Adaptively secure broadcast encryption with authenticated content distributors

Abstract

In public key broadcast encryption systems, anyone could run the encryption algorithm to broadcast messages by using the public parameters. The unsupervised broadcast strategy allows malicious users (even though someone outside the system with the intentionally divulged public parameters) to distribute junk messages without responsibility. Consequently, content distributor authentication is essential for broadcast encryption systems to forbid spreading of junk information. In this work, we devise a solution for public key broadcast encryption system with adaptive security to resolve the aforementioned vicious broadcaster problem, which is neglected in the previous related works. In our scheme, any user could distribute an encryption of messages with both public parameters and his/her own secret keys, and each message is associated to its broadcaster. The construction is based on the composite order bilinear groups and its adaptive security depends on the hardness of the general subgroup decisional assumptions. Furthermore, this allows our scheme to be flexible in terms on the overhead of ciphertexts, which is constant sized. Compared with previous related broadcast encryption systems constructed in the composite order bilinear groups, our scheme inherits the superiority of adaptive security based non-interactive falsifiable assumption, and simultaneously achieves the optimal ciphertext overhead and the authentication of broadcasters.

1 Introduction

Broadcast encryption system (BE) [12] enables a broadcaster to encrypt messages to any set S of receivers drawn from the universe of users U, only authorized users included in the set S can decrypt the broadcast with his/her own secret key and any other cannot. Broadcast encryption provide a solution for confidentially broadcasting content to multiple users, and it is regularly employed in many practical applications such as pay-TV, group communication, radio subscription systems and file system access control [3, 29, 31]. In a broadcast encryption system, fully collusion resistant is a fundamental security property in the sense that a ciphertext cannot be recovered by any coalition of users who are not included in the set S. Identity-based broadcast encryption [10, 11, 20, 24, 34] is one kind of BE systems, which should support exponentially many users. The framework is a generalization of the identity-based encryption (IBE). Or, put another way, IBE system [20, 22, 32] is a specific form of the identity-based broadcast encryption, which has only a single receiver in the broadcast.

A public key broadcast encryption system means that any user in the system could encrypt messages and play the role of broadcaster [3, 15]. In contrast, only the trust authority possesses the jurisdiction to distribute content in the broadcast encryption system, the former is more flexible and efficient. Whereas, it is also difficult to be supervised. A Traitor Tracing [4, 8, 16, 21, 26] or Trace & Revoke system [6, 14, 28] is designed to handle the pirate problem, and help content distributors identify malicious users and revoke the corresponding keys. Nevertheless, how to protect users to refrain from receiving junk messages broadcasted venomously by some content distributors.

Consider a scenario in which a vicious content distributor intends to broadcast junk messages, like gambling advertising, illegal commercial advertising, porn and violence information, while any user may access to the content with his/her secret keys [25]. The risk for such a public key broadcast encryption system is that any user could execute the aforementioned operation and ignore any relevant laws and regulations on broadcast content. Even worse, an unauthorized person or organisation could broadcast content with the sold or intentionally divulged public parameters from malicious users, and will not bear any responsibilities for that. The problem is that in this system there exist no verification mechanism for identifying content distributors.

As shown in Fig. 1, the intuitive solution for this issue is that every distributor signs the broadcast. Receivers could verify the signature to confirm the authenticity of its broadcaster. If any user obtains spam from decrypting the broadcast, the law enforcement officer will take legal action against the owner of the corresponding signature for the broadcast content. However, there is a significant problem in this combination of the broadcast encryption with a signature scheme, in which the vicious broadcaster is untraceable if he/she forges a signature for distributed messages and receivers also could decrypt the broadcast to obtain the spam. Some researchers [23, 25, 27, 30] introduce broadcast signcryption schemes to realize broadcaster authentication. However, in these broadcast signcryption systems, the broadcaster is assigned in the initial building phase and every receiver should registers at broadcaster to acquire decryption key. Furthermore, the ciphertext typically grows linearly with either the size of the broadcast subset or the revoked subset. In this paper, we devise a low overhead public key broadcast encryption scheme with authenticated content distributors in another way, it achieves the signature feature and forbid the above matter.

Fig. 1

Authenticated Public Key BE System

In this paper, we begin by formally defining the notion for a public key broadcast encryption system with authenticated broadcasters. For now we present some intuition of the definition. This system is comprised of four randomized algorithms Setup, KeyGen, Encrypt and Decrypt. The setup and user key generation algorithm respectively generate the master secret key with the corresponding public parameters and users’ secret keys. The generated user secret keys contain two parts: broadcast key and decryption key. The encrypt algorithm encrypts the content with public parameters and user’s broadcast key. The decrypt algorithm is able to decrypt the broadcast with decryption keys of the authorized users. Specifically, the decrypt algorithm could realize the authentication for distributor during the decryption. If the content distributor encrypts messages without his/her own broadcast secret key or with a forged one, the created ciphertext is unavailable.

The main security requirements of conventional public key broadcast encryption systems are the semantic security (the ciphertext should reveal no non-trivial information about the broadcasted plaintext) and fully collusion security (the system is secure against any number of colluders). Except that, the system captured broadcaster authentication should remain secure even if the content distributer is vicious. That is, the broadcast reveals no non-trivial information if it is encrypted without a correct broadcast secret key or with a forged one. Herein, this implies that the venomous broadcaster does not use his/her broadcast secret key to encrypt digital content to prevent being traced. We formalize the definition for adaptive security in broadcast encryption system featured verification of distributor. In such a system, the adversary is allowed to see public parameters and query user private keys before choosing the set of indices that he/she wish to attack. Further, he/she also could assign the identity of sender to create an encrypted version of the content.

Contributions

Subsequently, we present a construction for public key broadcast encryption system to attain meaningful guarantees of authenticated broadcasters. We describe such a system for N users with composite bilinear maps, it has ciphertext overhead of only O(1) group elements. The public key size and user secret key size are linear in the total number N of users. We prove the construction is fully collusion resistant under adaptive attacks in the standard model assuming only General Subgroup Decision Assumptions.

Outline

The layout of the proposal is organized as follows. We present the related literatures briefly in the next section and some essential definitions in Section 3. Then, we describe the construction of the authenticated broadcast encryption and give the formal security analysis in the standard model respectively in Sections 4 and 5. Subsequently, we show the evaluation of performance with other related solutions in Section 6. The final section conclude this work.

2 Related work

A trivial solution to broadcast encryption admits the broadcaster encrypts messages separately by each recipient’s public key, the broadcast information expansion is proportional to the size of recipient set. This trivial solution possesses low storage requirements and adaptive security. Nevertheless, such a system has a very high ciphertext expansion. Therefore, there are many researchers provided their broadcast encryption schemes with lower ciphertext expansion. However, such systems tradeoff between security and parameters size, and include a collusion bound t (using larger value of t will affect performance and overall system usability). If more than t users collude and pool their private keys, the system would no longer guarantee security [12].

