Apr 27, 2017 - Introduction. Broadcast encryptions (BE), introduced by Fiat and Naor [1], ... and Waters [8] provided a stronger security model, called adaptive ...
Hindawi Security and Communication Networks Volume 2017, Article ID 1404279, 16 pages https://doi.org/10.1155/2017/1404279
Research Article Adaptive Security of Broadcast Encryption, Revisited Bingxin Zhu, Puwen Wei, and Mingqiang Wang Key Laboratory of Cryptologic Technology and Information Security, Ministry of Education, Shandong University, Jinan, China Correspondence should be addressed to Puwen Wei; [email protected] and Mingqiang Wang; [email protected] Received 21 February 2017; Accepted 27 April 2017; Published 3 July 2017 Academic Editor: Paolo DâArco Copyright Š 2017 Bingxin Zhu et al. This is an open access article distributed under the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original work is properly cited. We provide a strong security notion for broadcast encryption, called adaptive security in the multichallenge setting (MA-security), where the adversary can adaptively have access to the key generation oracle and the encryption oracle many times (multichallenge). The adversary specially can query for the challenge ciphertexts on different target user sets adaptively, which generalizes the attacks against broadcast encryptions in the real world setting. Our general result shows that the reduction of the adaptive secure broadcast encryption will lose a factor of đ in the MA setting, where đ is the maximum number of encryption queries. In order to construct tighter MA-secure broadcast encryptions, we investigate Gentry and Waterâs transformation and show that their transformation can preserve MA-security at the price of reduction loss on the advantage of the underlying symmetric key encryption. Furthermore, we remove the đ-type assumption in Gentry and Waterâs semistatically secure broadcast encryption by using Hofheinz-Koch-Striecks techniques. The resulting scheme instantiated in a composite order group is MA-secure with constant-size ciphertext header.
1. Introduction Broadcast encryptions (BE), introduced by Fiat and Naor [1], allow a sender to broadcast encrypted messages in such a way that only a specified group of users can decrypt the messages. Such schemes are useful in many applications, for example, pay-TV systems, internet multicasting of video and music, DVD content protection, file system access control, and wireless sensor networks [2]. One basic security requirement for broadcast encryption is the fully collusion resistance, which means that even a coalition of all users outside of target user set đ learns nothing about the target plaintext. Naor et al. [3] proposed a fully collusion secure broadcast encryption scheme with the private key overhead đ(log2 (đ)), where đ is the total number of users. Subsequent works [4, 5] reduced the private key size to đ(log đ). However, the ciphertexts size of collusion resistant schemes, for example, [3â6], usually grows linearly with either the number of receivers or the number of revoked users. Boneh et al. [7] constructed a fully collusion secure broadcast encryption systems with low ciphertext overhead and short secret keys. But the security of their scheme was proven in a static model, where the adversary needs to choose the target user set before seeing the system parameter. To capture more powerful attacks, Gentry and Waters [8] provided a stronger security model, called
adaptive security, where the adversary can compromise usersâ keys and choose the target user set adaptively. They showed a generic method to construct adaptively secure broadcast encryption scheme by transforming semistatically secure broadcast encryption scheme, while the underlying semistatically secure scheme in [8] is based on a đ-type assumption, which is considered to be too strong. By introducing the dual system, Waters [9] presented a broadcast encryption scheme with ciphertext overhead of constant size, and the resulting scheme can be proven adaptively secure under static assumption (non-đ-type assumption). Then, Boneh, Waters, and Zhandry [10] made use of multilinear maps to construct a broadcast encryption where ciphertext overhead, private key size, and public key size are all poly-logarithmic in đ. Other works [11â15] focus on the improvements of broadcast encryptions with special functionalities, for example, identity-based BE, anonymous BE, and traitor-tracing BE. Recently, Wee [16] presented the first broadcast encryption scheme with constant-size ciphertext overhead, constant-size user secret keys, and linear-size public parameters under static assumptions, while the resulting scheme is proven secure under static security model. It is worth noting that although adaptive security defined in [8] seems strong enough to capture the security of broadcast encryptions, attacks in the real world are more complex,
2 for example, the adversary may adaptively get multiple challenge ciphertexts instead of only one. Such attacks are described in the so-called multiuser, multichallenge setting. Bellare et al. [17] initiated the study of the formal security in the multiuser setting, which shows that one-user, one-ciphertext security implies security in the multiuser, multichallenge setting. But the reduction loss of the proof is đđ˘ â đđ , where đđ˘ and đđ denote the number of users and the number of challenge ciphertexts per user, respectively. However, large reduction loss usually implies large cryptographic parameters, which leads to low efficiency in practice. Recent breakthrough was made by Hofheinz and Jager [18], which provided the first IND-CCA secure PKE in the multiuser/multichallenge setting and the security tightly relates to the decision linear assumption. Here, tight security means that the security loss is a constant. Hofheinz, Koch, and Striecks [19] extended Chen and Weeâs proof technique [20] to the multiuser/multichallenge setting and provided an almost tightly secure identity-based encryption (IBE) in the same setting, where the security loss only relies on the security parameter instead of the number of queries or instances of the scheme. Hence, an extension of broadcast encryptions in the multiuser/multichallenge setting is natural. However, the problem of constructing tightly secure broadcast encryptions in the multiuser/multichallenge setting is more subtle. Our Contribution. We define a stronger notion for broadcast encryption, called the adaptive security in the multichallenge setting (MA-security), where the adversary can not only adaptively have access to the key generation oracle and the encryption oracle many times (multichallenge) but also adaptively query for the challenge ciphertexts on different target user sets instead of only one target set as in previous security model. Since each target user set is actually the combination of different users chosen by the adversary adaptively, it is more challenging for the reduction algorithm to prepare the parameters of broadcast encryptions than that of ordinary PKE or IBE. Our general result shows that the reduction of the adaptive secure broadcast encryption will lose a factor of đ in the MA setting, where đ is the maximum number of encryption queries. To achieve tighter MA-security, we investigate the following two methods. The first method is from Gentry and Waters transformation [8] mentioned above. By exploring the random self-reducibility of BDHE assumption, we show that their transformation still holds in terms of MA-security, but at the cost of reduction loss đ on the advantage of underlying symmetric key encryption. We emphasize that the resulting broadcast encryption schemeâs security depends on both the BDHE assumption and the security of the symmetric key encryption. The reduction loss on the underlying symmetric key encryption is đ, while the reduction on BDHE is tight due to the random self-reducibility of BDHE assumption, which is not implied by the general result of [17]. To remove the BDHE assumption, our second method applies the HofheinzKoch-Striecks techniques [19] to Gentry-Watersâ semistatic secure broadcast encryption. The resulting scheme is essentially the Hofheinz-Koch-Striecks IBE scheme instantiated in a composite order group, while the userâs decryption
Security and Communication Networks key of broadcast encryption is expressed in a different way from that of [19]. Both methods can turn Gentry-Watersâ semistatically secure broadcast encryption into a MA-secure one with constant-size ciphertext header. Note that the public key size of both schemes is linear with the number of users. An interesting problem is how to reduce the public key size of a MA-secure broadcast encryption under standard assumptions while preserving constant ciphertext header size.
