_p is

chosen randomly, gbil,s _{= H2(ID}||i||l||s) is the key derivation information, and Iv

i,j is an

identity of the node that is an ascendant of u_vand in the j-th level of the subtree T_i, see figure 13. We denote Iv

i,j as the identity of the node whose polynomials fj1+log i and

fi

j are in the case 2: h → h, and Ii,jv  as the identity of the node whose polynomials

f_j1_{+log i} and f_ji are in the case 3: h → h.

/HYHO /HYHO

/HYHO

Figure 13: The notation I_i,jv When f_{j+log i}1 and fi

j are assigned the same value h (h), we use the first element

(grvbi_{1,1, g}rvbi_{1,0) of kd}

i to generate skij from skj+log i1 as follows:

sk_ji = sk_{j+log i}1 × {1, (grvbi_1,1)Ii,jv _grvbi_{1,0, g}rvbi_1,0}

If f_j1_{+log i}is assigned h and f_jiis assigned h, we use the second element (grv(b i

2,1Ivi,j+bi2,0)_{, g}rvbi_2,0Δhρ₎

of kd_i to generate ski_j from sk_j1_{+log i} as follows:

sk_ji = sk1_j_{+log i}× {1, grv(b i

2,1Ii,jv +b i

2,0)_{, g}rvbi_2,0Δhρ}

If f_j1_{+log i}is assigned hand f_jiis assigned h, we use the third element (grv(b i

3,1Ii,jv +bi3,0)_{, g}rvbi_3,0 1

of kd_i to generate ski_j from sk_ji_{+log i} as follows: sk_ji = sk_j1_{+log i}× {1, grv(b i 3,1Ii,jv +b i 3,0)_{, g}rvbi_3,0 1 Δhρ} • Enc(P K, T , Msg):

P K is the public key, T ⊆ U is the set of valid receivers for this encryption, and Msg is the message to be encrypted. Let T = r

t=1

Tit

xt be the union of disjoint subset differences

of users, and r is the number of partitions for T . The procedure of encryption is defined as follows:

1. Choose z∈ Z_p randomly and compute: ⎧ ⎪ ⎪ ⎪ ⎪ ⎨ ⎪ ⎪ ⎪ ⎪ ⎩ A = ˆe(gρ_{, h)}z B = Ψ(A)⊕ Msg C = ˆe(gρ, h)z/π(B) D = gz/π(B) E = Φ(D, C)⊕ B and ⎧ ⎪ ⎪ ⎪ ⎪ ⎨ ⎪ ⎪ ⎪ ⎪ ⎩ A = ˆe(gρ, h)z B = Ψ(A)⊕ Msg C = ˆe(gρ, h)z/π(B) D = gz/π(B) E = Φ(D, C)⊕ B 2. Generate the broadcasted shares depending on T = Ti1

x1 ∪ Ti 2

x2 ∪ · · · ∪ Txirr. For a

subset difference Tit

xt, assume that the node xt is in the jt-th level from the node it

and y_t = 0 is not in the system (y_t does not present any nodes). For each subset difference Tit

xt where 1≤ t ≤ r, compute the shares:

P_t,1 = (i_t, x_t, gz/π(B)fjtit(xt)₎ P_t,2 = (i_t, y_t, gz/π(B)fjtit(yt)₎ and P_t,1 = (i_t, x_t, gz/π(B)fjtit(xt)) P_t,2 = (i_t, y_t, gz/π(B)fjtit(yt)₎

Thus the ciphertext is like this:

Ctx ={(E, D, P_1,1, P_1,2, . . . , P_r,1, P_r,2)  for h , (E, D, P_1,1 , P_1,2 , . . . , P_r,1 , P_r,2 )  for h }

If the polynomials related to T are all assigned h, the part for h of Ctx can be omitted. Likewise, If the polynomials related to T are all assigned h, the part for h of Ctx can be omitted.