In 2005, Boneh, Gentry and Waters [3] propose the first broadcast encryption scheme with constant sized ciphertexts and private keys. The public key size in their system is linear in the total number receivers. Their scheme is built from bilinear maps and fully secure against any number of colluders. However, the authors only prove security of their scheme in a static model, where the adversary needs to commits the target set that the challenge ciphertexts is encrypted to before observing public parameters.

Four years later, Gentry and Waters [15] define the adaptive security definition of broadcast encryption and suggest an adaptively secure identity-based broadcast encryption system, in which there is a separate tag value associated with the recipient group size included in the ciphertexts. Subsequently, the authors introduce a way to reuse Tag in the original system by increasing the ciphertext size to sub-linear. The adaptive security captures the fact that an adversary could declare the challenge set he/she wishes to attack, based on the acquired knowledge of the public parameters and previously queried private keys. Obviously, the adaptive model of security is the proper notion of the security for broadcast encryption systems to against the more general adversaries.

In 2009, Waters [32] present a methodology called Dual System Encryption for demonstrating adaptive security of encryption systems. The author also propose a secure broadcast encryption scheme with leveraging their dual system encryption techniques, in which the ciphertext, public key and secret key sizes are O(1), O(N), O(N) respectively.

In 2012, Lewko and Waters [22] provide a dual system encryption in composite order bilinear groups and introduce an improved method for proving encryption scheme under static complexity assumptions (not dependent on the depth of the hierarchy or the number of queries made by an attacker). Later, Kim et al. [20] propose an identity-based broadcast encryption featuring constant sized ciphertext. Technically, they employ the security proof technique introduced by Lewko and Waters, and the proposal offers adaptive security proved in the stand model. In their scheme, the size of public parameters and private keys are both linear in the maximum number of receivers. However, the maximum number of receivers should be fixed in the setup phase, and this restriction would impact the flexibility of the public key broadcast encryption system, in which the contend distributor could broadcast to any authorized set of users.

In 2019, Guo et al. [17] introduce an authenticated public key broadcast encryption with prime bilinear map, in which each user possesses a broadcast key to encrypt content and guarantees the generated ciphertext is traceable. This supervised distributed strategy solves the vicious broadcaster problem in the public key broadcast encryption systems. However, their scheme is proved statically secure with decisional Diffie-Hellman assumption.

Constructions of broadcast encryption from multilinear maps [5, 9, 13] have optimal parameters overhead. Boneh et al. [7] provide the solution for N users from O(logN)-linear maps, in which the ciphertext overhead is O(1), secret key size and public key size are all poly-logarithmic in N. Whereafter, many researchers devise broadcast encryption scheme based on their scheme in prime or composite order multilinear groups for higher security [18, 33]. Nevertheless, in 2016 Hu and Jia [19] show the applications of GGH map (a major candidate of multilinear maps) for encoding is not secure. Therefore, we no longer detailed these results from multilinear maps here.

3 Preliminary

3.1 Public key broadcast encryption systems with broadcaster authentication

Herein, we formally present the definition of public key broadcast encryption systems with broadcaster authentication. Similar to the conventional broadcast encryption systems, it is also defined as a key encapsulation mechanism. Further, the presented definition is general enough to capture identity-based broadcast encryption systems. A broadcast encryption scheme with broadcaster authentication consists of four randomized algorithms: Setup, KeyGen, Encrypt and Decrypt.

Setup(\(\mathcal {I}\mathcal {D}\), λ)

Take as input identity space \(\mathcal {I}\mathcal {D}\) and security parameter λ. It outputs the public parameters PK and master secret key msk.

KeyGen(msk,u)

Takes as input an identity \(u\in \mathcal {I}\mathcal {D}\) and master secret key msk. It outputs user secret key sk_u for u.

Encrypt(PK,S,sk_i)

The encryption algorithm takes as input the public parameters PK, recipient set \(S\subseteq \mathcal {I}\mathcal {D}\), the broadcaster’s secret key sk_i. It outputs a pair 〈Hdr,K〉, where Hdr is called the header and K is a message encryption key. Let M be a plaintext message to be broadcasted and let \(C\leftarrow SymEnc(K,M)\) be the symmetric encryption of M under the encryption key K. The overall ciphertext broadcasted to users consists of \(\{S^{\prime },Hdr,C\}\), where \(S^{\prime }=S\cup \{i\}\). Notice that, the broadcaster index in \(S^{\prime }\) is explicit, for example, i is always first element in \(S^{\prime }\). The ciphertext \(\{S^{\prime },Hdr,C\}\) is unavailable if the broadcaster produces them without his/her own broadcast secret key or with a forged one.

Decrypt(\(PK,S^{\prime },u,sk_{u},Hdr\))

Take as input the public key PK, a subset \(S^{\prime }\), an index \(u\in \mathcal {I}\mathcal {D}\), a private key sk_u for u, and the received header Hdr. If \(u\in S^{\prime }\setminus \{i\}\), the decryption algorithm outputs the message encryption key K, which is used to decrypt C to retrieve M; otherwise, it outputs ⊥. Notice that, if the received ciphertext \(\{S^{\prime },Hdr,C\}\) is unavailable, the decryption algorithm always outputs ⊥.

Next, we require that the system should satisfy the correctness property. That is, for all \(S\subseteq \mathcal {I}\mathcal {D}\), \(i\in \mathcal {I}\mathcal {D}\) and all u ∈ S, if (PK,msk) output by Setup(\(\mathcal {I}\mathcal {D},\lambda \)), sk_i output by KeyGen(msk,i), sk_u output by KeyGen(msk,u) and (Hdr,K) output by Encrypt(S, PK,sk_i), that Decrypt(PK,S ∪{i},u,sk_u,Hdr) = K.

3.2 Security definition

We formally define the adaptive security model of the public key broadcast encryption with broadcaster authentication. In such a adaptively secure system, the adversary could query several users’ private keys before committing a set which he/she wish to attack. It also captures the collusion attack implicitly by modeling the adversary queries all secret keys of users outside of the committed set S^∗. This basically follows the security definition of broadcast encryption in [15]. The difference is that the adversary needs to specify an identity to simulate broadcaster in the challenge phase.

Setup

The challenger runs the Setup(\(\mathcal {I}\mathcal {D},\lambda \)) algorithm and obtains public parameters PK. Afterwards, it gives PK to the adversary \(\mathcal {A}\).

Secret key queries

The challenger maintains a list \({\mathscr{L}}\) of 〈u,sk_u〉, which is initialized empty. When \(\mathcal {A}\) adaptively issues secret key queries for indices \(u \in \mathcal {I}\mathcal {D}\). The challenger looks up the list \({\mathscr{L}}\) and responds to \(\mathcal {A}\) as follows:

1. (1)

   If 〈u,sk_u〉 exists in \({\mathscr{L}}\), the challenge sends sk_u to \(\mathcal {A}\).