2. Preliminaries Notations. Let [1, đ] fl {1, . . . , đ}, where đ â N. For a finite set đ
S, we denote by đĽ â ół¨ S the fact that đĽ is picked uniformly at random from S. đ can be denoted as a binary string; that is, đ = đ 1 â â â đ đ , where đ đ â {0, 1} for đ â [1, đ]. We write vectors in bold font; for example, K = (đž0 , . . . , đž2đ ) for a vector of length 2đ + 1. SD(đ; đ) denotes the statistical distance of đ and đ, where đ and đ are random variables. We say đ and đ are đ-close if SD(đ; đ) ⤠đ. 2.1. Bilinear Map. Let G and Gđ be two groups of prime order đ, and let đ be a generator of G. đ : G Ă G â Gđ is a bilinear map with the following properties. (1) Bilinearity: for all đ˘, V â G and đ, đ â Z, đ(đ˘đ , Vđ ) = đ(đ˘, V)đđ . (2) Nondegeneracy: đ(đ, đ) ≠ 1. (3) Computability: there exists an efficient algorithm to compute đ(đ˘, V), for any đ˘, V â G. 2.2. Assumptions Decisional BDHE Problem [8]. Let (G, Gđ, đ, đ) be the description of the group parameter which is the output of group generator G(đ), where đ is the security parameter. Choose đ
ół¨ {0, 1} and given 2đ + 2 elements đâ 2
where đ, đ â ół¨ Zâđ , đ â đ(đđ , đđ ) if đ = 0 and đ â ół¨ Gđ if đ = 1. The problem is to guess đ. The decisional BDHE assumption states that for any PPT adversary A which takes as inputs the description of (G, Gđ , đ) and the above elements and outputs đâ , the advantage óľ¨óľ¨ â óľ¨óľ¨ AdvBDHE G,A (đ) fl óľ¨óľ¨Pr [đ = đ ] â óľ¨
1 óľ¨óľ¨óľ¨ óľ¨óľ¨ 2 óľ¨óľ¨
(2)
is negligible in đ. 2.3. Broadcast Encryption Systems. A broadcast encryption system consists of four randomized algorithms described below.
đđđĄđ˘đ(đ, â). Take as input the number of users đ and the maximal size â ⤠đ of a broadcast recipient group and output a public/secret key pair (PK, SK). (The security parameter đ is taken as parts of the input implicitly.) đžđđŚđşđđ(đ, đđž). Take as input a user index đ â [1, đ] and the secret key SK and output a private key đđ . đ¸đđ(đ, đđž). Take a user set đ â [1, đ] and the public key PK as input. It outputs a pair (đťđđ, đž), where đťđđ is the header and đž â K is the message encryption key from a key space K. đˇđđ(đ, đ, đđ , đťđđ, đđž). Take as input a user set đ â [1, đ], a user index đ â [1, đ], and the corresponding private key đđ for user đ, a header đťđđ, and the public key PK. If đ â đ, then the algorithm outputs the message encryption key đž â K.
3. Adaptive Security in the Multichallenge Setting (MA-Security) In this section, we define the adaptive security of broadcast encryption in the multichallenge setting. Let BE = (Setup, KeyGen, Enc, Dec) be a broadcast encryption scheme. The experiment for BE is described in Table 1. During the experiment, the adversary A takes đ and the description of BE including PK as inputs and A can have access to the following two kinds of oracles. (i) OKeyGen (â , SK) is the secret key generation oracle which takes a user index đ as input and outputs KeyGen(đ, SK). Note that A cannot make đ as the key generation query if đ â đđ , where đđ has been queried to the encryption oracle. Suppose the adversary can make đkey key generation queries at most. (ii) OEnc (â , PK) is the encryption oracle which takes đđ as input and outputs the challenge ciphertext đśđ = (đťđđđâ , đžđ,đ ), where (đťđđđâ , đž0,đ ) â Enc(đđ , PK), đ
đž1,đ â ół¨ K. The restriction on encryption query is that đđ can not include any user index đ which has been queried to OKeyGen . Suppose that the adversary A can only query encryption oracle OEnc (â , PK) at most đEnc times. A broadcast encryption scheme BE is adaptively secure in the multichallenge setting (MA-secure) if, for any PPT adversary A, the advantage óľ¨óľ¨ 1 óľ¨óľ¨óľ¨ MA óľ¨óľ¨ óľ¨ (3) AdvMA A,BE (đ) fl óľ¨óľ¨Pr [ExpA,BE (đ) = 1] â óľ¨óľ¨ 2óľ¨ óľ¨ is negligible in đ.
Remark 1. The main difference between our MA-security and the adaptive security defined in [8] is the encryption queries. In MA-security experiment, the adversary can not only adaptively have access to the encryption oracle many times but also query for the challenge ciphertexts on different target user sets, while the adversary can make only one encryption query for one target user set in adaptive security experiment ExpAA,BE [8], where the related advantage of ExpAA,BE is denoted as AdvAA,BE (đ) fl | Pr[ExpAA,BE (đ) = 1] â 1/2|. To investigate Gentry and Waters transformation in the multichallenge setting, we also need to extend semistatic security defined in [8] to the multichallenge setting, which is called semistatic security in the multichallenge setting (MSsecurity). The MS-security is defined in a similar way as that of MA-security, where the adversary also takes đ and the description of BE including PK as inputs and can have access to OđžđđŚđşđđ (â , SK) and OEnc (â , PK) as defined in MA-security. But additional restrictions in MS-security are that A has to choose a target user set đâ at the beginning of the experiment and encryption queries đđ are such that đđ â đâ . Details of MS experiment are shown in Table 2 A broadcast encryption scheme BE is semistatically secure in the multichallenge setting (MS-secure) if, for any PPT adversary A, the advantage óľ¨óľ¨ MS óľ¨óľ¨ AdvMS A,BE fl óľ¨óľ¨Pr [ExpA,BE (đ) = 1] â óľ¨
1 óľ¨óľ¨óľ¨ óľ¨óľ¨ 2 óľ¨óľ¨
(4)
is negligible in đ.
4. MA-Secure Broadcast Encryption First we give a general result on the reduction loss of an adaptive secure broadcast encryption in the MA setting. Then, to derive a tighter reduction, we show how to extend Gentry-Waters transformation to the multichallenge setting and construct a concrete MA-secure broadcast encryption based on BDHE assumption. 4.1. General Construction Theorem 2. For any PPT adversary A which can make at most đkey = đkey (đ) key generation queries and đEnc = đEnc (đ) encryption queries with running time đĄó¸ , there exists an algorithm B with about the same running time as A, such that A AdvMA A,BE (đ) ⤠đEnc â AdvB,BE (đ) .