• Dec(P K, SKv, Ctx):

P K is the public key, SK_v is the secret key of the user u_v ∈ T , and Ctx is the ciphertext to T . Without loss of generality, we assume that the user u_v ∈ T_xi where the node x is in the j-th level from the node i, and the polynomial f_ji is assigned h. Thus we use the part for h of Ctx to decrypt. We denote P1 and P2 be the published shares that

are related to the subset difference Ti

x. In practically, which pair (Pt,1, Pt,1) should be

used for decryption is according to the first two elements (i_t, x_t) of the share P_t,1. The procedure of decryption is defined as follows:

1. If i = 1, generate the secret key ski

j from skj+log i1 and kdi respect to the real

case. Thus we have:

ski_j ={grv_{, g}rvf_ji(I_i,jv )_{, g}rvf_ji(0)_hρ}

2. Compute the pairing with D = gz/π(B) _{and g}rvf_ji(Iv_i,j) _{of sk}i j: ˆ e(gz/π(B), grvf_ji(I_i,jv )_{) = g}z/π(B)rvf i j(Ii,jv ) t

3. Compute the pairings with gz/π(B)fji(x) _{of P1, g}z/π(B)fji(y) _{of P2, and g}rv _{of sk}i

j: ˆ e(grv_{, g}z/π(B)fji(x)_{) = g}z/π(B)rvf i j(x) t ˆ e(grv_{, g}z/π(B)fji(y)) = gz/π(B)rvf i j(y) t 4. Compute gz/π(B)rvf i j(0) t from ⎧ ⎪ ⎪ ⎨ ⎪ ⎪ ⎩ (I_i,jv , gz/π(B)rvf i j(Ii,jv ) t ) (x, gz/π(B)rvf i j(x) t ) (y, gz/π(B)rvf i j(y) t ) by Lagrange Interpolation: gz/π(B)rvf i j(0) t = (g z/π(B)rvfji(Ii,jv ) t ) (0−x)(0−y) (Iv_{i,j −x})(Iv_{i,j −y})

× (gz/π(B)rvf_ji(x) t ) (0−y)(0−Iv_i,j) (x−y)(x−Iv_i,j) × (gz/π(B)rvfji(y) t ) (0−Iv_i,j)(0−x) (y−Iv_i,j)(y−x)

5. Compute C = ˆe(gρ, h)z/π(B) from D, grvfji(0)_hρ _{of sk}i j, and g z/π(B)rvf_ji(0) t : C = e(D, gˆ rvfji(0)hρ) gz/π(B)rvfji(0) t = ˆe(D, hρ)e(D, gˆ rvfji(0)) gz/π(B)rvfji(0) t = ˆe(D, hρ) = ˆe(gz/π(B), hρ) 6. Compute B from E = Φ(D, C)⊕ B and D, C:

B = E⊕ Φ(D, C) 7. Compute A = ˆe(gρ, h)z from C = ˆe(gρ, h)z/π(B) and B:

A = Cπ(B) 8. Compute M sg from B = Ψ(A)⊕ Msg and A:

7

Security

The scheme is IND-CCA2 secure with random oracle under the Gap-BDH assumption.

Theorem 1. If Gap-BDH problem is (t, )-hard, the scheme is (t−t, +)-IND-CCA2 secure in the random oracle model where t is polynomial k-bounded and  ≤ qd(qd+qΨ)

p = O(k2)

2k is

negligible to k (q_d is the number of decryption query and qΨ is the number of hash-Ψ query).

Proof. We reduce Gap-BDH problem to the scheme. Let H1, H2, Φ, and Ψ be random

oracles, while π just be a collision resistant hash function. We denote C as the challenger of Gap-BDH problem, A as the adversary of the scheme, and S as the simulator between C and A. Then S is described as follows:

• Initial. S receives the instance (g, ga_{, g}b_{, g}c_{) of BDH problem as input and the access}

right of decisional oracle O about BDH problem from C. Then A chooses an system identity ID and a set T ⊆ U of users to attack.

• Setup. Let T = r

t=1

Tit

xt be the union of disjoint subset differences, and S sets up the

random oracles H1 and H2 depending on T . For each Tit

xt where 1≤ t ≤ r, we assume

that node x_t is in the j_t-th level from node i_t. Then H1 and H2 are defined as follows:

– H1. For each subset difference T_xit_t where 1≤ t ≤ r, we have the pair (it, jt) and

set

H1(ID||it) = jt+ mit(log n− log it + 1)

where m_it is a random number. Then for the remaining subtree T_i in the system, set

H1(ID||i) = mi(log n− log i + 1)

The setting assigns h to the polynomial fit

jt where 1 ≤ t ≤ r and assigns h to

the other polynomials. If the input is not meaningful, H1 just returns a random

number under the consistence. Note that there doesn’t exist polynomials fi j and

f_{j+log i}1 that are both assign h.

