1
行政院國家科學委員會補助專題研究計畫
□ 成 果 報 告
期中進度報告
具密文與金鑰效率之公開式廣播加密系統之研究
Public-Key Broadcast Encryption with Efficient Ciphertext and Private Keys
計畫類別:
個別型計畫 □整合型計畫
計畫編號:NSC 96-2628-E-009-011-MY3
執行期間: 96 年 8 月 1 日至 99 年 7 月 31 日
計畫主持人:曾文貴 教授
計畫參與人員:林煥宗、陳宏達、簡韶瑩、劉思維、陳毅睿、陳證傑
成果報告類型(依經費核定清單規定繳交):
精簡報告 □完整報告
本成果報告包括以下應繳交之附件:
□赴國外出差或研習心得報告一份
□赴大陸地區出差或研習心得報告一份
V 出席國際學術會議心得報告及發表之論文各一份
□國際合作研究計畫國外研究報告書一份
處理方式:除產學合作研究計畫、提升產業技術及人才培育研究計畫、
列管計畫及下列情形者外,得立即公開查詢
□涉及專利或其他智慧財產權,□一年□二年後可公開查詢
執行單位:國立交通大學 資訊科學系
中 華 民 國 97 年 6 月 30 日
2
中文摘要
本研究計畫將研究公開式廣播加密系
統,現今最好的公開式廣播加密系統的私密
金鑰大小、公開金鑰和傳輸量能無法和私密
式的廣播系統相比,我們覺得可以使之達到
更佳的效率:分別為
O(r), O(log n) 和 O(1),
同時計算量也可控制在合理的範圍之內,不
像
BGW 的方法需要 O(n)。
今年度我們發展出兩個公開廣播加密協
定,第一個協定可以達到
O(r)密文長度,O(log
n)私密金鑰及 O(1)公開金鑰,計算量需要
O(r)。第二個協定可以達到 O(r)密文長度,
O(log
2n)私密金鑰及 O(1)公開金鑰,計算量
只需要
O(1)。論文已在今年的 PKC 會議上發
表。
關鍵詞:廣播加密、公開金鑰。
英文摘要
In this project we study the public-key
broadcast encryption system, in which one can
broadcast to a set of authorized users. To our
best knowledge, the best public-key broadcast
encryption system is not very efficient in the
size of the header, public key and private key of
users, compared to the secret-key broadcast
encryption system. One of the goals of this
research is to design and analyze efficient
public-key broadcast encryption schemes.
In this year, we have designed two
efficient public-key broadcast encryption
schemes. The first scheme achieves O(1)
public-key size, O(r) header size and O(log n)
private keys per user. The decryption time is
reasonably O(r). Our second scheme achieves
O(1) public-key size, O(r) header size and
O(log
2n) private keys per user. Although the
private key size is less efficient than the first
one, its decryption time is remarkably O(1).
The paper of these results has been published in
prestigious PKC conference.
Keywords: Broadcast encryption, public key
system.
一、 計畫緣起及目的
廣播加密是一種有效率的金鑰管理及訊
息傳播機制。對於大量的使用者,管理中心
可以傳播訊息給任意指定(未被註銷)的使用
者,指定的使用者收到訊息後,可依表頭的
內容解開資訊;而被註銷的使用者,即使共
謀也無法從中得到資訊。廣播加密在生活上
有很多應用,如付費電視、線上影片等。廣
播加密的正式討論最早是在
1993 年由 Fiat
和 Naor 所提出,在廣播加密的機制中,一
開始管理中心會分配每位使用者
u 一些金鑰
k。廣播時,中心首先會使用一把金鑰 SK 對
欲傳送的訊息
M 做加密,接著依照接收使用
者的集合,使用某些
k 對金鑰 SK 做加密,
此為表頭,連結欲傳送之加密訊息,形成下
列的廣播格式:
E
k1(
SK
),
E
k2(
SK
) , . . . ;
E
SK(
M
)
使用者接收到訊息後,首先利用表頭和所擁
有的金鑰來解出
SK,接著用 SK 即可還原訊
息
M。
根據使用者一開始所分配的金鑰改變與
否 , 廣 播 加 密 可 分 為 有 狀 態 加 密 機 制
(stateful)和無狀態加密機制 (stateless),在無
狀態加密機制中,使用者的金鑰分配完成後
即不再更改,此法符合許多裝置的限制,大
幅的提升了廣播加密的應用性,如使用在
DVD 和 VCD 分區上。無狀態加密機制方法
中,又可再區分為私密式廣播加密 及公開
式廣播加密系統,其中差別在於私密式廣播
加密系統,只有知道所有使用者秘鑰 (如設
置中心)才可廣播,而公開式廣播加密則是每
人皆可廣播,並只有擁有相對秘鑰者才可解
開訊息。
3
Naor 和 Naor 等人於 2001 年所提出一個
可行性高的無狀態私密金鑰廣播加密機制演
算法,他們把廣播加密轉換成為
Subset Cover
問題的想法,同時在擬亂數產生器是安全的
假設下,利用擬亂數產生器來衍生金鑰,大
幅減少使用者金鑰儲存的數量,並突破了原
本
Luby 所計算出在完全(unconditionally)
安全性上傳輸量和計算量關係的下限。後來
許多學者提出了各種架構來改進廣播加密的
方法。
公開金鑰廣播加密系統的成果比較少,
最早的論文為 Boneth and Franklin 提出,之
後
Tzeng and Tzeng 提出用多項式插值的技術
來達到剔除使用者與追蹤背叛者 (traitor)的
功能,後來
Kurosawa and Yoshida 將其推廣到
使用任何
linear error correcting code 皆可。最
近
Boneth, Gentry and Waters 提出廣播量和
儲存金鑰量都很少的公開金鑰廣播加密的方
法,缺點是公開金鑰的量非常大。2003 年,
Dodis and Fazio 提 出 了 利 用 IBE
(identity-based encryption)系統把私密式廣播
加密系統轉化成公開式廣播加密的系統的方
法,轉換出來的系統的各項參數和原來的私
密金鑰系統的皆相同。
在廣播加密之中,重要的參數有下列幾
個,第一個是表頭大小
t (Header size)也就是
傳輸量,第二則是金鑰的儲存量,第三則是
每個使用者所需的計算量。在一些研究中,
某些方法會限制註銷使用者共謀的個數,然
而在此篇文章中,我們著重在探討無限制註
銷者共謀(collusion resistant)的方法。關於金
鑰分配和傳輸量之間的關係,直覺的想法,
假設現在有
n 位使用者,每位使用者擁有一
把自己專屬的金鑰,則當我們註銷掉任意
r
位使用者時,我們需要對其餘
n-r 位使用者一
一加密,因此,此方法所需的傳輸量為
n-r,
每位使用者金鑰的儲存量則為
1,計算量方
面,由於使用者收到後可直接使用金鑰解開
表頭,因此計算量也為
1 (以上這種方法我們
取名為(a)列於下表之中)。相反的,若我們分
給每位使用者
2n-1 把金鑰,每把金鑰分別代
表自己之外其餘
n-1 個使用者註銷的情形,
則當我們註銷
r 個使用者時,我們所需的傳
輸量為
1,每位使用者金鑰儲存量即為 2n-1
(以上這種方法我們取名為 (b)列於下表之
中),且我們需要 O(n)的金鑰查詢時間。
由上述兩種方法我們觀察可得知,當每
個使用者金鑰儲存量少的時候,傳輸量多;
當儲存量少之時,所需傳輸量就大,而如何
能有個好方法能在這兩者間取得平衡?亦或
是使這兩者參數皆小,並在計算量上所需最
小,便是我們研究的主要課題。
二、 研究成果
本年度(第一年度)的研究成果為提出兩
個有效率公開金鑰廣播加密系統,
第一個協
定可以達到
O(r)密文長度,O(log n)私密
金鑰及
O(1)公開金鑰,計算量需要 O(r)。
第 二 個 協 定 可 以 達 到
O(r) 密文長 度,
O(log
2n)私密金鑰及 O(1)公開金鑰,計算
量更只需要
O(1),
非常不可思議。這兩個
系統的效率超越先前的公開金鑰廣播加密系
統。
詳細的方法請見附件的論文,在此我們
簡述這兩個協定。在原理上,這兩個協定都
是 使 用 多 項 式 插 值 法 (
polynomial
interpolation)來達到目的,但是直接的應用
導致使用過多的參數,公開金鑰數目過多,
且解密時間無法達到
O(1)。因以,對於多項
式的係數,我們不使用如先前的隨意取,而
是使用雜湊函數來計算,這樣可以將公開參
數的數目快速的降為
O(1);然而這樣做雖然
可以降低公開金鑰的數目,但確導致無法給
定使用者私密金鑰,因此我門們引入了雙線
性的
pairing 函數,把使用者的私密金鑰放入
該函數中,使得系統可以設定使用者的私密
金鑰。如此,我們的到了第一個協定。
第一個協定的主要問題是解密時間需要
O(r),第二個協定非常有技巧的把多項式插值
法引入
SD 私密金鑰廣播系統中,我們使用
4
degree-1 的多項式,因此作插值時只需常數
的時間,達到解密時間為
O(1)。
三、 計畫成果自評
我 們 的 研 究 結 果 發 表 了 一 篇 會 議 論
文 ”Public key broadcast encryption with low
number of keys and constant decryption time”
在
PKC08 國際會議上,PKC 國際公開金鑰密
碼系統會議是密碼領域的一線國際會議,論
文接受率低於 20%,許多會議論文的發表者
和與會者是密碼領域裡的傑出學者,可見其
重要性。以成果來看,我們達成了本計畫第
一年度的目的。
參考文獻
1. N. Attrapadung, H. Imai. Graph-decomposition-based frameworks for subset-cover broadcast encryption and efficient instantiations. In Proceedings of Advances in
Cryptology - Asiacrypt 05, Lecture Notes in Computer
Science 3788, pp.100-120, Springer, 2005.