(5)
4
Security and Communication Networks
Proof. The proof proceeds via the following games. (i) Game0 : Game0 is the real MA experiment except the following differences. When the adversary adaptively makes encryption query for set đđ , the challenger responds with Enc(đđ , PK) = (đťđđđ , đž0,đ ), where đ â [1, đEnc ]. (ii) Game1 : Game1 is identical to Game0 except that the challenger replies the encryption queries with (đťđđđ , đž1,đ ) for đ â [1, đEnc ], where (đťđđđ , đž0,đ ) â đ
ół¨ Kâ and Kâ denotes the key Enc(đđ , PK), đž1,đ â space. Now we construct a series of subgames 0, đ for đ = 0, . . . , đEnc to prove the indistinguishability between Game0 and Game1 . (i) Game0,1 . Game0,1 is the same as Game0 except that the đ
â
challenger chooses đž1,1 â ół¨ K to construct challenge (đťđđ1 , đž1,1 ) for the first encryption query đ1 . (ii) Game0,đ . Game0,đ is the same as Game0,đâ1 except that đ
Next, we show that |Pr[Game0,đ = 1] â Pr[Game0,đâ1 = 1]| is negligible, for đ â [1, đEnc ]. That is, if there exists a PPT adversary A1 which can distinguish the adjacent games for
some đ, we can construct a PPT algorithm B which can break the adaptive security of the underlying scheme. Claim (Game0,đâ1 đĄđ Game0,đ ). For any PPT adversary A1 which can make at most đkey = đkey (đ) key generation queries and đEnc = đEnc (đ) encryption queries with running time đĄó¸ , there exists algorithm B with about the same running time as A1 , such that 1 óľ¨óľ¨ óľ¨ â óľ¨Pr [Game0,đ = 1] â Pr [Game0,đâ1 = 1]óľ¨óľ¨óľ¨ 2 óľ¨ =
AdvAB,BE
(7)
(đ) .
Proof. B simulates the experiment as follows. (i) The challenger runs Setup(đ, â) and sends PK to B which will send PK to A1 . (ii) A1 adaptively makes key generation queries for user index đ. (iii) B sends user index đ to the challenger which runs KeyGen(đ, SK) and sends back the secret key đđ for user đ. Then B sends đđ to A1 . (iv) A1 adaptively makes encryption queries for đđ , where đ denotes the đth query. (a) If đ â [1, đ â 1], B runs Enc(đđ , PK) = (đťđđđ , đ
ół¨ Kâ and sends đž0,đ ) and chooses đž1,đ â (đťđđđ , đž1,đ ) to A1 . (b) If đ â [đ + 1, đEnc ], B runs Enc(đđ , PK) = (đťđđđ , đž0,đ ) and sends (đťđđđ , đž0,đ ) to A1 . (c) If đ = đ, B sends đđ to the challenger which đ
ół¨ {0, 1} and sends back đśđâ = then chooses đ â đ
ół¨ Kâ , (đťđđđ , đž0,đ ) â (đťđđđ , đžđ,đ ) where đž1,đ â Enc(đđ , PK). Next B sends đśđâ to A1 . (v) A1 outputs đó¸ . If đó¸ = đ, B outputs 1, otherwise, 0. Observe that if đ = 1, A1 âs view is identical to that of Game0.đ . Otherwise A1 âs view is identical to that of Game0.đâ1 . Thus óľ¨óľ¨ 1 óľ¨óľ¨ óľ¨óľ¨ 1 AdvAB,BE fl óľ¨óľ¨óľ¨óľ¨Pr [ExpAB,BE (đ) = 1] â óľ¨óľ¨óľ¨óľ¨ = óľ¨óľ¨óľ¨óľ¨ 2óľ¨ óľ¨2 óľ¨ â Pr [ExpAB,BE (đ) = 1 | đ = 1] +
5 an algorithm B with about the same running time as A, such that
Hence we have A AdvMA A,BE (đ) ⤠đEnc â AdvB,BE (đ) ,
(9)
which completes the proof of Theorem 2. 4.2. MS-Secure Broadcast Encryption Based on BDHE Assumption. To reduce the reduction loss, we investigate Gentry-Waters broadcast encryption [8] in the MA setting. First we briefly recall the semistatically secure broadcast encryption scheme in [8]. Let G(đ, đ) be a PPT algorithm which takes as input the security parameter đ and the number of users đ and generates the description of group parameter (G, Gđ , đ, đ), where G, Gđ denotes the group of prime order đ = đ(đ, đ) and đ is the bilinear map. đ
ół¨ Zđ . Set đ, â1 , . . . , âđ are generators of G and đź â đź
BDHE AdvMS A,BE (đ) = AdvG,B (đ) .
(16)
The proof is similar to that of [8] except that we have to deal with multiple challenges in the simulation. Furthermore, to derive a tighter reduction, we need the following lemma which makes use of the random self-reducibility of BDHE. Lemma 4. There exists an efficient algorithm that takes 2 đ đ+2 2đ as input (đđ , đ, đđ , đđ , . . . , đđ , đđ , . . . , đđ , đ) for đ = đ đ(đđ , đđ ) and generates many tuples of the form 2
Output (đťđđ, đž). đˇđđ(đ, đ, đđ , đťđđ, đđž). If đ â đ, parse đđ as (đđ,0 , . . . , đđ,đ ) and đťđđ as (đś1 , đś2 ) and output đž = đ (đđ,đ â â đđ,đ , đś1 ) â đ (đđ,0 , đś2 ) .
If đ = 0, namely, đ = đđ , then đđ = đđ đ . If đ ≠ 0, namely, đ ≠ đđ , then đđ = đđ đ + đVđ . Since đVđ are uniformly distributed, we have đđ uniformly distributed over Zđ .
(13)
đâđ
đźâ đĄ
(19)
Next, more details of the concrete proof of Theorem 3 can be found in Appendix A.
đĄ
đťđđ = (đđĄ , (ââđ ) ) ,
đ đđ if đ = đđ mod đ {đ (đ , đ đ ) đđ = { đ đ đđ đ +đVđ ) if đ ≠ đđ mod đ. {đ (đ , đ
(15)
đâđ\{đ}
Theorem 3. For any PPT adversary A which can make at most đkey = đđđđŚ (đ) key generation queries, đđ¸đđ = đđ¸đđ (đ) encryption queries with running time đĄó¸ , there exists
4.3. Transforming MS-Security to MA-Security. In this section, we show that Gentry-Waters transformation still holds in the multichallenge setting, but at the cost of reduction loss đEnc in the advantage of underlying symmetric encryption scheme. First, we briefly recall Gentry-Waters transformation [8]. Let BEMS = (SetupMS , KeyGenMS , EncMS , DecMS ) be a MS-secure broadcast system and Î sym = (SymSetup, SymEnc, SymDec) be a symmetric encryption scheme with key space Kó¸ . đ
đđđĄđ˘đ(đ). Run SetupMS (2đ) â (đđžó¸ , đđžó¸ ). Let đ â ół¨ {0, 1}đ ó¸ and đ đ denotes đth bit of đ . Let PK = đđž and SK = (đđžó¸ , đ ). Output (PK, SK). đžđđŚđşđđ(đ, đđž). Run KeyGenMS (2đ â đ đ , đđžó¸ ) â đđó¸ . Set đđ = (đđó¸ , đ đ ). Output private key đđ .