2. (2)

   Otherwise, it runs the algorithm KeyGen(msk,u) and insert a new tuple 〈u,sk_u〉 into \({\mathscr{L}}\). Then it sends sk_u to \(\mathcal {A}\).

Challenge

The adversary specifies a challenge set \(S^{*}\subset \mathcal {I}\mathcal {D}\) and a broadcaster identity i∉S^∗, which subject to the restriction that each user in S^∗ never have been requested in the secret key query. And then \(\mathcal {A}\) proceeds to declare two equal length messages M₀, M₁. If 〈i,sk_i〉 exists in the list \({\mathscr{L}}\), the challenger output sk_i; otherwise, it runs the algorithm KeyGen(msk,i) to acquire sk_i and inserts the generated 〈i,sk_i〉 to \({\mathscr{L}}\). Subsequently, it computes \((Hdr^{*},K^{*})\underset {\longleftarrow }{R}\)Enc(S^∗,PK,sk_i), and randomly selects β ∈{0,1} to calculate C^∗ = SymEnc(K^∗,M_β), then it gives (Hdr^∗,C^∗) to the adversary \(\mathcal {A}\).

More secret key queries

The adversary \(\mathcal {A}\) is allowed to query more secret keys with the restriction that u∉S^∗.

Guess

The adversary returns a guess \(\beta ^{\prime }\in \{0,1\}\) of β.

The adaptive advantage of adversary \(\mathcal {A}\) wining the above game is defined as \(Adv^{\mathcal {A}}_{\mathcal {I}\mathcal {D},\lambda }=|\Pr [\beta ^{\prime }=\beta ]-1/2|\).

Definition 1

A broadcast encryption system with broadcaster authentication is secure if for all polynomial time adversaries \(\mathcal {A}\), \(Adv^{\mathcal {A}}_{\mathcal {I}\mathcal {D},\lambda }\) is a negligible functions of λ.

3.3 Composite order bilinear maps

Herein, we briefly review some general notions about composite order bilinear maps and groups which were introduced in [2, 22].

Consider two cyclic groups G and G of same order n = p₁ ⋅ p₂ ⋅ p₃ (where p₁, p₂, p₃ are distinct large primes), we let \(e:\mathbf {G}\times \mathbf {G}\rightarrow \mathbf {G}_{T}\) denote its bilinear map, which is assumed an efficiently computable function such that:

• Bilinear: ∀g,h ∈G, a,b ∈ Z_n, e(g^a,h^b) = e(g,h)^ab.

• Non-degenerate: ∃g ∈G such that e(g,g) is a generator of G_T, which has order n.

We will use the notation G_i (i = 1,2,3) to denote the respective subgroup of order p_i of G. The notations g₁,g₂,g₃ respectively denote generators of G₁ through G₃. Each element h ∈G could be expressed as \(\mathbf {h}=g_{1}^{\gamma _{1}}g_{2}^{\gamma _{2}}g_{3}^{\gamma _{3}}\) for some \(\gamma _{1}\in Z_{p_{1}}\), \(\gamma _{2}\in Z_{p_{2}}\), \(\gamma _{3}\in Z_{p_{3}}\). If γ_i(modp_i) ≡ 0 for i = 1,2,3, we say that there is no component of G_i in G. The subgroups G₁,G₂,G₃ maintain the orthogonality property under the bilinear map e. Specifically, if g_i ∈ G_i and h_j ∈ G_j for i≠j, e(g_i,h_j) = 1, which denotes the identity element of G_T. Similar to some broadcast encryption constructions in composite order bilinear groups, the orthogonality property is also the principal tool in our scheme for realizing dual system, which is significant methodology for proving adaptive security.

3.4 General subgroup decision assumptions

Now that, we review the general subgroup decision assumptions for composite order bilinear groups, which are a family of static complexity assumptions (independent on the number of queries issued by an attacker). We base the security of the proposed public key broadcast encryption system with broadcaster authentication on these three assumptions formulated in [1, 22].

More formally, let \(\mathcal {G}(1^{\lambda })\) denote a group generation algorithm. It takes in a security number λ and outputs (n = p₁ ⋅ p₂ ⋅ p₃,G,G_T,e), where p₁, p₂, p₃ are distinct primes, G and G_T are cyclic groups of order n, e is a computable bilinear map in polynomial time with respect to G and G_T.

Assumption 1

If an adversary is given the following parameters

$$ (n=p_1\cdot p_2\cdot p_3,\mathbf{G},\mathbf{G}_T,e)\underset{\longleftarrow}{R} \mathcal{G}(1^{\lambda}), $$

$$ g_1,w_{1,1},w_{1,2},\cdots,w_{1,2^{n-1}}\underset{\longleftarrow}{R}G_1, $$

$$ X_2\underset{\longleftarrow}{R} G_2, $$

$$ \mathcal{D}=\{n,\mathbf{G},\mathbf{G}_T,e,g_1,w_{1,1},\cdots,w_{1,2^{n-1}},X_2\}, $$

$$ T_1\underset{\longleftarrow}{R} G_{1,3}, ~ T_2\underset{\longleftarrow}{R} G_{1}, $$

it must be hard to distinguish T₁ from T₂.

Let define the advantage \(Adv_{\lambda ,\mathcal {A}}^{1}\) of \(\mathcal {A}\) in breaking Assumption 1:

$$ Adv_{\lambda,\mathcal{A}}^1=\mid \Pr[\mathcal{A}(\mathcal{D},T_1)=1]-\Pr[\mathcal{A}(\mathcal{D},T_2)=1]\mid. $$

Definition 2

We say that Assumption 1 holds if no polynomial time algorithm \(\mathcal {A}\) has a non-negligible advantage \(Adv_{\lambda ,\mathcal {A}}^{1}\).

Assumption 2

If an adversary is given the following parameters

$$ (n=p_1\cdot p_2\cdot p_3,\mathbf{G},\mathbf{G}_T,e)\underset{\longleftarrow}{R} \mathcal{G} (1^{\lambda}),$$

$$ g_1,X_1\underset{\longleftarrow}{R}G_1, $$

$$ U_2,V_2,X_2,Y_2\underset{\longleftarrow}{R} G_2, $$

$$ U_3,V_3,X_3,Y_3\underset{\longleftarrow}{R} G_3, $$

$$ \mathcal{D}=\{n,\mathbf{G},\mathbf{G}_T,e,g_1,X_1X_3,X_2,Y_2Y_3,U_2U_3,V_2V_3\} $$

$$ T_1\underset{\longleftarrow}{R} \mathbf{G}, ~ T_2\underset{\longleftarrow}{R} G_{1,2}, $$

it must be hard to distinguish T₁ from T₂.

Let define the advantage \(Adv_{\lambda ,\mathcal {A}}^{2}\) of \(\mathcal {A}\) in breaking Assumption 2:

$$ Adv_{\lambda,\mathcal{A}}^2=\mid \Pr[\mathcal{A}(\mathcal{D},T_1)=1]-\Pr[\mathcal{A}(\mathcal{D},T_2)=1]\mid. $$

Definition 3

We say that Assumption 2 holds if no polynomial time algorithm \(\mathcal {A}\) has a non-negligible advantage \(Adv_{\lambda ,\mathcal {A}}^{2}\).