2. D. Boneh, X. Boyen, E.-J. Goh. Hierarchical identity based encryption with constant size ciphertext. In
Proceedings of Advances in Cryptology - Eruocrypt 05,
Lecture Notes in Computer Science 3494, pp.440-456, Springer, 2005.
3. D. Boneh, M. Franklin. An efficient public key traitor tracing scheme. In Proceedings of Advances in
Cryptology - Crypto 99, Lecture Notes in Computer
Science 1666, pp.338-353, Springer, 1999.
4. D. Boneh, C. Gentry, B. Waters. Collusion resistant broadcast encryption with short ciphertexts and private keys. In Proceedings of Advances in Cryptology -Crypto
05, Lecture Notes in Computer Science 3621, pp.258-275,
Springer, 2005.
5. D. Boneh, B. Waters. A fully collusion resistant broadcast trace, and revoke system. In Proceedings of the ACM
Conference on Computer and Communications Security - CCS 06, pp.211-220, ACM Press, 2006.
6. Y. Dodis, N. Fazio. Public key broadcast encryption for stateless receivers. In Proceedings of Digital Right
Management 02 - DRM 02, Lecture Notes in Computer
Science 2696, pp.61-80, Springer, 2002.
7. Y. Dodis, N. Fazio. Public key broadcast encryption secure against adaptive chosen ciphertext attack. In
Proceedings of Public Key Cryptography - PKC 03,
Lecture Notes in Computer Science 2567, pp.100-115, Springer, 2003.
8. A. Fiat, M. Naor. Broadcast encryption. In Proceedings of
Advances in Cryptology - Crypto 93, Lecture Notes in
Computer Science 773, pp.480-491, Springer, 1993. 9. E. Fujisaki, T. Okamoto. Secure integration of
asymmetric and symmetric encryption schemes. In
Proceedings of Advances in Cryptology - Crypto 99,
Lecture Notes in Computer Science 1666, pp.537-554, Springer, 1999.
10. D. Galindo. Boneh-Franklin identity based encryption revisited. In Proceedings of ICALP 05, Lecture Notes in Computer Science 3580, pp.791-802, Springer, 2005. 11. M.T. Goodrich, J.Z. Sun, R. Tamassia. Efficient
Tree-Based Revocation in Groups of Low-State Devices. In Proceedings of Advances in Cryptology - Crypto 04, Lecture Notes in Computer Science 3152, pp.511-527, Springer, 2004.
12. D. Halevy, A. Shamir. The LSD broadcast encryption scheme. In Proceedings of Advances in Cryptology -
Crypto 02, Lecture Notes in Computer Science 2442,
pp.47-60, Springer, 2002.
13. K. Kurosawa, Y. Desmedt. Optimum traitor tracing and symmetric schemes. In Proceedings of Advances in
Cryptology - Eurocrypt 98, Lecture Notes in Computer
Science 1403, pp.145-157, Springer, 1998.
14. K. Kurosawa, T. Yoshida. Linear code implies public-key traitor tracing. In Proceedings of Public Key
Cryptography, Lecture Notes in Computer Science 2274,
pp.172-187, Springer, 2002.
15. J.W. Lee, Y.H. Hwang, P.J. Lee. Efficient public key broadcast encryption using identifier of receivers. In
Proceedings of International Conference on Information Security Practice and Experience - ISPEC 06, Lecture
Notes in Computer Science 3903, pp.153-164, Springer, 2006.
5
16. D. Naor, M. Naor, J. Lotspiech. Revocation and tracing schemes for stateless receivers. In Proceedings of
Advances in Cryptology - Crypto 01, Lecture Notes in
Computer Science 2139, pp.41-62, Springer, 2001. 17. M. Naor, B. Pinkas. Efficient trace and revoke schemes.
In Proceedings of Financial Cryptography 00, Lecture Notes in Computer Science 1962, pp.1-20, Springer, 2000.
18. A. Shamir. How to share a secret. Communications of the
ACM, 22(11), pp.612-613, 1979.
19. W.-G. Tzeng, Z.-J. Tzeng. A public-key traitor tracing scheme with revocation using dynamic shares. In
Proceedings of Public Key Cryptography - PKC 01,
Lecture Notes in Computer Science 1992, pp.207-224, Springer, 2001.
20. P. Wang, P. Ning, D.S. Reeves. Storage-efficient stateless group key revocation. In Proceedings of the 7th
Information Security Conference - ISC 04, Lecture Notes
in Computer Science 3225, pp.25-38, Springer, 2005. 21. E.S. Yoo, N.-S. Jho, J.J. Cheon, M.-H. Kim. Efficient
broadcast encryption using multiple interpolation methods. In Proceedings of ICISC 04, Lecture Notes in Computer Science 3506, pp.87-103, Springer, 2005. 22. M. Yoshida, T. Fujiwara. An efficient traitor tracing
scheme for broadcast encryption. In Proceedings of 2000
IEEE International Symposium on Information Theory,
Public Key Broadcast Encryption with Low
Number of Keys and Constant Decryption Time
?Yi-Ru Liu and Wen-Guey Tzeng
Department of Computer Science National Chiao Tung University
Hsinchu, Taiwan 30050 [email protected]
Abstract. In this paper we propose three public key BE schemes that have efficient complexity measures. The first scheme, called the BE-PI scheme, has O(r) header size, O(1) public keys and O(log N ) private keys per user, where r is the number of revoked users. This is the first public key BE scheme that has both public and private keys under O(log N ) while the header size is O(r). These complexity measures match those of efficient secret key BE schemes.
