Abstract
In a broadcast encryption system, a broadcaster can encrypt a message to a group of authorized receivers S, and each authorized receiver can use his/her own private key to decrypt the broadcast ciphertext correctly, while users outside S cannot. An identity-based broadcast encryption (IBBE) system is a variant of broadcast encryption in which any string representing a user's identity (e.g., an email address) can be used as his/her public key. IBBE has found many applications in real life, such as pay-TV systems, distribution of copyrighted materials, and satellite radio communications. When employing an IBBE system, it is very important to protect both the message's confidentiality and the users' anonymity. However, existing IBBE systems cannot satisfy confidentiality and anonymity simultaneously. In this paper, using an anonymous identity-based encryption (IBE) primitive with the robustness property as a building block, we propose a generic IBBE construction which simultaneously ensures confidentiality and anonymity under chosen-ciphertext attacks. Our generic IBBE construction has the desirable property that the public parameter size, the private key size and the decryption cost are constant and independent of the number of receivers.
References
Abdalla, M., Bellare, M., Catalano, D., Kiltz, E., Kohno, T., Lange, T., Malone-Lee, J., Neven, G., Paillier, P., Shi, H.: Searchable encryption revisited: consistency properties, relation to anonymous IBE, and extensions. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 205–222. Springer, Heidelberg (2005)
Abdalla, M., Bellare, M., Neven, G.: Robust encryption. In: IACR Cryptology ePrint Archive, 2008/440 (2008)
Baek, J., Safavi-Naini, R., Susilo, W.: Efficient multi-receiver identity-based encryption and its application to broadcast encryption. In: Vaudenay, S. (ed.) PKC 2005. LNCS, vol. 3386, pp. 380–397. Springer, Heidelberg (2005)
Barbosa, M., Farshim, P.: Efficient identity-based key encapsulation to multiple parties. In: IACR Cryptology ePrint Archive, 2005/217 (2005)
Barth, A., Boneh, D., Waters, B.: Privacy in encrypted content distribution using private broadcast encryption. In: Di Crescenzo, G., Rubin, A. (eds.) FC 2006. LNCS, vol. 4107, pp. 52–64. Springer, Heidelberg (2006)
Bellare, M., Boldyreva, A., Desai, A., Pointcheval, D.: Key-privacy in public-key encryption. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 566–582. Springer, Heidelberg (2001)
Bellare, M., Rogaway, P.: Random oracles are practical: A paradigm for designing efficient protocols (1995)
Boneh, D., Franklin, M.: Identity-based encryption from the weil pairing. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 213–229. Springer, Heidelberg (2001)
Boneh, D., Gentry, C., Waters, B.: Collusion resistant broadcast encryption with short ciphertexts and private keys. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 258–275. Springer, Heidelberg (2005)
Chatterjee, S., Sarkar, P.: Multi-receiver identity-based key encapsulation with shortened ciphertext. In: Barua, R., Lange, T. (eds.) INDOCRYPT 2006. LNCS, vol. 4329, pp. 394–408. Springer, Heidelberg (2006)
Chien, H.-Y.: Improved anonymous multi-receiver identity-based encryption. Comput. J. 55(4), 439–446 (2012)
Delerablée, C.: Identity-based broadcast encryption with constant size ciphertexts and private keys. In: Kurosawa, K. (ed.) ASIACRYPT 2007. LNCS, vol. 4833, pp. 200–215. Springer, Heidelberg (2007)
Dodis, Y., Fazio, N.: Public key broadcast encryption for stateless receivers. In: Security and Privacy in Digital Rights Management, ACM CCS-9 Workshop, DRM 2002, Washington, DC, USA, November 18, 2002, pp. 61–80 (2002)
Fan, C.-I., Huang, L.-Y., Ho, P.-H.: Anonymous multireceiver identity-based encryption. IEEE Trans. Comput. 59(9), 1239–1249 (2010)
Fazio, N., Perera, I.M.: Outsider-anonymous broadcast encryption with sublinear ciphertexts. In: Proceedings of the Public Key Cryptography - PKC 2012–15th International Conference on Practice and Theory in Public Key Cryptography, Darmstadt, May 21–23, 2012, pp. 225–242 (2012)
Fiat, A., Naor, M.: Broadcast encryption. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 480–491. Springer, Heidelberg (1994)
Gentry, C., Waters, B.: Adaptive security in broadcast encryption systems (with short ciphertexts). In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 171–188. Springer, Heidelberg (2009)
He, K., Weng, J., Liu, J.-N., Liu, J.K., Liu, W., Deng, R.H.: Anonymous identity-based broadcast encryption with chosen-ciphertext security. In: Accepted for publication in ASIACCS 2016, January 2016
Liang, H., Liu, Z., Cheng, X.: Efficient identity-based broadcast encryption without random oracles. JCP 5(3), 331–336 (2010)
Hur, J., Park, C., Hwang, S.: Privacy-preserving identity-based broadcast encryption. Inf. Fusion 13(4), 296–303 (2012)
Kim, I., Hwang, S.O.: An optimal identity-based broadcast encryption scheme for wireless sensor networks. IEICE Trans. 96–B(3), 891–895 (2013)
Li, H., Pang, L.: Cryptanalysis of Wang et al.'s improved anonymous multi-receiver identity-based encryption scheme. IET Inf. Secur. 8(1), 8–11 (2014)
Libert, B., Paterson, K.G., Quaglia, E.A.: Anonymous broadcast encryption: Adaptive security and efficient constructions in the standard model. In: Proceedings of Public Key Cryptography - PKC 2012 - 15th International Conference on Practice and Theory in Public Key Cryptography, Darmstadt, May 21–23, 2012, pp. 206–224 (2012)
Liu, W., Liu, J., Wu, Q., Qin, B.: Hierarchical identity-based broadcast encryption. In: Susilo, W., Mu, Y. (eds.) ACISP 2014. LNCS, vol. 8544, pp. 242–257. Springer, Heidelberg (2014)
Ren, Y., Dawu, G.: Fully CCA2 secure identity based broadcast encryption without random oracles. Inf. Process. Lett. 109(11), 527–533 (2009)
Ren, Y., Niu, Z., Zhang, X.: Fully anonymous identity-based broadcast encryption without random oracles. I. J. Netw. Sec. 16(4), 256–264 (2014)
Rompel, J.: One-way functions are necessary and sufficient for secure signatures. In: Proceedings of the 22nd Annual ACM Symposium on Theory of Computing, May 13–17, 1990, Baltimore, pp. 387–394 (1990)
Sakai, R., Furukawa, J.: Identity-based broadcast encryption. Cryptology ePrint Archive, Report 2007/217 (2007)
Wang, H., Yi-Chun Zhang, H., Xiong, H., Qin, B.: Cryptanalysis and improvements of an anonymous multi-receiver identity-based encryption scheme. IET Inf. Secur. 6(1), 20–27 (2012)
Wang, J., Bi, J.: Lattice-based identity-based broadcast encryption scheme. IACR Cryptology ePrint Archive, 2010/288 (2010)
Qing, W., Wang, W.: New identity-based broadcast encryption with constant ciphertexts in the standard model. JSW 6(10), 1929–1936 (2011)
Xie, L., Ren, Y.: Efficient anonymous identity-based broadcast encryption without random oracles. IJDCF 6(2), 40–51 (2014)
Yang, C., Zheng, S., Wang, L., Xiuhua, L., Yang, Y.: Hierarchical identity-based broadcast encryption scheme from LWE. J. Commun. Netw. 16(3), 258–263 (2014)
Zhang, B., Xu, Q.: Identity-based broadcast group-oriented encryption from pairings. In: The Second International Conference on Future Generation Communication and Networking, FGCN 2008, vol. 1, Main Conference, Hainan Island, China, December 13–15, 2008, pp. 407–410 (2008)
Zhang, J.H., Cui, Y.B.: Comment an anonymous multi-receiver identity-based encryption scheme. IACR Cryptology ePrint Archive, 2012/201 (2012)
Zhang, J., Mao, J.: An improved anonymous multi-receiver identity-based encryption scheme. Int. J. Commun. Syst. 28(4), 645–658 (2015)
Zhang, L., Hu, Y., Mu, N.: An identity-based broadcast encryption protocol for ad hoc networks. In: Proceedings of the 9th International Conference for Young Computer Scientists, ICYCS 2008, Zhang Jia Jie, Hunan, China, November 18–21, 2008, pp. 1619–1623 (2008)
Zhang, L., Wu, Q., Mu, Y.: Anonymous identity-based broadcast encryption with adaptive security. In: Wang, G., Ray, I., Feng, D., Rajarajan, M. (eds.) CSS 2013. LNCS, vol. 8300, pp. 258–271. Springer, Heidelberg (2013)
Zhang, M., Takagi, T.: Efficient constructions of anonymous multireceiver encryption protocol and their deployment in group e-mail systems with privacy preservation. IEEE Syst. J. 7(3), 410–419 (2013)
Zhao, X., Zhang, F.: Fully CCA2 secure identity-based broadcast encryption with black-box accountable authority. J. Syst. Softw. 85(3), 708–716 (2012)
Acknowledgments
This work was supported by National Science Foundation of China (Grant Nos. 61272413, 61133014, 61272415 and 61472165), Program for New Century Excellent Talents in University (Grant No. NCET-12-0680), Research Fund for the Doctoral Program of Higher Education of China (Grant No. 20134401110011), Foundation for Distinguished Young Talents in Higher Education of Guangdong (Grant No. 2012LYM 0027), the Fundamental Research Funds for the Central Universities (Grant No. 11613106), and this work is also supported by China Scholarship Council.
A A Concrete Instantiation
We present a concrete instantiation of the generic IBBE construction, employing the Boneh-Franklin IBE scheme [8], which is IND-CCA secure, ANO-CCA secure as noted in [1], and WROB-CCA secure as noted in [2], together with a strong one-time signature scheme \(\varSigma =(\mathsf {Gen},\mathsf {Sig},\mathsf {Ver})\), e.g. one built from a one-way function as in [27].
Setup \((1^{\lambda })\) : On input of a security parameter \(\lambda \), it first chooses bilinear groups \(\mathbb {G},\mathbb {G}_T\) of prime order p with a bilinear map \(e:\mathbb {G}\times \mathbb {G}\rightarrow \mathbb {G}_T\) and a generator \(g {\leftarrow }_R\mathbb {G}\), then picks \(\alpha ,\beta {\leftarrow }_R\mathbb {Z}_p\), computes \(g_1=g^{\alpha }\) and \(g_2=g^{\beta }\), and chooses hash functions \(H_1:\{0,1\}^*\rightarrow \mathbb {G}\), \(H_2:\{0,1\}^{\ell }\times \{0,1\}^{n}\rightarrow \mathbb {Z}_p\), \(H_3:\mathbb {G}_T \rightarrow \{0,1\}^{\ell }\), \(H_4:\{0,1\}^{\ell }\rightarrow \{0,1\}^{(\lambda +\ell +n)}\), \(H_5:\{0,1\}^{\ell }\times \{0,1\}^{\lambda +\ell +n}\rightarrow \mathbb {Z}_p\), which are modeled as random oracles. The public parameters are \({params}=(\mathbb {G},\mathbb {G}_T,\mathbb {Z}_p,p,e,g,g_1,g_2,H_1,H_2,H_3\), \(H_4\), \(H_5)\) and the master secret key is msk = \((\alpha \), \(\beta )\).
Extract(msk, ID): On input of the master secret key msk and an identity ID, it computes \(sk^{0}_{ID}=H_1(ID)^{\alpha }\) and \(sk^{1}_{ID}=H_1(ID)^{\beta }\). The private key is \(sk_{ID}=(sk^{0}_{ID},sk^{1}_{ID})\).
Enc(params, S, M): On input of the public parameters params, a receiver set \(S=\{ID_1,ID_2,\cdots ,ID_t\}\) and a message \(M\in \{0,1\}^n\), it first runs \((svk,ssk)\leftarrow \) Gen \((1^{\lambda })\), chooses \(\delta _1,\delta _2\leftarrow _R\{0,1\}^{\ell }\), lets \(r_1=H_2(\delta _1||M)\) and \(r_2=H_5(\delta _2||svk||\delta _1||M)\), and then computes \(T_1=g^{r_1}\) and \(T_2=g^{r_2}\). For each \(ID\in S\), it computes \(c_{ID}^0=H_3(e(g_1,H_1(ID))^{r_1})\) and \(c_{ID}^1=(c_{ID}^{10},c_{ID}^{11})=(H_3(e(g_2,H_1(ID))^{r_2})\oplus {\delta _2},\ H_4(\delta _2)\oplus (svk||\delta _1||M))\). Here \(c_{ID}^0\) serves only as a tag that lets the holder of \(sk_{ID}\) locate its own component; the identities in S are not written into the ciphertext. Let \(C_1=(c_{ID_1}^0,c_{ID_1}^1)||\cdots ||(c_{ID_t}^0,c_{ID_t}^1)\). The ciphertext is \(CT=(svk,T_1,T_2,C_1,\sigma )\), where \(\sigma =\) Sig \((ssk,T_1||T_2||C_1)\).
Dec(\(sk_{ID}\), CT): On input of a private key \(sk_{ID}=(sk^{0}_{ID},sk^{1}_{ID})\) and a ciphertext CT, it parses CT as \((svk,T_1,T_2,C_1,\sigma )\), where \(C_1=(c_{ID_1}^0,c_{ID_1}^1)||\cdots ||(c_{ID_t}^0,c_{ID_t}^1)\). If Ver(svk, \(T_1||T_2||C_1\), \(\sigma )\)=0, it returns \(\perp \). Otherwise it computes the tag \(c_{ID}^0=H_3(e(T_1,sk^{0}_{ID}))\), which equals \(H_3(e(g_1,H_1(ID))^{r_1})\) by bilinearity, and uses it to determine which component of \(C_1\) should be decrypted: if no index \(j\in \{1,\ldots ,t\}\) satisfies \(c_{ID}^0=c_{ID_j}^0\), it returns \(\bot \) (the holder of \(sk_{ID}\) is not in S); otherwise it takes the smallest such j and sets \(c_{ID}^1=(c_{ID}^{10},c_{ID}^{11})=c_{ID_j}^1\). It then computes \(\delta _2'=H_3(e(T_2,sk^{1}_{ID}))\oplus {c_{ID}^{10}}\) and \(svk'||\delta _1'||M'=H_4(\delta _2')\oplus {c_{ID}^{11}}\). If \(svk'\ne svk\), \(T_1\ne {g^{H_2(\delta _1'||M')}}\) or \(T_2\ne {g^{H_5(\delta _2'||svk||\delta _1'||M')}}\), it returns \(\perp \); else it returns \(M'\). The comparison against the svk carried in CT, rather than the recovered \(svk'\) alone, is what ties the one-time signature to the inner ciphertext: a ciphertext re-signed under a fresh key pair would otherwise pass both re-encryption checks.
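As an added worked example (not the paper's code), the following Python runs the four algorithms above end to end. It replaces the pairing group with an insecure simulation in which a group element \(g^x\) is stored as its exponent x mod Q and \(e(g^a,g^b)\) is computed as \(a\cdot b \bmod Q\), so it demonstrates the algebra, the tag-based slot lookup and the decryption-time checks, not any security; the strong one-time signature of [27] is stood in for by a hash-based Lamport signature. Q, L, the hash domain tags and the sample identities are assumptions of this example.

```python
# Added example, not the paper's code: a toy end-to-end run of the appendix-A
# instantiation. The bilinear group is SIMULATED: a G element g^x is stored as its
# exponent x mod Q and e(g^a, g^b) = g_T^{ab} is computed as a*b mod Q. Discrete
# logs are therefore trivial, so this is NOT secure; it only exercises the algebra
# and the decrypt-time checks. The strong one-time signature of [27] is replaced by
# a hash-based Lamport OTS. Q, L and the hash domain tags are assumptions.
import hashlib
import secrets

Q = (1 << 127) - 1   # toy group order (prime), the paper's p
L = 16               # ell: byte length of delta_1, delta_2 and of H_3 outputs

def H(tag, *parts):
    """Domain-separated SHA-256 over length-prefixed inputs."""
    h = hashlib.sha256(tag.encode())
    for p in parts:
        h.update(len(p).to_bytes(4, "big") + p)
    return h.digest()

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

# Random-oracle stand-ins for H_1..H_5 with the ranges given in Setup
def H1(identity): return int.from_bytes(H("H1", identity), "big") % Q   # {0,1}* -> G
def H2(d1, m):    return int.from_bytes(H("H2", d1, m), "big") % Q      # -> Z_p
def H3(gt):       return H("H3", gt.to_bytes(16, "big"))[:L]            # G_T -> {0,1}^ell
def H4(d2, n):    return hashlib.shake_256(b"H4" + d2).digest(n)        # {0,1}^ell -> {0,1}^n
def H5(d2, rest): return int.from_bytes(H("H5", d2, rest), "big") % Q   # -> Z_p

def e(a, b):
    """Toy symmetric bilinear map on exponents: e(g^a, g^b) = g_T^{ab}."""
    return a * b % Q

# Lamport one-time signature from a hash: (svk, ssk) = Gen, then Sig / Ver
def ots_gen():
    ssk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    svk = b"".join(H("OTS", s0) + H("OTS", s1) for s0, s1 in ssk)
    return svk, ssk

def ots_sign(ssk, msg):
    bits = int.from_bytes(H("MSG", msg), "big")
    return b"".join(ssk[i][(bits >> i) & 1] for i in range(256))

def ots_verify(svk, msg, sig):
    if len(svk) != 256 * 64 or len(sig) != 256 * 32:
        return False
    bits = int.from_bytes(H("MSG", msg), "big")
    return all(H("OTS", sig[32 * i:32 * i + 32]) == svk[64 * i + 32 * ((bits >> i) & 1):][:32]
               for i in range(256))

def setup():
    alpha, beta = secrets.randbelow(Q - 1) + 1, secrets.randbelow(Q - 1) + 1
    return {"g1": alpha, "g2": beta}, (alpha, beta)   # g = g^1, so g1 = g^alpha is alpha

def extract(msk, identity):
    alpha, beta = msk
    h = H1(identity)
    return (h * alpha % Q, h * beta % Q)              # (H_1(ID)^alpha, H_1(ID)^beta)

def serialize(T1, T2, C1):
    return T1.to_bytes(16, "big") + T2.to_bytes(16, "big") + b"".join(b"".join(c) for c in C1)

def enc(params, S, M):
    svk, ssk = ots_gen()
    d1, d2 = secrets.token_bytes(L), secrets.token_bytes(L)
    payload = svk + d1 + M                            # svk || delta_1 || M
    r1, r2 = H2(d1, M), H5(d2, payload)
    T1, T2 = r1, r2                                   # g^{r1}, g^{r2} as exponents
    C1 = []
    for ID in S:                                      # no identity is written into CT
        h = H1(ID)
        c0 = H3(e(params["g1"], h) * r1 % Q)          # H_3(e(g1, H_1(ID))^{r1}): locator tag
        c10 = xor(H3(e(params["g2"], h) * r2 % Q), d2)
        c11 = xor(H4(d2, len(payload)), payload)
        C1.append((c0, c10, c11))
    return (svk, T1, T2, C1, ots_sign(ssk, serialize(T1, T2, C1)))

def dec(sk, CT):
    svk, T1, T2, C1, sigma = CT
    if not ots_verify(svk, serialize(T1, T2, C1), sigma):
        return None
    sk0, sk1 = sk
    tag = H3(e(T1, sk0))                              # e(g^{r1}, H_1(ID)^alpha) = e(g1, H_1(ID))^{r1}
    slot = next((c for c in C1 if c[0] == tag), None)  # smallest j whose tag matches
    if slot is None:
        return None                                   # this key's ID is not in S
    _, c10, c11 = slot
    d2 = xor(H3(e(T2, sk1)), c10)
    payload = xor(H4(d2, len(c11)), c11)
    svk2, d1, M = payload[:len(svk)], payload[len(svk):len(svk) + L], payload[len(svk) + L:]
    # Re-encryption checks; svk2 must be the key the signature was verified under
    if svk2 != svk or T1 != H2(d1, M) or T2 != H5(d2, payload):
        return None
    return M

if __name__ == "__main__":
    params, msk = setup()
    alice, bob, carol = b"alice@example.com", b"bob@example.com", b"carol@example.com"
    CT = enc(params, [alice, bob], b"constructed sample message")
    print(dec(extract(msk, alice), CT), dec(extract(msk, carol), CT))
```

Running it shows the three behaviours a practitioner cares about: a receiver in S finds its slot by tag alone, with no identity appearing in CT; a receiver outside S gets \(\bot\); and any modification of \(T_1\), \(T_2\) or \(C_1\), including re-signing an intact ciphertext under a fresh one-time key, is rejected. The decryption cost is two "pairings" plus a linear scan of t short tags, matching the constant-cost claim of the abstract.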
© 2016 Springer International Publishing Switzerland
Cite this paper
He, K., Weng, J., Au, M.H., Mao, Y., Deng, R.H. (2016). Generic Anonymous Identity-Based Broadcast Encryption with Chosen-Ciphertext Security. In: Liu, J., Steinfeld, R. (eds) Information Security and Privacy. ACISP 2016. Lecture Notes in Computer Science(), vol 9723. Springer, Cham. https://doi.org/10.1007/978-3-319-40367-0_13
DOI: https://doi.org/10.1007/978-3-319-40367-0_13
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-40366-3
Online ISBN: 978-3-319-40367-0