Assumption 3

If an adversary is given the following parameters

$$ (n=p_1\cdot p_2\cdot p_3,\mathbf{G},\mathbf{G}_T,e)\underset{\longleftarrow}{R} \mathcal{G} (1^{\lambda}),~\alpha,s\underset{\longleftarrow}{R}Z_n, $$

$$ g_1\underset{\longleftarrow}{R} G_1,~X_2\underset{\longleftarrow}{R} G_2,~X_3,Y_3,H_3,U_3,V_3\underset{\longleftarrow}{R} G_3, $$

$$ \mathcal{D}=\{n,\mathbf{G},\mathbf{G}_T,e,g_1,g_1^{\alpha}X_3,X_2,g_1^kY_3,H_3,U_3,V_3\}, $$

$$ T_1=e(g,g)^{\alpha k}, ~ T_2\underset{\longleftarrow}{R} \mathbf{G}_{T}, $$

it must be hard to distinguish T₁ from T₂.

Let define the advantage \(Adv_{\lambda ,\mathcal {A}}^{3}\) of \(\mathcal {A}\) in breaking Assumption 3:

$$ Adv_{\lambda,\mathcal{A}}^3=\mid \Pr[\mathcal{A}(\mathcal{D},T_1)=1]-\Pr[\mathcal{A}(\mathcal{D},T_2)=1]\mid. $$

Definition 4

We say that Assumption 3 holds if no polynomial time algorithm \(\mathcal {A}\) has a non-negligible advantage \(Adv_{\lambda ,\mathcal {A}}^3\).

4 Broadcast encryption system with broadcaster authentication

In this section, we present our adaptively secure construction of broadcast encryption with content distributor authentication from composite order bilinear maps. The size of ciphertext in our scheme is optimal (O(1) bits). Furthermore, we employ the methodology of Lewko and Waters for realizing dual system encryption to demonstrate the adaptive security of our construction under the non-interactive assumptions in the standard model.

Setup

(N,λ) The setup algorithm takes in the total number \(N=|\mathcal {I}\mathcal {D}|=2^n-1\) of users in the system and the security parameter λ as input. Let G be a bilinear group of composite order n = p₁p₂p₃, where p₁, p₂, p₃ are distinct primes. Afterwards, the algorithm chooses random generators g₁,w_1,u ∈ G₁ (\(u\in \mathcal {I}\mathcal {D}\)), where G₁ is a subgroup of G of order p₁. Next, it picks a random α ∈ Z_n as master secret key msk. The public parameters are published as PK = {g₁,w_1,u,e(g₁,g₁)^α} for \(u\in \mathcal {I}\mathcal {D}\).

KeyGen

(msk,u) The key generation algorithm randomly chooses generators \(\hat {g}_1,h_{1,i}\in G_1\), \(R_{2,i},\hat {R}_{2,i} \in G_2\) for \(i\in \mathcal {I}\mathcal {D}\). Subsequently, it generates r_u ∈ Z_n for identity u in \(\mathcal {I}\mathcal {D}\). The private keys of user \(u\in \mathcal {I}\mathcal {D}\) are

$$ \begin{array}{@{}rcl@{}} sk_{u} &=&\{D_{u},\hat{D}_{u},\forall_{i\in [1,2^{n}-1]}D_{u,i},\hat{D}_{u,i},E_{u}\},\\ D_{u} &=&g_{1}^{\alpha}(w_{1,u}\hat{g}_{1})^{r_{u}}R_{2,u},\\ \hat{D}_{u} &=&g_{1}^{r_{u}}\hat{R}_{2,u},\\ \forall_{i\in [1,2^{n}-1],i\neq u} D_{u,i} &=& w_{1,i}^{r_{u}}R_{2,i},\\ \forall_{i\in [1,2^{n}-1],i\neq u} \hat{D}_{u,i} &=& h_{1,i}^{r_{u}}\hat{R}_{2,i},\\ E_{u} &=& \hat{g}_{1}h_{1,u}. \end{array} $$

Enc

(S,PK,sk_i) The encryption algorithm picks random k ∈ Z_n and computes the key and header as

$$ \begin{array}{@{}rcl@{}} K &=& e(g_{1},g_{1})^{\alpha k}, \\ Hdr &=& (C_{0},C_{1}) \\ &= &\left( {g_{1}^{k}},\left( E_{v}{\prod\limits_{i}^{S}} {w_{1,i}}\right)^{k}\right)\\ & =&\left( {g_{1}^{k}},\left( \hat{g}_{1}h_{1,v}{\prod\limits_{i}^{S}} {w_{1,i}}\right)^{k}\right), \end{array} $$

where v is the identity of the broadcaster.

It sets C = SymEnc(K,M), where SymEnc() is a symmetric encryption algorithm. The overall ciphertexts are \(\{S^{\prime }=S\cup \{v\},Hdr,C\}\). The broadcaster identity v in \(S^{\prime }\) is explicit.

Dec

(\(PK,u,sk_u,S^{\prime },Hdr\)) Suppose u ∈ S (\(S=S^{\prime }-\{v\}\)), u≠v and v is a legitimate broadcaster, the decryption algorithm outputs

$$ \begin{array}{@{}rcl@{}} K =\frac {e\left( D_{u}\cdot \left( \prod\limits_{i\neq u}^{S} {D_{u,i}}\right)\cdot\hat{D}_{u,v},C_{0}\right)}{e(C_{1},\hat{D}_{u})}. \end{array} $$

Then, it outputs the message M = SymDec(K,C).

Correctness

K can be calculated as follows:

$$ \begin{array}{@{}rcl@{}} K &=&\frac{e\left( D_{u}\cdot \left( \prod\limits_{i\neq u}^{S} {D_{u,i}}\right)\cdot\hat{D}_{u,v},C_{0}\right)} {e(C_{1},\hat{D}_{u})}\\ &=& \frac{e\left( D_{u}\cdot \left( \prod\limits_{i\neq u}^{S} {D_{u,i}}\right),C_{0}\right)} {e(C_{1},\hat{D}_{u})}\cdot e(\hat{D}_{u,v},C_{0})\\ &=&\frac {e\left( g_{1}^{\alpha}\left( w_{1,u}\hat{g}_{1}\right)^{r_{u}}R_{2,u}\cdot \left( \prod\limits_{i\neq u}^{S} {w_{1,i}^{r_{u}}R_{2,i}}\right),{g_{1}^{k}}\right)} {e\left( \left( \hat{g}_{1}h_{1,v}{\prod\limits_{i}^{S}} {w_{1,i}}\right)^{k},g_{1}^{r_{u}}\hat{R}_{2,u}\right)} \\ &\cdot& e\left( h_{1,v}^{r_{u}}\hat{R}_{2,i},{g_{1}^{k}}\right) \end{array} $$