Our second scheme, called the PK-SD-PI scheme, has O(r) header size,
O(1) public key and O(log2N ) private keys per user. They are the same
as those of the SD scheme. Nevertheless, the decryption time is re-markably O(1). This is the first public key BE scheme that has O(1) decryption time while other complexity measures are kept low. The third scheme, called, the PK-LSD-PI scheme, is constructed in the same way, but based on the LSD method. It has O(r/²) ciphertext size and
O(log1+²N ) private keys per user, where 0 < ² < 1. The decryption time
is also O(1).
Our basic schemes are one-way secure against full collusion of revoked
users in the random oracle model under the BDH assumption. We can
modify our schemes to have indistinguishably security against adaptive chosen ciphertext attacks.
Keywords: Broadcast encryption, polynomial interpolation, collusion.
1
Introduction
Assume that there is a set U of N users. We would like to broadcast a message to a subset S of them such that only the (authorized) users in S can obtain the message, while the (revoked) users not in S cannot get information about the message. Broadcast encryption is a bandwidth-saving method to achieve this goal via cryptographic key-controlled access. In broadcast encryption, a dealer sets up the system and assigns each user a set of private keys such that the
?Research supported in part by NSC projects 96-2628-E-009-011-MY3,
broadcasted messages can be decrypted by authorized users only. Broadcast en-cryption has many applications, such as pay-TV systems, encrypted file sharing systems, digital right management, content protection of recordable data, etc.
A broadcasted message M is sent in the form hHdr (S, m), Em(M )i, where
m is a session key for encrypting M via a symmetric encryption method E. An
authorized user in S can use his private keys to decrypt the session key m from
Hdr (S, m). Since the size of Em(M ) is pretty much the same for all broadcast
encryption schemes, we are concerned about the header size. The performance measures of a broadcast encryption scheme are the header size, the number of private keys held by each user, the size of public parameters of the system (public keys), the time for encrypting a message, and the time for decrypting the header by an authorized user. A broadcast encryption scheme should be able to resist the collusion attack from revoked users. A scheme is fully collusion-resistant if even all revoked users collude, they get no information about the broadcasted message.
Broadcast encryption schemes can be stateless or stateful. For a stateful broadcast encryption scheme, the private keys of a user can be updated from time to time, while the private keys of a user in a stateless broadcast encryption scheme remain the same through the lifetime of the system. Broadcast encryption schemes can also be public key or secret key. For a public key BE scheme, any one (broadcaster) can broadcast a message to an arbitrary group of authorized users by using the public parameters of the system, while for a secret key broadcast encryption scheme, only the special dealer, who knows the system secrets, can broadcast a message.
In this paper we refer ”stateless public key broadcast encryption” as ”public key BE”.
1.1 Our Contribution
We propose three public key BE schemes that have efficient complexity measures. The first scheme, called the BE-PI scheme (broadcast encryption with polyno-mial interpolation), has O(r) header size, O(1) public keys, and O(log N ) private keys per user1, where r is the number of revoked users. This is the first public
key BE scheme that has both public and private keys under O(log N ) while the header size is O(r). These complexity measures match those of efficient secret key BE schemes [11, 20, 21]. The idea is to run log N copies of the basic scheme in [17, 19, 22] in parallel for lifting the restriction on a priori fixed number of revoked users. Nevertheless, if we implement the log N copies straightforwardly, we would get a scheme of O(N ) public keys. We are able to use the properties of bilinear maps as well as special private key assignment to eliminate the need of O(N ) public keys and make it a constant number.
Our second scheme, called the PK-SD-PI scheme (public key SD broad-cast encryption with polynomial interpolation), is constructed by combining the polynomial interpolation technique and the subset cover method in the SD
Table 1. Comparison of some fully collusion-resistant public key BE schemes. header size public-key size private-key size decryption cost\
PK-SD-HIBE† O(r) O(1) O(log2N ) O(log N )
BGW-I [4] O(1) O(N )[ O(1) O(N − r)
BGW-II [4] O(√N ) O(√N )[ O(1) O(√N )
BW[5] O(√N ) O(√N )[ O(√N ) O(√N )
LHL§[15] O(rD) O(2C)[ O(D) O(C)
P-NP, P-TT, P-YF‡ O(r) O(N ) O(log N ) O(r)
Our work: BE-PI O(r) O(1) O(log N ) O(r)
Our work: PK-SD-PI O(r) O(1) O(log2N ) O(1)
Our work: PK-LSD-PI O(r/²) O(1) O(log1+²N ) O(1) N - the number of users.
r - the number of revoked users.
† - the transformed SD scheme [6] instantiated with constant-size HIBE [2]. ‡ - the parallel extension of [17, 19, 22].
[- the public keys are needed for decrypting the header by a user. § - N = CD.
\ - group operation/modular exponentiation and excluding the time for scanning the
header.
scheme [16]. The PK-SD-PI scheme has O(r) header size, O(1) public key and
O(log2N ) private keys per user. They are the same as those of the SD scheme.
Nevertheless, the decryption time is remarkably O(1). This is the first public key broadcast encryption scheme that has O(1) decryption time while other com-plexity measures are kept low. The third scheme, called the PK-LSD-PI scheme, is constructed in the same way, but based on the LSD method. It has O(r/²) ciphertext size and O(log1+²N ) private keys per user, where 0 < ² < 1. The
decryption time is also O(1).
Our basic schemes are one-way secure against full collusion of revoked users in the random oracle model under the BDH assumption. We modify our schemes to have indistinguishably security against adaptive chosen ciphertext attacks. The comparison with some other public key BE schemes with full collusion resistance is shown in Table 1.
1.2 Related Work
Fiat and Naor [8] formally proposed the concept of static secret key broadcast encryption. Many researchers followed to propose various broadcast encryption schemes, e.g., see [11, 12, 16, 17, 20].
Kurosawa and Desmedt [13] proposed a pubic-key BE scheme that is based on polynomial interpolation and traces at most k traitors. The similar schemes of Noar and Pinkas [17], Tzeng and Tzeng [19], and Yoshida and Fujiwara [22] allow revocation of up to k users. Kurosawa and Yoshida [14] generalized the polynomial interpolation (in fact, the Reed-Solomon code) to any linear code for constructing public key BE schemes. The schemes in [7, 13, 14, 17, 19, 22] all
have O(k) public keys, O(1) private keys, and O(r) header size, r ≤ k. However,
k is a-priori fixed during the system setting and the public key size depends on
it. These schemes can withstand the collusion attack of up to k revoked users only. They are not fully collusion-resistant.
Yoo, et al. [21] observed that the restriction of a pre-fixed k can be lifted by running log N copies of the basic scheme with different degrees (from 20 to
N ) of polynomials. They proposed a scheme of O(log N ) private keys and O(r)
header size such that r is not restricted. However, their scheme is secret key and the system has O(N ) secret values. In the public key setting, the public key size is O(N ).
Recently Boneh, et al. [4] proposed a public key BE scheme that has O(1) header size, O(1) private keys, and O(N ) public keys. By trading off the header size and public keys, they gave another scheme with O(√N ) header size, O(1)
private keys and O(√N ) public keys. Lee, et al. [15] proposed a better trade-off
by using receiver identifiers in the scheme. It achieves O(1) public key, O(log N ) private keys, but, O(r log N ) header size. Boneh and Waters [5] proposed a scheme that has the traitor tracing capability. This type of schemes [4, 5, 15] has the disadvantage that the public keys are needed by a user in decrypting the header. Thus, the de-facto private key of a user is the combination of the public key and his private key.
