Bridging Broadcast Encryption and Group Key Agreement

  • Qianhong Wu
  • Bo Qin
  • Lei Zhang
  • Josep Domingo-Ferrer
  • Oriol Farràs
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7073)


Broadcast encryption (BE) schemes allow a sender to securely broadcast to any subset of members but requires a trusted party to distribute decryption keys. Group key agreement (GKA) protocols enable a group of members to negotiate a common encryption key via open networks so that only the members can decrypt the ciphertexts encrypted under the shared encryption key, but a sender cannot exclude any particular member from decrypting the ciphertexts. In this paper, we bridge these two notions with a hybrid primitive referred to as contributory broadcast encryption (CBE). In this new primitive, a group of members negotiate a common public encryption key while each member holds a decryption key. A sender seeing the public group encryption key can limit the decryption to a subset of members of his choice. Following this model, we propose a CBE scheme with short ciphertexts. The scheme is proven to be fully collusion-resistant under the decision n-Bilinear Diffie-Hellman Exponentiation (BDHE) assumption in the standard model. We also illustrate a variant in which the communication and computation complexity is sub-linear with the group size. Of independent interest, we present a new BE scheme that is aggregatable. The aggregatability property is shown to be useful to construct advanced protocols.


Broadcast encryption Group key agreement Contributory broadcast encryption Provable Security 