$$ \begin{array}{@{}rcl@{}} &=&\frac{e\left( g_{1}^{\alpha},{g_{1}^{k}}\right)\cdot e\left( {\prod\limits_{i}^{S}} {w_{1,i}^{r_{u}}},{g_{1}^{k}}\right)\cdot e\left( \hat{g}_{1}^{r_{u}},{g_{1}^{k}}\right) \cdot e\left( h_{1,v}^{r_{u}},{g_{1}^{k}}\right)} {e\left( \hat{g}_{1}^{k},g_{1}^{r_{u}}\right) \cdot e\left( h_{1,v}^{k},g_{1}^{r_{u}}\right)\cdot e\left( \left( {\prod\limits_{i}^{S}} {w_{1,i}}\right)^{k},g_{1}^{r_{u}}\right)}\\ &=& e\left( g_{1}^{\alpha},{g_{1}^{k}}\right)\\ &=& e\left( g_{1},g_{1}\right)^{\alpha k} \end{array} $$

Note that, if the broadcaster v produces the distributed ciphertexts without his/her own broadcast secret key or with a forged one, the receiver will employ the secret key \(\hat {D}_{u,v}\) corresponding the index v to calculate K, which does match the encrypted one. Obviously, the decryption algorithm will output ⊥.

5 Security proof

In this section, we prove our broadcast encryption with broadcaster authentication offers adaptive security in the standard model with the techniques for dual system encryption introduced by Lewko and Waters.

5.1 Semi-functional algorithms

Firstly, we detail two structures named semi-functional ciphertext and semi-functional key, which are necessary in the security proof, instead of being used in our real scheme. They are constructed with the knowledge of the secret exponents from transforming on the normal ciphertext and key.

5.1.1 Semi-functional ciphertext

The simulator executes the encryption algorithm to create the normal header \(Hdr^{\prime }=\left (C_0^{\prime },C_1^{\prime }\right )\) for authorized broadcast set S. Then it picks random exponents x, z_c ∈ Z_n and sets \(C_0=C_0^{\prime }\cdot R_3^x\), \(C_1=C_1^{\prime } R_3^{xz_c}\), where R₃ denotes a generator of G₃ (the subgroup of order p₃ of G).

5.1.2 Semi-functional key

The simulator executes the key generation algorithm to create a normal private key \(sk_u^{\prime } =\{D_u^{\prime },\hat {D}_u^{\prime },\forall _{i\in [1,2^n-1]} D_{u,i}^{\prime },\hat {D}_{u,i}^{\prime },E_u^{\prime }\}\) for user \(u\in \mathcal {I}\mathcal {D}\). Then it picks random exponents \(y_i,\hat {y}_i \in Z_n\) (i = 1,2,⋅⋅⋅,2ⁿ − 1) and sets

$$ \begin{array}{@{}rcl@{}} D_{u} &=& D_{u}^{\prime}\cdot R_{3}^{y_{u}},\\ \hat{D}_{u} &=& \hat{D}_{u}^{\prime}\cdot R_{3}^{\hat{y}_{u}},\\ \forall_{i\in [1,2^{n}-1],i\neq u} D_{u,i} &=& D_{u,i}R_{3}^{y_{i}},\\ \forall_{i\in [1,2^{n}-1],i\neq u} \hat{D}_{u,i} &=& \hat{D}_{u,i}R_{3}^{\hat{y}_{i}},\\ E_{u} &=& E_{u}^{\prime}. \end{array} $$

The subgroup G₃ of bilinear group G is a semi-functional space served for security proof. The semi-functional key and ciphertext are attached with some blinding factors in G₃. The orthogonality property of subgroups G_i for i = 1,2,3 under paring ensures the nominally semi-functionality. Technically, the attached blinding terms can be cancel out when a normal key is used to decrypt a semi-functional ciphertext. For similar reasons, the semi-functional components of a private key will not impede decryption when applied on a normal ciphertext. Otherwise, an obscured value \(e(R_3,R_3)^{x\hat {y}_u\left ({\sum \limits _{i}^{S}}{y_i}+y_v-z_c\right )}\) will be arisen from paring, which hinders decryption when \(z_c\neq {\sum \limits _{i}^{S}}{y_i}+y_v\). From the formula we could conclude that the decryption still proceed successfully if \(z_c= {\sum \limits _{i}^{S}}{y_i}+y_v\).

5.2 Proof of security

We organize the security proof of our construction as a range of distinguishable games, in which we change first the challenge ciphertext and then private keys one by one to be semi-functional. Let define the first game labeled by Game_Real be the real broadcast encryption security game. In the last game, both challenge ciphertext and secret keys are all semi-functional. And thus, the adversary has no advantage to conquer it unconditionally.

The first game is defined as follows:

Game_Real: The actual broadcast encryption security game in defined in Section 3.2, in which all private keys and the challenge ciphertext are normal.

For t from 0 to q (the total number of key queries the attacker issues), we define Game_t as:

Game_t: This game like a restricted real security game, and there are two exceptions compared to the real one. Firstly, the challenge ciphertext given to \(\mathcal {A}\) will be a semi-functional form on the challenge authorized set S^∗. Secondly, the adversary will receive semi-functional secret keys for the first t secret key queries, and receive normal secret keys for the rest of queries. Noticeable, the adversary is allowed to make at most q queries, and we will focus on the games for Game₀, ⋯, Game_q. The challenge ciphertext is semi-functional form and all returned secret keys for all private key queries are normal form in the Game₀. In the last game Game_q, both the challenge ciphertext and all queried private keys are semi-functional form.

Game_Final: This game is Game_q except that the semi-functional challenge ciphertext is encrypted of a random message, instead of the committed two messages by the adversary \(\mathcal {A}\).

In the following, we demonstrate a series of Lemmas that discuss the distinguishability of the above games.

Lemma 1

We could construct an algorithm \({\mathscr{B}}\) to break Assumption 1 with advantage 𝜖, if there is an algorithm \(\mathcal {A}\) such that \(Game_{Real} Adv_{\mathcal {A}} - Game_{0}Adv_{\mathcal {A}} =\epsilon \),.

Proof

The algorithm \({\mathscr{B}}\) begins by taking the received instance \(\mathcal {D}=\{n,\mathbf {G},\mathbf {G}_T,\)\(e,g_1,w_{1,1},\cdots ,w_{1,2^{n-1}},X_2\}\) of the Assumption 1. It could executes that the Setup, Secret Key Queries, Challenge, More Secret Key Queries, Guess of broadcast encryption and simulate the Game_Real and Game₀ with \(\mathcal {A}\). □

Setup

\({\mathscr{B}}\) picks random numbers α ∈ Z_n and sets public parameters are {g₁,w_1,1, \(w_{1,2},\cdots ,w_{1,2^{n-1}},e(g_1,g_1)^{\alpha }\}\). After that, it transmits them to the adversary \(\mathcal {A}\).