6
Security and Communication Networks length as the query and Oó¸ Enc (đ, â ) returns SymEnc(đ, đđ ) as the challenge ciphertext. We say the symmetric key encryption scheme Î sym is one-time CPA-secure if, for any PPT adversary A, the advantage
(iii) Game2 is the same as Game1 except that for each đ
Output (đťđđ, đž). đˇđđ(đ, đ, đđ , đťđđ, đđž). Parse đťđđ as (đťđđ0 , đťđđ1 , đś0 , đś1 , đĄ) and đđ as (đđó¸ , đ i ). Set đ0 and đ1 as above. Run đ đ đ âđĄđ âół¨
(23)
Proof of Sketch. The main idea of the proof is similar to that of [8] except that we need to deal with multiple challenges, which incurs a reduction loss in the advantage of symmetric key encryption scheme. More precisely, we need to prove the indistinguishability of the following games.
ół¨ Kó¸ encryption query the challenger chooses đ 1,đ â to construct đś1,đ = SymEnc(đ 1,đ , đž1,đ ), where đž0,đ = đž1,đ .
(iv) Game3 is the same as Game2 except that the challenger đ
(21)
chooses đž0,đ â ół¨ K to construct đś0,đ = SymEnc(đ 0,đ , đž0,đ ). (v) Game4 is the same as Game3 except that the challenger đ
chooses đž1,đ â ół¨ K to construct đś1,đ = SymEnc(đ 1,đ , đž1,đ ).
Output đž. Theorem 5. For any PPT adversary A which can make at most đkey = đkey (đ) key generation queries and đEnc = đEnc (đ) encryption queries with running time đĄó¸ , there exist algorithms A1 , A2 , A3 , and A4 , each with about the same running time as A, such that MS MS AdvMA A,BE,đ (đ) ⤠AdvA1 ,BE,2đ (đ) + AdvA2 ,BE,2đ (đ)
+ đEnc â AdvCPA A3 ,Î sym (đ) + đEnc
(22)
â AdvCPA A4 ,Î sym (đ) . Notice that AdvCPA B,Î sym (đ) denotes the advantage of Î sym
= (SymSetup, SymEnc, SymDec), which is defined by the following one-time symmetric key IND-CPA experiment described in Table 3. During the experiment, A takes the security parameter and the description of Î sym as input and can make only one encryption query to encryption oracle Oó¸ Enc (đ, â ). More precisely, đ´ chooses a pair of plaintexts (đ0 , đ1 ) of the same
The indistinguishability among Game0 , Game1 , and Game2 relies on the MS-security of BE. By using hybrid arguments, we show the indistinguishability between Game2 and Game3 (Game3 and Game4 ), which relies on the one-time CPA security of the underlying symmetric key encryption. It is easy to check that the adversary has no advantage in Game4 . More details are shown in Appendix B.
5. Remove đ-Type Assumption In this section, we show how to remove the đ-type assumption of the MS-secure Gentry-Waters scheme in Section 4 by using Hofheinz-Koch-Striecks techniques [19], where the original Gentry-Waters scheme is lifted to composite order groups. Let G(đ, 4) be a composite-order group generator which generates group parameters (đş, đşđ , đ, đ, đ, đ1 , đ2 , đ3 , đ4 ), where đ : đş Ă đş â đşđ is a nondegenerate bilinear map and đş, đşđ are cyclic groups of order đ and đ is the product of different primes đ1 , đ2 , đ3 , and đ4 , and let đ be the generator of group đş and đđ , for đ â [1, 4], be the
Security and Communication Networks
7
random generators of subgroups đşđ1 , đşđ2 , đşđ3 , đşđ4 of orders đ1 , đ2 , đ3 , đ4 , respectively. Let UH be a family of universal hash functions H : đşđ â {0, 1}đ with the property that for any nontrivial subgroup đşđó¸ â đşđ and for H â UH, đ â đşđó¸ and đ â {0, 1}đ , we have SD((H, H(đ)), (H, đ)) = O(2âđ ). In addition, the resulting scheme relies on the following assumptions [19]. Dual System Assumption 1 (DS1). For any PPT adversary A, the advantage function AdvDS1 A (đ)
is negligible in đ, where (đş, đşđ , đ, đ, đ, (đđ )đ ) âół¨ G (đ, 4) ; đŚ
Note that đž2đ˘ is not used in đ đđ˘ . đ¸đđ(đ, mpk). Take a set đ â [1, đ] as well as a master public key mpk as input. We denote đ as a binary string; that is, đ = đ 1 â â â đ đ , where đ đ˘ â {0, 1} and đ˘ â [1, đ]. That is, đ đ˘ = 1 if user đ
đ˘ is in đ. Otherwise, đ đ˘ = 0. Generate đĄ â ół¨ Zđ and output đťđđ = (đś0 , đś1 ) =
The proof follows that of [19] and proceeds via a series of games described in Appendix C, where the user set đ is considered as a special kind of identity đđ. The main difference between games is presented in Table 4. Random function families, auxiliary secret key generation, auxiliary encryption function, semifunctional user secret keys, pseudo-normal ciphertexts, and semifunctional ciphertexts are defined as follows. More details can be found in Table 4. (i) Random Function Families. In our scheme each user index đ˘ â [1, đ] is interpreted as đ-bit binary string đ˘ = 0 â â â 010 â â â 0, where only đ˘-th bit is 1. Both user index đ˘ and user set đ are denoted as identity đđ. Let đđ|đ fl đđ1 â â â đđđ be đbit prefix of đđ and denote ID|đ fl {0, 1}đ . For đ â [0, đ], define two random functions as follows. Ě đ (đđ|đ ) : ID|đ â đşđ đşđ ; đđ|đ ół¨â (đ2 đ4 )đžĚđ (đđ|đ ) ; (a) RF 2 4 đ
5.2. Security Proof Theorem 6. For any PPT adversary A which can make at most đđđđŚ = đđđđŚ (đ) key generation queries and đEnc = đEnc (đ) encryption queries with running time đĄó¸ , there exist algorithm B1 on DS1, B2 on DS2, B3 on DS3, and B4 on DS-BDDH with running time đĄó¸ +O(đđđ (đkey +đEnc )), respectively, for some constant đ â N, such that DS1 DS2 AdvMA A,BE (đ) ⤠AdvB1 (đ) + 2đ â AdvB2 (đ) + đ DS-BDDH â AdvDS3 + đEnc B3 (đ) + AdvB4
â O (2âđ ) .
2đ+1 . where K = (đž0 , đž1 , đž2 , . . . , đž2đ ) â đşđ
Table 4: Sequence of games, where a dash(â) means the same as in the previous game. Note that user set đâ and user identity đ˘ are interpreted as đđâ and đđ, respectively. Game
Proof. If there exists a PPT adversary A which can break the MS-security of the broadcast encryption, then we show how to construct a PPT algorithm B to break BDHE assumption. Upon receiving the BDHE problem instance, which 2 đ đ+2 2đ consists of (đđ , đ, đđ , đđ , . . . , đđ , đđ , . . . , đđ ) and đ, B MS simulates the experiment ExpA,BE (đ) for A as follows. (i) A chooses a set đâ â [1, đ].