It is possible to transform a secret key BE scheme into a public key one. For example, Dodis and Fazio [6] transformed the SD and LSD schemes [12, 16] into public key SD and LSD schemes, shorted as PK-SD and PK-LSD. The transformation employs the technique of hierarchical identity-based encryption to substitute for the hash function. Instantiated with the newest constant-size hierarchical identity-based encryption [2], the PK-SD scheme has O(r) header size, O(1) public keys and O(log2N ) private keys. The PK-LSD scheme has O(r/²) header size, O(1) public keys and O(log1+²N ) private keys, where 0 <
² < 1 is a constant. The decryption costs of the PK-SD and PK-LSD schemes
are both O(log N ), which is the time for key derivation incurred by the original relation of private keys. If we apply the HIBE technique to the secret key BE schemes of O(log N ) or O(1) private keys [1, 11, 20], we would get their public key versions with O(N ) private keys and O(N ) decryption time.
2
Preliminaries
Bilinear map. We use the properties of bilinear maps. Let G and G1 be two
(multiplicative) cyclic groups of prime order q and ˆe be a bilinear map from G × G to G1. Then, ˆe has the following properties.
1. For all u, v ∈ G and x, y ∈ Zq, ˆe(ux, vy) = ˆe(u, v)xy.
2. Let g be a generator of G, ˆe(g, g) = g16= 1 is a generator of G1.
BDH hardness assumption. The BDH problem is to compute ˆe(g, g)abc from
given (g, ga, gb, gc). We say that BDH is (t, ²)-hard if for any probabilistic
algo-rithm A with time bound t, there is some k0 such that for any k ≥ k0,
Pr[A(g, ga, gb, gc) = ˆe(g, g)abc: g← G; a, b, cu ← Zu q] ≤ ².
Broadcast encryption. A public key BE scheme Π consists of three
proba-bilistic polynomial-time algorithms:
- Setup(1z, Id, U). Wlog, let U = {U
1, U2, . . . , UN}. It takes as input the
security parameter z, a system identity Id and a set U of users and outputs a public key P K and N private key sets SK1, SK2, . . . , SKN, one for each
user in U.
- Enc(P K, S, M ). It takes as input the public key PK, a set S ⊆ U of au-thorized users and a message M and outputs a pair hHdr (S, m), Ci of the ciphertext header and body, where m is a randomly generated session key and C is the ciphertext of M encrypted by m via some standard symmetric encryption scheme, e.g., AES.
- Dec(SKk, Hdr (S, m), C). It takes as input the private key SKk of user Uk,
the header Hdr (S, m) and the body C. If Uk ∈ S, it computes the session
key m and then uses m to decrypt C for the message M . If Uk6∈ S, it cannot
decrypt the ciphertext.
The system is correct if all users in S can get the broadcasted message M .
Security. We describe the indistinguishability security against adaptive
cho-sen ciphertext attacks (IND-CCA security) for broadcast encryption as fol-lows [4]. Here, we focus on the security of the session key, which in turn guaran-tees the security of the ciphertext body C. Let Enc∗and Dec∗be like Enc and
Dec except that the message M and the ciphertext body C are omitted. The
security is defined by an adversary A and a challenger C via the following game.
Init. The adversary A chooses a system identity Id and a target set S∗⊆ U
of users to attack.
Setup. The challenger C runs Setup(1z, Id, U) to generate a public key P K
and private key sets SK1, SK2, . . . , SKN. The challenger C gives SKi to A,
where Ui6∈ S∗.
Query phase 1. The adversary A issues decryption queries Qi, 1 ≤ i ≤ n, of
form (Uk, S, Hdr(S, m)), S ⊆ S∗, Uk∈ S, and the challenger C responds with
Dec∗(SK
k, Hdr(S, m)), which is the session key encrypted in Hdr(S, m).
Challenge. The challenger C runs Enc∗(P K, S∗) and outputs y = Hdr (S∗, m),
where m is randomly chosen. Then, C chooses a random bit b and a random session key m∗and sets m
b= m and m1−b= m∗. C gives (m0, m1, Hdr (S∗, m))
to A.
Query phase 2. The adversary A issues more decryption queries Qi, n+1 ≤
i ≤ qD, of form (Uk, S, y0), S ⊆ S∗, Uk ∈ S, y0 6= y, and the challenger C
responds with Dec∗(SK k, y0).
Guess. A outputs a guess b0 for b.
In the above the adversary A is static since it chooses the target set S∗ of
the above game, that is, Advind-cca
A,Π (z) = 2 · Pr[AO(P K, SKU\S∗, m0, m1, Hdr (S∗, m)) = b : S∗⊆ U, (P K, SKU) ← Setup(1z, Id, U),
Hdr (S∗, m) ← Enc∗(P K, S∗), b u
← {0, 1}] − 1,
where SKU = {SKi : 1 ≤ i ≤ N } and SKU\S∗= {SKi: Ui6∈ S∗}.
Definition 1. A public key BE scheme Π=(Setup, Enc, Dec) is (t, ², qD
)-IND-CCA secure if for all t-time bounded adversary A that makes at most qD
decryp-tion queries, we have Advind-ccaA,Π (z) < ².
In this paper we first give schemes with one-way security against chosen plain-text attacks (OW-CPA security) and then transform them to have IND-CCA security via the Fujisaki-Okamoto transformation [9]. The OW-CPA security is defined as follows.
Init. The adversary A chooses a system identity Id and a target set S∗⊆ U
of users to attack.
Setup. The challenger C runs Setup(1z, Id, U) to generate a public key P K
and private key sets SK1, SK2, . . . , SKN. The challenger C gives SKi to A,
where Ui6∈ S∗.
Challenge. The challenger C runs Enc∗(P K, S∗) and outputs Hdr (S∗, m),
where m is randomly chosen. Guess. A outputs a guess m0 for m.
Since A can always encrypt a chosen plaintext by himself, the oracle of en-crypting a chosen plaintext does not matter in the definition. Let Advow-cpaA,Π (z) be the advantage that A wins the above game, that is,
Advow-cpaA,Π (z) = Pr[A(P K, SKU\S∗, Hdr (S∗, m)) = m : S∗⊆ U,
(P K, SKU) ← Setup(1z, Id, U), Hdr (S∗, m) ← Enc∗(P K, S∗)].
Definition 2. A public key BE scheme Π=(Setup, Enc, Dec) is (t, ²)-OW-CPA
secure if for all t-time bounded adversary A, we have Advow-cpaA,Π (z) < ².
3
The BE-PI Scheme
Let G and G1 be the bilinear groups with the pairing function ˆe, where q is
a large prime. Let H1, H2 : {0, 1}∗ → G1 be two hash functions and E be a
symmetric encryption with key space G1.
The idea of our construction is as follows. For a polynomial f (x) of degree
t, we assign each user Ui a share f (i). The secret is f (0). We can compute the
secret f (0) from any t+1 shares. If we want to revoke t users, we broadcast their shares. Any non-revoked user can compute the secret f (0) from his own share and the broadcasted ones, totally t + 1 shares. On the other hand, any collusion
of revoked users cannot compute the secret f (0) since they have t shares only, including the broadcasted ones. If less than t users are revoked, we broadcast the shares of some dummy users such that t shares are broadcasted totally. In order to achieve O(r) ciphertexts, we use log N polynomials, each for a range of the number of revoked users.
