Abstract

We provide a strong security notion for broadcast encryption, called adaptive security in the multichallenge setting (MA-security), where the adversary can adaptively access the key generation oracle and the encryption oracle many times (multichallenge). In particular, the adversary can adaptively query for challenge ciphertexts on different target user sets, which generalizes the attacks against broadcast encryption in the real-world setting. Our general result shows that the reduction of the adaptive secure broadcast encryption will lose a factor of in the MA setting, where is the maximum number of encryption queries. In order to construct tighter MA-secure broadcast encryptions, we investigate Gentry and Waters’ transformation and show that their transformation can preserve MA-security at the price of reduction loss on the advantage of the underlying symmetric key encryption. Furthermore, we remove the -type assumption in Gentry and Waters’ semistatically secure broadcast encryption by using Hofheinz-Koch-Striecks techniques. The resulting scheme instantiated in a composite order group is MA-secure with constant-size ciphertext header.

1. Introduction

Broadcast encryptions (BE), introduced by Fiat and Naor [1], allow a sender to broadcast encrypted messages in such a way that only a specified group of users can decrypt the messages. Such schemes are useful in many applications, for example, pay-TV systems, internet multicasting of video and music, DVD content protection, file system access control, and wireless sensor networks [2]. One basic security requirement for broadcast encryption is full collusion resistance, which means that even a coalition of all users outside of the target user set learns nothing about the target plaintext. Naor et al. [3] proposed a fully collusion secure broadcast encryption scheme with the private key overhead , where is the total number of users. Subsequent works [4, 5] reduced the private key size to . However, the ciphertext size of collusion resistant schemes, for example, [3-6], usually grows linearly with either the number of receivers or the number of revoked users. Boneh et al. [7] constructed a fully collusion secure broadcast encryption system with low ciphertext overhead and short secret keys. But the security of their scheme was proven in a static model, where the adversary needs to choose the target user set before seeing the system parameter. To capture more powerful attacks, Gentry and Waters [8] provided a stronger security model, called adaptive security, where the adversary can compromise users’ keys and choose the target user set adaptively. They showed a generic method to construct an adaptively secure broadcast encryption scheme by transforming a semistatically secure broadcast encryption scheme, while the underlying semistatically secure scheme in [8] is based on a -type assumption, which is considered to be too strong. By introducing the dual system, Waters [9] presented a broadcast encryption scheme with ciphertext overhead of constant size, and the resulting scheme can be proven adaptively secure under static assumption (non--type assumption).
Then, Boneh, Waters, and Zhandry [10] made use of multilinear maps to construct a broadcast encryption where ciphertext overhead, private key size, and public key size are all poly-logarithmic in . Other works [11-15] focus on the improvements of broadcast encryptions with special functionalities, for example, identity-based BE, anonymous BE, and traitor-tracing BE. Recently, Wee [16] presented the first broadcast encryption scheme with constant-size ciphertext overhead, constant-size user secret keys, and linear-size public parameters under static assumptions, while the resulting scheme is proven secure under static security model.

It is worth noting that although adaptive security defined in [8] seems strong enough to capture the security of broadcast encryptions, attacks in the real world are more complex; for example, the adversary may adaptively get multiple challenge ciphertexts instead of only one. Such attacks are described in the so-called multiuser, multichallenge setting. Bellare et al. [17] initiated the study of the formal security in the multiuser setting, which shows that one-user, one-ciphertext security implies security in the multiuser, multichallenge setting. But the reduction loss of the proof is , where and denote the number of users and the number of challenge ciphertexts per user, respectively. However, large reduction loss usually implies large cryptographic parameters, which leads to low efficiency in practice. A recent breakthrough was made by Hofheinz and Jager [18], who provided the first IND-CCA secure PKE in the multiuser/multichallenge setting whose security tightly relates to the decision linear assumption. Here, tight security means that the security loss is a constant. Hofheinz, Koch, and Striecks [19] extended Chen and Wee’s proof technique [20] to the multiuser/multichallenge setting and provided an almost tightly secure identity-based encryption (IBE) in the same setting, where the security loss only relies on the security parameter instead of the number of queries or instances of the scheme. Hence, an extension of broadcast encryptions in the multiuser/multichallenge setting is natural. However, the problem of constructing tightly secure broadcast encryptions in the multiuser/multichallenge setting is more subtle.

Our Contribution. We define a stronger notion for broadcast encryption, called the adaptive security in the multichallenge setting (MA-security), where the adversary can not only adaptively have access to the key generation oracle and the encryption oracle many times (multichallenge) but also adaptively query for the challenge ciphertexts on different target user sets instead of only one target set as in previous security model. Since each target user set is actually the combination of different users chosen by the adversary adaptively, it is more challenging for the reduction algorithm to prepare the parameters of broadcast encryptions than that of ordinary PKE or IBE.

Our general result shows that the reduction of the adaptive secure broadcast encryption will lose a factor of in the MA setting, where is the maximum number of encryption queries. To achieve tighter MA-security, we investigate the following two methods. The first method is from the Gentry and Waters transformation [8] mentioned above. By exploring the random self-reducibility of the BDHE assumption, we show that their transformation still holds in terms of MA-security, but at the cost of reduction loss on the advantage of the underlying symmetric key encryption. We emphasize that the resulting broadcast encryption scheme’s security depends on both the BDHE assumption and the security of the symmetric key encryption. The reduction loss on the underlying symmetric key encryption is , while the reduction on BDHE is tight due to the random self-reducibility of the BDHE assumption, which is not implied by the general result of [17]. To remove the BDHE assumption, our second method applies the Hofheinz-Koch-Striecks techniques [19] to Gentry-Waters’ semistatic secure broadcast encryption. The resulting scheme is essentially the Hofheinz-Koch-Striecks IBE scheme instantiated in a composite order group, while the user’s decryption key of broadcast encryption is expressed in a different way from that of [19]. Both methods can turn Gentry-Waters’ semistatically secure broadcast encryption into an MA-secure one with constant-size ciphertext header.

Note that the public key size of both schemes is linear in the number of users. An interesting problem is how to reduce the public key size of an MA-secure broadcast encryption under standard assumptions while preserving constant ciphertext header size.

2. Preliminaries

Notations. Let , where . For a finite set , we denote by the fact that is picked uniformly at random from . can be denoted as a binary string; that is, , where for . We write vectors in bold font; for example, for a vector of length . denotes the statistical distance of and , where and are random variables. We say and are -close if .

2.1. Bilinear Map

Let and be two groups of prime order , and let be a generator of . is a bilinear map with the following properties.
(1) Bilinearity: for all and , .
(2) Nondegeneracy: .
(3) Computability: there exists an efficient algorithm to compute , for any .

2.2. Assumptions

Decisional BDHE Problem [8]. Let be the description of the group parameter which is the output of group generator , where is the security parameter. Choose and given elements where , if and if . The problem is to guess .

The decisional BDHE assumption states that for any PPT adversary which takes as inputs the description of and the above elements and outputs , the advantage is negligible in .

2.3. Broadcast Encryption Systems

A broadcast encryption system consists of four randomized algorithms described below.

. Take as input the number of users and the maximal size of a broadcast recipient group and output a public/secret key pair . (The security parameter is taken as part of the input implicitly.)

. Take as input a user index and the secret key and output a private key .

. Take a user set and the public key as input. It outputs a pair , where is the header and is the message encryption key from a key space .

. Take as input a user set , a user index , and the corresponding private key for user , a header , and the public key . If , then the algorithm outputs the message encryption key .

3. Adaptive Security in the Multichallenge Setting (MA-Security)

In this section, we define the adaptive security of broadcast encryption in the multichallenge setting. Let be a broadcast encryption scheme. The experiment for is described in Table 1.

During the experiment, the adversary takes and the description of including as inputs and can have access to the following two kinds of oracles.
(i) is the secret key generation oracle which takes a user index as input and outputs . Note that cannot make as the key generation query if , where has been queried to the encryption oracle. Suppose the adversary can make key generation queries at most.
(ii) is the encryption oracle which takes as input and outputs the challenge ciphertext , where , . The restriction on encryption query is that cannot include any user index which has been queried to . Suppose that the adversary can only query encryption oracle at most times.

A broadcast encryption scheme is adaptively secure in the multichallenge setting (MA-secure) if, for any PPT adversary , the advantage is negligible in .

Remark 1. The main difference between our MA-security and the adaptive security defined in [8] is the encryption queries. In MA-security experiment, the adversary can not only adaptively have access to the encryption oracle many times but also query for the challenge ciphertexts on different target user sets, while the adversary can make only one encryption query for one target user set in adaptive security experiment [8], where the related advantage of is denoted as .

To investigate the Gentry and Waters transformation in the multichallenge setting, we also need to extend semistatic security defined in [8] to the multichallenge setting, which is called semistatic security in the multichallenge setting (MS-security). The MS-security is defined in a similar way as that of MA-security, where the adversary also takes and the description of including as inputs and can have access to and as defined in MA-security. But additional restrictions in MS-security are that has to choose a target user set at the beginning of the experiment and encryption queries are such that . Details of the MS experiment are shown in Table 2.

A broadcast encryption scheme is semistatically secure in the multichallenge setting (MS-secure) if, for any PPT adversary , the advantage is negligible in .

4. MA-Secure Broadcast Encryption

First we give a general result on the reduction loss of an adaptive secure broadcast encryption in the MA setting. Then, to derive a tighter reduction, we show how to extend Gentry-Waters transformation to the multichallenge setting and construct a concrete MA-secure broadcast encryption based on BDHE assumption.

4.1. General Construction

Theorem 2. For any PPT adversary which can make at most key generation queries and encryption queries with running time , there exists an algorithm with about the same running time as , such that

Proof. The proof proceeds via the following games.
(i) : is the real MA experiment except the following differences. When the adversary adaptively makes encryption query for set , the challenger responds with , where .
(ii) : is identical to except that the challenger replies the encryption queries with for , where and denotes the key space.
Now we construct a series of subgames for to prove the indistinguishability between and .
(i) . is the same as except that the challenger chooses to construct challenge for the first encryption query .
(ii) . is the same as except that the challenger chooses to construct challenge for the th encryption query , where .
Let denote the event that the adversary outputs 1 in . Note that and are identical to and , respectively. Thus,
Next, we show that is negligible, for . That is, if there exists a PPT adversary which can distinguish the adjacent games for some , we can construct a PPT algorithm which can break the adaptive security of the underlying scheme.
Claim. For any PPT adversary which can make at most key generation queries and encryption queries with running time , there exists an algorithm with about the same running time as , such that
Proof. simulates the experiment as follows.
(i) The challenger runs and sends to which will send to .
(ii) adaptively makes key generation queries for user index .
(iii) sends user index to the challenger which runs and sends back the secret key for user . Then sends to .
(iv) adaptively makes encryption queries for , where denotes the th query.
(a) If , runs and chooses and sends to .
(b) If , runs and sends to .
(c) If , sends to the challenger which then chooses and sends back where . Next sends to .
(v) outputs . If , outputs 1, otherwise, 0.
Observe that if , ’s view is identical to that of . Otherwise ’s view is identical to that of . Thus
Hence we have
which completes the proof of Theorem 2.

4.2. MS-Secure Broadcast Encryption Based on BDHE Assumption

To reduce the reduction loss, we investigate Gentry-Waters broadcast encryption [8] in the MA setting. First we briefly recall the semistatically secure broadcast encryption scheme in [8]. Let be a PPT algorithm which takes as input the security parameter and the number of users and generates the description of group parameter , where denotes the group of prime order and is the bilinear map.

. , , where are generators of and . Set Output .

. Choose and output user ’s private key

. Choose and compute . Set Output .

. If , parse as and as and output

Theorem 3. For any PPT adversary which can make at most key generation queries, encryption queries with running time , there exists an algorithm with about the same running time as , such that

The proof is similar to that of [8] except that we have to deal with multiple challenges in the simulation. Furthermore, to derive a tighter reduction, we need the following lemma which makes use of the random self-reducibility of BDHE.

Lemma 4. There exists an efficient algorithm that takes as input for and generates many tuples of the form where and .

Proof. Compute and , where . Let mod . We implicitly set Hence, we have If , namely, , then . If , namely, , then . Since are uniformly distributed, we have uniformly distributed over .

More details of the concrete proof of Theorem 3 can be found in Appendix A.

4.3. Transforming MS-Security to MA-Security

In this section, we show that the Gentry-Waters transformation still holds in the multichallenge setting, but at the cost of reduction loss in the advantage of the underlying symmetric encryption scheme. First, we briefly recall the Gentry-Waters transformation [8]. Let , be an MS-secure broadcast system and be a symmetric encryption scheme with key space .

. Run . Let and denotes th bit of . Let and . Output .

. Run . Set . Output private key .

. Generate random bits: and . Set Output .

. Parse as and as . Set and as above. Run Output .

Theorem 5. For any PPT adversary which can make at most key generation queries and encryption queries with running time , there exist algorithms , and , each with about the same running time as , such that

Notice that denotes the advantage of , , which is defined by the following one-time symmetric key IND-CPA experiment described in Table 3.

During the experiment, takes the security parameter and the description of as input and can make only one encryption query to encryption oracle . More precisely, chooses a pair of plaintexts of the same length as the query and returns as the challenge ciphertext.

We say the symmetric key encryption scheme is one-time CPA-secure if, for any PPT adversary , the advantage is negligible in , where the probability is taken over the random coins used in the experiment, as well as the random coins used by .

Proof Sketch. The main idea of the proof is similar to that of [8] except that we need to deal with multiple challenges, which incurs a reduction loss in the advantage of symmetric key encryption scheme. More precisely, we need to prove the indistinguishability of the following games.
(i) is identical to .
(ii) is the same as except that for each encryption query the challenger chooses to construct , where .
(iii) is the same as except that for each encryption query the challenger chooses to construct , where .
(iv) is the same as except that the challenger chooses to construct .
(v) is the same as except that the challenger chooses to construct .
The indistinguishability among , , and relies on the MS-security of . By using hybrid arguments, we show the indistinguishability between and ( and ), which relies on the one-time CPA security of the underlying symmetric key encryption. It is easy to check that the adversary has no advantage in . More details are shown in Appendix B.
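As an added example (not code from the paper or from [8]), the Python below runs the transformation recalled in this section under the MA oracle rules of Section 3. Assumptions: the underlying scheme is replaced by a secret-key toy (`ToyBE`), user i is mapped to inner index i + s_i·n, the symmetric encryption is a one-time pad, and b = 0 selects the real key; all class and function names are hypothetical.

```python
import hashlib, hmac, secrets

KEYLEN = 16  # bytes

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def prf(key, msg):
    return hmac.new(key, msg, hashlib.sha256).digest()[:KEYLEN]

class ToyBE:
    """Stand-in for the underlying BE (assumption: a secret-key toy, not the
    pairing-based scheme): per-user PRF keys, one wrapped key per recipient."""
    def __init__(self, n):
        self.n, self.msk = n, secrets.token_bytes(KEYLEN)

    def keygen(self, j):
        return prf(self.msk, b"user-%d" % j)

    def enc(self, S):
        k, nonce = secrets.token_bytes(KEYLEN), secrets.token_bytes(KEYLEN)
        wrap = {j: xor(k, prf(self.keygen(j), nonce)) for j in S}
        return {"nonce": nonce, "wrap": wrap}, k

    def dec(self, S, j, dj, hdr):
        if j not in S or j not in hdr["wrap"]:
            return None
        return xor(hdr["wrap"][j], prf(dj, hdr["nonce"]))

class TransformedBE:
    """n-user scheme from a 2n-index scheme; user i gets inner key i + s_i*n."""
    def __init__(self, n):
        self.n, self.inner = n, ToyBE(2 * n)
        self.s = {i: secrets.randbits(1) for i in range(1, n + 1)}  # secret bits

    def keygen(self, i):
        return self.inner.keygen(i + self.s[i] * self.n), self.s[i]

    def _sets(self, S, t):
        return ({i + t[i] * self.n for i in S},
                {i + (1 - t[i]) * self.n for i in S})

    def enc(self, S):
        t = {i: secrets.randbits(1) for i in S}  # fresh random bits per header
        K = secrets.token_bytes(KEYLEN)
        S0, S1 = self._sets(S, t)
        (h0, k0), (h1, k1) = self.inner.enc(S0), self.inner.enc(S1)
        # One-time symmetric encryption of K under k0 and k1 (one-time pad).
        return {"h": (h0, h1), "c": (xor(k0, K), xor(k1, K)), "t": t}, K

    def dec(self, S, i, d, hdr):
        if i not in S:
            return None
        di, si = d
        b = si ^ hdr["t"][i]  # the half whose set contains index i + s_i*n
        Sb = self._sets(S, hdr["t"])[b]
        k = self.inner.dec(Sb, i + si * self.n, di, hdr["h"][b])
        return None if k is None else xor(k, hdr["c"][b])

class MAExperiment:
    """Challenger bookkeeping for the multichallenge adaptive game.
    Assumption: b=0 returns the real key, b=1 a uniformly random key."""
    def __init__(self, scheme, max_enc, b=None):
        self.scheme, self.max_enc = scheme, max_enc
        self.b = secrets.randbits(1) if b is None else b
        self.corrupted, self.challenged, self.enc_count = set(), set(), 0

    def keygen_oracle(self, i):
        if i in self.challenged:
            raise PermissionError("index is in an earlier challenge set")
        self.corrupted.add(i)
        return self.scheme.keygen(i)

    def enc_oracle(self, S):
        S = set(S)
        if S & self.corrupted:
            raise PermissionError("challenge set contains a corrupted index")
        if self.enc_count >= self.max_enc:
            raise PermissionError("encryption query budget exhausted")
        self.enc_count += 1
        self.challenged |= S
        hdr, K = self.scheme.enc(S)
        return hdr, (K if self.b == 0 else secrets.token_bytes(KEYLEN))

def run_demo():
    scheme = TransformedBE(n=6)
    game = MAExperiment(scheme, max_enc=3, b=0)
    game.keygen_oracle(3)                      # adaptive corruption
    hdr1, K1 = game.enc_oracle({1, 2})         # first target set
    hdr2, K2 = game.enc_oracle({2, 5, 6})      # a different target set
    refused = []
    for oracle, arg in ((game.keygen_oracle, 5), (game.enc_oracle, {3, 4})):
        try:
            oracle(arg)
        except PermissionError:
            refused.append(arg)
    ok = (scheme.dec({1, 2}, 2, scheme.keygen(2), hdr1) == K1 and
          scheme.dec({2, 5, 6}, 6, scheme.keygen(6), hdr2) == K2)
    return {"refused": refused, "decrypts": ok}

if __name__ == "__main__":
    print(run_demo())
```

The two refused queries are the inadmissible ones: a key request for an index already in a challenge set, and a challenge set containing a corrupted index.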

5. Remove -Type Assumption

In this section, we show how to remove the -type assumption of the MS-secure Gentry-Waters scheme in Section 4 by using Hofheinz-Koch-Striecks techniques [19], where the original Gentry-Waters scheme is lifted to composite order groups.

Let be a composite-order group generator which generates group parameters , , where is a nondegenerate bilinear map and are cyclic groups of order and is the product of different primes , and , and let be the generator of group and , for , be the random generators of subgroups of orders , respectively.

Let be a family of universal hash functions with the property that for any nontrivial subgroup and for and , we have . In addition, the resulting scheme relies on the following assumptions [19].

Dual System Assumption 1 (DS1). For any PPT adversary , the advantage function is negligible in , where

Dual System Assumption 2 (DS2). For any PPT adversary , the advantage function is negligible in , where

Dual System Assumption 3 (DS3). For any PPT adversary , the advantage function

is negligible in , where

Dual System Bilinear DDH Assumption (DS-BDDH). For any PPT adversary , the advantage function is negligible in , where

5.1. Construction

. Generate and compute . Set , generate , and compute . Set Output .

. Take an index and the master key as input. Set , generate , and compute and output a user secret key Note that is not used in .

. Take a set as well as a master public key as input. We denote as a binary string; that is, , where and . That is, if user is in . Otherwise, . Generate and output

. If , parse as and as and output

Correctness.

5.2. Security Proof

Theorem 6. For any PPT adversary which can make at most key generation queries and encryption queries with running time , there exist algorithms on DS1, on DS2, on DS3, and on DS-BDDH with running time , respectively, for some constant , such that

The proof follows that of [19] and proceeds via a series of games described in Appendix C, where the user set is considered as a special kind of identity .

The main difference between games is presented in Table 4. Random function families, auxiliary secret key generation, auxiliary encryption function, semifunctional user secret keys, pseudo-normal ciphertexts, and semifunctional ciphertexts are defined as follows. More details can be found in Table 4.

(i) Random Function Families. In our scheme each user index is interpreted as -bit binary string , where only -th bit is 1. Both user index and user set are denoted as identity . Let be -bit prefix of and denote . For , define two random functions as follows.(a); ;; , where .(b); ;; , where .

(ii) Auxiliary Secret Key Generation where .

(iii) Auxiliary Encryption Function where .

(iv) Semi-Functional Type-i User Secret Keys where user is denoted as .

(v) Pseudo-Normal Ciphertexts where .

(vi) Semi-Functional Ciphertexts where and denotes .

(vii) Semi-Functional Ciphertexts where and denotes .

Appendix

A. Proof of Theorem 3

Proof. If there exists a PPT adversary which can break the MS-security of the broadcast encryption, then we show how to construct a PPT algorithm to break BDHE assumption.
Upon receiving the BDHE problem instance, which consists of and , simulates the experiment for as follows.
(i) chooses a set .
(ii) . generates and sets Since is unknown, we implicitly set and can be computed as . Now the public key is sends to .
(iii) : for , chooses and computes and outputs where .
(iv) : adaptively makes subset as encryption query. runs the algorithm of Lemma 4 to generate for and set . Return as the answer to .
Eventually, outputs a bit which is also the output of . It is easy to check that perfectly simulates . Therefore, ’s advantage in deciding the BDHE instance is precisely ’s advantage against the MS-security of the broadcast encryption scheme, which completes the proof.

B. Proof of Theorem 5

Proof. Let denote the event that the adversary outputs 1 in .
. This is the real game which is identical to experiment . Thus,
. is identical to except that the challenge ciphertext for is computed as follows: and .
For any PPT adversary which can distinguish from , there exists an algorithm which can break the MS-security of scheme. Suppose is the maximal number of encryption queries that adversary can make. acts as follows:
(i) Choose .
(ii) Choose and generate , where denotes th bit of . sends to the challenger. Notice that .
(iii) The challenger runs to obtain and sends to . Then sets and sends to .
(iv) adaptively makes key generation queries for . Then sends to the challenger of the MS experiment.
(v) The challenger runs to obtain and sends to , which returns to .
(vi) adaptively makes encryption queries . Then sets , , and sends for to the challenger. Notice that .
(vii) The challenger sends back , where and . Note that has been chosen by the challenger at the beginning of the experiment.
(viii) sets and generates . Then it sets , , and and sends to adversary .
(ix) outputs a bit . If , outputs 0, otherwise, 1.
Notice that if , ’s view is identical to that of . Otherwise, ’s view is identical to that of . Hence, we have
. is identical to except that for each encryption query the challenger chooses to construct . The proof of the indistinguishability between and is similar to that of and . So we have
. is identical to except that for each encryption query the challenger chooses to construct for .
We construct a series of subgames for , to prove the indistinguishability between Game 2 and Game 3.
(i) . is identical to except that the challenger chooses to construct .
(ii) . is identical to except that the challenger chooses to construct .
Note that is identical to .
Claim. For any PPT adversary which can make at most key generation queries and encryption queries with running time , there exists an algorithm with about the same running time as , such that
Proof. chooses and simulates the experiment as follows.
(i) runs and as in .
(ii) adaptively makes encryption queries for , where denotes th query. If , returns the answer as in . If , returns the answer as in . If , chooses and sends to the challenger. The challenger chooses and returns . Then chooses , computes , and returns .
(iii) outputs . If , outputs 0, otherwise, 1.
Observe that if , ’s view is identical to that of . Otherwise, ’s view is identical to that of . Thus
which concludes the proof of the Claim.
Due to the Claim, we have
. is identical to except that the challenger sets to construct for . The proof of the indistinguishability between and is similar to that of and . So we have
In , all for are chosen at random and is independent of . Hence, the adversary has no advantage. That is,
Hence, we have

C. Proof of Theorem 6

Game Sequence
(i) is the real experiment .
(ii) is the same as except that all the challenge ciphertexts are pseudo-normal.
(iii) is the same as except that all user secret keys are semifunctional of type-, while the challenge ciphertexts are semifunctional of type- for .
(iv) is the same as except that if th bit of a challenge identity is 0 (i.e., ), then the corresponding challenge ciphertexts are semifunctional of type-. Otherwise, the corresponding challenge ciphertexts are semifunctional of type-.
(v) is the same as except that if th bit of a challenge identity is 0 (i.e., ), then the corresponding challenge ciphertexts are semifunctional of type-. Otherwise, the corresponding challenge ciphertexts are semifunctional of type-.
(vi) is the same as except that all the challenge ciphertexts and user secret keys are semifunctional of type- and semifunctional of type-, respectively.
(vii) is the same as except that the challenge keys output by oracle are uniform bitstrings over .

Lemma C.1 ( to ). For any PPT adversary with at most key generation queries, encryption queries, and running time , there exists an algorithm on DS1 with running time , for some constant , such that

Proof. receives the instance from the challenger, where or , and simulates the experiment for as follows.
. Choose a bit . Pick and compute . Let , for . Compute for . Set. To answer key generation queries , set and compute for and generate , where , and return .
. can adaptively make encryption queries at most times. sets where and returns , where .
Finally, outputs a guess . outputs 1 if , otherwise, 0.
The distribution of the master public key and user secret keys that requests are identical to those in as well as in . If , the distribution of challenge ciphertexts is identical to that of , while if , the distribution of challenge ciphertexts is identical to that of . Therefore, we have (C.1).

Lemma C.2 ( to ). For any PPT adversary with at most key generation queries, encryption queries, and running time , we have

Proof. As shown in Table 4, in , while in is also uniform in , where denotes the empty string . Since the distribution of and is identical, (C.4) holds.

Lemma C.3 ( to ). For any PPT adversary with at most key generation queries, encryption queries, and running time , there exists an algorithm on DS2 with running time , for some constant , such that

Proof. receives the instance from the challenger, where or and chooses . Then can use the parameter to generate as in the proof of Lemma C.1 and define a truly random function .
. Next, it can answer the secret key queries for as , where , , and .
. Upon receiving encryption queries , chooses and returns
Finally, outputs a guess bit . outputs 1 if ; otherwise 0.
Note that is distributed uniformly over . If , the challenge ciphertexts are distributed identically as in . Otherwise, the distribution is the same as in . Hence (C.5) holds.

Lemma C.4 ( to ). For any PPT adversary with at most key generation queries, encryption queries, and running time , there exists an algorithm on DS3 with running time , for some constant , such that

Proof. gets the instance , where is either or for chooses and , computes , and generates and sets Next generates for and and sets During the experiment can answer key generation queries for identity for as follows.
By running the algorithm in Lemma of [20] (or algorithm in [19]) which takes as input and , can generate the following tuples: respectively, where
Then generates , , where , and sets
Thus . For identity and , defines the random functions below: where . Next answers -th secret key generation query for identity with prefix that is not a prefix of an already queried identity as
For an identity prefix that is a prefix of an already queried identity, we rerandomize the element of .
. Upon receiving encryption queries , chooses and returns where , , .
Finally, outputs a guess bit . outputs 1 if , otherwise 0. If (i.e., ), then the secret keys are distributed identically as in . If (i.e., ), we have identically distributed, respectively. Therefore, in this case, the distribution is the same as in . Besides, the distribution of the challenge ciphertexts is identical in these two games. Hence, (C.7) holds.

Lemma C.5 ( to ). For any PPT adversary with at most key generation queries, encryption queries, and running time , there exists an algorithm on DS2, with running time , for some constant , such that

Lemma C.6 ( to ). For any PPT adversary with at most key generation queries, encryption queries, and running time , there exists an algorithm on DS2, with running time , for some constant , such that

In all the challenge ciphertexts are semifunctional of type-, while in if th bit of challenge identity is 0 (i.e., ), the challenge ciphertexts are totally identical to those in . Otherwise, the challenge ciphertexts are semifunctional of type-. Actually, the proof of to and to is similar to that in Lemma C.3 and thus omitted.

Lemma C.7 ( to ). For any PPT adversary with at most key generation queries, encryption queries, and running time , there exists an algorithm on DS-BDDH with running time , for some constant such that

Proof. is provided with the instance where is either or , for where .
. chooses and computes . Set , and compute . Thus. defines a truly random function . Next it can answer the secret key generation queries for identity as where , for , and for , , where .
. Upon receiving encryption queries for some , sets where . Then runs the algorithm in [19] and outputs , where where , ; , . It is easy to check that are uniformly distributed in . If , then , and For the case , since and are uniformly distributed over , we have all uniformly distributed in and .
(i) If the challenge identity was not queried before, then computes and returns
(ii) If the challenge identity was queried before, then uses the algorithm in [19] to compute and returns
The distribution of and the requested user secret keys are identical to the real scheme.
If and the challenge identity was not queried before, Note that the exponents , and are required to be uniformly distributed in , but when we reuse the outputs of and , are uniformly distributed in . Since the uniform distribution in is statistically indistinguishable from the uniform distribution in , we have that the distribution of challenge ciphertexts is -close to that of . Note that we implicitly set . For the challenge identity queried before, we can just rerandomize the previously used query value .
If , then Since are uniformly distributed over . So is statistically close to the uniform distribution of subgroup of . Due to the property of universal hash function we have for . Thus the challenge ciphertexts are distributed -close to that of . Hence (C.21) holds.
Finally, we have which completes the proof of Theorem 6.

Disclosure

Parts of this paper are presented at Inscrypt 2016.

Conflicts of Interest

The authors declare that there are no conflicts of interest regarding the publication of this paper.

Acknowledgments

All authors were funded by National 973 Grant 2013CB834205, NSFC Grant 61672019, and The Fundamental Research Funds of Shandong University Grant 2016JC029. Puwen Wei was also funded by NSFC Grant 61502276.