10
Security and Communication Networks đ
number of encryption queries that adversary can make. A1 acts as follows:
(ii) Setup. B generates đŚ0 , . . . , đŚđ â ół¨ Zđ and sets âđ = đđŚđ
if đ â đâ , đ
âđ = đđŚđ +đ
đ
(A.1)
if đ â đâ .
đ+1
Since đđ is unknown, we implicitly set đź = đŚ0 â đđ+1 đ and đ(đ, đ)đź can be computed as đ(đđ , đđ )đŚ0 . Now the public key is đź
(iv) Encryption queries: A adaptively makes subset đđ â đâ as encryption query. B runs the algorithm of Lemma 4 to generate (đđ đ , đđ ) for đ â [1, đEnc ] and set đťđđđâ = (đś1,đ , đś2,đ ) = (đđ đ , (âđâđđ âđ )đ đ ) = (đđ đ , đŚ
đŚ
(đđ đ ) đâđđ đ ), đžđ = đđ 0 . Return (đťđđđâ , đžđ ) as the answer to đđ . Eventually, A outputs a bit đó¸ which is also the output of B. It is easy to check that B perfectly simulates ExpMS A,BE (đ). Therefore, Bâs advantage in deciding the BDHE instance is precisely Aâs advantage against the MS-security of the broadcast encryption scheme, which completes the proof.
B. Proof of Theorem 5 Proof. Let Gameđ = 1 denote the event that the adversary outputs 1 in Gameđ . Game0 . This is the real game which is identical to experiment ExpMA A,BE . Thus, óľ¨óľ¨ óľ¨óľ¨ AdvMA A,BE,đ (đ) = óľ¨óľ¨Pr [Game0 = 1] â óľ¨
1 óľ¨óľ¨óľ¨ óľ¨óľ¨ . 2 óľ¨óľ¨
(B.1)
(Game1 đĄđ Game0 ). Game1 is identical to Game0 except that the challenge ciphertext đś0,đ for đ â [1, đEnc ] is computed as đ
đ
(ii) Choose đ â ół¨ {0, 1}đ and generate đâ â {2đ â (1 â đ đ ) : đ â [1, đ]}, where đ đ denotes đth bit of đ . A1 sends đâ to the challenger. Notice that đâ â [1, 2đ]. (iii) The challenger runs SetupMS to obtain (PKó¸ , SKó¸ ) and sends PKó¸ to A1 . Then B1 sets PK â PKó¸ and sends PK to A. (iv) A adaptively makes key generation queries for đó¸ â [1, đ]. Then A1 sends 2đó¸ â đ đó¸ to the challenger of the MS experiment. (v) The challenger runs KeyGenMS (2đó¸ âđ đó¸ , SKó¸ ) to obtain đđó¸ ó¸ and sends đđó¸ ó¸ to A1 , which returns đđó¸ â (đđó¸ ó¸ , đ đó¸ ) to A. (vi) A adaptively makes encryption queries đđ . Then A1 sets đđ = {đĄđ = 1 â đ đ : đ â đđ }, đ0,đ = {2đ â đĄđ : đ â đđ }, đ1,đ = {2đ â (1 â đĄđ ) : đ â đđ } and sends đ0,đ for đ â [1, đEnc ] to the challenger. Notice that đ0,đ â đâ . (đ) ), where (vii) The challenger sends back (đťđđ0,đ , đ 0,đ
đđŚđ đđ +đ â đ§đ .
â
(i) Choose đâ â ół¨ {0, 1}.
ół¨ Kó¸ and đś0,đ â SymEnc(đ 0,đ , đžđ ). follows: đ 0,đ â For any PPT adversary A which can distinguish Game1 from Game0 , there exists an algorithm A1 which can break the MS-security of BEMS scheme. Suppose đEnc is the maximal
đ
(0) (1) (đťđđ0,đ , đ 0,đ ) â EncMS (đ0,đ , PKó¸ ) and đ 0,đ â ół¨ Kó¸ . Note that đ â {0, 1} has been chosen by the challenger at the beginning of the experiment. (viii) A1 sets (đťđđ1,đ , đ 1,đ ) â EncMS (đ1,đ , PKó¸ ) and gener đ
(đ) ół¨ K. Then it sets đś0,đ â SymEnc(đ 0,đ , ates đž0,đ , đž1,đ â â đž0,đ ), đś1,đ â SymEnc(đ 1,đ , đž0,đ ), and đťđđđ â (đťđđ0,đ , đś0,đ , đťđđ1,đ , đś1,đ , đđ ) and sends (đťđđđâ , đžđâ ,đ ) to adversary A. (ix) A outputs a bit đó¸ . If đâ = đó¸ , A1 outputs 0, otherwise, 1.
Notice that if đ = 0, Aâs view is identical to that of Game0 . Otherwise, Aâs view is identical to that of Game1 . Hence, we have óľ¨ óľ¨óľ¨ óľ¨óľ¨Pr [Game0 = 1] â Pr [Game1 = 1]óľ¨óľ¨óľ¨ (B.2) ⤠AdvMS A1 ,BE,2đ (đ) . (Game2 đĄđ Game1 ). Game2 is identical to Game1 except that đ
ół¨ Kó¸ for each encryption query the challenger chooses đ 1,đ â to construct đś1,đ = SymEnc(đ 1,đ , đž0,đ ). The proof of the indistinguishability between Game2 and Game1 is similar to that of Game1 and Game0 . So we have óľ¨óľ¨ óľ¨ óľ¨óľ¨Pr [Game1 = 1] â Pr [Game2 = 1]óľ¨óľ¨óľ¨ (B.3) ⤠AdvMS A2 ,BE,2đ (đ) . (Game3 đĄđ Game2 ). Game3 is identical to Game2 except that đ
ół¨K for each encryption query the challenger chooses đž0,đ â đ
ół¨ SymEnc(đ 0,đ , đž0,đ ) for đ â [1, đEnc ]. to construct đś0,đ â
Security and Communication Networks
11
We construct a series of subgame 2, đ for đ = 1, . . . , đEnc , to prove the indistinguishability between Game 2 and Game 3. (i) Game2,1 . Game2,1 is identical to Game2 except that the đ
đ
challenger chooses đž0,1 â ół¨ K to construct đś0,1 â ół¨ SymEnc(đ 0,1 , đž0,1 ). (ii) Game2,đ . Game2,đ is identical to Game2,đâ1 except that đ
đ
the challenger chooses đž0,đ â ół¨ K to construct đś0,đ â ół¨ SymEnc(đ 0,đ , đž0,đ ).
indistinguishability between Game4 and Game3 is similar to that of Game3 and Game2 . So we have óľ¨ óľ¨óľ¨ óľ¨óľ¨Pr [Game3 = 1] â Pr [Game4 = 1]óľ¨óľ¨óľ¨ ⤠đEnc â AdvCPA A4 ,Î sym (đ) .