1. Setup(1z, Id, U): z is the security parameter, Id is the identity name of the
system, and U = {U1, U2, . . . , UN} is the set of users in the system. Wlog,
let N be a power of 2. Then, the system dealer does the following: – Choose a generator g of group G, and let lg = loggand g1= ˆe(g, g).
– Compute hi= H1(Idki) for 1 ≤ i ≤ log N .
– Compute ga(i)j = H2(Idkikj) for 0 ≤ i ≤ log N and 0 ≤ j ≤ 2i. Remark. The underlying polynomials are, 0 ≤ i ≤ log N ,
fi(x) = 2i
X
j=0
a(i)j xj (mod q).
The system dealer does not know the coefficients a(i)j = lg H2(Idkikj).
But, this does not matter.
– Randomly choose a secret ρ ∈ Zq and compute gρ.
– Publish the public key P K = (Id, H1, H2, E, G, G1, ˆe, g, gρ).
– Assign a set SKk = {sk,0, sk,1, . . . , sk,log N} of private keys to user Uk,
1 ≤ k ≤ N , where
sk,i= (grk,i, grk,ifi(k), grk,ifi(0)hρi)
and rk,i is randomly chosen from Zq, 1 ≤ i ≤ log N .
2. Enc(P K, S, M ): S ⊆ U, R = U\S = {Ui1, Ui2, . . . , Uil} is the set of
re-voked users, where l ≥ 1. M is the sent message. The broadcaster does the following:
– Let α = dlog le and L = 2α.
– Compute hα= H1(Idkα).
– Randomly select distinct il+1, il+2, . . . , iL> N . These Uit, l + 1 ≤ t ≤ L,
are dummy users.
– Randomly select a session key m ∈ G1.
– Randomly select r ∈ Zq and compute, 1 ≤ t ≤ L,
grfα(it)= ( L Y j=0 H2(Idkαkj)i j t)r.
– The ciphertext header Hdr (S, m) is
(α, mˆe(gρ, hα)r, gr, (i1, grfα(i1)), (i2, grfα(i2)), . . . , (iL, grfα(iL))).
– The ciphertext body is C = Em(M ).
– Compute b0= ˆe(gr, grk,αfα(k)) = g1rrk,αfα(k).
– Compute bj = ˆe(grk,α, grfα(ij)) = g1rrk,αfα(ij), 1 ≤ j ≤ L.
– Use the Lagrange interpolation method to compute
grrk,αfα(0) 1 = L Y j=0 bλj j , (1)
where λj= (ij−i(−i0)(i0j)(−i−i11)···(i)···(−ij−ij−1j−1)(−i)(ijj+1−ij+1)···(−i)···(iLj)−iL) (mod q), i0= k.
– Compute the session key
mˆe(gρ, h α)r· g1rrk,αfα(0) ˆ e(gr, grk,αfα(0)hρα) = mˆe(gρ, h α)r· grr1 k,αfα(0) ˆ e(gr, hρα) · grrk,αfα(0) 1 = m. (2)
– Use m to decrypt the ciphertext body C to obtain the message M .
Correctness. We can easily see that the scheme is correct by Equation (2).
3.1 Performance Analysis
For each system, the public key is (Id, H1, H2, E, G, G1, ˆe, g, gρ), which is of
size O(1). Since all systems can use the same (H, E, G, G1, ˆe, g), the public key
specific to a system is simply (Id, gρ). Each system dealer has a secret ρ for
assigning private keys to its users. Each user Uk holds private keys SKk =
{sk,0, sk,1, . . . , sk,log N}, each corresponding to a share of polynomial fi in the
masked form, 0 ≤ i ≤ log N . The number of private keys is O(log N ). When r users are revoked, we choose the polynomial fα of degree 2α for encrypting the
session key, where 2α−1 < r ≤ 2α. Thus, the header size is O(2α) = O(r). It is
actually no more than 2r.
To prepare a header, the broadcaster needs to compute one pairing function, 2α+2 hash functions, and 2α+2 modular exponentiations, which is O(r) modular
exponentiations.
For a user in S to decrypt a header, with a little re-arrangement of Equation (1) as L Y j=0 bλj j = bλ00· ˆe(grk,α, L Y j=1 (grfα(ij))λj),
the user needs to perform 3 pairing functions and 2α modular exponentiations,
which is O(r) modular exponentiations. The evaluation of λj’s can be done in
O(L) = O(2r) if the header consists of
˜
λj= (−i1) · · · (−ij−1)(−ij+1) · · · (−iL)
(ij− i1) · · · (ij− ij−1)(ij− ij+1) · · · (ij− iL)
mod q, 1 ≤ j ≤ L.
The user can easily compute λj’s from ˜λj’s. Inclusion of ˜λj’s in the header does
3.2 Security Analysis
We show that it has OW-CPA security in the random oracle model under the BDH assumption.
Theorem 1. Assume that the BDH problem is (t1, ²1)-hard. Our BE-PI scheme
is (t1− t0, ²1)-OW-CPA secure in the random oracle model, where t0 is some
polynomially bounded time.
Proof. We reduce the BDH problem to the problem of computing the session key
from the header by the revoked users. Since the polynomials fi(x) =
PL j=0a
(i) j xj
and secret shares of users for the polynomials are independent for different i’s, we simply discuss security for a particular α. Wlog, let R = {U1, U2, . . . , UL} be
the set of revoked users and the target set of attack be S∗ = U\R. Note that
S∗ was chosen by the adversary in the Init stage. Let the input of the BDH
problem be (g, ga, gb, gc), where the pairing function is implicitly known. We set
the system parameters as follows:
1. Randomly select τ, κ, µ1, µ2, . . . , µL, w1, w2, . . . , wL∈ Zq.
2. Set the public key of the system:
(a) Let the input g be the generator g in the system. (b) Set gρ= ga.
(c) The public key is (Id, H1, H2, E, G, G1, ˆe, g, ga).
(d) The following is implicitly computed. – Set fα(i) = wi, 1 ≤ i ≤ L.
– Let ga(α)0 = gfα(0)= ga· gτ = ga+τ.
– Compute ga(α)i , 1 ≤ i ≤ L, from ga(α)0 and gfα(j) = gwj, 1 ≤ j ≤ L,
by the Lagrange interpolation method over exponents. – Set hα= gb· gκ= gb+κ.
– For j 6= α, choose a random polynomial fj(x) and set hj = gzj,
where zj is randomly chosen from Zq.
3. Set the secret keys (gri,j, gri,jfj(i), gri,jfj(0)hρ
j), 0 ≤ j ≤ log N , of the revoked
user Ui, 1 ≤ i ≤ L, as follows:
(a) For j = α, let gri,α = g−b+µi, gri,αfα(i)= (gri,α)wi, and gri,αfα(0)hρ
α= g(−b+µi)(a+τ )(gb+κ)a = ga(µi+κ)−bτ +µiτ.
(b) For j 6= α, randomly choose ri,j ∈ Zq and compute gri,j, gri,jfj(i) and
gri,jfj(0)hρ
j = gri,jfj(0)(ga)zj.
4. Set the header (α, mˆe(gρ, h
α)r, gr, (1, grfα(1)), (2, grfα(2)), . . ., (L, grfα(L)))
as follows: (a) Let gr= gc.
(b) Compute grfα(i)= (gc)wi, 1 ≤ i ≤ L.
(c) Randomly select y ∈ G1and set mˆe(gρ, hα)r= y. We do not know what
m is. But, this does not matter.