– H2. The setting of H2 is composed of the two steps:

1. Set up the polynomials f_j1 that are belong to the subtree T1.

If subset difference T_x1 ⊆ T (assume that the node x is in the j-th level from

node 1), set

f_j1(0) = m− b (1)

f_j1(x) = x (2)

f_j1(y) = y (3)

where y = 0 is not in the system, and (m, x, y)∈_R Z_p3 is chosen by S (S knows m, x, and y, but he does not know b). Then compute gfj1(X) ₌

ga1j,2X

2_+a1

j,1X+(m−b) _{by Lagrange Interpolation over the exponent of g, and}

have

H2(ID||1||j||s) =

gm−b, if s = 0 ga1j,s, for 1 ≤ s ≤ 2

For the remaining polynomials f_j1(X) = a1_j,2X2+ a1_j,1X + a1_j,0 of subtree T1,

choose them randomly and have

H2(ID||1||j||s) = ga

1

j,s, for 0 ≤ s ≤ 2

2. Set up the information that is used for key derivation.

If subset difference T_x1 ⊆ T (assume that the node x is in the j-th level from

the node 1), then for 2≤ i ≤ 2j− 1, set

H2(ID||i||3||s) =



gb+mi, if s = 0

where m_i ∈_R Z_p is chosen by S. Then for each of the remaining subset difference Tit xt ⊆ T , set H2(ID||it||2||s) =  gmit−b, if s = 0 gb/xt_{, if s = 1} (5)

where m_it ∈_R Z_p is chosen by S. Moreover, for 2≤ i ≤ n − 1, set

H2(ID||i||1||s) = gmi,s, for 0 ≤ s ≤ 1 (6)

where m_i,s ∈_RZ_p is chosen by S.

If the input is not meaningful, H2 just returns a random number under the

con-sistence.

Then S sets the public key

P K ={ID, G, G_t, ˆe, g, gρ= ga, h = gs, h = gb, H1, H2, π, Ψ, φ}

where s∈_R Z_p is chosen by S, and the master secret key M SK = a is unknown. The secret key SK_v of the revoked user u_v ∈ U\T is computed as follows:

1. Set grv _{= g}a+nv _{where n}

v ∈RZp is chosen by S.

2. Compute the secret key sk1_j where 1≤ j ≤ log n.

If subset difference T_x1 ⊆ T (assume that the node x is in the j-th level from

node 1), compute sk_j1 = {grv, grvf 1 j(I v 1,j)_{, g}rvf_j1(0)_hρ}

= {ga+nv_{, g}(a+nv)x_{, g}(a+nv)(m−b)_gba} by (1) and (2)

= {ga+nv_{, g}(a+nv)x_{, g}am+nvm−bnv}

where Iv

secret key sk1_j, compute

sk1_j = {grv_{, g}rvfj1(I1,jv )_{, g}rvfj1(0)_hρ}

= {ga+nv_{, g}(a+nv)Xj_{, g}(a+nv)Yj_gas}

where X_j = f_j1(Iu

i,j) and Yj = fj1(0) can be easily computed by S, since the

polynomial f_j1 is decided by S.

3. Compute the information kd_i where i∈ Ancestor(u_v).

If subset difference T_x1 ⊆ T (assume that the node x is in the j-th level from the

node 1), compute

(grv(bi_3,1I_i,jv +bi_3,0)_{, g}rvbi_3,0 1

Δhρ) = (g

(a+nv)(−b_xx+b+mi), g(a+nv)(b+mi)g(s−b)a) by (4)

= (g(a+nv)mi_{, g}bnv+ami+nvmi+as₎

where Iv

i,j = x, otherwise the user uv is not revoked. Then for each of the

remaining subset difference Tit

xt ⊆ T (assume that the node xt is in the jt-th level

from the node i_t), compute

(grv(bi_2,1I_it,jtv +bi_2,0)_{, g}rvbi_2,0Δhρ_{) = (g}(a+nv)(_xtbxt+m_it−b)_{, g}(a+nv)(m_it−b)_g(b−s)a_{) by (5)}

= (g(a+nv)m_{it, g}am_it +nvm_it−bnv−as₎

where Iv

it,jt = xt, otherwise the user uv is not revoked. Moreover, compute

(grvbi_{1,1, g}rvb_1,0i _{) = (g}(a+nv)mi,1_{, g}(a+nv)mi,0_{) by (6)}

Then S sends the public key P K and the secret key SK_v of the revoked user u_v ∈ U\T to A.