In Game4 , all đ 0,đ , đ 1,đ , đž0,đ , đž1,đ for đ â [1, đEnc ] are chosen at random and đťđđđâ is independent of đžđ,đ . Hence, the adversary has no advantage. That is, óľ¨óľ¨ óľ¨óľ¨Pr [Game = 1] â óľ¨óľ¨ 4 óľ¨
Note that Game3 is identical to Game2,đEnc . Claim (Game2,đâ1 đĄđ Game2,đ ). For any PPT adversary M which can make at most đkey = đkey (đ) key generation queries and đEnc = đEnc (đ) encryption queries with running time ĚđĄ, there exists an algorithm A3 with running about the same time as M, such that óľ¨óľ¨ óľ¨ óľ¨óľ¨Pr [Game2,đâ1 = 1] â Pr [Game2,đ = 1]óľ¨óľ¨óľ¨ (B.4) ⤠AdvCPA A3 ,Î sym (đ) . đ
Proof. A3 chooses đâ â ół¨ {0, 1} and simulates the experiment as follows. ó¸
(i) A3 runs Setup(đ, â) and KeyGen(đ , SK) as in Game2 . (ii) M adaptively makes encryption queries for đđ , where đ denotes đth query. If đ â [1, đ â 1], A3 returns the answer as in Game2,đâ1 . If đ â [đ + 1, đEnc ], A3 returns the answer as in Game2 . If đ = đ, A3 đ
chooses đž0,đ , đž1,đ â ół¨ K and sends (đž0,đ , đž1,đ ) to the đ
challenger. The challenger chooses đ â ół¨ {0, 1} and returns đś0,đ = SymEnc(đ , đžđ,đ ). Then A3 chooses đ
ó¸
đ 1,đ â ół¨ K , computes đś1,đ = SymEnc(đ 1,đ , đž1,đ ), and returns (đś0,đ , đś1,đ ). (iii) M outputs đó¸ . If đâ = đó¸ , A3 outputs 0, otherwise, 1. Observe that if đ = 1, Mâs view is identical to that of Game2,đâ1 . Otherwise, Mâs view is identical to that of Game2,đ . Thus óľ¨óľ¨óľ¨Pr [Game2,đâ1 = 1] â Pr [Game2,đ = 1]óľ¨óľ¨óľ¨ óľ¨ óľ¨ (B.5) CPA ⤠AdvA3 ,Î sym (đ) , which concludes the proof of the Claim. Due to the Claim, we have óľ¨óľ¨ óľ¨ óľ¨óľ¨Pr [Game2 = 1] â Pr [Game3 = 1]óľ¨óľ¨óľ¨
(B.7)
1 óľ¨óľ¨óľ¨ óľ¨óľ¨ = 0. 2 óľ¨óľ¨
(B.8)
Hence, we have MS MS AdvMA A,BE,đ (đ) ⤠AdvA1 ,BE,2đ (đ) + AdvA2 ,BE,2đ (đ)
+ đEnc â AdvCPA A3 ,Î sym (đ) + đEnc
(B.9)
â AdvCPA A4 ,Î sym (đ) .
C. Proof of Theorem 6 Game Sequence (i) Game0 is the real experiment ExpMA A,BE . (ii) Game1 is the same as Game0 except that all the challenge ciphertexts are pseudo-normal. (iii) Game2,đ,0 is the same as Game1 except that all user secret keys are semifunctional of type-(đ â 1), while the challenge ciphertexts are semifunctional of type(â§, đ â 1) for đ â [1, đ]. (iv) Game2,đ,1 is the same as Game2,đ,0 except that if đth bit of a challenge identity đđâ is 0 (i.e., đđđâ = 0), then the corresponding challenge ciphertexts are semifunctional of type-(â§, đ â 1). Otherwise, the corresponding challenge ciphertexts are semifunctional of type-(âź , đ â 1). (v) Game2,đ,2 is the same as Game2,đ,1 except that if đth bit of a challenge identity đđâ is 0 (i.e., đđđâ = 0), then the corresponding challenge ciphertexts are semifunctional of type-(â§, đ). Otherwise, the corresponding challenge ciphertexts are semifunctional of type(âź, đ). (vi) Game3 is the same as Game2,đ,0 except that all the challenge ciphertexts and user secret keys are semifunctional of type-(â§, đ) and semifunctional of typeđ, respectively.
(B.6)
(vii) Game4 is the same as Game3 except that the challenge keys đžđ output by oracle OEnc (â , mpk) are uniform bitstrings over {0, 1}đ .
(Game4 đĄđ Game3 ). Game4 is identical to Game3 except that
Lemma C.1 (Game0 to Game1 ). For any PPT adversary A with at most đkey = đkey (đ) key generation queries, đEnc = đEnc (đ) encryption queries, and running time ĚđĄ, there exists an
⤠đEnc â AdvCPA A3 ,Î sym (đ) .
đ
ół¨ K to construct đś1,đ = the challenger sets đž1,đ â SymEnc(đ 1,đ , đž1,đ ) for đ â [1, đEnc ]. The proof of the
12
Security and Communication Networks
algorithm B1 on DS1 with running time đĄ1 â ĚđĄ + O(đđđ (đkey + đEnc )), for some constant đ â N, such that óľ¨óľ¨ óľ¨ đˇđ1 óľ¨óľ¨Pr [Game0 = 1] â Pr [Game1 = 1]óľ¨óľ¨óľ¨ ⤠AdvB1 (đ) .
Lemma C.3 (Game2,đ,0 to Game2,đ,1 ). For any PPT adversary A with at most đkey = đkey (đ) key generation queries, đEnc = đEnc (đ) encryption queries, and running time ĚđĄ, there exists an algorithm B2 on DS2 with running time đĄ2 â ĚđĄ + O(đđđ (đkey + đEnc )), for some constant đ â N, such that óľ¨óľ¨ óľ¨ óľ¨óľ¨Pr [Game2,đ,0 = 1] â Pr [Game2,đ,1 = 1]óľ¨óľ¨óľ¨
đ
ół¨ đşđ1 or đ â ół¨ đşđ1 đ2 , and from the challenger, where đ â simulates the experiment for A as follows. đ
ół¨ đşđ1 đ2 or đ â ół¨ đşđ1 đ3 đ{2,3} , đ) from the challenger, where đ â đ
and chooses đ â ół¨ {0, 1}. Then B2 can use the parameter to generate msk, mpk as in the proof of Lemma C.1 and define a truly random function RF : {0, 1}đâ1 â đşđ2 đ3 đ4 . Key Generation Queries. Next, it can answer the secret key queries for đ˘ â [1, đ] as KeyGen(đ˘, msk â RF(đđ|đâ1 ), K), where RF(đđ|đâ1 ) : đđ|đâ1 â (đ{2,3} đ4 )đžđâ1 (đđ|đâ1 ) , đžđâ1 (đđ|đâ1 ) : đđ|đâ1 ół¨â đ
Key Generation Queries. To answer key generation queries đó¸
đ
ó¸ ół¨ Zâđ and compute đ 4,đ = đ4 đ for đ˘ â [1, đ], set đó¸ đ â đ â [1, 2đ] and generate K = (đž0 , đž1 , đž2 , . . . , đž2đ ) = (âđĄ , â1đĄ â đ
â where đĄđ â ół¨ Zâđ, đ â [1, đEnc ] and returns (đťđđđâ , đžđ,đ ), where â đ đžđ,1 â {0, 1} . Finally, A outputs a guess đó¸ . B1 outputs 1 if đó¸ = đ, otherwise, 0. The distribution of the master public key and user secret keys that A requests are identical to those in Game0 as well đ
as in Game1 . If đ â ół¨ đşđ1 , the distribution of challenge đ
ciphertexts is identical to that of Game0 , while if đ â ół¨ đşđ1 đ2 , the distribution of challenge ciphertexts is identical to that of Game1 . Therefore, we have (C.1). Lemma C.2 (Game1 to Game2,1,0 ). For any PPT adversary A with at most đkey = đkey (đ) key generation queries, đEnc = đEnc (đ) encryption queries, and running time ĚđĄ, we have Pr [Game1 = 1] = Pr [Game2,1,0 = 1] .