Assume that the revoked users together can compute the session key m. During computation, the users can query H1and H2hash oracles. If the query is
of the form H2(Idkikj) or H1(Idki), we set them to be ga
(i)
If the query has ever been asked, we return the stored hash value for the query. For other non-queried inputs, we return random values in G.
We should check whether the distributions of the parameters in our reduction and those in the system are equal. We only check those related to α since the others are correctly distributed. Since τ, w1, w2, . . . , wL are randomly chosen,
ga(α)i , 0 ≤ i ≤ L are uniformly distributed over GL+1. Due to the random oracle
model, their corresponding system parameters are also uniformly distributed over GL+1. Since κ, µ
1, µ2, . . . , µL are randomly chosen, the distribution of hα
and gri,α, 1 ≤ i ≤ L, are uniform over GL+1, which is again the same as that
of the corresponding system parameters. The distributions of gr in the header
and gρ in the public key are both uniform over G since they are set from the
given input gc and ga, respectively. Since the session key m is chosen randomly
from G1, mˆe(gρ, hα)r is distributed uniformly over G1. We set it to a random
value y ∈ G1. Even though we don’t know about m, it does not affect the
reduction. Other parameters are dependent on what have been discussed. We can check that they are all computed correctly. So, the reduction preserves the right distribution.
If the revoked users compute m from the header with probability ², we can solve the BDH problem with the same probability ²1 = ² by computing the
following:
y · m−1· ˆe(ga, gc)−κ= ˆe(gρ, h
α)r· ˆe(g, g)−acκ
= ˆe(ga, gb+κ)c· ˆe(g, g)−acκ
= ˆe(g, g)abc. (3)
Let t0be the time for this reduction and the solution computation in Equation
(3). We can see that t0 is polynomially bounded. Thus, if the collusion attack of
the revoked users takes t1− t0 time, we can solve the BDH problem within time
t1.
4
The BE-PI Scheme with IND-CCA Security
In Theorem 1, we show that the session key in the header is one-way secure against any collusion of revoked users. There are some standard techniques of transforming OW-CPA security to IND-CCA security. Here we present such a scheme Π0 based on the technique in [9].
The IND-CCA security of the Fujisaki-Okamoto transformation depends only on the OW-CPA security of the public key encryption scheme, the FG security of a symmetric encryption scheme E, and the γ-uniformity of the public key encryption scheme. The FG-security is the counterpart of the IND-security for symmetric encryption. A public key encryption scheme is γ-uniform if for every key pair (pk, sk), every message x, and y ∈ {0, 1}∗, Pr[E
pk(x) = y] ≤ γ. Before
applying the transformation, we check the following things:
1. The transformation applies to public key encryption, while ours is public key broadcast encryption. Nevertheless, if the authorized set S is fixed, our public
key broadcast encryption scheme is a public key encryption scheme with public key pk = (P K, S). In the definition of IND-CCA security (Definition 1), the adversary A selects a target set S∗ of users to attack in the Init
stage and S∗ is fixed through the rest of the attack. Thus, we can discuss
the attack of A with a fixed target set S∗. Note that A is a static adversary.
2. Let S be a fixed authorized set of users. For every m and every y ∈ {0, 1}∗,
Pr[Hdr (S, m) = y] is either 0 or 1/q ' 1/2z, where z is the security
pa-rameter (the public key size). Thus, our broadcast encryption scheme is 2−z-uniform if the authorized set is fixed.
Let E : K × G1→ G1 be a symmetric encryption scheme with FG-security,
where K is the key space of E. Let H3 : G1× G1 → Zq and H4 : G1 → K be
two hash functions. The modification of Π for Π0 is as follows.
– In the Setup algorithm, add E, H3, H4to PK.
– In the Enc algorithm,
Hdr (S, m) = (gr, σˆe(gρ, h
α)r, EH4(σ)(m),
(i1, grfα(i1)), (i2, grfα(i2)), . . . , (iL, grfα(iL))),
where σ is randomly chosen from G1and r = H3(σ, m).
– In the Dec algorithm, we first compute ¯σ as described in the BE-PI scheme.
Then, we compute the session key ¯m from EH4(σ)(m) by using ¯σ. We check
whether σˆe(gρ, h
α)r = ¯σˆe(gρ, hα)H3(¯σ, ¯m) and grfα(ij) = gfα(ij)H3(¯σ, ¯m), 1 ≤
j ≤ L. If they are all equal, ¯m is outputted. Otherwise, ⊥ is outputted.
Let qH3, qH4 and qDbe the numbers of queries to H3, H4and the decryption
oracles, respectively. Our scheme Π0 is IND-CCA-secure.
Theorem 2. Assume that the BDH problem is (t1, ²1)-hard and the symmetric
encryption E is (t2, ²2) F G-secure. The scheme Π0 is (t, ², qH3, qH4, qD
)-IND-CCA secure in the random oracle model, where t0 is some polynomially bounded
time,
t = min{t1− t0, t2} − O(2z(qH3+ qH4)) and
² = (1 + 2(qH3+ qH4)²1+ ²2)(1 − 2²1− 2²2− 2
−z+1)−qD− 1.
This theorem is proved by showing that if Π0 is not IND-CCA-secure, then
either Π is not OW-CPA-secure or E is not FG-secure directly. The OW-CPA security of Π is based on the BDH assumption. We note that the application of the transformation to other types of schemes could be delicate. Galindo [10] pointed out such a case. Nevertheless, the problem occurs in the proof and is fixable without changing the transformation or the assumption. The detailed proof will be given in the full version of the paper.
5
A Public Key SD Scheme
In the paradigm of subset cover for broadcast encryption [16], the system chooses a collection C of subsets of users such that each set S of users can be covered by the subsets in C, that is, S = ∪w
i=1Sw, where Si∈ C are disjoint, 1 ≤ i ≤ w. Each
subset Si in C is associated with a private key ki. A user is assigned a set of keys
such that he can derive the private keys of the subsets to which he belongs. The subset keys ki cannot be independent. Otherwise, each user may hold too many
keys. It is preferable that the subset keys have some relations, for example, one can be derived from another. Thus, each user Uk is given a set SKk of keys so
that he can derive the private key of a subset to which he belongs. A subset-cover based broadcast encryption scheme plays the art of choosing a collection C of subsets, assigning subset and user keys, and finding subset covers.
5.1 The PK-SD-PI Scheme
We now present our PK-SD-PI scheme, which is constructed by using the poly-nomial interpolation technique on the collection of subsets in [16]. The system setup is similar to that of the BE-PI scheme. Consider a complete binary tree T of log N + 1 levels. The nodes in T are numbered differently. Each user in U is associated with a different leaf node in T . We refer to a complete subtree rooted at node i as ”subtree Ti”. For each subtree Ti of η levels (level 1 to level η from
top to bottom), we define the degree-1 polynomials
fj(i)(x) = a(i)j,1x + a(i)j,0 (mod q),
where a(i)j,0 = lg H2(Idkikjk0) and a(i)j,1 = lg H2(Idkikjk1), 2 ≤ j ≤ η. For a user
Uk in the subtree Ti of η levels, he is given the private keys
sk,i,j = (grk,i,j, grk,i,jf
(i)
j (ij), grk,i,jfj(i)(0)hρ)
for 2 ≤ j ≤ η, where nodes i1, i2, . . . , iη are the nodes in the path from node i
to the leaf node for Uk (including both ends). We can read sk,i,j as the private
key of Uk for the jth level of subtree Ti. In Figure 1, the private keys (in the
unmasked form) of U1 and U3 for subtree Tiwith η = 4 are given. Here, we use
hρ in all private keys in order to save space in the header.