KeyGen

\({\mathscr{B}}\) maintains a list \({\mathscr{L}}\) of 〈u,sk_u〉, which is initialized empty. If the adversary make a secret key query with an indices \(\langle u,sk_u\rangle \notin {\mathscr{L}}\), \({\mathscr{B}}\) could execute the key generation algorithm KeyGen(msk,u) to generate user secret keys with the actual master secret key α and responses to \(\mathcal {A}\) with legitimate secret keys sk_u for the queried users u. It generates invariable random numbers a,c₁,c₂,⋯ ,c_N ∈ Z_n for each user. Subsequently, \({\mathscr{B}}\) selects random exponents \(r_u,b_{i},\hat {b}_{i} \in Z_n\) (for i = 1,2,⋯ ,2ⁿ − 1) and sets

$$ \begin{array}{@{}rcl@{}} sk_{u} &=& \{D_{u},\hat{D}_{u},\forall_{i\in [1,2^{n}-1]}D_{u,i},\hat{D}_{u,i},E_{u}\},\\ D_{u} &=& g_{1}^{\alpha+ar_{u}}w_{1,u}^{r_{u}}X_{2}^{b_{u}},\\ \hat{D}_{u} &=& g_{1}^{r_{u}}X_{2}^{\hat{b}_{u}},\\ \forall_{i\in [1,2^{n}-1],i\neq u} D_{u,i} &=& w_{1,i}^{r_{u}}X_{2}^{b_{i}},\\ \forall_{i\in [1,2^{n}-1],i\neq u} \hat{D}_{u,i} &=& h_{1,i}^{r_{u}}=g_{1}^{c_{i}r_{u}}X_{2}^{\hat{b}_{i}},\\ E_{u} &=& h_{1,u}=g_{1}^{a+c_{u}}. \end{array} $$

After that, it inserts the generated 〈u,sk_u〉 into \({\mathscr{L}}\). Suppose that \(\mathcal {A}\) issues a query with indices u which has queried before, \({\mathscr{B}}\) looks up the list \({\mathscr{L}}\) and responds sk_u to \(\mathcal {A}\).

Challenge ciphertext

The adversary \(\mathcal {A}\) commits to \({\mathscr{B}}\) a broadcaster v∉S^∗, two messages M₀, M₁ and a challenge set S^∗. If the indices v has been queried before, \({\mathscr{B}}\) looks up the list \({\mathscr{L}}\) to acquire sk_v. Otherwise, it generates sk_v as the above procedures. Then, it flips a cion β and computes the ciphertext as follows:

$$ \begin{array}{@{}rcl@{}} K &=&e(g_{1},T)^{\alpha}, \\ Hdr & =&(C_{0},C_{1}) \\ & =&\left( T,\left( E_{v}\prod\limits_{i}^{S^{*}} {w_{1,i}}\right)^{k}\right)\\ & =&\left( T,\left( g_{1}^{a+c_{v}}\prod\limits_{i}^{S^{*}} {w_{1,i}}\right)^{k}\right),\\ C &=&SymEnc(K,M_{\beta}). \end{array} $$

This assignment implicitly sets that \(g_1^k\) equals to the G₁ part of T. If \(T\underset {\longleftarrow }{R} G_{1,3}\), the generated challenge ciphertext is a semi-functional ciphertext. If \(T\underset {\longleftarrow }{R} G_{1}\), it will be distributed identically to a actual ciphertext. Thereby, \({\mathscr{B}}\) could distinguish between these possibilities for T with the output \(\beta ^{\prime }\) of \(\mathcal {A}\) and break Assumption 1 with the same advantage 𝜖 of \(\mathcal {A}\).

Lemma 2

If there is an algorithm \(\mathcal {A}\) that makes at most q queries such that \(Game_{t-1}Adv_{\mathcal {A}} - Game_{t}Adv_{\mathcal {A}}=\epsilon \) for some t where 1 ≤ t ≤ q. Then we could construct an algorithm \({\mathscr{B}}\) to break Assumption 2 with advantage 𝜖.

Proof

The algorithm \({\mathscr{B}}\) begins by taking the received instance \(\mathcal {D}=\{n,\mathbf {G},\mathbf {G}_T,e,\)g₁,X₁X₃,X₂,Y₂Y₃,U₂U₃,V₂V₃} of Assumption 2. It could execute that the Setup, Secret Key Queries, Challenge, More Secret Key Queries, Guess of broadcast encryption, and we describe the concrete simulation of the Game_t− 1 and Game_t with the help of \(\mathcal {A}\). □

Setup

\({\mathscr{B}}\) chooses random exponents α,a₁,⋯ ,a_N ∈ Z_n and defines

$$ \begin{array}{@{}rcl@{}} w_{1,1} &=& g_{1}^{a_{1}},\\ w_{1,2} &=& g_{1}^{a_{2}},\\ \vdots&&\\ w_{N} & =&g_{1}^{a_{N}}. \end{array} $$

The public parameters of the broadcast encryption system are {g₁,w_1,1,w_1,2,⋯ , \(w_{1,2^{n-1}},e(g_1,g_1)^{\alpha }\}\), which will be sent to \(\mathcal {A}\).

KeyGen

A list \({\mathscr{L}}\) stores the tuple 〈u,sk_u〉 (sk_u is the value which respond to \(\mathcal {A}\)’s u th secret key query) is maintained by \(\mathcal {B}\). The list is initialized empty. If \(\mathcal {A}\) makes a query with a queried indices u, \({\mathscr{B}}\) looks up the list \({\mathscr{L}}\) and sends the corresponding sk_u to \(\mathcal {A}\). Otherwise, \({\mathscr{B}}\) performs the following procedures to respond the private key queries and adds the corresponding values into \({\mathscr{L}}\). First of all, \({\mathscr{B}}\) selects random exponents a,c₁,c₂,⋯ ,c_N ∈ Z_n and sets

$$ \begin{array}{@{}rcl@{}} \hat{g}_{1} &=&{g_{1}^{a}},\\ h_{1,1} &=&g_{1}^{c_{1}},\\ h_{1,2} &=&g_{1}^{c_{2}},\\ \vdots&&\\ h_{N} & =&g_{1}^{c_{N}}. \end{array} $$