(C.6)
if (đđđâ )đ = 1.
, H (đ (đđĄđ , msk)))
đ=1
=
ół¨ Zâđ. đžđâ1 , and đžđâ1 â
(C.4)
Proof. As shown in Table 4, msk â đşđ in Game1 , while Ě 0 (đ)â RF Ě 0 (đ) in Game2,1,0 is also uniform in đşđ, mskó¸ = mskâ RF where đđ|0 denotes the empty string đ. Since the distribution Ě 0 (đ) â RF Ě 0 (đ) is identical, (C.4) holds. of msk and msk â RF
Finally, A outputs a guess bit đó¸ . B2 outputs 1 if đó¸ = đ; otherwise 0. đ đĄđ Note that g{1,2} is distributed uniformly over đşđ1 đ2 . If đ â ół¨ đşđ1 đ2 , the challenge ciphertexts are distributed identically as in Game2,đ,0 . Otherwise, the distribution is the same as in Game2,đ,1 . Hence (C.5) holds. Lemma C.4 (Game2,đ,1 to Game2,đ,2 ). For any PPT adversary A with at most đkey = đkey (đ) key generation queries, đEnc = đEnc (đ) encryption queries, and running time ĚđĄ, there exists an algorithm B3 on DS3 with running time đĄ3 â ĚđĄ + O(đđđ (đkey + đEnc )), for some constant đ â N, such that óľ¨ óľ¨óľ¨ óľ¨óľ¨Pr [Game2,đ,1 = 1] â Pr [Game2,đ,2 = 1]óľ¨óľ¨óľ¨ ⤠Advđˇđ3 B3 (đ) .
(C.7)
Ě đ) Ě is either Proof. B3 gets the instance (đˇ, đ), where đ = (đ, đĽđŚ
Key Generation Queries. During the experiment B3 can answer key generation queries for identity đđâ for â â [1, đkey ] as follows. By running the algorithm in Lemma 6 of [20] (or algorithm in [19]) which takes as input (1đkey , (đ2 , đ4 , Ě4 , đđŚ đ Ě Ě and (1đkey , (đ3 , đ4 , đđĽ đ Ě đŚĚ Ě B3 đ2đĽ đ 3 4 , đ3 đ4 ), đ), 2 4 ), đ) can generate the following tuples: đkey
For an identity prefix đđâ |đ that is a prefix of an already queried identity, we rerandomize the element of Kâ . Encryption Queries. Upon receiving encryption queries đđâ ,
where đžĚâ , đžĚâ â Zâđ. Next B3 answers â-th secret key generation query for identity đđâ with prefix đđâ |đ that is not a prefix of an already queried identity as
identically distributed, respectively. Therefore, in this case, the distribution is the same as in Game2,đ,2 . Besides, the distribution of the challenge ciphertexts is identical in these two games. Hence, (C.7) holds.
Key Generation Queries. B4 defines a truly random function RFó¸ : {0, 1}đ â đşđ2 đ4 . Next it can answer the secret key generation queries for identity đ˘ â [1, đ] as
Lemma C.5 (Game2,đâ1,2 to Game2,đ,0 ). For any PPT adversary A with at most đđđđŚ = đđđđŚ (đ) key generation queries, đEnc = đEnc (đ) encryption queries, and running time ĚđĄ, there exists an algorithm B2 on DS2, with running time đĄ2 â ĚđĄ + O(đđđ (đkey + đEnc )), for some constant đ â N, such that
Encryption Queries. Upon receiving encryption queries đđâ for some đ â [1, đEnc ], B4 sets
Proof. B4 is provided with the instance (đˇ, đ) where đ is either đ(đ2 , đ2 )đđđ or đ(đ2 , đ2 )đ§ , for
đ
đó¸
(C.20)
Lemma C.7 (Game3 to Game4 ). For any PPT adversary A with at most đkey = đkey (đ) key generation queries, đEnc = đEnc (đ) encryption queries, and running time ĚđĄ, there exists an algorithm B4 on DS-BDDH with running time đĄ4 â ĚđĄ + O(đđđ (đkey + đEnc )), for some constant đ â N such that
In Game2,đ,0 all the challenge ciphertexts are semifunctional of type-(â§, đ â 1), while in Game2,đâ1,2 if đth bit of challenge identity đđ is 0 (i.e., đđđ = 0), the challenge ciphertexts are totally identical to those in Game2,đ,0 . Otherwise, the challenge ciphertexts are semifunctional of type-(âź, đ â 1). Actually, the proof of (Game2,đâ1,2 to Game2,đ,0 ) and (Game2,đ,2 to Game3 ) is similar to that in Lemma C.3 and thus omitted.
Lemma C.6 (Game2,đ,2 to Game3 ). For any PPT adversary A with at most đkey = đkey (đ) key generation queries, đEnc = đEnc (đ) encryption queries, and running time ĚđĄ, there exists an algorithm B2 on DS2, with running time đĄ2 â ĚđĄ + O(đđđ (đkey + đEnc )), for some constant đ â N, such that óľ¨óľ¨ óľ¨ óľ¨óľ¨Pr [Game2,đ,2 = 1] â Pr [Game3 = 1]óľ¨óľ¨óľ¨
of Rerandđ and Rerandđ , đđ , đđ are uniformly distributed in Zđ. Since the uniform distribution in Zđ is statistically indistinguishable from the uniform distribution in Zâđ, we have that the distribution of challenge ciphertexts are O(2âđ )close to that of Game3 . Note that we implicitly set đžĚđ = đđ đđ . For the challenge identity queried before, we can just rerandomize the previously used query value đđ . If đ = đ(đ2 , đ2 )đ§ , then
The distribution of mpk and the requested user secret keys are identical to the real scheme. If đ = đ(đ2 , đ2 )đđđ = đ((đ1 đ2 )đ , đ{2,4} )đđ and the challenge identity was not queried before, đđ ((đ1đ đĚ2đ Ě)
H (đ ((đ1đ đĚ2Ěđ ) , msk â (đ{2,4} )
))) .