• Query Phase 1. A issues decryption query, hash-Φ query, and hash-Ψ query adaptively. Then S responds to these queries as follows:

– Decryption query. According to the above setting, the ciphertext to T only

con-sists of the part for h. Otherwise, S can use the part for h of ciphertext to decrypt the message trivially, since h = gs _{is chosen by S and he knows the exponent s.}

S receives the query Q_d = {E, D, P_1,1 , P_1,2 , . . . , P_r,1 , P_r,2 } and checks the query list of hash-Φ.

∗ If record Φ(D_{, C}_{) = φ} _{exists and O(g, g}ρ_{, h}_{, D}_{, C}_{) = 1, computes}

B = E⊕ φ A = Cπ(B) M sg = B⊕ Ψ(A) and returns M sg.

∗ Otherwise, returns Msg _∈

RGt and sets (E, D)→ Msg into the watch list

of hash-Φ.

– Hash-Φ query. S receives the query QΦ = (DΦ, CΦ) and checks the query list of

hash-Φ.

∗ If record Φ(DΦ, CΦ) = φ exists, returns φ.

∗ Otherwise, returns Φ(DΦ, CΦ) = φ ∈RGt. Moreover, if O(g, gρ, h, DΦ, CΦ) =

1, for each record (E, D)→ Msg in the watch list such that D = DΦ,

com-putes

B = E ⊕ φ A = C_Φπ(B) Ψ(A) = B⊕ Msg

and sets Ψ(A) = B ⊕ Msg into the query list of hash-Ψ.

∗ If record Ψ(AΨ) = ψ exists, returns ψ.

∗ Otherwise, returns Ψ(AΨ) = ψ ∈RGt.

• Challenge. A chooses two messages M0 and M1. Then C returns the ciphertext

Ctx ={E, D = gc, P_1,1 , P_1,2 , . . . , P_r,1 , P_r,2 }

where E is a random element in G_t, and the shares (P_1,1 , P_1,2 , . . . , P_r,1 , P_r,2 ) can be computed by S under the above setting (Like the computation for the second element grvf_ji(I_i,jv ) _{of secret key sk}i

j in the simulation).

• Query Phase 2. It is almost same as query phase 1, except that A can not issue the decryption query about Ctx.

• Guess. S checks the query list of hash-Φ and sees whether there is a record Φ(D_{, C}_{) =}

φ such that O(g, gρ= ga, h = gb, D = gc, C) = 1. If there is, S returns C = ˆe(g, g)abc as the answer of Gap-BDH problem. Otherwise, we claim that A can not have non-negligible advantage to crack our system, since that the simulation is almost perfect and the challenge ciphertext Ctx is independent to M0 and M1.

Finally, we are going to analyze the efficacy of the simulation. It is almost perfect, except that hash-Ψ may not be consistent. Inconsistency is caused by the artificial settings to hash-Ψ in the manipulation of the watch list of Hash-Φ. The artifical setting to hash-Ψ may contradict another artificial setting or the query list of hash-Ψ. For example, we may face the situation that we have set Ψ(A) = W before, but now we have to set Ψ(A) = W to complete the manipulation of watch list. The number of the artificial settings is bounded by the number of decryption query, that is q_d. Thus the probability of this situation occurring is at most Cqd

2 1_p. Moreover, the adversary can issue at most qΨ hash-Ψ queries. After issuing

contradict the existing records in the query list. The probability of this situation occurring is at most Cqd

1 q_pΨ.

The probability of inconsistency is negligible respect to k:

P r[Inconsistent]≤ Cqd 2 1 p + C qd 1 qΨ p ≤ q_d(q_d+ qΨ) p = O(k2) 2k

8

Remark

In our construction, the assignment of the specific value h and h is not intuitive. Someone may ask that why do not use one specific value h only, or just like PK-SD-PI that assigns each polynomial fi

j an unique value hi,j respectively. The reasons are as follows:

• Like PK-SD-PI. If we assign each polynomial fi

j an unique value hi,j that is generated

by the hash function, then the assigning values are all independent to each other. Thus for each subtree T_i, we need O(log n) information for changing the assigning value h_i,j in the element grvf_ji(0)_hρ

i,j of the secret key during the key derivation from the secret

keys belong to the subtree T1 to the secret keys belong to the subtree Ti. Then we have

to put O(log2n) information in the secret keys of each user. In order to reduce secret key size to O(log n), the information needed for changing the assigning value during the key derivation for each subtree T_i must be bounded by O(1).