Recall that in the SD scheme, the collection C of subsets is
{Si,t: node i is a parent of node t, i 6= t},
where Si,t denotes the set of users in subtree Ti, but not in subtree Tt. By our
design, if the header contains a masked share for fj(i)(t), where node t is in the
j-th level of subtree Ti, only user Uk in Si,t can decrypt the header by using his
private key sk,i,j, that is, the masked form of fj(i)(s), for some s 6= t. In Figure 1,
the share f3(i)(t) is broadcasted so that only the users in Si,t can decrypt the
i=i
1f
2(i)(x)
f
3(i)(x)
t
i
2i
3f
4(i)(x)
U1 U2 U3 U4 U5 U6 U7 U8– U1holds masked shares of f2(i)(i2), f3(i)(i3), f4(i)(i4)
– U3holds masked shares of f2(i)(i2), f3(i)(t), f4(i)(v)
– For subset Si,t, a masked share of f3(i)(t) is broadcasted so that
U3and U4cannot decrypt, but others can.
i
4v
Fig. 1. Level polynomials, private keys and broadcasted shares for subtree Ti.
For a set R of revoked users, let Si1,t1, Si2,t2, . . ., Siz,tz be a subset cover for U\R, the header is
(mˆe(gρ, h)r, gr, (i1, t1, grf (i1) j1 (t1)), . . . , (i z, tz, grf (iz ) jz (tz))),
where node tk is in the jk-th level of subtree Tik, 1 ≤ k ≤ z.
For decryption, a non-revoked user finds ik, tk, grf
(ik)
jk (tk) (corresponding to Sik,tk where he is in) from the header and applies the Lagrange interpolation to
compute the session key m.
Performance. The public key is O(1), which is the same as that of the BE-PI
scheme. Each user belongs to at most log N + 1 subtrees and each subtree has at most log N + 1 levels. For the subtree of η levels, the user in the subtree holds
η − 1 private keys. Thus, the total number of shares (private keys) held by each
user is Plog Ni=1 i = O(log2N ). According to [16], the number z of subsets in a
subset cover is at most 2|R| − 1, which is O(r)
When the header streams in, a non-revoked user Uk looks for his containing
subset Sij,tj to which he belongs. With a proper numbering of the nodes in T , this
can be done very fast, for example, in O(log log N ) time. Without considering the time of scanning the header to find out his containing subset, each user needs to perform 2 modular exponentiations and 3 pairing functions. Thus, the decryption cost is O(1).
Theorem 3. Assume that the BDH problem is (t1, ²1)-hard. Our PK-SD-PI
scheme is (t1− t0, ²1)-OW-CPA secure in the random oracle model, where t0 is
some polynomially bounded time.
Proof. The one-way security proof for the PK-SD-PI scheme is similar to that for
the BE-PI scheme. In the PK-SD-PI scheme, all polynomials fj(i)(x) are of degree one. Let (g, ga, gb, gc) be the input to the BDH problem. Let S
i1,t1, Si2,t2, . . . , Siz,tz
be a subset cover for S∗ = U\R. Due to the random oracle assumption for H 1
and H2, all polynomials are independent. Thus, we can simply consider a
par-ticular Sα,t in the subset cover for S∗ = U\R, where t is at level β of subtree
Tα. The corresponding polynomial is f (x) = fβ(α)(x) = a1x + a0 (mod q). Wlog,
let {U1, U2, . . . , Ul} be the set of revoked users that have the secret share about
f (t). The reduction to the BDH problem is as follows. Recall that the public key
of the PK-SD-PI method is (Id, H1, H2, E, G, G1, ˆe, g, gρ).
1. Let g be the generator in the system and gρ= ga.
2. Set f (t) = w and compute gf (t)= gw, where w is randomly chosen from Z q.
3. Let ga0 = gf (0)= ga· gτ, where τ is randomly chosen from Z
q.
4. Compute ga1 from gf (t) and ga0 via the Lagrange interpolation.
5. The (random) hash values H2(Idkαkβk0) and H2(Idkαkβk1) are set as ga0
and ga1 respectively.
6. Set h = gb· gκ, where κ is randomly chosen from Z q.
7. The f (x)-related secret share of Ui, 1 ≤ i ≤ l, is computed as (gri, grif (t),
grif (0)hρ), where gri = g−b· gµi and µi is randomly chosen from Zq. Note
that grif (0)hρ = ga(µi+κ)−bτ +µiτ can be computed from the setting in the
previous steps.
8. The non-f (x)-related secret shares of Ui, 1 ≤ i ≤ l, can be set as follows.
Let f0 be a polynomial related to subtree α0 and level β0, where t0 is in the
β0-th level and U
i∈ Sα0,t0. The secret share (gr 0
i, gri0f0(t0), gr0if0(0)hρ) of Ui is
computed from (gri, grif (t), grif (0)hρ). Let f0(t0) = w0, f0(0) = f (0) + a0 and r0
i = ri+ r0, where w0, a0, and r0 are randomly chosen from Zq. Thus, gr
0 i = gri·gr0, gri0f0(t0)= (gr0i)w0and gr0if0(0)hρ= (grif (0)hρ)·gr0f (0)·gria0·gr0a0. Note
that the hash values H2(Idkα0kβ0k0) and H2(Idkα0kβ0k1) can be answered
accordingly.
9. Set the challenge as (y, gc, (i 1, t1, gcf (i1) j1 (t1)), (i 2, t2, gcf (i2) j2 (t2)), . . . , (i z, tz, gcf (iz ) jz (tz))),
where y is randomly chosen from G and thought as mˆe(gρ, h)c. Note that
gcfjk(ik)(tk), 1 ≤ k ≤ z, can be computed since f(ik)
jk (tk) is a number randomly
chosen from Zq, as described in Step 2.
If the revoked users U1, U2, . . . , Ul can together compute the session key m
from the challenge with probability ²1, we can compute
y · m−1· ˆe(ga, gc)−κ= ˆe(gρ, h)c· ˆe(g, g)−acκ
with the same probability ²1. This contradicts the BDH assumption.
Let t0 be the time for the reduction and solution computation in Equation
(4), where t0 is polynomially bounded. Thus, if the collusion attack takes t 1− t0,
we can solve the BDH problem in time t1.
Similarly, we can modify our PK-SD-PI scheme to have IND-CCA security like Section 4
5.2 The PK-LSD-PI Scheme
The LSD method is an improvement of the SD method by using a sub-collection
C0 of C in the SD method. The basic observation is that S
i,tcan be decomposed
to Si,k∪ Sk,t. The LSD method delicately selects C0 such that each Si,t ∈ C is
either in C0 or equal to S
i,k∪ Sk,t, where Si,kand Sk,tare in C0. The subset cover
found for U\R in the SD method is used except that each Si,t in the cover, but
not in C0, is replaced by two subsets S
i,k and Sk,tin C0. Thus, each user belongs
to a less number of Si,t’s in C0 such that it holds a less number of private keys.
We consider the basic case of the LSD method, in which each user holds (log n)3/2 private keys. There are√log n ”special” levels in T . The root is at a
special level and every level of depth k ·√log n, 1 ≤ k ≤ √log n, is special. A layer is the set of the levels between two adjacent special levels. Each layer has
√
log n levels. The collection C0 of the LSD method is
{Si,t : nodes i and t are in the same layer, or node i is at a special level}.
There are two types of Si,t’s in C0. The first type is that node i is in a special
level and the second type is that nodes i and t are in the same layer. Every non-revoked set U\R can be covered by at most 4|R| − 2 disjoint subsets in C0.