Since đđ , đ§đđđ are uniformly distributed over Zđ. So đ((đ1đ đĚ2Ěđ )đđ , â1 msk â (đ{2,4} )đ§đđđ â đđ ) is statically close to the uniform distribution of subgroup of đşđ . Due to the property of universal hash function we have SD((H, H(đ((đ1đ đĚ2Ěđ )đđ , msk â â1 (đ{2,4} )đ§đđđ â đđ ))); (H, đ)) = O(2âđ ) for đ â {0, 1}đ . Thus the challenge ciphertexts are distributed O(2âđ )-close to that of Game4 . Hence (C.21) holds. Finally, we have
H (đ ((đ1đ đĚ2Ěđ ) , msk â (đ{2,4} ) đ đ ))) . Note that the exponents đ, đ, đ, and đ§ are required to be uniformly distributed in Zâđ, but when we reuse the outputs
DS-BDDH â AdvDS3 + đEnc B3 (đ) + AdvB4
â O (2âđ ) , which completes the proof of Theorem 6.
(C.33)
16
Security and Communication Networks
Disclosure Parts of this paper are presented at Inscrypt 2016.
[11]
Conflicts of Interest The authors declare that there are no conflicts of interest regarding the publication of this paper.
[12]
Acknowledgments All authors were funded by National 973 Grant 2013CB834205, NSFC Grant 61672019, and The Fundamental Research Funds of Shandong University Grant 2016JC029. Puwen Wei was also funded by NSFC Grant 61502276.
[13]
[14]
References [1] A. Fiat and M. Naor, âBroadcast encryption,â in Advances in Cryptologyâ(CRYPTO â93), D. R. Stinson, Ed., vol. 773 of Lecture Notes in Computer Science, pp. 480â491, Springer, Berlin, Germany, 1993. [2] I. Kim and S. O. Hwang, âAn optimal identity-based broadcast encryption scheme for wireless sensor networks,â IEICE Transactions on Communications, vol. E96-B, no. 3, pp. 891â895, 2013. [3] D. Naor, M. Naor, and J. Lotspiech, âRevocation and tracing schemes for stateless receivers,â in Proceedings of the Advances in Cryptologyâ(CRYPTO â01), 21st Annual International Cryptology Conference, pp. 41â62, Springer, Berlin, Germany. [4] D. Halevy and A. Shamir, âThe LSD broadcast encryption scheme,â in Advances in Cryptologyâ(CRYPTO â02), M. Yung, Ed., vol. 2442 of Lecture Notes in Computer Science, pp. 47â60, Springer, Berlin, Germany, 2002. [5] M. T. Goodrich, J. Z. Sun, and R. Tamassia, âEfficient treebased revocation in groups of low-state devices,â in Advances in Cryptologyâ(CRYPTO â04), M. K. Franklin, Ed., vol. 3152 of Lecture Notes in Computer Science, pp. 511â527, Springer, Berlin, Germany, 2004. [6] Y. Dodis and N. Fazio, âPublic key broadcast encryption for stateless receivers,â in Security and Privacy in Digital Rights Management, ACM CCS-9 Workshop, J. Feigenbaum, Ed., vol. 2696 of Lecture Notes in Computer Science, pp. 61â80, Springer, Berlin, Germany, 2003. [7] D. Boneh, C. Gentry, and B. Waters, âCollusion resistant broadcast encryption with short ciphertexts and private keys,â in Advances in Cryptologyâ(CRYPTO â05), V. Shoup, Ed., vol. 3621 of Lecture Notes in Computer Science, pp. 258â275, Springer, Berlin, Germany, 2005. [8] C. Gentry and B. Waters, âAdaptive security in broadcast encryption systems (with short ciphertexts),â in Advances in Cryptologyâ(EUROCRYPT â09), A. Joux, Ed., vol. 5479 of Lecture Notes in Computer Science, pp. 171â188, Springer, Berlin, Germany, 2009. [9] B. Waters, âDual system encryption: realizing fully secure IBE and HIBE under simple assumptions,â in Advances in Cryptologyâ(CRYPTO â2009), S. Halevi, Ed., vol. 5677 of Lecture Notes in Computer Science, pp. 619â636, Springer, Berlin, Germany, 2009. [10] D. Boneh, B. Waters, and M. Zhandry, âLow overhead broadcast encryption from multilinear maps,â in Advances in Cryptologyâ(CRYPTO â14), J. A. Garay and R. Gennaro, Eds.,
[15]
[16]
[17]
[18]
[19]
[20]
vol. 8616 of Lecture Notes in Computer Science, pp. 206â223, Springer, Berlin, Germany, 2014. D. Boneh and B. Waters, âA fully collusion resistant broadcast, trace, and revoke system,â in Proceedings of CCS 2006: 13th ACM Conference on Computer and Communications Security, pp. 211â 220, Alexandria, Virginia, USA, November 2006. J. H. Han, J. H. Park, and D. H. Lee, âTransmission-efficient broadcast encryption scheme with personalized messages,â IEICE Transactions on Fundamentals of Electronics, Communications and Computer Sciences, vol. E96-A, no. 4, pp. 796â806, 2013. M. Zhang, B. Yang, Z. Chen, and T. Takagi, âEfficient and adaptively secure broadcast encryption systems,â Security and Communication Networks, vol. 6, no. 8, pp. 1044â1052, 2013. J. Kim, W. Susilo, M. H. Au, and J. Seberry, âAdaptively secure identity-based broadcast encryption with a constantsized ciphertext,â IEEE Transactions on Information Forensics and Security, vol. 10, no. 3, pp. 679â693, 2015. S. H. Islam, M. K. Khan, and A. M. Al-Khouri, âAnonymous and provably secure certificateless multireceiver encryption without bilinear pairing,â Security and Communication Networks, vol. 8, no. 13, pp. 2214â2231, 2015. H. Wee, âD´ej`a Q: Encore´e un petit IBE,â in Theory of Cryptographyâ13th International Conference, TCC 2016-A, E. Kushilevitz and T. Malkin, Eds., vol. 9563 of Lecture Notes in Computer Science, pp. 237â258, Springer, Berlin, Germany, 2016. M. Bellare, A. Boldyreva, and S. Micali, âPublic-key encryption in a multi-user setting: security proofs and improvements,â in Advances in Cryptologyâ(EUROCRYPT â2000), B. Preneel, Ed., vol. 1807 of Lecture Notes in Computer Science, pp. 259â274, Springer, Berlin, Germany, 2000. D. Hofheinz and T. Jager, âTightly secure signatures and public-key encryption,â Designs, Codes and Cryptography. An International Journal, vol. 80, no. 1, pp. 29â61, 2016. D. Hofheinz, J. Koch, and C. Striecks, âIdentity-based encryption with (almost) tight security in the multi-instance, multiciphertext setting,â in Public-key cryptographyâ(PKC â15), J. Katz, Ed., vol. 9020 of Lecture Notes in Computer Science, pp. 799â822, Springer, Berlin, Germany, 2015. J. Chen and H. Wee, âFully, (almost) tightly secure IBE and dual system groups,â in Advances in Cryptologyâ(CRYPTO â13), R. Canetti and J. A. Garay, Eds., vol. 8043 of Lecture Notes in Computer Science, pp. 435â460, Springer, Berlin, Germany, 2013.
