Abstract
Broadcast encryption with dealership (BED) has been proposed to enable more innovative and scalable business models for broadcast services, and it has a wide range of potential applications. Designing a secure BED scheme is, however, a challenging task, and the only known BED construction so far is that of Gritti et al. We aim to raise the profile of BED primitives, which have not received much attention despite their importance. This paper presents a selectively chosen-plaintext attack (CPA) secure BED scheme supporting maximum-number accountability (the dealer cannot include more users in a group than the agreed maximum number) and privacy (the group of users is hidden from the broadcaster). Our scheme is a key encapsulation mechanism and is more efficient in practice: it reduces the parameter sizes and the computation cost compared to the scheme of Gritti et al. More interestingly, the broadcaster does not need to rely on the users to detect a dishonest dealer. We provide a concrete security analysis of our design under reasonable assumptions.
References
Barth, A., Boneh, D., Waters, B.: Privacy in encrypted content distribution using private broadcast encryption. In: Crescenzo, G., Rubin, A. (eds.) FC 2006. LNCS, vol. 4107, pp. 52–64. Springer, Heidelberg (2006). doi:10.1007/11889663_4
Boneh, D., Gentry, C., Waters, B.: Collusion resistant broadcast encryption with short ciphertexts and private keys. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 258–275. Springer, Heidelberg (2005). doi:10.1007/11535218_16
Boneh, D., Waters, B., Zhandry, M.: Low overhead broadcast encryption from multilinear maps. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014. LNCS, vol. 8616, pp. 206–223. Springer, Heidelberg (2014). doi:10.1007/978-3-662-44371-2_12
Chor, B., Fiat, A., Naor, M.: Tracing traitors. In: Desmedt, Y.G. (ed.) CRYPTO 1994. LNCS, vol. 839, pp. 257–270. Springer, Heidelberg (1994). doi:10.1007/3-540-48658-5_25
Delerablée, C.: Identity-based broadcast encryption with constant size ciphertexts and private keys. In: Kurosawa, K. (ed.) ASIACRYPT 2007. LNCS, vol. 4833, pp. 200–215. Springer, Heidelberg (2007). doi:10.1007/978-3-540-76900-2_12
Delerablée, C., Paillier, P., Pointcheval, D.: Fully collusion secure dynamic broadcast encryption with constant-size ciphertexts or decryption keys. In: Takagi, T., Okamoto, E., Okamoto, T., Okamoto, T. (eds.) Pairing 2007. LNCS, vol. 4575, pp. 39–59. Springer, Heidelberg (2007). doi:10.1007/978-3-540-73489-5_4
Dodis, Y., Fazio, N.: Public key broadcast encryption for stateless receivers. In: Feigenbaum, J. (ed.) DRM 2002. LNCS, vol. 2696, pp. 61–80. Springer, Heidelberg (2003). doi:10.1007/978-3-540-44993-5_5
Fiat, A., Naor, M.: Broadcast encryption. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 480–491. Springer, Heidelberg (1994). doi:10.1007/3-540-48329-2_40
Gentry, C., Waters, B.: Adaptive security in broadcast encryption systems (with short ciphertexts). In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 171–188. Springer, Heidelberg (2009). doi:10.1007/978-3-642-01001-9_10
Gritti, C., Susilo, W., Plantard, T., Liang, K., Wong, D.: Broadcast encryption with dealership. Int. J. Inf. Secur. 15, 1–13 (2015)
Lewko, A., Sahai, A., Waters, B.: Revocation systems with very small private keys. In: IEEE Symposium on Security and Privacy (SP), pp. 273–285 (2010)
Naor, D., Naor, M., Lotspiech, J.: Revocation and tracing schemes for stateless receivers. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 41–62. Springer, Heidelberg (2001). doi:10.1007/3-540-44647-8_3
Phan, D.H., Pointcheval, D., Shahandashti, S., Strefler, M.: Adaptive CCA broadcast encryption with constant-size secret keys and ciphertexts. Int. J. Inf. Secur. 12(4), 251–265 (2013)
A The BED Construction of [10]
The portions of the following scheme of [10] framed by boxes indicate the terms that were added or modified in the transition from the syntax of KEMD, as described in Sect. 2.1, to the syntax of BED of [10].

- (\(\textsf {PP}, \textsf {MK}\)) \(\leftarrow \) Setup(\(N,\lambda \)): The PKGC chooses a bilinear group system \(\mathbb {S}=(p,\mathbb {G},\mathbb {G}_1,e)\), where \(\mathbb {G},\mathbb {G}_1\) are groups of prime order p and \(e:\mathbb {G}\times \mathbb {G}\rightarrow \mathbb {G}_1\) is a bilinear map. Let g be a generator of \(\mathbb {G}\) and \(h\in _R \mathbb {G}\). It selects \(\alpha , \beta ,\gamma \in _R \mathbb {Z}_p\), computes \(u_i=h^{\gamma \alpha ^i}, v_i=h^{\gamma \beta \alpha ^i}\) for \(i\in [0,N]\) and sets the public parameter \({\textsf {PP}}\) and the master key \({\textsf {MK}}\) as
  $$ {\textsf {MK}}=(\alpha , \beta ,\gamma ), \quad {\textsf {PP}}=(\mathbb {S},g,h,e(g^{\gamma }, g),\{u_i\}_{i=0}^{N},\{v_i\}_{i=0}^{N}). $$
- \(({sk_i,\boxed {{\textsf {PK}}_i}})\) \(\leftarrow \) KeyGen(\({\textsf {PP}},{\textsf {MK}},i\)): The PKGC takes \(s_i\in _R \mathbb {Z}_p\), \(f_i\in _R \mathbb {G}\) for \(i\in [1,N]\) and generates the secret key of user i as \(sk_i=(d_{i,0},\ldots ,d_{i,N})\), where \(d_{i,0}=g^{-s_i}\), \(d_{i,i}=g^{\gamma }f_i^{s_i}\) and \(d_{i,j}=f_j^{s_i}\) for \(j \ne i\). The PKGC additionally generates the public key of user i as \({\textsf {PK}}_i=(x_i+\alpha ,f_i)\), where \(x_i\in _R \mathbb {Z}_p\). It publishes \({\textsf {PK}}_i\) and sends \(sk_i\) to user i through a secure communication channel.