Our PK-LSD-PI scheme is as follows. Since C0 is just a sub-collection of C
in the SD method, our PK-LSD-PI scheme is almost the same as the PK-SD-PI scheme except that some polynomials for type-2 Si,t ∈ C0 are unnecessary.
Consider a user Uk (or its corresponding leaf node). For his ancestor node i
at a special layer (type-1 Si,t’s), Uk is given the private keys (corresponding
to subtree Ti) by the same way as the PK-SD-PI method. There are
√
log n such i’s and each Ti has at most log n levels. In this case, Uk holds (log n)3/2
private keys. For his ancestor node i and nodes t in the same layer (type-2
Si,t’s), choose degree-1 polynomials for the levels between i and its (underneath)
adjacent special level only. There are at most√log n such polynomials and Uk
is assigned corresponding√log n private keys as the PK-SD-PI scheme does. In this case, Ukholds at most log n·
√
log n private keys since Ukhas log n ancestors.
Overall, each user Uk holds at most 2(log n)3/2 private keys.
Security. We show that the scheme described in this subsection is one-way
secure.
Theorem 4. Assume that the BDH problem is (t1, ²1)-hard. Our PK-LSD-PI
scheme is (t1− t0, ²1)-OW-CPA secure in the random oracle model, where t0 is
Proof. The collection of Si,t’s for covering U\R in the LSD method is a
sub-collection of that in the SD method. The way of assigning private keys to users is the same as that of the PK-SD-PI scheme except that we omit the polynomials that are never used due to the way of choosing a subset cover in the LSD method. In the random oracle model, we can simply consider a particular Sα,t in the
subset cover for U\R. Since all conditions are the same, the rest of proof is the same as that in Theorem 3.
With the same extension in [12], we can have a PK-LSD-PI scheme that has O(1) public keys and O(log1+²) private keys, for any constant 0 < ² < 1. The header size is O(r/²), which is O(r) for a constant ². The decryption cost excluding the time of scanning the header is again O(1).
6
Conclusion
We have presented very efficient public key BE schemes. They have low public and private keys. Two of them even have a constant decryption time. Our results show that the efficiency of public key BE schemes is comparable to that of private-key BE schemes.
We are interested in reducing the ciphertext size while keeping other com-plexities low in the future.
Acknowledgement
We thank Eike Kiltz and Michel Abdalla for valuable comments on the manuscript.
References
1. N. Attrapadung, H. Imai. Graph-decomposition-based frameworks for subset-cover broadcast encryption and efficient instantiations. In Proceedings of Advances in
Cryptology - Asiacrypt 05, Lecture Notes in Computer Science 3788, pp.100-120,
Springer, 2005.
2. D. Boneh, X. Boyen, E.-J. Goh. Hierarchical identity based encryption with con-stant size ciphertext. In Proceedings of Advances in Cryptology - Eruocrypt 05, Lecture Notes in Computer Science 3494, pp.440-456, Springer, 2005.
3. D. Boneh, M. Franklin. An efficient public key traitor tracing scheme. In
Proceed-ings of Advances in Cryptology - Crypto 99, Lecture Notes in Computer Science
1666, pp.338-353, Springer, 1999.
4. D. Boneh, C. Gentry, B. Waters. Collusion resistant broadcast encryption with short ciphertexts and private keys. In Proceedings of Advances in Cryptology
-Crypto 05, Lecture Notes in Computer Science 3621, pp.258-275, Springer, 2005.
5. D. Boneh, B. Waters. A fully collusion resistant broadcast, trace, and revoke sys-tem. In Proceedings of the ACM Conference on Computer and Communications
Security - CCS 06, pp.211-220, ACM Press, 2006.
6. Y. Dodis, N. Fazio. Public key broadcast encryption for stateless receivers. In
Proceedings of Digital Right Management 02 - DRM 02, Lecture Notes in Computer
7. Y. Dodis, N. Fazio. Public key broadcast encryption secure against adaptive chosen ciphertext attack. In Proceedings of Public Key Cryptography - PKC 03, Lecture Notes in Computer Science 2567, pp.100-115, Springer, 2003.
8. A. Fiat, M. Naor. Broadcast encryption. In Proceedings of Advances in Cryptology
- Crypto 93, Lecture Notes in Computer Science 773, pp.480-491, Springer, 1993.
9. E. Fujisaki, T. Okamoto. Secure integration of asymmetric and symmetric encryp-tion schemes. In Proceedings of Advances in Cryptology - Crypto 99, Lecture Notes in Computer Science 1666, pp.537-554, Springer, 1999.
10. D. Galindo. Boneh-Franklin identity based encryption revisited. In Proceedings of ICALP 05, Lecture Notes in Computer Science 3580, pp.791-802, Springer, 2005. 11. M.T. Goodrich, J.Z. Sun, R. Tamassia. Efficient Tree-Based Revocation in Groups
of Low-State Devices. In Proceedings of Advances in Cryptology - Crypto 04, Lec-ture Notes in Computer Science 3152, pp.511-527, Springer, 2004.
12. D. Halevy, A. Shamir. The LSD broadcast encryption scheme. In Proceedings of
Advances in Cryptology - Crypto 02, Lecture Notes in Computer Science 2442,
pp.47-60, Springer, 2002.
13. K. Kurosawa, Y. Desmedt. Optimum traitor tracing and asymmetric schemes. In
Proceedings of Advances in Cryptology - Eurocrypt 98, Lecture Notes in Computer
Science 1403, pp.145-157, Springer, 1998.
14. K. Kurosawa, T. Yoshida. Linear code implies public-key traitor tracing. In
Pro-ceedings of Public Key Cryptography, Lecture Notes in Computer Science 2274,
pp.172-187, Springer, 2002.
15. J.W. Lee, Y.H. Hwang, P.J. Lee. Efficient public key broadcast encryption using identifier of receivers. In Proceedings of International Conference on Information
Security Practice and Experience - ISPEC 06, Lecture Notes in Computer Science
3903, pp.153-164, Springer, 2006.
16. D. Naor, M. Naor, J. Lotspiech. Revocation and tracing schemes for stateless re-ceivers. In Proceedings of Advances in Cryptology - Crypto 01, Lecture Notes in Computer Science 2139, pp.41-62, Springer, 2001.
17. M. Naor, B. Pinkas. Efficient trace and revoke schemes. In Proceedings of Financial
Cryptography 00, Lecture Notes in Computer Science 1962, pp.1-20, Springer, 2000.
18. A. Shamir. How to share a secret. Communications of the ACM, 22(11), pp.612-613, 1979.
19. W.-G. Tzeng, Z.-J. Tzeng. A public-key traitor tracing scheme with revocation us-ing dynamic shares. In Proceedus-ings of Public Key Cryptography - PKC 01, Lecture Notes in Computer Science 1992, pp.207-224, Springer, 2001.
20. P. Wang, P. Ning, D.S. Reeves. Storage-efficient stateless group key revocation. In
Proceedings of the 7th Information Security Conference - ISC 04, Lecture Notes in
Computer Science 3225, pp.25-38, Springer, 2005.
21. E.S. Yoo, N.-S. Jho, J.J. Cheon, M.-H. Kim. Efficient broadcast encryption us-ing multiple interpolation methods. In Proceedus-ings of ICISC 04, Lecture Notes in Computer Science 3506, pp.87-103, Springer, 2005.
22. M. Yoshida, T. Fujiwara. An efficient traitor tracing scheme for broadcast en-cryption. In Proceedings of 2000 IEEE International Symposium on Information
1
