Symmetric-Key Broadcast Encryption: The Multi-sender Case

Abstract

The problem of (stateless, symmetric-key) broadcast encryption, in which a central authority distributes keys to a set of receivers and can then send encrypted content that can be decrypted only by a designated subset of those receivers, has received a significant amount of attention. Here, we consider a generalization of this problem in which all members of the group must have the ability to act as both sender and receiver. The parameters of interest are the number of keys stored per user and the bandwidth required per transmission, as a function of the total number of users n and the number of excluded/revoked users r.

As our main result, we show a multi-sender scheme allowing revocation of an arbitrary number of users in which users store O(n) keys and the bandwidth is O(r). We prove a matching lower bound on the storage, showing that for schemes that support revocation of an arbitrary number of users \(\varOmega (n)\) keys are necessary for unique predecessor schemes, a class of schemes capturing most known constructions in the single-sender case. Previous work has shown that \(\varOmega (r)\) bandwidth is needed when the number of keys per user is polynomial, even in the single-sender case; thus, our scheme is optimal in both storage and bandwidth.

We also show a scheme with storage \(\mathrm{polylog} (n)\) and bandwidth O(r) that can be used to revoke any set of \(\mathrm{polylog} (n)\) users.

A Information-Theoretic Single-Sender Schemes

In this section we describe various single-sender schemes that, to the best of our knowledge, have not appeared previously in the literature. The parameters of the schemes presented here do not beat the parameters of the best known single-sender schemes, but they have the advantage of having information-theoretic security.

We begin with a simple scheme that revokes exactly one user (i.e., \(r_\mathrm{max}=1\)). Fix some b, and identify the n users with b-tuples whose coordinates range from 1 to \(n^{1/b}\). The sender holds a set of keys \(K = \{k_{i, w}\}_{i\in [b], \, w \in [n^{1/b}]}\) of size \(b \cdot n^{1/b}\). The user associated with tuple \((w_1, \ldots , w_b)\) is given the set of keys \(\{k_{i,w}\}_{i\in [b], \, w \ne w_i}\); in other words, key \(k_{i,w}\) is held by all users whose ith coordinate is not w. To revoke the single user \((w_1, \ldots , w_b)\), the sender encrypts the message using the b keys \(k_{1,w_1}, \ldots , k_{b, w_b}\) not held by that user. It follows that:

Theorem 5

For any b, there is an information-theoretic, single-sender BE scheme with \(r_\mathrm{max}=1\) having per-user storage \(b \cdot n^{1/b} - b\), bandwidth b, and \(b \cdot n^{1/b}\) total keys.

Gentry et al. [18] show that in any information-theoretic, single-sender scheme with \(r_\mathrm{max}=1\), storage s, and bandwidth b, it holds that \(n \le s^b\). The above scheme shows this bound is tight within a constant factor.

We now show how to build an information-theoretic scheme \(\varPi ^*\) revoking any number of users based on any scheme \(\varPi \) revoking a single user. The high-level idea is to apply the SD approach [29] but to schemes rather than keys. In the SD approach, users are arranged at the leaves of a binary tree, and for each pair of nodes i, j in the tree with i a parent of j, we let \(S_{i,j}\) denote the users who are descendants of i but not descendants of j. Naor et al. show that any set of users S can be partitioned into O(r) such sets, where \(r=n-|S|\) is the number of revoked users. In the SD scheme, for all i, j as above there is a single key \(k_{i,j}\) that is known exactly to those users in \(S_{i,j}\); hence, the bandwidth of the scheme is O(r). Here, we generalize the approach so that there is a set of keys allowing only those users in \(S_{i,j}\) to decrypt.

We again arrange the users at the leaves of a binary tree. In this tree, let \(T_i\) denote the sub-tree rooted at some node i. For each such sub-tree \(T_i\) of height h, we associate the root node i of that sub-tree with h instances of \(\varPi \) (recall, \(\varPi \) is a single-sender scheme supporting revocation of a single user) corresponding to the h levels of \(T_i\) not including the root node itself. The “virtual users” of instance \(\ell \in \{0, \ldots , h-1\}\) of \(\varPi \) correspond to the nodes at height \(\ell \) in \(T_i\), and we imagine giving each node the keys it would receive as a virtual user in all instances of \(\varPi \) in which it is involved. The real users, at the leaves, store the keys that would be given to its ancestors.

To send a message to a subset S of the users, the sender partitions S into a collection of subsets \(S_{i,j}\) as in the SD scheme. To encrypt a message such that only the users in \(S_{i,j}\) can read it, the sender uses the instance of \(\varPi \) in which node i is the sender and the nodes on the same level as j are the receivers, and revokes user j.

Rather than analyzing the above in the general case, we compute the bandwidth and storage when applied to the single-sender scheme \(\varPi \) from Theorem 5. Naor et al. showed that any set of S users can be partitioned into at most \(2r-1\) subsets \(S_{i,j}\), where \(r=n-|S|\) is the number of revoked users. Since the scheme \(\varPi \) from Theorem 5 has fixed bandwidth b independent of the number of users, we conclude that the bandwidth of our scheme here is at most \(b \cdot (2r-1)\). The storage per user is given by \(\sum _{h=1}^{\log n} \sum _{\ell =0}^{h-1} (n/2^{h-\ell })^{1/b} = O(n^{1/b})\). Similarly, one can show that the total number of keys is O(n). Summarizing:

Theorem 6

(Scheme 1). For any b, there is an information-theoretic, single-sender BE scheme supporting arbitrarily many revoked users having per-user storage \(O(n^{1/b})\), bandwidth \(O(b \cdot r)\), and O(n) total keys.

Specifically, there is an information-theoretic, single-sender BE scheme supporting arbitrarily many revoked users having per-user storage \(O(\sqrt{n})\), bandwidth O(r), and O(n) total keys.