  1. 1.
    Abdalla, M., Chevalier, C., Manulis, M., Pointcheval, D.: Flexible Group Key Exchange with On-demand Computation of Subgroup Keys. In: Bernstein, D.J., Lange, T. (eds.) AFRICACRYPT 2010. LNCS, vol. 6055, pp. 351–368. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  2. 2.
    Boneh, D., Boyen, X., Goh, E.J.: Hierarchical Identity Based Encryption with Constant Size Ciphertext. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 440–456. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  3. 3.
    Boneh, D., Gentry, C., Waters, B.: Collusion Resistant Broadcast Encryption with Short Ciphertexts and Private Keys. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 258–275. Springer, Heidelberg (2005)Google Scholar
  4. 4.
    Boneh, D., Sahai, A., Waters, B.: Fully Collusion Resistant Traitor Tracing with Short Ciphertexts and Private Keys. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 573–592. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  5. 5.
    Boneh, D., Silverberg, A.: Applications of Multilinear Forms to Crytography. Contemporary Mathematics, vol. 324, pp. 71–90 (2003)Google Scholar
  6. 6.
    Boneh, D., Waters, B.: A Fully Collusion Resistant Broadcast, Trace, and Revoke System. In: ACM CCS 2006, pp. 211–220. ACM Press (2006)Google Scholar
  7. 7.
    Boneh, D., Gentry, C., Lynn, B., Shacham, H.: Aggregate and Verifiably Encrypted Signatures from Bilinear Maps. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 416–432. Springer, Heidelberg (2003)CrossRefGoogle Scholar
  8. 8.
    Boyd, C., González-Nieto, J.M.: Round-Optimal Contributory Conference Key Agreement. In: Desmedt, Y.G. (ed.) PKC 2003. LNCS, vol. 2567, pp. 161–174. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  9. 9.
    Bresson, E., Chevassut, O., Pointcheval, D.: Provably Authenticated Group Diffie-Hellman Key Exchange - The Dynamic Case. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 290–309. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  10. 10.
    Bresson, E., Chevassut, O., Pointcheval, D.: Dynamic Group Diffie-Hellman Key Exchange under Standard Assumptions. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 321–336. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  11. 11.
    Bresson, E., Chevassut, O., Pointcheval, D., Quisquater, J.-J.: Provably Authenticated Group Diffie-Hellman Key Exchange. In: ACM CCS 2001, pp. 255–264. ACM Press (2001)Google Scholar
  12. 12.
    Burmester, M., Desmedt, Y.: A Secure and Efficient Conference Key Distribution System. In: De Santis, A. (ed.) EUROCRYPT 1994. LNCS, vol. 950, pp. 275–286. Springer, Heidelberg (1995)CrossRefGoogle Scholar
  13. 13.
    Cheon, J.H., Jho, N.S., Kim, M.H., Yoo, E.S.: Skipping, Cascade, and Combined Chain Schemes for Broadcast Encryption. IEEE Transactions Information Theory 54(11), 5155–5171 (2008)CrossRefMathSciNetGoogle Scholar
  14. 14.
    Diffie, W., Hellman, M.: New Directions in Cryptography. IEEE Transactions on Information Theory 22(6), 644–654 (1976)CrossRefzbMATHMathSciNetGoogle Scholar
  15. 15.
    Fiat, A., Naor, M.: Broadcast Encryption. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 480–491. Springer, Heidelberg (1994)Google Scholar
  16. 16.
    Fujisaki, E., Okamoto, T.: Secure Integration of Asymmetric and Symmetric Encryption Schemes. In: Wiener, M. (ed.) CRYPTO 1999. LNCS, vol. 1666, pp. 537–554. Springer, Heidelberg (1999)Google Scholar
  17. 17.
    Gentry, C., Waters, B.: Adaptive Security in Broadcast Encryption Systems (with Short Ciphertexts). In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 171–188. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  18. 18.
    Gorantla, M.C., Boyd, C., González Nieto, J.M., Manulis, M.: Generic One Round Group Key Exchange in the Standard Model. In: Lee, D., Hong, S. (eds.) ICISC 2009. LNCS, vol. 5984, pp. 1–15. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  19. 19.
    Halevy, D., Shamir, A.: The LSD Broadcast Encryption Scheme. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 47–60. Springer, Heidelberg (2002)CrossRefGoogle Scholar
  20. 20.
    Ingemarsson, I., Tang, D.T., Wong, C.K.: A Conference Key Distribution System. IEEE Transactions on Information Theory 28(5), 714–720 (1982)CrossRefzbMATHMathSciNetGoogle Scholar
  21. 21.
    Joux, A.: A One Round Protocol for Tripartite Diffie-Hellman. J. of Cryptology 17, 263–276 (2004)CrossRefzbMATHMathSciNetGoogle Scholar
  22. 22.
    Kim, H.J., Lee, S.M., Lee, D.H.: Constant-Round Authenticated Group Key Exchange for Dynamic Groups. In: Lee, P.J. (ed.) ASIACRYPT 2004. LNCS, vol. 3329, pp. 245–259. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  23. 23.
    Kim, Y., Perrig, A., Tsudik, G.: Tree-Based Group Key Agreement. ACM Transactions on Information System Security 7(1), 60–96 (2004)CrossRefGoogle Scholar
  24. 24.
    Mao, Y., Sun, Y., Wu, M., Liu, K.J.R.: JET: Dynamic Join-Exit-Tree Amortization and Scheduling for Contributory Key Management. IEEE/ACM Transactions on Networking 14(5), 1128–1140 (2006)CrossRefGoogle Scholar
  25. 25.
    Naor, M., Pinkas, B.: Efficient Trace and Revoke Schemes. In: Frankel, Y. (ed.) FC 2000. LNCS, vol. 1962, pp. 1–20. Springer, Heidelberg (2001)CrossRefGoogle Scholar
  26. 26.
    Park, J.H., Kim, H.J., Sung, M.H., Lee, D.H.: Public Key Broadcast Encryption Schemes With Shorter Transmissions. IEEE Transactions on Broadcasting 54(3), 401–411 (2008)CrossRefGoogle Scholar
  27. 27.
    Sherman, A., McGrew, D.: Key Establishment in Large Dynamic Groups Using One-way Function Trees. IEEE Transactions on Software Engineering 29(5), 444–458 (2003)CrossRefGoogle Scholar
  28. 28.
    Snoeyink, J., Suri, S., Varghese, G.: A Lower Bound for Multicast Key Distribution. In: INFOCOM 2001, pp. 422–431. IEEE Press (2001)Google Scholar
  29. 29.
    Steiner, M., Tsudik, G., Waidner, M.: Key Agreement in Dynamic Peer Groups. IEEE Transactions on Parallel and Distributed Systems 11(8), 769–780 (2000)CrossRefGoogle Scholar
  30. 30.
    Tzeng, W.-G., Tzeng, Z.-J.: Round-Efficient Conference Key Agreement Protocols with Provable Security. In: Okamoto, T. (ed.) ASIACRYPT 2000. LNCS, vol. 1976, pp. 614–627. Springer, Heidelberg (2000)CrossRefGoogle Scholar
  31. 31.
    Wong, C.K., Gouda, M., Lam, S.: Secure Group Communications Using Key Graphs. IEEE/ACM Transactions on Networking 8(1), 16–30 (2000)CrossRefGoogle Scholar
  32. 32.
    Wu, Q., Mu, Y., Susilo, W., Qin, B., Domingo-Ferrer, J.: Asymmetric Group Key Agreement. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 153–170. Springer, Heidelberg (2009)CrossRefGoogle Scholar
  33. 33.
    Wu, Q., Qin, B., Zhang, L., Domingo-Ferrer, J., Farras, O.: Bridging Broadcast Encryption and Group Key Agreement (full version),

Copyright information

© International Association for Cryptologic Research 2011

Authors and Affiliations

  • Qianhong Wu
    • 1
    • 2
  • Bo Qin
    • 1
    • 3
  • Lei Zhang
    • 4
  • Josep Domingo-Ferrer
    • 1
  • Oriol Farràs
    • 1
    • 5
  1. 1.Department of Computer Engineering and Mathematics, UNESCO Chair in Data PrivacyUniversitat Rovira i VirgiliTarragonaSpain
  2. 2.Key Lab. of Aerospace Information Security and Trusted Computing, Ministry of Education School of ComputerWuhan UniversityChina
  3. 3.Dept. of Maths, School of ScienceXi’an University of TechnologyChina
  4. 4.Software Engineering InstituteEast China Normal UniversityShanghaiChina
  5. 5.Department of Computer ScienceBen Gurion UniversityBe’er-ShevaIsrael

Personalised recommendations