Generic Anonymous Identity-Based Broadcast Encryption with Chosen-Ciphertext Security

Abstract

In a broadcast encryption system, a broadcaster can encrypt a message to a group of authorized receivers S and each authorized receiver can use his/her own private key to correctly decrypt the broadcast ciphertext, while the users outside S cannot. Identity-based broadcast encryption (IBBE) system is a variant of broadcast encryption system where any string representing the user’s identity (e.g., email address) can be used as his/her public key. IBBE has found many applications in real life, such as pay-TV systems, distribution of copyrighted materials, satellite radio communications. When employing an IBBE system, it is very important to protect the message’s confidentiality and the users’ anonymity. However, existing IBBE systems cannot satisfy confidentiality and anonymity simultaneously. In this paper, using an anonymous identity-based encryption (IBE) primitive with robust property as a building block, we propose a generic IBBE construction, which can simultaneously ensure the confidentiality and anonymity under chosen-ciphertext attacks. Our generic IBBE construction has a desirable property that the public parameters size, the private key size and the decryption cost are constant and independent of the number of receivers.

A A Concrete Instantiation

We shall present a concrete instantiation based on the generic IBBE construction, employing Boneh-Franklin IBE scheme [8], which is IND-CCA secure and ANO-CCA secure as noticed in [1] and WROB-CCA secure as noticed in [2] and a concrete signature scheme, e.g. [27] which is a strong one-time signature scheme \(\varSigma =(\mathsf {Gen},\mathsf {Sig},\mathsf {Ver})\).

Setup \((1^{\lambda })\) : On input of a security parameter \(\lambda \), it first chooses a bilinear group \(\mathbb {G},\mathbb {G}_T\) of prime order p with bilinear map \(e:\mathbb {G}\times \mathbb {G}\rightarrow \mathbb {G}_T\) and a generator \(g {\leftarrow }_R\mathbb {G}\), and then picks \(\alpha ,\beta {\leftarrow }_R\mathbb {Z}_p\), computes \(g_1=g^{\alpha }\) and \(g_2=g^{\beta }\), chooses hash functions \(H_1:\{0,1\}^*\rightarrow \mathbb {G}\), \(H_2:\{0,1\}^{\ell }\times \{0,1\}^{n}\rightarrow \mathbb {Z}_p\), \(H_3:\mathbb {G}_T \rightarrow \{0,1\}^{\ell }\), \(H_4:\{0,1\}^{\ell }\rightarrow \{0,1\}^{(\lambda +\ell +n)}\), \(H_5:\{0,1\}^{\ell }\times \{0,1\}^{\lambda +\ell +n}\rightarrow \mathbb {Z}_p\) which are modeled as random oracles. The public parameters are \({params}=(\mathbb {G},\mathbb {G}_T,\mathbb {Z}_p,p,e,g,g_1,g_2,H_1,H_2,H_3\), \(H_4\), \(H_5)\) and the master secret key is msk = \((\alpha \), \(\beta )\).

Extract(msk, ID): On input of the master secret key msk and an identity ID, it computes \(sk^{0}_{ID}=H_1(ID)^{\alpha }\) and \(sk^{1}_{ID}=H_1(ID)^{\beta }\). The private key is \(sk_{ID}=(sk^{0}_{ID},sk^{1}_{ID})\).

Enc(params, S, M): On input of the public parameters params, a receiver set \(S=\{ID_1,ID_2,\cdots ,ID_t\}\) and a message \(M\in \{0,1\}^n\), it first runs \((svk,ssk)\leftarrow \) Gen \((1^{\lambda })\), chooses \(\delta _1,\delta _2\leftarrow _R\{0,1\}^{\ell }\), lets \(r_1=H_2(\delta _1||M)\) and \(r_2=H_5(\delta _2||svk||\delta _1\) ||M), and then computes \(T_1=g^{r_1}\) and \(T_2=g^{r_2}\). For each \(ID\in S\), it computes \(c_{ID}^0=H_3(e(g_1,H_1(ID))^{r_1})\) and \(c_{ID}^1=(c_{ID}^{10},c_{ID}^{11})=(H_3(e(g_2,H_1(ID))^{r})\oplus {\delta _2},H_4(\delta _2)\oplus (svk||\delta _1\) ||M)). Let \(C_1=(c_{ID_1}^0,c_{ID_1}^1)||\cdots ||(c_{ID_t}^0,c_{ID_t}^1)\). The ciphertext is \(CT=(svk,T_1,T_2,C_1,\sigma )\), where \(\sigma =\) Sig \((ssk,T_1||T_2||C_1)\).

Dec(\(sk_{ID}\), CT): On input of a private key \(sk_{ID}\) and a ciphertext CT, it parses CT as \((svk,\sigma ,T,C_1)\), where \(C_1=(c_{ID_1}^0,c_{ID_1}^1)||\cdots ||(c_{ID_t}^0,c_{ID_t}^1)\). If Ver(svk, \(T_1||T_2||C_1\), \(\sigma )\)=0, returns \(\perp \); else computes \(c_{ID}^0\)=\(H_3\) \((e(T_1\), \(sk^{0}_{ID}))\) and determines which ciphertext should be decrypted among \((c_{ID_1}^0,c_{ID_1}^1)||\cdots || (c_{ID_{t}}^0,c_{ID_t}^1)\). For each \(ID_j\in S\), if \(c_{ID}^0\ne c_{ID_j}^0\), returns \(\bot \); else chooses the smallest index j such that \(c_{ID}^0=c_{ID_j}^0\) and \(c_{ID}^1=c_{ID_j}^1\). It computes \(\delta _2'=H_3(e(T_2,sk^{1}_{ID}))\oplus {c_{ID}^{10}}\), \(svk||\delta _1||M=H_4(\delta _2')\oplus {c_{ID}^{11}}\). If \(T_1\ne {g^{H_2(\delta _1||M)}}\) or \(T_2\ne {g^{H_5(\delta _2||svk||\delta _1||M)}}\), returns \(\perp \); else returns M.