- (P(G), k) \(\leftarrow \) GroupGen(\({\textsf {PP}},\boxed {\{{\textsf {PK}}_i\}_{i=1}^{N}}, G\)): A dealer selects a group G of \(k'(\le k)\) users and generates a group token P(G) as
  $$\begin{aligned} P(G)&=(w_1,w_2,w_3,w_4,w_5,w_6)\\&=\Big(u_0^{t_1\prod \limits _{i\in G} (x_i+\alpha )},\ v_0^{t_1\prod \limits _{i\in G} (x_i+\alpha )},\ v_{N-k}^{t_1\prod \limits _{i\in G} (x_i+\alpha )},\ \prod \limits _{i\in G}f_i^{t_2},\ g^{t_2},\ e(g^{\gamma }, g)^{t_2}\Big) \end{aligned}$$
  where \(t_1,t_2\in _R \mathbb {Z}_p\), the \(u_i, v_i\) are taken from \(\mathsf {PP}\), and \(x_i+\alpha \) and \(f_i\) are taken from \({\textsf {PK}}_i\) for \(i\in [N]\). The dealer sends G to each subscribed user through a secure communication channel.
- (0\(\vee \)1) \(\leftarrow \) KEMD.Verify(\({{P(G)}},{\textsf {PP}},k\)): The broadcaster implicitly verifies that the size of G does not exceed k by checking the pairing equation \(e(w_2,u_N)=e(w_3,u_k)\); for an honestly generated token both sides equal \(e(h,h)^{\gamma ^2\beta \alpha ^N t_1\prod _{i\in G}(x_i+\alpha )}\). If the verification succeeds, the broadcaster outputs 1 and proceeds; otherwise it outputs 0 and aborts.
- \((\boxed {C})\) \(\leftarrow \) Encrypt(\({{P(G)}},{\textsf {PP}},\boxed {{M}}\)): The broadcaster verifies that \(w_2=w_1^\beta \) by checking \(e(w_1,v_0)=e(w_2,u_0)\); for an honest token both sides equal \(e(h,h)^{\gamma ^2\beta t_1\prod _{i\in G}(x_i+\alpha )}\). If the verification succeeds, the broadcaster generates a ciphertext C from \(P(G)=(w_1,w_2,w_3,w_4,w_5,w_6)\), \({\textsf {PP}}\) and a message \(M\in \mathbb {G}_1\) as
  $$ C=(C_1,C_2,C_3)=(w_5^r,w_4^r,M w_6^r)=\Big(g^{rt_2},\ \prod \limits _{i\in G}f_i^{rt_2},\ M\cdot e(g^{\gamma }, g)^{rt_2}\Big), $$
  where \(r \in _R \mathbb {Z}_p\).
- \((\boxed {M})\) \(\leftarrow \) Decrypt(\({\textsf {PP}},sk_i,\boxed {C},G\)): User i checks the cardinality of the group G received from the dealer; if it exceeds k, user i reports this to the broadcaster. User i retrieves M by combining \(C=(C_1,C_2,C_3)\) with the \(d_{i,j}\) extracted from \(sk_i\) as follows:
  $$\begin{aligned} X&=e\Big(d_{i,i}\prod \limits _{j\in G,j\ne i} d_{i,j},\,C_1\Big)\, e(d_{i,0},C_2)\\&=e\Big(g^{\gamma }\prod \limits _{j\in G}f_j^{s_i},\,g^{rt_2}\Big)\, e\Big(g^{-s_i},\,\prod \limits _{j\in G}f_j^{rt_2}\Big)=e(g^{\gamma }, g^{{rt_2}}),\\ X^{-1} C_3&=e(g^{\gamma }, g^{{rt_2}})^{-1}\, M\, e(g^{\gamma }, g^{{rt_2}})=M. \end{aligned}$$
© 2016 Springer International Publishing AG
Cite this paper
Acharya, K., Dutta, R. (2016). Secure and Efficient Construction of Broadcast Encryption with Dealership. In: Chen, L., Han, J. (eds) Provable Security. ProvSec 2016. Lecture Notes in Computer Science(), vol 10005. Springer, Cham. https://doi.org/10.1007/978-3-319-47422-9_16
Print ISBN: 978-3-319-47421-2
Online ISBN: 978-3-319-47422-9