Case 1

u > t

In such situation, the algorithm \({\mathscr{B}}\) will produce normal secret key for the queried user u. It could run the key generation algorithm to generate the requested keys with the actual master secret key α. Furthermore, it selects \(b_{i},\hat {b}_{i} \in Z_n\) for i = 1,2,⋯ ,2ⁿ − 1 and r_u for the queried user u, and then computes his/her secret key as follows:

$$ \begin{array}{@{}rcl@{}} sk_{u} &=& \{D_{u},\hat{D}_{u},\forall_{i\in [1,2^{n}-1]}D_{u,i},\hat{D}_{u,i},E_{u}\},\\ D_{u} &=& g_{1}^{\alpha+ar_{u}}w_{1,u}^{r_{u}}X_{2}^{b_{u}},\\ \hat{D}_{u} &=& g_{1}^{r_{u}}X_{2}^{\hat{b}_{u}},\\ \forall_{i\in [1,2^{n}-1],i\neq u} D_{u,i}& =& w_{1,i}^{r_{u}}X_{2}^{b_{i}},\\ \forall_{i\in [1,2^{n}-1],i\neq u} \hat{D}_{u,i}& =& h_{1,i}^{r_{u}}X_{2}^{\hat{b}_{i}},\\ E_{u} &=&\hat{g}_{1}h_{1,u}=g_{1}^{a+c_{u}}. \end{array} $$

Case 2

u < t

In such situation, the algorithm \({\mathscr{B}}\) should produce the semi-functional private key queried user u. \({\mathscr{B}}\) picks random exponents \(b_{i},\hat {b}_{i} \in Z_n\) for i = 1,2,⋯ ,2ⁿ − 1 and r_u ∈ Z_n for the queried user u, then it computes:

$$ \begin{array}{@{}rcl@{}} sk_{u} &=&\{D_{u},\hat{D}_{u},\forall_{i\in [1,2^{n}-1]}D_{u,i},\hat{D}_{u,i},E_{u}\},\\ D_{u} &=&g_{1}^{\alpha+ar_{u}}w_{1,u}^{r_{u}}(Y_{2}Y_{3})^{b_{u}},\\ \hat{D}_{u} &=&g_{1}^{r_{u}}(Y_{2}Y_{3})^{\hat{b}_{u}},\\ \forall_{i\in [1,2^{n}-1],i\neq u} D_{u,i}& =& w_{1,i}^{r_{u}}(U_{2}U_{3})^{b_{i}},\\ \forall_{i\in [1,2^{n}-1],i\neq u} \hat{D}_{u,i}& =& h_{1,i}^{r_{u}}(V_{2}V_{3})^{\hat{b}_{i}},\\ E_{u} &=&\hat{g}_{1}h_{1,u}=g_{1}^{a+c_{u}}. \end{array} $$

This assignment implicitly sets that \(r_3^{y}=(Y_3)^{y_u}\).

Case 3

u = t

In such situation, \({\mathscr{B}}\) will produce a nominally semi-functional secret key for the queried user u. It does this by computing:

$$ \begin{array}{@{}rcl@{}} sk_{t} &=&\{D_{t},\hat{D}_{t},\forall_{i\in [1,2^{n}-1]}D_{t,i},\hat{D}_{t,i},E_{t}\},\\ D_{t} &=&g_{1}^{\alpha}T^{a+a_{t}}\\ \hat{D}_{t} &=&T,\\ \forall_{i\in [1,2^{n}-1],i\neq u} D_{t,i} &=& T^{a_{i}},\\ \forall_{i\in [1,2^{n}-1],i\neq u} \hat{D}_{t,i} &=& T^{b_{i}},\\ E_{u} &=&\hat{g}_{1}h_{1,u}=g_{1}^{a+c_{u}}. \end{array} $$

Challenge ciphertext

\({\mathscr{B}}\) is given a committed broadcaster v∉S^∗, two messages M₀, M₁ and a challenge set S^∗. Then it looks up the list \(\mathcal {L}\) to examine the indices v is queried before. If so, \({\mathscr{B}}\) extracts the corresponding secret key sk_v; otherwise, it produces sk_v according to the aforementioned steps. Finally, it picks β ∈{0,1} randomly and calculates the ciphertext as follows:

$$ \begin{array}{@{}rcl@{}} K &=&e(X_{1}X_{3},g_{1})^{\alpha}, \\ Hdr &=&(C_{0},C_{1}) \\ &=&\left( X_{1}X_{3},(X_{1}X_{3})^{a+c_{v}+\sum\limits_{i}^{S^{*}} {a_{i}}}\right), \\ C &=&SymEnc(K,M_{\beta}). \end{array} $$

This implicitly sets \(g_1^k\) is equal to \(R_3^{xz_c}=X_3^{\sum \limits _{i}^{S^{*}} {a_i}+c_v}\) and X₁. If \(z_c=\sum \limits _{i}^{S^{*}} {a_i}+c_v\), the nominally semi-functional formed secret key could decrypt this ciphertext successfully, and the simulator \({\mathscr{B}}\) could not examine whether the secret key of user t is semi-functional form or not. That is, \({\mathscr{B}}\) has to produce the nominally semi-functional key sk_t.

If T ∈ G_1,2, \({\mathscr{B}}\) has properly simulated Game_t− 1. If T ∈G, it means that \({\mathscr{B}}\) has properly simulated Game_t. From the received guess of β from \(\mathcal {A}\), \({\mathscr{B}}\) can distinguish between these possibilities for T.

Lemma 3

We could construct an algorithm \({\mathscr{B}}\) to break Assumption 3 with advantage 𝜖, if there is an algorithm \(\mathcal {A}\) such that \(Game_{q}Adv_{\mathcal {A}} - Game_{Final}Adv_{\mathcal {A}}\) = 𝜖.

Proof

The challenge ciphertext and the queried private keys are all semi-functional in both these two games. \({\mathscr{B}}\) begins by taking the received instance \(\mathcal {D}=\{n,\mathbf {G},\mathbf {G}_T,e\), \(g_1,g_1^{\alpha }X_3,X_2,g_1^kY_3,H_3\}\) of Assumption 3. It could executes the Setup, Secret Key Queries, Challenge, More Secret Key Queries, Guess of broadcast encryption, and we describe the concrete simulation of Game_q and Game_Final with the help of \(\mathcal {A}\). □

Setup

\({\mathscr{B}}\) begins by picking random exponents a₁,⋯ ,a_N ∈ Z_n and defines

$$ \begin{array}{@{}rcl@{}} e(g_{1},g_{1})^{\alpha}&=&e\left( g_{1},g_{1}^{\alpha}X_{3}\right),\\ w_{1,1} &=&g_{1}^{a_{1}},\\ w_{1,2} &=&g_{1}^{a_{2}},\\ \vdots&&\\ w_{N} & =&g_{1}^{a_{N}}. \end{array} $$

The public parameters of the broadcast encryption system are \(\{g_1,\hat {g}_1,w_{1,1},w_{1,2},\)\(\cdots ,w_{1,2^{n-1}},e(g_1,g_1)^{\alpha }\}\). \({\mathscr{B}}\) will transmit them to \(\mathcal {A}\). From the above formulas, we could conclude that \({\mathscr{B}}\) does not possess the master secret key α.