• Use one value only. If we only use one specific value h, then we must set h = gb

in the simulation to feed the challenge input gb _{to the adversary. Thus we have to}

set all the polynomials fi

j with fji(0) = b + mi,j where mi,j ∈R Zp is chosen by us,

because we can only compute the element grvf_ji(0)_hρ _{of the secret key in this way that}

grvf_ji(0)_hρ _{= (g}−a₎(b+mi,j)_(gb₎a _{= (g}a₎−mi,j_{. But this setting makes all polynomials be}

secret to us, and we only know two function values of each polynomial. If the number of revoked users is greater than 2, we can not compute all the elements grvf_{log n}1 (x) _of

the secret keys of the revoked users. We can only compute two secret keys for revoked users, but the number of revoked users is more than two.

9

Conclusion

We have proposed a fully collusion resistant public key broadcast encryption scheme that achieves O(1) public key size, O(log n) secret key size, O(r) ciphertext size, and O(1) de-cryption time. Our scheme is the most efficient scheme in the existing broadcast ende-cryption schemes.

We propose some open questions about broadcast encryption:

1. Is it possible to construct a more efficient scheme?

References

[AFG+06] Nuttapong Attrapadung, Jun Furukawa, Takeshi Gomi, Goichiro Hanaoka, Hideki Imai, and Rui Zhang 0002. Efficient identity-based encryption with tight security reduction. In CANS, pages 19–36, 2006.

[BGW05] Dan Boneh, Craig Gentry, and Brent Waters. Collusion resistant broadcast encryption with short ciphertexts and private keys. In CRYPTO, pages 258– 275, 2005.

[Boy07] Xavier Boyen. Miniature cca2 pk encryption: Tight security without redundancy. In ASIACRYPT, pages 485–501, 2007.

[BSNS05] Joonsang Baek, Reihaneh Safavi-Naini, and Willy Susilo. Efficient multi-receiver identity-based encryption and its application to broadcast encryption. In Public Key Cryptography, pages 380–397, 2005.

[DF03] Yevgeniy Dodis and Nelly Fazio. Public key trace and revoke scheme secure against adaptive chosen ciphertext attack. In Public Key Cryptography, pages 100–115, 2003.

[FN93] Amos Fiat and Moni Naor. Broadcast encryption. In CRYPTO, pages 480–491, 1993.

[HL06] Yong Ho Hwang and Pil Joong Lee. Efficient broadcast encryption scheme with log-key storage. In Financial Cryptography, pages 281–295, 2006.

[HSaFZ06] Xinyi Huang, Willy Susilo, and Yi Mu amd Futai Zhang. Short (identity-based) strong designated verifier signature schemes. ISPEC, 2006. LNCS 3903.

[HSaFZ08] Xinyi Huang, Willy Susilo, and Yi Mu amd Futai Zhang. Short designated verifier signature scheme and its identity-based variant. International Journal of Network Security, 2008. Vol.6, No.1.

[LT08] Yi-Ru Liu and Wen-Guey Tzeng. Public key broadcast encryption with low number of keys and constant decryption time. In Public Key Cryptography, pages 380–396, 2008.

[MSLR04] Yi Mu, Willy Susilo, Yan-Xia Lin, and Chun Ruan. Identity-based authenticated broadcast encryption and distributed authenticated encryption. In ASIAN, pages 169–181, 2004.

[NNL01] Dalit Naor, Moni Naor, and Jeffery Lotspiech. Revocation and tracing schemes for stateless receivers. In CRYPTO, pages 41–62, 2001.

[NP01] Moni Naor and Benny Pinkas. Efficient trace and revoke schemes. In FC ’00: Pro-ceedings of the 4th International Conference on Financial Cryptography, pages 1–20, London, UK, 2001. Springer-Verlag.

[SVG+08] S. Sharmila Deva Selvi, S. Sree Vivek, Ragavendran Gopalakrishnan, Naga Naresh Karuturi, and C. Pandu Rangan. Provably secure id-based broad-cast signcryption (ibbsc) scheme. Cryptology ePrint Archive, Report 2008/225, 2008. http://eprint.iacr.org/.

[TNJ+05] GOMI TAKESHI, ATTRAPADUNG NUTTAPONG, FURUKAWA JUN, ZHANG RUI, HANAOKA GOICHIRO, and IMAI HIDEKI. Cca-secure ibe scheme with tight security reduction based on the gap bdh assumption. Pro-ceedings of the Symposium on Information Theory and Its Applications, 2005. VOL.28th;NO.Vol.1.

[YJCK04] Eun Sun Yoo, Nam-Su Jho, Jung Hee Cheon, and Myung-Hwan Kim. Efficient broadcast encryption using multiple interpolation methods. In ICISC, pages 87–103, 2004.