CCA2-Secure Threshold Broadcast Encryption with Shorter Ciphertexts

  • Vanesa Daza
  • Javier Herranz
  • Paz Morillo
  • Carla Ràfols
Part of the Lecture Notes in Computer Science book series (LNCS, volume 4784)


In a threshold broadcast encryption scheme, a sender chooses (ad-hoc) a set of n receivers and a threshold t, and then encrypts a message by using the public keys of all the receivers, in such a way that the original plaintext can be recovered only if at least t receivers cooperate. Previously proposed threshold broadcast encryption schemes have ciphertexts whose length is at least \(n + \mathcal{O}(1)\). In this paper, we propose new schemes, for both PKI and identity-based scenarios, where the ciphertexts’ length is \(n-t + \mathcal{O}(1)\). The constructions use secret sharing techniques and the Canetti-Halevi-Katz transformation to achieve chosen-ciphertext security. The security of our schemes is formally proved under the Decisional Bilinear Diffie-Hellman (DBDH) Assumption.


Unable to display preview. Download preview PDF.

Unable to display preview. Download preview PDF.


  1. 1.
    Abe, M., Cui, Y., Imai, H., Kiltz, E.: Efficient hybrid encryption from ID-based encryption. IACR ePrint (2007), available at Google Scholar
  2. 2.
    Bellare, M., Boldyreva, A., Micali, S.: Public-key encryption in a multi-user setting: security proofs and improvements. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 259–274. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  3. 3.
    Bellare, M., Goldreich, O.: On defining proofs of knowledge. In: Brickell, E.F. (ed.) CRYPTO 1992. LNCS, vol. 740, pp. 390–420. Springer, Heidelberg (1993)Google Scholar
  4. 4.
    Blakley, G.R.: Safeguarding cryptographic keys. In: Proceedings of the National Computer Conference, American Federation of Information, Processing Societies Proceedings, vol. 48, pp. 313–317 (1979)Google Scholar
  5. 5.
    Boneh, D., Boyen, X.: Efficient selective-ID secure identity-based encryption without random oracles. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 223–238. Springer, Heidelberg (2004)Google Scholar
  6. 6.
    Boneh, D., Boyen, X., Halevi, S.: Chosen ciphertext secure public key threshold encryption without random oracles. In: Pointcheval, D. (ed.) CT-RSA 2006. LNCS, vol. 3860, pp. 226–243. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  7. 7.
    Boneh, D., Canetti, R., Katz, J., Halevi, S.: Chosen-ciphertext security from identity-based encryption. SIAM Journal on Computing 36(5), 1301–1328 (2007)CrossRefMathSciNetGoogle Scholar
  8. 8.
    Boneh, D., Franklin, M.K.: Identity-based encryption from the Weil pairing. SIAM Journal on Computing 32(3), 586–615 (2003)MATHCrossRefMathSciNetGoogle Scholar
  9. 9.
    Boneh, D., Gentry, C., Waters, B.: Collusion resistant broadcast encryption with short ciphertexts and private keys. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 258–275. Springer, Heidelberg (2005)Google Scholar
  10. 10.
    Canetti, R., Goldwasser, S.: An efficient threshold public key cryptosystem secure against adaptive chosen ciphertext attack. In: Stern, J. (ed.) EUROCRYPT 1999. LNCS, vol. 1592, pp. 90–106. Springer, Heidelberg (1999)Google Scholar
  11. 11.
    Canetti, R., Halevi, S., Katz, J.: Chosen-ciphertext security from identity-based encryption. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 207–222. Springer, Heidelberg (2004)Google Scholar
  12. 12.
    Chai, Z., Cao, Z., Zhou, Y.: Efficient ID-based broadcast threshold decryption in ad hoc network. In: Proceedings of IMSCCS 2006, vol. 2, IEEE Computer Society Press, Los Alamitos (2006)Google Scholar
  13. 13.
    Chatterjee, S., Sarkar, P.: Multi-receiver identity-based key encapsulation with shortened ciphertext. In: Barua, R., Lange, T. (eds.) INDOCRYPT 2006. LNCS, vol. 4329, pp. 394–408. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  14. 14.
    Daza, V., Herranz, J., Morillo, P., Ràfols, C.: Ad-hoc threshold broadcast encryption with shorter ciphertexts. In: Proceedings of WCAN 2007 (to be published by Electronic Notes in Theoretical Computer Science) (2007)Google Scholar
  15. 15.
    Fiat, A., Naor, M.: Broadcast encryption. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 480–491. Springer, Heidelberg (1994)Google Scholar
  16. 16.
    Ghodosi, H., Pieprzyk, J., Safavi-Naini, R.: Dynamic threshold cryptosystems: a new scheme in group oriented cryptography. In: Proceedings of Pragocrypt 1996, CTU Publishing house, pp. 370–379 (1996)Google Scholar
  17. 17.
    Lim, C.H., Lee, P.J.: Directed signatures and application to threshold cryptosystems. In: Lomas, M. (ed.) Security Protocols. LNCS, vol. 1189, pp. 131–138. Springer, Heidelberg (1997)Google Scholar
  18. 18.
    Sakai, R., Furukawa, J.: Identity-based broadcast encryption. IACR ePrint (2007), available at
  19. 19.
    Shamir, A.: How to share a secret. Communications of the ACM 22, 612–613 (1979)MATHCrossRefMathSciNetGoogle Scholar
  20. 20.
    Shamir, A.: Identity-based cryptosystems and signature schemes. In: Blakely, G.R., Chaum, D. (eds.) CRYPTO 1984. LNCS, vol. 196, pp. 47–53. Springer, Heidelberg (1985)CrossRefGoogle Scholar
  21. 21.
    Shoup, V., Gennaro, R.: Securing threshold cryptosystems against chosen ciphertext attack. Journal of Cryptology 15(2), 75–96 (2002)MATHMathSciNetGoogle Scholar

Copyright information

© Springer-Verlag Berlin Heidelberg 2007

Authors and Affiliations

  • Vanesa Daza
    • 1
  • Javier Herranz
    • 2
  • Paz Morillo
    • 3
  • Carla Ràfols
    • 3
  1. 1.Dept. D’Enginyeria Informàtica i Matemàtiques, Universitat Rovira i Virgili, Av. Països Catalans 26, E-43007 TarragonaSpain
  2. 2.IIIA, Artificial Intelligence Research Institute, CSIC, Spanish National Research Council, Campus UAB s/n, E-08193 BellaterraSpain
  3. 3.Dept. Matemàtica Aplicada IV, Universitat Politècnica de Catalunya, C. Jordi Girona 1-3, E-08034 BarcelonaSpain

Personalised recommendations