KeyGen

Similar to the above proof, \({\mathscr{B}}\) also maintains a list \({\mathscr{L}}\) (which is initialized empty) to store the tuple 〈u,sk_u〉. If the queried indices u exits in \({\mathscr{L}}\), \(\mathcal {A}\) will receive the corresponding sk_u; otherwise, he/she will receive the calculated semi-functional private key, which will be added in \({\mathscr{L}}\) in the form of 〈u,sk_u〉. Noticeably, in this game, all the returned secret keys are all semi-functional. Firstly, \({\mathscr{B}}\) selects random exponents a,c₁,c₂,⋯ ,c_N ∈ Z_n and sets

$$ \begin{array}{@{}rcl@{}} \hat{g}_{1} &=&{g_{1}^{a}},\\ h_{1,1} &=&g_{1}^{c_{1}},\\ h_{1,2} &=&g_{1}^{c_{2}},\\ \vdots&&\\ h_{N} & =&g_{1}^{c_{N}}. \end{array} $$

When a request for user u’s key is made, \({\mathscr{B}}\) chooses random exponents \(b_{i},\hat {b}_{i} \in Z_n\) for i = 1,2,⋯ ,2ⁿ − 1 and r_u for the queried user u and sets:

$$ \begin{array}{@{}rcl@{}} sk_{u} &=&\left\{D_{u},\hat{D}_{u},\forall_{i\in [1,2^{n}-1]}D_{u,i},\hat{D}_{u,i},E_{u}\right\},\\ D_{u} &=&g_{1}^{\alpha}X_{3}w_{1,u}^{r_{u}}(X_{2}U_{3})^{b_{u}},\\ \hat{D}_{u} &=&g_{1}^{r_{u}}(X_{2}U_{3})^{\hat{b}_{u}},\\ \forall_{i\in [1,2^{n}-1],i\neq u} D_{u,i}&=& w_{1,i}^{r_{u}}(X_{2}H_{3})^{b_{i}},\\ \forall_{i\in [1,2^{n}-1],i\neq u} \hat{D}_{u,i}& =& h_{1,i}^{r_{u}}(X_{2}V_{3})^{\hat{b}_{i}},\\ E_{u} &=&\hat{g}_{1}h_{1,u}=g_{1}^{a+c_{u}}. \end{array} $$

Challenge ciphertext

\({\mathscr{B}}\) receives a committed broadcaster v∉S^∗, a challenge set S^∗ and two messages M₀, M₁ from the attacker. \({\mathscr{B}}\) will create a secret key for broadcaster v or extracts the corresponding secret key from \({\mathscr{L}}\) according to whether the indices v has been queried before or not. The produced challenge ciphertext is a semi-functional formed ciphertext of either M_β or a random message depending on T. It flips a coin and chooses β ∈{0,1} randomly. Finally, it forms the challenge ciphertext as follows:

$$ \begin{array}{@{}rcl@{}} K &=&T, \\ Hdr &=&(C_{0},C_{1}) \\ &=&\left( {g_{1}^{k}}Y_{3},\left( {g_{1}^{k}}Y_{3}\right)\right.^{a+c_{v}+\sum\limits_{i}^{S^{*}} {a_{i}}}\\ C &=&SymEnc(K,M_{\beta}). \end{array} $$

We implicitly set \(Y_3^{xz_c}=Y_3^{a+c_v+\sum \limits _{i}^{S^{*}} {a_{i}}}\). Suppose that T is a random element of G_n+ 1, the generated ciphertext is a semi-functional formed ciphertext based on a random message. If T = e(g,g)^αk, the generated one is a properly distributed semi-functional ciphertext with message M_β. Therefore, \({\mathscr{B}}\) could distinguish between these possibilities for T from the received \(\mathcal {A}\)’ guess of β.

Theorem 1

If all of Assumption 1, 2, and 3 hold, then our broadcast encryption system with broadcaster authentication is secure.

Proof

The final game Game_Final information theoretically hide the value of β from the adversary \(\mathcal {A}\), he/she has no advantage to compromise the construction of broadcast encryption. We also present the demonstration of a sequence of Lemmas which prove that the real security game Game_Real is indistinguishable from Game_Final based on the Assumption 1, 2, 3. If these three assumptions hold, we could conclude that the advantage of adversary to compromise the game Game_Real is negligibly close to 0. □

6 Performance and functionality evaluation

In this section, we present performance and functionality evaluation analysis of the proposed construction and other related solutions in the field of broadcast encryption [3, 15, 17, 25, 27, 30, 32]. Table 1 shows the classified comparisons in terms of function, ciphertext size, public key size, private key size and security.

Table 1 Comparison

Ciphertext size is the amount of information which should be transmitted in addition to the description of the recipient set and the symmetric encryption of the broadcasted plaintext, it is the most critical efficiency aspect for broadcast encryption systems. It is optimized for such a system with constant ciphertext size. Literally, the public key and private key size mean the number of contained group elements, respectively. The sizes of public key and private key are also important measures to evaluate the storage consumption of broadcast encryption systems. From Table 1, we could see that only Guo et al.’s proposal [17] achieves O(1) ciphertext size and possesses the broadcaster authentication, simultaneously. However, their scheme is proved secure in the weaker static model. Our construction achieves the adaptive security based on static and simple assumptions in the standard model, meanwhile preserving optimal ciphertext overhead. This system has longer user secret keys, however it could realize the broadcaster authentication and has a tighter security proof in generic bilinear groups.

The time consumption for computing \({\prod \limits _{i}^{S}} {w_{1,i}}\) with ∣S∣ group operations and \(\prod \limits _{i\neq u}^{S} {D_{u,i}}\) with ∣S∣ − 1 group operations determines the computation efficiency of encryption and decryption algorithm, respectively. The broadcaster executes the encryption algorithm, for example, he/she could re-use the computed value \(\sigma = \prod \limits _{i}^{\hat {S}} {w_{1,i}}\) for authorized set \(\hat {S}\) which in prior broadcast, and compute \({\prod \limits _{i}^{S}} {w_{1,i}}\) with just δ group operations using the cached value σ, where δ is the size of the set difference between S and \(S^{\prime }\) (the receiver set \(\hat {S}\) that is similar to S). The aforementioned precomputation procedures could bring down the computation consumption of encryption and decryption algorithm greatly.

7 Conclusion

The public key broadcast encryption system with broadcaster authentication possesses a supervised broadcast strategy, each one is responsible for his/her distributed content. In this paper, we formally define the notion for a public key broadcast encryption system with authenticated broadcaster and formalize the adaptive security definition in the system. Next, we devise a construction to attain meaningful guarantees of authenticated broadcaster in the composite order bilinear groups. In our constructions for N users, the ciphertext size is of O(1) (only constant number of group elements). The public key size and user private key size are of O(N). Next, we prove the adaptive security of our scheme in the standard model under static general subgroup decisional assumptions using the methodology of dual system encryption. Finally, the performance and functionality evaluations with other solutions shows that our constructions achieves adaptive security with tighter reductions, while preserving optimal ciphertext overhead. In the future work, devising constructions for authenticated broadcast encryption system with logarithmic public key size and user private key (rather than O(N)) size is very meaningful.